I followed the - UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions. I am in Athens Greece and currently have dial up access.

AVG found &
- JS/Downloader.agent
also while I was running CCleaner, and not online, AVG found
- Trojan horse backdoor.generic10.SMQ

Note: was not able to follow the instructions in Castlecops to disable AVG Anti-spyware

Symptoms:
primary symptom that continues is that IE is unstable
- my Internet dial up icon stopped working, so created a 2nd one to bypass the problem, and now it seems each time I log on a different one of the two works
- after opening the first couple IE windows, cant open additional ones (especially from the IE quick start in lower tray, though have a little better luck through start up menu or links in Word docs). When I close these IE windows that wont go to Google, the messages are:

Error Signature
szAppName : IEXPLORE.EXE szAppVer : 6.0.2900.2180 szModName : hungapp
szModVer : 0.0.0.0 offset : 00000000

Error Report Contents
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER3b56.dir00\IEXPLORE.EXE.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER3b56.dir00\appcompat.txt

or

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERa475.dir00\IEXPLORE.EXE.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERa475.dir00\appcompat.txt

Attached are 3 logfiles

Thank you,
Constantino

Attached Files

	mbam-log-2008-11-02 (01-43-18).txt (1.7 KB, 10 views)
	SUPERAntiSpyware Scan Log - 11-02-2008 - 03-43-12.log (654 Bytes, 5 views)
	hijackthis log 2008-11-2.txt (3.5 KB, 6 views)

Here is a bump for your problem.

My assessment - no threats remain
SAS log was of the wrong type.
MBAM log - 3 threats removed [Spyware.Sinowal, wsnpoem, unnamed]
HJT log - OK


Your remaining symptoms concerning IE stability suggests "RIES" - reset IE settings.
Borrowed from Kimsland

Since your connection speed is limited by dialup access, it is difficult to recommend updating to XP SP3.
However, updating to IE7 may "repair" the IE browser.

Posting errors appearing in the events logs for you IE problem should be taken to another thread once this thread reaches closure.

The two main problems:
You have no Java running:
Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

You have 2 antivirus programs running. If you previously had Symantec/Norton, you need to use the Norton Uninstaller to complete, as these process are still running:

Download the Removal Tool from here and save to the desktop- don't run yet:
http://service1.symantec.com/SUPPORT...05033108162039

Reopen HijackThis and scan> Check the following processes:
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot. into Safe Mode:
Start> Run> type in ;msconfig' without quotes> enter> Selective Startup Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK

Start> Run> services.msc> right click on Symantec Core LC > Properties> change Startup type to Disabled> Close.

Double-click on the Norton Uninstaller and run it.

Delete your temp files.

Reboot into Normal Mode> close the nag message that comes up after checking 'don't show this message again'.

Please rerun HijackThis once more to make sure the entries are gone. Attach log. Some of the entries appear to be missing and it's may be due to the problem with IE>

Bobbeye, Thank you (& rf6647) for your response. Before proceeding with your recommendations, a couple of comments -

1) I had JRE 6.0 Update 2 or 3 and went to download the latest version (as part of the 8 Step process) it was huge and taking forever (currently dialup, should have ADSL in a few weeks) so cnacelled the download and also uninstalled the JRE version I had, believing did not really need it

2) The Norton removal tool site is asking for what year the product is, but dont remember and cant find my documentation. In folder C:\Program Files\Common Files\Symantec Shared\CCPD-LC are these 5 items:

ez_log HTML doc, symlcrst.dll, symlctnk.dll, (next 3 are core components) symlctnk.dll, symlcnet.dll, symlcsvc
Would opening any of them give us a clue of what year I had?

Please advise, thanks!

Try this:
Right click on Start> Explore> Programs> right click on Symantec (or Norton)> Properties> look for the Created date. You can also double-click to open the program, then do the right click> Properties on some of the files o the right. Should give you some ides of when you first got it. It looks like 'symlctnk.dll' may be a 2005 product. That may help you.

You need to stop those Symantec/Norton processes. They will interfere with AVG>

But you do need Java. There will be some features you won't be able to see or do without it.

Go to this site and download v6u10: http://www.java.com/en/download/manual.jsp

Downloaded the Norton Removal Tool and followed the instructions from your first message (5:03). Have attached 2 HJT logs: a = before / b = after, doing the “Fix Checked”. As you will see in the 2nd log Norton is gone, however I should tell you that in the folder - C:\Program Files\Common Files\Symantec Shared\CCPD-LC, the item - symlcrst.dll remains.

I did not download Java (it’s huge) but plan to as soon is my ADSL connection is operational…is that OK?

My problems with IE are continuing, and when appropriate can provide additional details to those found in my initial post. Thanks Bobbye

Attached Files

	hijackthis log 2008-11-7 (a).txt (3.8 KB, 0 views)
	hijackthis log 2008-11-7 (b).txt (3.4 KB, 3 views)

I very rarely get to say this, but your HijackThis log doesn't look complete.

1. There are no IE start and Search pages set up: R0, R1, R2, R3
2. The programs do not show any browser.
3. There are no Active X Object loading: 016
4. The only Services running are AVG and AdAware (old version)

Use this instruction from kimland to reset IE:
Then, please review your Services on the sites below. Make sure the ones showing Automatic are set to Automatic. IF you have Disabled any of the Services, check the references for proper settings, them check the Dependency tab. This will show other Services that need to be running.

Do this in Safe Mode: Start> Run> services.msc>> Review as noted:

http://www.ss64.com/ntsyntax/services.html
http://www.blackviper.com/WinXP/servicecfg.htm

After you have reset IE and the Services, run HijackThis again and attach the log.

Before proceeding with your directions looked over the 2 services sites you suggested. Then for a couple days could not open IE at all, did some scans and Malwarebytes found a Rootkit.agent (log attached). Also from the task manager, I deleted 3 iexplore.exe entries thinking that was related to the IE no access issue. Using another PC obtained the directions from malwarehelp.org/how-to-reset-internet-explorer-6-to.html and reset my IE 6 default settings. This has enabled IE access again. Ran HJT and have attached log (017s suspicious?). Now ready to review Services…because I have - Windows XP Pro x64 (64-bit) Service Pack 2 – should I use this blackviper.com/WinXPx64/servicecfg.htm as my reference? Any other recommendations for now, thank you.

Attached Files

	mbam-log-2008-11-15 (00-18-03).txt (963 Bytes, 5 views)
	hijackthis log 2008-11-15.log (3.6 KB, 3 views)

I'll take the easy part.

Use HJT, tick the O17 entries, select Fix (user discretion)
In the next steps, perform thorough scanning

Restart

Update MBAM & SAS

Until clean or no further progress is noted
> MBAM, scan quick mode, save log

Restarts between scans if logs indicate reboot

SAS > preferences > scanning control > tick: closer browser, tick: terminate memory threats >close

Until clean or no further progress is noted
> SAS > scan computer > quick scan, save log

MBAM > complete scan
SAS > complete scan
HJT

Post logs.& report progress and other observations.

FYI - included MBAM log did not report rootkit.agent.

I'd like to add some comments. The HijackThis log still does not look complete- either that or the system just plain isn't set up right:

1. There is no Homepage. Back in Post #7, I said this:
Regarding: .
DO NOT use System Restore. You have a rootkit malware there. We will drop all the old restore point when through.

Regarding this ISP:
This appears to be a legitimate ISP. If it is your ISP or that of your company, it doesn't need to be removed. However that fact that it is just now showing up indicates that something is still changing on the system,.

Have you downloaded/installed or changed anything in the system EXCEPT what we have asked you to do?

Please clarify the issue of the ISP or company. Please clarify why there is no homepage set up for IE.
Please clarify the Services issue. Have you gone into Services and disable any?

Have you made the attempt to clean up files as suggested in Step #2 here:
http://www.techspot.com/vb/topic58138.html

Continuing to run the malware cleaning programs isn't going to fix the problem is the system isn't configured correctly. It also appears that ComboFix may be indicated rather than Mbam again,

Bobbye, I have answered the questions from your last post –

Have you downloaded/installed or changed anything in the system EXCEPT what we have asked you to do?
I would say no but advise you of the following - while resetting IE 6 (instructions from malwarehelp.org/how-to-reset-internet-explorer-6-to.html) –
1. in Temp Internet Files / Settings / View Objects, there was one item in C:\WINDOWS\Downloaded Program Files, had something to do with Active X, and I deleted it.
2. a number of my settings had been set to a custom level (don’t remember under which tabs) before I changed them to default
3. home page was defaulted to MSN but have since put it back to Google
4. have updated to Ad-Aware 2008 (but that was after last scan logs I sent)

Please clarify the issue of the ISP or company. Please clarify why there is no homepage set up for IE.
Panafonet is my dialup ISP, will change when I get broadband connection. Maybe the reason the 017 did not show up before is that I was offline when ran previous scans. I do have a homepage set up in Internet options / general (comment 3 above)

Please clarify the Services issue. Have you gone into Services and disable any?
I have only looked them over in normal mode and have not changed anything yet, based on blackviper.com/WinXPx64/servicecfg.htm, below are the instances where my services setup currently differs -

blackviper Pro x64 default / my current settings

1. Application Experience Lookup Service - Automatic/Disabled
2. Background Intelligent Transfer Service – Manual/Automatic
3. ClipBook - Manual/Disabled
4. COM+ Event System – Automatic/Manual
5. Network DDE – Manual/Disabled
6. Network DDE DSDM – Manual/Disabled
7. Performance Logs and Alerts – Automatic/Manual
8. Universal Plug and Play Device Host – Automatic/Manual
9. Virtual Disk Service – Manual/Disabled
10. Windows Image Acquisition (WIA) – Automatic/Manual
11. Windows User Mode Driver Framework – Manual/Disabled
12. WinHTTP Web Proxy Auto-Discovery Service - Manual/Disabled

However my current settings from above do correspond to the recommendations from the ss64.com/ntsyntax/services.html site (though could not find nos. 1, 8, 10, 11)

Have you made the attempt to clean up files as suggested in Step #2 here:
techspot.com/vb/topic58138.html
I had not since my first post, have now downloaded new version of CCleaner and ran it.

After CCleaner (forgot instructions and only did it once), ran MBAM & SAS both were clean, then HJT twice - off & online, logs attached.

Attached Files

	hijackthis log (offline) 2008-11-17.txt (3.4 KB, 2 views)
	hijackthis log (online) 2008-11-17.txt (3.7 KB, 1 views)

I recommend you go back in and change these services:
11. Windows User Mode Driver Framework - Manual/Disabled >> change to Manual>> needs PlugnPlay
12. WinHTTP Web Proxy Auto-Discovery Service - Manual/Disabled >> change to Manual

For #1: this is not a standard Services. It is added with the Windows Server download:
The best rule to follow when customizing Services is to use the Manual Start up, not to disable it, if uncertain of it's function. You appear to have this server so you need the Service to be able to run.

For #8, Universal Plug and Play in Windows XP UpnP For #10, WIA, also a standard Windows XP Service, listed on the reference sites. For #11, Windows User Mode Driver Framework: Go back in and fix those Services. I'll be reviewing the HijackThis log.

We're spinning wheels here. Two weeks, no progress! You HIjack Log is still not displaying what are 'normal' entries: Nor is it current because it's not showing what you have said you did- re homepage, updates, etc.

No matter what you are telling me, I have to deal with the entries I am seeing in our log. If I can't see them, they aren't there!- or you're giving an out of date log.

Continuing:
Adobe:
Your Adobe Reader is out of date.
Update Java:
You are running an outdated AdAware 2007.
( have updated to Ad-Aware 2008 (but that was after last scan logs I sent) Then you log is NOT current.

Sorry…was a little overwhelmed at first about changing Services but also could not get online for a couple days.

Regarding - IE Start, search pages, home page –
all I can say is that I did the RIES for IE 6 and am not giving you out of date logs. There has to be another explanation…maybe an indication of at least part of my computer problem?

Services
I made a mistake on some of the services that reported I had, defined “disabled” as either – not having certain ones listed on Blackviper, or, had it and was actually disabled. The following 3 in fact I do not have:
1. Application Experience Lookup Service
11. Windows User Mode Driver Framework
12. WinHTTP Web Proxy Auto-Discovery Service

I have changed the following 2 from manual to automatic:
8. Universal Plug and Play Device Host
10. Windows Image Acquisition (WIA)

The only services have left disabled and based on their description (this is a home PC, not networked etc.) don’t feel I need are: Alerter, Clipbook, Human interface device access, Messenger, Network DDE, Network DDE DSDM, Routing & remote access, Telnet.

Have installed FoxIt Reader & uninstalled Adobe. Since the FoxIt site (and a number of others) required a credit card number for other “free” product offers, downloaded from www.brothersoft.com/foxit-pdf-reader-129745.html, also tried http://www.techspot.com/downloads/27...ader-beta.html but link did not work.

As mentioned in previous posts I would like to wait till have ADSL connection (~ 3 weeks) before downloading Java - JRE, assumed that was OK.

I recently downloaded Ad-Aware 2008 version 7.1.0.11 and is updated, the 2009 you suggested actually requires the 2007 shell. Ran it & found a malware. Also, don’t know if is significant but appears there a discrepancy between removed/quarantined
- Detailed Statistics – win32.backdoor.sinowal. Items found 2; Items removed 1
&
- Log
Number of infections found: 79
Critical: 2
Privacy Objects: 77
Infections deleted: 79
Total infections quarantined: 2
Total infections ignored by scanner: 0

Chronological summary of all infections (including previous posts):
AVG
- JS/Downloader.agent
(and while running CCleaner)
- Trojan horse backdoor.generic10.SMQ

Malwarebytes
- (2) wsn.poem Trojan.Agent

Malwarebytes
- Rootkit.agent

Ad-Aware
- win32.backdoor.sinowal

I have not attached another HJT log as the only change I noticed was that Adobe is gone.

Change to MANUAL
These Services are okay Disabled: Remember, always check the Dependency tab when changing Service Startup. Note- BlackViper site page for WinXP64bit, SP2 is:
http://www.blackviper.com/WinXPx64/servicecfg.htm
This is not the case. Apparently you didn't click on the 'Get it Free' button. I have FoxIt and I have frequently recommended it. The FoxIt Reader on the home site does NOT require credit. It is free, so are the updates. There are additional 'paid' products which "include" the FoxIt Reader. But Reader alone is free.

Please advise system status. If stable, we can remove the cleaning tools as follows:
Clear your existing System Restore points and establish a new clean restore point:

I wanted to confirm with you that my system is stable, before proceeding with OTCleanit. I believe it is, though the IE issues remain - pretty much as described in my very first post as well as no IE start and Search pages set up (HJT log attached)

Another symptom, although probably the least of my worries, for the past couple months the theme, periodically changes upon start up from Window Classic to Windows XP even though I keep changing it back (task manager > display > themes).

I also decided to redo the complete 8 step process (for a 2nd time) – the SAS was clean, but MBAM (log attached) found this

Trojan.Downloader
C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP97\A0063877.sys

noticed the location is similar to 11/15 scan (from log in previous post)

Rootkit.Agent
C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP91\A0062110.sys

Should I proceed with OTCleanit & System Restore now? Thank you.

Attached Files

	mbam-log-2008-11-21 (19-33-04).txt (966 Bytes, 1 views)
	hijackthis log 2008-11-21.txt (3.0 KB, 2 views)

First I wanna look a little deeper at your system.

Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

• Double click on RSIT.exe to run.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open.
• log.txt <will be maximized and info.txt <will be minimized
• Please post the contents of both logs in the next reply.

You also seem to be missing some updates from microsoft. Please visit www.update.microsoft.com after running RSIT

Attached are the RSIT logs. The first time I downloaded it made a mistake and it went to a temp file that i now can't find, is also on my desktop. Know not having the MS updates is a problem but it is probably not something I can/should do right now. Thank you & Bobbye very much for your assistance.

Attached Files

	RSIT log 2008-11-24.txt (12.3 KB, 2 views)
	RSIT info 2008-11-24.txt (2.2 KB, 3 views)

Ok, first disable AVG real time monitoring - right click it in the system tray and check/uncheck to disable it

Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

Thank you Blind Dragon.