I can't connect to Microsoft or any antivirus online scans

Started by Deb, July 08, 2010, 06:50:50 AM


Deb

Hi, am I glad to have found your forum. I have been battling a virus that won't allow me to connect to Microsoft or online scans, or download them without error, and now the PC freezes from a disk antivirus. This is obviously a serious virus. eScan is being replaced by Trend Micro, and so the lapse between them must have allowed this to occur; also Windows Update has nothing in the folder. Please help me, and thank you.

Deb

I can't find where to add to my original post. I downloaded ComboFix, renamed it and ran it; it showed eScan on, tried to uninstall, but the file is corrupt and I cannot turn it off as I cannot access any part of it. ComboFix says if I continue I could destroy my machine and at my own risk. I cannot simply delete the eScan file as it says programs may not work. I feel like I am being backed into a corner here.


Corrine

Hi, Deb.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Select Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.) 

Please start Internet Explorer, and when the program is open, do the following:
-- click on the Tools menu and then select Internet Options.
-- click on the Connections tab
-- click on the LAN Settings button
-- under the Proxy Server section, please uncheck the checkbox labeled "Use a proxy server for your LAN"
-- press the OK  button to close this screen. Then press the OK button to close the Internet Options screen.

Please download rkill from one of the following links and save to your Desktop:

One, Two, Three or Four


  • Double-click rkill to run.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave rkill on the Desktop until otherwise advised.
  • Do NOT restart your computer after running rkill as the malware program(s) will start again.
Notes:

If you receive security warnings about rkill, please ignore them and allow the download to continue.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    Update Malwarebytes' Anti-Malware and
    Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore.
  • Click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here on Windows XP: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt and C:\Users\UserName\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt on Windows Vista and Windows 7.
  • Please post contents of that file in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Deb

Hi. The Internet connection won't work in Safe Mode and shows nothing in its file to change LAN with.
IE also has nothing in it. I did download combofix.exe and ran it in desperation last night, so I have likely stuffed up majorly; also I had previously run MBAM over this last week trying to sort out the problem. I believe eScan being out of date has a lot to do with some of this, as it shows as still active on my firewall and the uninstall file for it is corrupt; I also keep getting chkdsk requests for corrupt files. Anyhow, below are the results of both logs, and hey, thanks for trying to help me out here. I am following instructions to the letter now; just hope it's not too late.



This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 09/07/2010 at 13:09:21.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\My Documents\Downloads\rkill.exe


Rkill completed on 09/07/2010  at 13:09:22.

An error occurred mbam error updating 12007, 0,WinHTTP send request

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

9/07/2010 1:40:16 p.m.
mbam-log-2010-07-09 (13-40-16).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 230436
Time elapsed: 27 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Corrine

Hi, Deb.

Please do not run ComboFix again without instructions.  Let's see the log.

Hold down the Windows Key and the "R" key.  A run box will appear.  Copy and paste the following:  C:\Qoobox\ComboFix.txt then click OK.

Notepad will open with a log.  Post the contents of that log in your next reply.



Deb

Hi
ComboFix 10-07-07.01 - Owner 09/07/2010   1:13.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.643 [GMT 12:00]
Running from: c:\documents and settings\Owner\Desktop\Clark76.exe
AV: eScan for Windows *On-access scanning enabled* (Outdated) {E25EE26A-7512-411E-BAF6-D9AFA504A475}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents
c:\windows\regedit.com
c:\windows\system32\taskmgr.com

.
(((((((((((((((((((((((((   Files Created from 2010-06-08 to 2010-07-08  )))))))))))))))))))))))))))))))
.

2010-07-06 02:06 . 2010-07-06 02:06   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-06 01:47 . 2010-07-06 01:47   --------   d-sh--w-   c:\documents and settings\LocalService\IECompatCache
2010-07-06 01:46 . 2010-07-06 01:46   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-07-06 01:46 . 2010-07-06 01:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-06 01:46 . 2010-07-06 01:46   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\system32\MsiExec.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\UNRecode.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\UNNeroVision.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\UNNeroShowTime.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\UNNeroMediaHome.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\UNNeroBackItUp.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\uninst.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\system32\rundll32.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\system32\nvudisp.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\system32\KmRemove.dat
2010-07-05 11:06 . 2010-07-05 11:06   --------   d-----w-   c:\windows\$$$Temp_&&&_Hives
2010-07-05 11:06 . 2010-07-05 22:04   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\ExpertScan
2010-07-04 09:50 . 2010-07-04 09:50   --------   d-----w-   c:\windows\system32\URTTEMP
2010-07-04 09:00 . 2010-07-04 09:03   71680   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-04 06:57 . 2010-07-04 08:38   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-07-02 09:07 . 2010-07-02 09:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-07-02 08:56 . 2010-07-02 09:17   2568656   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-02 08:56 . 2010-07-02 09:07   1025992   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-06-30 06:27 . 1996-11-21 22:15   92208   ----a-w-   c:\windows\system\WING.DLL
2010-06-30 06:27 . 1996-11-21 22:15   6736   ----a-w-   c:\windows\system\WINGDIB.DRV
2010-06-30 06:27 . 1996-11-21 22:15   27648   ----a-w-   c:\windows\system\WAVMIX16.DLL
2010-06-30 06:27 . 1996-11-21 22:15   188960   ----a-w-   c:\windows\system\WINGDE.DLL
2010-06-30 06:27 . 1996-11-21 22:15   12800   ----a-w-   c:\windows\system\WING32.DLL
2010-06-24 00:03 . 2010-06-24 00:03   --------   d-----w-   c:\documents and settings\samp\Local Settings\Application Data\Ahead
2010-06-16 01:40 . 2010-06-16 01:40   --------   d-----w-   C:\New Folder
2010-06-16 01:39 . 2010-06-16 01:39   --------   d-----w-   c:\documents and settings\samp\Local Settings\Application Data\Adobe
2010-06-10 22:47 . 2010-06-10 22:47   --------   d-----w-   c:\documents and settings\Owner\Application Data\Uniblue

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 12:03 . 2009-08-25 04:08   --------   d-----w-   c:\program files\eScan
2010-07-08 06:59 . 2010-03-06 12:40   --------   d-----w-   c:\program files\Free Window Registry Repair
2010-07-07 05:02 . 2010-01-07 06:54   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-06 11:28 . 2007-08-06 21:28   70416   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 09:19 . 2007-08-09 00:52   --------   d-----w-   c:\program files\EPSON
2010-07-06 02:00 . 2008-06-28 20:36   --------   d-----w-   c:\program files\Google
2010-07-05 11:06 . 2008-07-24 04:37   --------   d-----w-   c:\program files\yWriter2
2010-07-05 11:06 . 2010-04-03 12:49   --------   d-----w-   c:\program files\CoreFTP
2010-07-04 09:07 . 2008-09-14 01:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-07-04 01:31 . 2009-05-13 04:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\ParetoLogic
2010-06-30 05:48 . 2007-09-10 05:57   --------   d-----w-   c:\program files\Microsoft Kids
2010-06-10 21:22 . 2010-04-10 04:49   --------   d-----w-   c:\program files\Yahoo!
2010-06-08 09:13 . 2010-06-07 01:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-06 10:47 . 2010-06-06 03:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Toolkit Suite
2010-06-06 10:40 . 2010-06-06 10:40   --------   dc----w-   c:\documents and settings\All Users\Application Data\{69F69AB0-8485-4B45-A118-148977C1651A}
2010-06-06 10:39 . 2010-06-06 03:50   --------   d-----w-   c:\documents and settings\Owner\Application Data\Fighters
2010-06-06 03:52 . 2010-06-06 03:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\clp
2010-06-05 07:45 . 2010-06-05 07:45   70528   ----a-w-   c:\documents and settings\samp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-05 07:08 . 2010-06-05 07:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\XoftSpySE
2010-06-05 05:40 . 2010-06-05 05:39   --------   d-----w-   c:\documents and settings\Owner\Application Data\PCFix
2010-05-31 22:34 . 2010-05-31 22:34   --------   d-----w-   c:\documents and settings\samp\Application Data\.clamwin
2010-05-31 20:57 . 2010-05-31 20:56   --------   d-----w-   c:\program files\Ask.com
2010-05-30 21:16 . 2010-05-30 21:16   --------   d-----w-   c:\documents and settings\samp\Application Data\Yahoo!
2010-05-30 09:28 . 2010-05-30 09:28   --------   d-----w-   c:\documents and settings\samp\Application Data\Xerox
2010-05-30 03:53 . 2010-05-30 03:53   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-30 03:53 . 2010-05-30 03:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-29 20:53 . 2007-08-06 21:25   --------   d-----w-   c:\program files\KMaestro
2010-05-29 06:35 . 2007-08-06 03:48   196608   -c--a-w-   c:\windows\system32\drivers\nStandard.bin
2010-05-25 06:33 . 2007-08-06 03:25   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-05-25 06:33 . 2007-08-06 03:48   --------   d-----w-   c:\program files\ASUS
2010-04-03 12:49 . 2010-04-03 12:09   3520550   -c--a-w-   c:\program files\coreftplite.exe
2010-03-29 07:37 . 2010-03-29 05:53   15331909   -c--a-w-   c:\program files\AVSVideoEditor.exe.part
2010-03-07 03:24 . 2010-03-07 03:23   1666   -c--a-w-   c:\program files\SOUNDMAXINTEGRATEDDIGITALHDAUDIO6.10.1.6585f40fd54c64fbb86b9f465bee20651a0a.dmx-info
2010-03-07 02:50 . 2010-03-07 02:50   3874552   -c--a-w-   c:\program files\drivermax.exe
2010-03-04 10:42 . 2010-03-04 10:38   1146184   -c--a-w-   c:\program files\wlsetup-web.exe
2009-03-21 14:06 . 2006-02-28 12:00   159084   --sha-r-   c:\windows\system32\dkzjpky.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 04:50   1197448   ----a-w-   c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"XeroxScannerDaemon"="c:\program files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 27648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"nwiz"="nwiz.exe" [2007-04-12 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"eScan CleanUp"="c:\progra~1\eScan\Cleanup.exe" [2005-04-04 486400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\wlsetup-web.exe"=
"c:\\Program Files\\Microsoft Silverlight\\sllauncher.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\Attach To Email\\AttachToEmail.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\Easy Photo Print\\EEasyPhotoPrint.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\File Manager\\EFileManager.exe"=
"c:\\Program Files\\EPSON Print CD\\EPSONCD.exe"=
"c:\\Program Files\\InterActual\\InterActual Player\\iPlayer.exe"=
"c:\\Program Files\\InterActual\\InterActual Player\\inuninst.exe"=
"c:\\Program Files\\Straighthold Trader\\MetaEditor.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\EPSON\\PIF DESIGNER\\PIF DESIGNER.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\Scan Assistant\\EScanAssist.exe"=
"c:\\Program Files\\CoreFTP\\UNWISE.EXE"=
"c:\\Program Files\\eScan\\unins000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Movie Maker\\moviemk.exe"=
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5750:TCP"= 5750:TCP:haivgfe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [28/08/2009 2:46 p.m. 38968]
R2 eScan-trayicos;eScan Server-Updater;c:\progra~1\eScan\TRAYSSER.EXE [7/08/2007 9:36 a.m. 110592]
R2 ESCANMX;eScan Monitor Extension;c:\windows\system32\drivers\escanmxx.sys [7/08/2007 10:05 a.m. 33792]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [28/08/2009 2:46 p.m. 178872]
S2 exwklhtf;Image Windows;c:\windows\system32\svchost.exe -k netsvcs [1/03/2006 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/07/2010 2:00 p.m. 135664]
S2 KAVMonitorService;eScan Monitor Service;c:\progra~1\eScan\avpm.exe [7/08/2007 9:36 a.m. 622750]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
exwklhtf
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 02:00]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 02:00]

2010-07-04 c:\windows\Tasks\User_Feed_Synchronization-{50A9C00E-06C1-442E-8161-44D674D61CD3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://msn.co.nz/
mStart Page = hxxp://msn.co.nz/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: %SystemRoot%\system32\mwtsp.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d2wlnfy9.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://msn.co.nz/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=CLA&o=15306&locale=en_US&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-PConPoint_is1 - c:\program files\PConPoint\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 01:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exwklhtf]
"ServiceDll"="c:\windows\system32\dkzjpky.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,5c,5e,e3,ac,7a,b1,48,bb,c3,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,5c,5e,e3,ac,7a,b1,48,bb,c3,48,\

[HKEY_USERS\S-1-5-21-854245398-162531612-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\mwtsp.dll
.
Completion time: 2010-07-09  01:19:49
ComboFix-quarantined-files.txt  2010-07-08 13:19

Pre-Run: 58,085,769,216 bytes free
Post-Run: 58,069,913,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /Execute /fastdetect

- - End Of File - - 416AA1E6DEF81F2AEDFB29492FC61F8B
thanks
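As an added example (the editor's code, not anything posted in this thread and not part of ComboFix), the following Python triages the ComboFix log above for the pattern that the later CFScript targets: a randomly named service in the netsvcs svchost group whose ServiceDll is a hidden/system DLL dropped straight into system32, a same-minute burst of 0-byte .dat decoys named after real binaries, an oddly named folder under %windir%, and a Windows Firewall exception with a made-up name. The sample input is an excerpt copied from the posted log; the regexes, the burst threshold and the heuristics are the editor's assumptions. The LSP line (mwtsp.dll) is deliberately reported as a review item rather than queued for deletion: its name matches the installed eScan vendor's Winsock component, and removing a Winsock LSP DLL without unregistering it breaks networking.

```python
"""Triage a ComboFix log excerpt for a rogue netsvcs service and its droppings.

Editor's example. The heuristics below are assumptions, not ComboFix logic."""
import re
from collections import defaultdict

# Excerpt copied from the log posted in the thread (only lines the parser needs).
SAMPLE_LOG = r"""
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\system32\MsiExec.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\UNRecode.dat
2010-07-05 11:06 . 2010-07-05 11:06   0   ----a-w-   c:\windows\system32\rundll32.dat
2010-07-05 11:06 . 2010-07-05 11:06   --------   d-----w-   c:\windows\$$$Temp_&&&_Hives
2010-07-04 09:00 . 2010-07-04 09:03   71680   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-03-21 14:06 . 2006-02-28 12:00   159084   --sha-r-   c:\windows\system32\dkzjpky.dll
"5750:TCP"= 5750:TCP:haivgfe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 ESCANMX;eScan Monitor Extension;c:\windows\system32\drivers\escanmxx.sys [7/08/2007 10:05 a.m. 33792]
S2 exwklhtf;Image Windows;c:\windows\system32\svchost.exe -k netsvcs [1/03/2006 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/07/2010 2:00 p.m. 135664]
LSP: %SystemRoot%\system32\mwtsp.dll
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exwklhtf]
"ServiceDll"="c:\windows\system32\dkzjpky.dll"
"""

# "created . modified   size   attrs   path"; attrs are 8 flag chars, e.g. --sha-r-
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)"
                     r"\s+(\S+)\s+([-a-z]{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+?) \[")
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"= \S+?:(?P<desc>[^:]+)$')
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$')
LSP_RE = re.compile(r"^LSP: (?P<dll>.+)$")


def triage(log_text, burst=3):
    """Return suspicious files/folders/services/ports found in a ComboFix log excerpt."""
    files, folders, services, ports, review = set(), set(), set(), set(), []
    zero_byte = defaultdict(list)   # creation minute -> 0-byte .dat files
    service_dll = {}                # service name -> ServiceDll path
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            created, _modified, size, attrs, path = m.groups()
            low = path.lower()
            is_dir = attrs[0] == "d"
            in_windir = low.startswith("c:\\windows\\")
            if not is_dir and size == "0" and in_windir and low.endswith(".dat"):
                zero_byte[created].append(path)          # decoys dropped in one burst
            elif is_dir and in_windir and re.search(r"[$&]", path):
                folders.add(path)                         # Windows does not name its own dirs like this
            elif not is_dir and attrs[2:4] == "sh" and low.endswith(".dll") and "\\system32\\" in low:
                # hidden+system DLL in system32; the log also shows its mtime backdated
                # to the XP media date so it blends in with OS files
                files.add(path)
            continue
        m = SERVICE_RE.match(line)
        if m and "svchost.exe -k netsvcs" in m.group("image").lower():
            # ComboFix lists only non-default entries, so any netsvcs-hosted service
            # it shows was added; the ServiceDll it points at is what really runs.
            services.add(m.group("name"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("name")
            continue
        m = SERVICEDLL_RE.match(line)
        if m and current_key:
            service_dll[current_key] = m.group("dll")
            continue
        m = PORT_RE.match(line)
        if m and not m.group("desc").startswith("@"):
            # exceptions Windows creates itself carry a resource-string name
            # (@xpsp2res.dll,-NNNN); a bare random word was added by something else
            ports.add(f'{m.group("port")} ({m.group("desc")})')
            continue
        m = LSP_RE.match(line)
        if m:
            review.append(f"LSP {m.group('dll')}: identify the vendor first; deleting a "
                          "Winsock LSP DLL without unregistering it breaks networking")
    for paths in zero_byte.values():
        if len(paths) >= burst:
            files.update(paths)
    for name in services:
        if name in service_dll:
            files.add(service_dll[name])
    return {"files": sorted(files, key=str.lower), "folders": sorted(folders),
            "services": sorted(services), "ports": sorted(ports), "review": review}


def build_cfscript(findings):
    """Render the File:: / Folder:: directives used in the thread's CFScript.txt."""
    sections = []
    if findings["files"]:
        sections.append("File::\n" + "\n".join(findings["files"]))
    if findings["folders"]:
        sections.append("Folder::\n" + "\n".join(findings["folders"]))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, value in found.items():
        print(key, value)
    print(build_cfscript(found))
```

On the posted log this yields the same File:: and Folder:: targets as the CFScript later in the thread, plus the service name (exwklhtf) and the open port 5750/TCP, which ComboFix handles once the DLL is gone and which the firewall exception list should be checked for afterwards.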

Corrine

Hi, Deb. 

Why did you rename ComboFix as "Clark76.exe"?

Please take care of eScan before proceeding further!  Here is a link for the eScan removal tool:  http://www.microworldsystems.com/download/tools/esremove.exe  Before you use it, be sure to have a replacement anti-virus software downloaded and ready to install.  The following A/V and firewalls are free for personal use.

Free Antivirus Software:

avast! 5 Home Edition
Avira AntiVir PersonalEdition Classic
Microsoft Security Essentials

Free Firewalls:

It appears you have been using a registry cleaner.  I strongly advise you to reconsider that as registry cleaners tend to do more harm than good.

I also note the AskToolbar installed on your computer.  You may want to read Current Practices of IAC/Ask Toolbars.  If you decide to remove it, check Add/Remove programs for an uninstall option.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


File::
c:\windows\system32\MsiExec.dat
c:\windows\UNRecode.dat
c:\windows\UNNeroVision.dat
c:\windows\UNNeroShowTime.dat
c:\windows\UNNeroMediaHome.dat
c:\windows\UNNeroBackItUp.dat
c:\windows\uninst.dat
c:\windows\system32\rundll32.dat
c:\windows\system32\nvudisp.dat
c:\windows\system32\KmRemove.dat
c:\windows\system32\dkzjpky.dll

Folder::
c:\windows\$$$Temp_&&&_Hives


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Drag CFScript.txt onto ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



Deb

Hi
Windows Firewall is still showing eScan, maybe out of date, but the removal was successful and all clear in both Control Panel and the Program folder. Here is the ComboFix log; off to run the scan now. Thanks for all your help - amazing.

ComboFix 10-07-07.01 - Owner 10/07/2010  16:10:03.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.749 [GMT 12:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: eScan for Windows *On-access scanning enabled* (Outdated) {E25EE26A-7512-411E-BAF6-D9AFA504A475}

FILE ::
"c:\windows\system32\dkzjpky.dll"
"c:\windows\system32\KmRemove.dat"
"c:\windows\system32\MsiExec.dat"
"c:\windows\system32\nvudisp.dat"
"c:\windows\system32\rundll32.dat"
"c:\windows\uninst.dat"
"c:\windows\UNNeroBackItUp.dat"
"c:\windows\UNNeroMediaHome.dat"
"c:\windows\UNNeroShowTime.dat"
"c:\windows\UNNeroVision.dat"
"c:\windows\UNRecode.dat"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\$$$Temp_&&&_Hives
c:\windows\system32\dkzjpky.dll
c:\windows\system32\KmRemove.dat
c:\windows\system32\MsiExec.dat
c:\windows\system32\nvudisp.dat
c:\windows\system32\rundll32.dat
c:\windows\uninst.dat
c:\windows\UNNeroBackItUp.dat
c:\windows\UNNeroMediaHome.dat
c:\windows\UNNeroShowTime.dat
c:\windows\UNNeroVision.dat
c:\windows\UNRecode.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_exwklhtf
-------\Service_exwklhtf


(((((((((((((((((((((((((   Files Created from 2010-06-10 to 2010-07-10  )))))))))))))))))))))))))))))))
.

2010-07-10 03:38 . 2010-07-10 03:39   6203745   ----a-w-   c:\windows\REGBK10.ZIP
2010-07-10 03:35 . 2010-07-10 03:37   --------   d-----w-   c:\documents and settings\Owner\Application Data\Download Manager
2010-07-09 01:10 . 2010-04-29 03:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 01:10 . 2010-07-09 01:10   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-09 01:10 . 2010-04-29 03:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-09 00:19 . 2010-07-09 00:19   --------   d-sh--w-   c:\documents and settings\Administrator\IECompatCache
2010-07-09 00:18 . 2010-07-09 00:18   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-07-08 12:04 . 2010-07-10 04:00   --------   d-----w-   C:\ComboFix.exe
2010-07-06 02:06 . 2010-07-06 02:06   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-06 01:47 . 2010-07-06 01:47   --------   d-sh--w-   c:\documents and settings\LocalService\IECompatCache
2010-07-06 01:46 . 2010-07-06 01:46   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-07-06 01:46 . 2010-07-06 01:47   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-06 01:46 . 2010-07-06 01:46   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-05 11:06 . 2010-07-05 22:04   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\ExpertScan
2010-07-04 09:50 . 2010-07-04 09:50   --------   d-----w-   c:\windows\system32\URTTEMP
2010-07-04 06:57 . 2010-07-10 04:06   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-07-02 09:07 . 2010-07-02 09:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2010-06-30 06:27 . 1996-11-21 22:15   92208   ----a-w-   c:\windows\system\WING.DLL
2010-06-30 06:27 . 1996-11-21 22:15   6736   ----a-w-   c:\windows\system\WINGDIB.DRV
2010-06-30 06:27 . 1996-11-21 22:15   27648   ----a-w-   c:\windows\system\WAVMIX16.DLL
2010-06-30 06:27 . 1996-11-21 22:15   188960   ----a-w-   c:\windows\system\WINGDE.DLL
2010-06-30 06:27 . 1996-11-21 22:15   12800   ----a-w-   c:\windows\system\WING32.DLL
2010-06-24 00:03 . 2010-06-24 00:03   --------   d-----w-   c:\documents and settings\samp\Local Settings\Application Data\Ahead
2010-06-16 01:40 . 2010-06-16 01:40   --------   d-----w-   C:\New Folder
2010-06-16 01:39 . 2010-06-16 01:39   --------   d-----w-   c:\documents and settings\samp\Local Settings\Application Data\Adobe
2010-06-10 22:47 . 2010-06-10 22:47   --------   d-----w-   c:\documents and settings\Owner\Application Data\Uniblue

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 03:34 . 2010-01-07 06:54   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-08 06:59 . 2010-03-06 12:40   --------   d-----w-   c:\program files\Free Window Registry Repair
2010-07-06 11:28 . 2007-08-06 21:28   70416   -c--a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-06 09:19 . 2007-08-09 00:52   --------   d-----w-   c:\program files\EPSON
2010-07-06 02:00 . 2008-06-28 20:36   --------   d-----w-   c:\program files\Google
2010-07-05 11:06 . 2008-07-24 04:37   --------   d-----w-   c:\program files\yWriter2
2010-07-05 11:06 . 2010-04-03 12:49   --------   d-----w-   c:\program files\CoreFTP
2010-07-04 09:07 . 2008-09-14 01:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-07-04 09:03 . 2010-07-04 09:00   71680   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-04 01:31 . 2009-05-13 04:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\ParetoLogic
2010-07-02 09:17 . 2010-07-02 08:56   2568656   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-02 09:07 . 2010-07-02 08:56   1025992   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-06-30 05:48 . 2007-09-10 05:57   --------   d-----w-   c:\program files\Microsoft Kids
2010-06-10 21:22 . 2010-04-10 04:49   --------   d-----w-   c:\program files\Yahoo!
2010-06-08 09:13 . 2010-06-07 01:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-06 10:47 . 2010-06-06 03:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Toolkit Suite
2010-06-06 10:40 . 2010-06-06 10:40   --------   dc----w-   c:\documents and settings\All Users\Application Data\{69F69AB0-8485-4B45-A118-148977C1651A}
2010-06-06 10:39 . 2010-06-06 03:50   --------   d-----w-   c:\documents and settings\Owner\Application Data\Fighters
2010-06-06 03:52 . 2010-06-06 03:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\clp
2010-06-05 07:45 . 2010-06-05 07:45   70528   ----a-w-   c:\documents and settings\samp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-05 07:08 . 2010-06-05 07:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\XoftSpySE
2010-06-05 05:40 . 2010-06-05 05:39   --------   d-----w-   c:\documents and settings\Owner\Application Data\PCFix
2010-05-31 22:34 . 2010-05-31 22:34   --------   d-----w-   c:\documents and settings\samp\Application Data\.clamwin
2010-05-31 20:57 . 2010-05-31 20:56   --------   d-----w-   c:\program files\Ask.com
2010-05-30 21:16 . 2010-05-30 21:16   --------   d-----w-   c:\documents and settings\samp\Application Data\Yahoo!
2010-05-30 09:28 . 2010-05-30 09:28   --------   d-----w-   c:\documents and settings\samp\Application Data\Xerox
2010-05-30 03:53 . 2010-05-30 03:53   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-30 03:53 . 2010-05-30 03:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-29 20:53 . 2007-08-06 21:25   --------   d-----w-   c:\program files\KMaestro
2010-05-29 06:35 . 2007-08-06 03:48   196608   -c--a-w-   c:\windows\system32\drivers\nStandard.bin
2010-05-25 06:33 . 2007-08-06 03:25   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-05-25 06:33 . 2007-08-06 03:48   --------   d-----w-   c:\program files\ASUS
2010-04-03 12:49 . 2010-04-03 12:09   3520550   -c--a-w-   c:\program files\coreftplite.exe
2010-03-29 07:37 . 2010-03-29 05:53   15331909   -c--a-w-   c:\program files\AVSVideoEditor.exe.part
2010-03-07 03:24 . 2010-03-07 03:23   1666   -c--a-w-   c:\program files\SOUNDMAXINTEGRATEDDIGITALHDAUDIO6.10.1.6585f40fd54c64fbb86b9f465bee20651a0a.dmx-info
2010-03-07 02:50 . 2010-03-07 02:50   3874552   -c--a-w-   c:\program files\drivermax.exe
2010-03-04 10:42 . 2010-03-04 10:38   1146184   -c--a-w-   c:\program files\wlsetup-web.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 04:50   1197448   ----a-w-   c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
"XeroxScannerDaemon"="c:\program files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 27648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"nwiz"="nwiz.exe" [2007-04-12 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\wlsetup-web.exe"=
"c:\\Program Files\\Microsoft Silverlight\\sllauncher.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\Attach To Email\\AttachToEmail.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\Easy Photo Print\\EEasyPhotoPrint.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\File Manager\\EFileManager.exe"=
"c:\\Program Files\\EPSON Print CD\\EPSONCD.exe"=
"c:\\Program Files\\InterActual\\InterActual Player\\iPlayer.exe"=
"c:\\Program Files\\InterActual\\InterActual Player\\inuninst.exe"=
"c:\\Program Files\\Straighthold Trader\\MetaEditor.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\EPSON\\PIF DESIGNER\\PIF DESIGNER.exe"=
"c:\\Program Files\\EPSON\\Creativity Suite\\Scan Assistant\\EScanAssist.exe"=
"c:\\Program Files\\CoreFTP\\UNWISE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Movie Maker\\moviemk.exe"=
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5750:TCP"= 5750:TCP:haivgfe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [28/08/2009 2:46 p.m. 38968]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [28/08/2009 2:46 p.m. 178872]
S2 exwklhtf;Image Windows;c:\windows\system32\svchost.exe -k netsvcs [1/03/2006 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/07/2010 2:00 p.m. 135664]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
exwklhtf
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 02:00]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 02:00]

2010-07-09 c:\windows\Tasks\User_Feed_Synchronization-{50A9C00E-06C1-442E-8161-44D674D61CD3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://msn.co.nz/
mStart Page = hxxp://msn.co.nz/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d2wlnfy9.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://msn.co.nz/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 16:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exwklhtf]
"ServiceDll"="c:\windows\system32\dkzjpky.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,5c,5e,e3,ac,7a,b1,48,bb,c3,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,5c,5e,e3,ac,7a,b1,48,bb,c3,48,\

[HKEY_USERS\S-1-5-21-854245398-162531612-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2010-07-10  16:22:32 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-10 04:22
ComboFix2.txt  2010-07-08 13:19

Pre-Run: 58,016,800,768 bytes free
Post-Run: 57,920,765,952 bytes free

- - End Of File - - C274F6E32B2820ECBC499F51F69C7697
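
The ComboFix log above is what a helper reads by eye: the `S2 exwklhtf` service hosted by `svchost.exe -k netsvcs`, its `ServiceDll` pointing at a random-named DLL in system32, and the firewall exception `5750:TCP:haivgfe`. The following script is an added example, not part of the forum post and not ComboFix's own code, that automates exactly that correlation over the relevant log lines (copied from the log above into a constructed sample). The allowlist `KNOWN_SVCHOST_DLLS` is an assumption: a deliberately small set of DLLs that host Windows XP services inside svchost.exe, so anything not on it is a "review this" flag rather than a verdict.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the service, NetSvcs, firewall and ServiceDll lines
# copied from the ComboFix log in this thread, trimmed to what the checks need.
SAMPLE_LOG = r"""
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [28/08/2009 2:46 p.m. 38968]
S2 exwklhtf;Image Windows;c:\windows\system32\svchost.exe -k netsvcs [1/03/2006 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/07/2010 2:00 p.m. 135664]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
exwklhtf
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5750:TCP"= 5750:TCP:haivgfe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exwklhtf]
"ServiceDll"="c:\windows\system32\dkzjpky.dll"
"""

# Assumption: a deliberately small allowlist of DLLs that legitimately host
# Windows XP services inside svchost.exe. A real tool would use a full,
# signature-verified inventory; anything not listed is only "review this".
KNOWN_SVCHOST_DLLS: Set[str] = {
    "qmgr.dll", "wuauserv.dll", "cryptsvc.dll", "dhcpcsvc.dll", "dnsrslvr.dll",
    "browser.dll", "srvsvc.dll", "wkssvc.dll", "schedsvc.dll", "seclogon.dll",
    "shsvcs.dll", "termsrv.dll", "trkwks.dll", "wscsvc.dll", "xmlprov.dll",
}

# "S2 name;display name;binary path [date size]"
SERVICE_RE = re.compile(r"^[RS]\d (\w+);([^;]*);(.*?) \[", re.M)
# "[...\Services\name]" followed by its ServiceDll value
SERVICEDLL_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(\w+)\]\s*"
    r'"ServiceDll"="([^"]+)"', re.M)
# '"5750:TCP"= 5750:TCP:label'
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"= \d+:(?:TCP|UDP):(\S+)$', re.M)

Finding = Tuple[str, str, str]  # (kind, subject, detail)


def parse_netsvcs(log: str) -> Set[str]:
    """Names listed under the Svchost NetSvcs group (up to the next '.' or blank line)."""
    names: Set[str] = set()
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if "\\Svchost" in line and line.rstrip().endswith("- NetSvcs"):
            for nxt in lines[i + 1:]:
                s = nxt.strip()
                if not s or s == ".":
                    break
                names.add(s)
    return names


def triage(log: str) -> List[Finding]:
    """Flag svchost-hosted services whose ServiceDll is not recognised, and
    firewall exceptions whose label is neither a resource string nor a file name."""
    findings: List[Finding] = []
    services: Dict[str, Tuple[str, str]] = {
        m.group(1): (m.group(2), m.group(3)) for m in SERVICE_RE.finditer(log)}
    dlls: Dict[str, str] = {m.group(1): m.group(2) for m in SERVICEDLL_RE.finditer(log)}
    netsvcs = parse_netsvcs(log)

    for name, (display, path) in services.items():
        if "svchost.exe" not in path.lower():
            continue  # runs from its own binary; not what this check looks at
        dll = dlls.get(name)
        base = dll.rsplit("\\", 1)[-1].lower() if dll else "(no ServiceDll recorded)"
        if base not in KNOWN_SVCHOST_DLLS:
            group = "listed in NetSvcs" if name in netsvcs else "not in NetSvcs"
            findings.append(("svchost-service", name,
                             f'"{display}" -> {dll or base}; {group}'))

    for m in PORT_RE.finditer(log):
        port, label = m.group(1), m.group(2)
        # "@xpsp2res.dll,-22009" is a localized resource string; "firefox.exe" is a file.
        if not label.startswith("@") and "." not in label:
            findings.append(("open-port", port, f"opaque exception name {label!r}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {subject}: {detail}")
```

Run against the sample it reports the `exwklhtf` service (ServiceDll `dkzjpky.dll`, listed in NetSvcs) and the `5750:TCP` exception, and stays quiet about the Panda driver, Google Update and the Remote Desktop port, which matches what the helper acted on in this thread.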

Deb

C:\System Volume Information\_restore{24ECAB32-E39B-4E0A-A332-0A948B9D6334}\RP54\A0111992.exe   a variant of Win32/Adware.ErrorClean application   cleaned by deleting - quarantined

System is running much better. No reset of servers; I seem to be able to connect to sites again and the update is downloading. I have removed the Ask toolbar, yet it is still on Google even though disabled; I removed it through Control Panel.

Thanks
Deb

Corrine

Hi, Deb.

We can take care of the leftover ASK and escan entry with Combofix.  What antivirus software are you installing to replace escan?

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:

SecCenter::
AV: eScan for Windows *On-access scanning enabled* (Outdated) {E25EE26A-7512-411E-BAF6-D9AFA504A475}

Folder::
c:\program files\Ask.com

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Firefox::
Firefox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d2wlnfy9.default\
Firefox -: prefs.js: browser.search.selectedEngine - Ask.com


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

(screenshot omitted: CFScript.txt being dragged onto ComboFix.exe)

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Deb

Hi
I have installed Trend Micro Professional and it has removed the eScan message; plus Ask has gone from the Firefox browser. All running A-OK. Thank you so much for all you have done to help me.
Deb

Corrine

Hi, Deb.

Please post the last Combofix log so we can finish.



Deb

Hi
I have been trying to download another combofix.exe as mine is saying it is out of date. Can you please supply the link, as I am not getting anywhere; my computer is so slow I could sleep for the night, wake up, and it would still be trying. That's a joke. Do you want me to add the special script again or run ComboFix without it?
Thanks Deb

Corrine

Hi, Deb.

Too much time has passed for you to be running ComboFix again unless we know what is happening. 

Please download random's system information tool (RSIT):

  • Download RSIT by random/random from here and save it to your desktop.
  • Double-click RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

