Virus\Malware removal logs attached

Status
Not open for further replies.

Constantino

I followed the - UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions. I am in Athens Greece and currently have dial up access.

AVG found:
- JS/Downloader.agent
also while I was running CCleaner, and not online, AVG found
- Trojan horse backdoor.generic10.SMQ

Note: was not able to follow the instructions in Castlecops to disable AVG Anti-spyware

Symptoms:
primary symptom that continues is that IE is unstable
- my Internet dial up icon stopped working, so created a 2nd one to bypass the problem, and now it seems each time I log on a different one of the two works
- after opening the first couple IE windows, can't open additional ones (especially from the IE quick start in lower tray, though have a little better luck through start up menu or links in Word docs). When I close these IE windows that won't go to Google, the messages are:

Error Signature
szAppName : IEXPLORE.EXE szAppVer : 6.0.2900.2180 szModName : hungapp
szModVer : 0.0.0.0 offset : 00000000

Error Report Contents
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER3b56.dir00\IEXPLORE.EXE.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER3b56.dir00\appcompat.txt

or

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERa475.dir00\IEXPLORE.EXE.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERa475.dir00\appcompat.txt

Attached are 3 logfiles

Thank you,
Constantino
 

Attachments

  • mbam-log-2008-11-02 (01-43-18).txt (1.7 KB)
  • SUPERAntiSpyware Scan Log - 11-02-2008 - 03-43-12.log (654 bytes)
  • hijackthis log 2008-11-2.txt (3.5 KB)
Here is a bump for your problem.

My assessment - no threats remain
SAS log was of the wrong type.
MBAM log - 3 threats removed [Spyware.Sinowal, wsnpoem, unnamed]
HJT log - OK


Your remaining symptoms concerning IE stability suggest "RIES" - reset IE settings.
Borrowed from Kimsland

Since your connection speed is limited by dialup access, it is difficult to recommend updating to XP SP3.
However, updating to IE7 may "repair" the IE browser.

Posting errors appearing in the event logs for your IE problem should be taken to another thread once this thread reaches closure.
 
The two main problems:
You have no Java running:
Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

You have 2 antivirus programs running. If you previously had Symantec/Norton, you need to use the Norton Uninstaller to complete, as these processes are still running:

Download the Removal Tool from here and save to the desktop- don't run yet:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Reopen HijackThis and scan> Check the following processes:
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> enter> Selective Startup Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK

Start> Run> services.msc> right click on Symantec Core LC > Properties> change Startup type to Disabled> Close.

Double-click on the Norton Uninstaller and run it.

Delete your temp files.

Reboot into Normal Mode> close the nag message that comes up after checking 'don't show this message again'.

Please rerun HijackThis once more to make sure the entries are gone. Attach log. Some of the entries appear to be missing and it may be due to the problem with IE.
 
Bobbeye, Thank you (& rf6647) for your response. Before proceeding with your recommendations, a couple of comments -

1) I had JRE 6.0 Update 2 or 3 and went to download the latest version (as part of the 8 Step process); it was huge and taking forever (currently dialup, should have ADSL in a few weeks) so cancelled the download and also uninstalled the JRE version I had, believing I did not really need it

2) The Norton removal tool site is asking for what year the product is, but don't remember and can't find my documentation. In folder C:\Program Files\Common Files\Symantec Shared\CCPD-LC are these 5 items:

ez_log HTML doc, symlcrst.dll, symlctnk.dll, (next 3 are core components) symlctnk.dll, symlcnet.dll, symlcsvc
Would opening any of them give us a clue of what year I had?

Please advise, thanks!
 
Try this:
Right click on Start> Explore> Programs> right click on Symantec (or Norton)> Properties> look for the Created date. You can also double-click to open the program, then do the right click> Properties on some of the files on the right. Should give you some idea of when you first got it. It looks like 'symlctnk.dll' may be a 2005 product. That may help you.

You need to stop those Symantec/Norton processes. They will interfere with AVG.

uninstalled the JRE version I had, believing did not really need it
But you do need Java. There will be some features you won't be able to see or do without it.

Go to this site and download v6u10: https://www.techspot.com/downloads/6463-java-se.html
 
Downloaded the Norton Removal Tool and followed the instructions from your first message (5:03). Have attached 2 HJT logs: a = before / b = after, doing the “Fix Checked”. As you will see in the 2nd log Norton is gone, however I should tell you that in the folder - C:\Program Files\Common Files\Symantec Shared\CCPD-LC, the item - symlcrst.dll remains.

I did not download Java (it's huge) but plan to as soon as my ADSL connection is operational…is that OK?

My problems with IE are continuing, and when appropriate can provide additional details to those found in my initial post. Thanks Bobbye
 
I very rarely get to say this, but your HijackThis log doesn't look complete.

1. There are no IE start and Search pages set up: R0, R1, R2, R3
2. The programs do not show any browser.
3. There are no Active X Objects loading: O16
4. The only Services running are AVG and AdAware (old version)

Use this instruction from Kimsland to reset IE:
How to use Reset Internet Explorer Settings (RIES)

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note for users who cannot start Internet Explorer 7 for some reason, use RIES from Internet Options in Control Panel.

Refer here: http://www.microsoft.com/windows/ie/.../ietopten.mspx
For even more options

Then, please review your Services on the sites below. Make sure the ones showing Automatic are set to Automatic. IF you have Disabled any of the Services, check the references for proper settings, then check the Dependency tab. This will show other Services that need to be running.

Do this in Safe Mode: Start> Run> services.msc>> Review as noted:

http://www.ss64.com/ntsyntax/services.html
http://www.blackviper.com/WinXP/servicecfg.htm


After you have reset IE and the Services, run HijackThis again and attach the log.
 
Before proceeding with your directions looked over the 2 services sites you suggested. Then for a couple days could not open IE at all, did some scans and Malwarebytes found a Rootkit.agent (log attached). Also from the task manager, I deleted 3 iexplore.exe entries thinking that was related to the IE no access issue. Using another PC obtained the directions from malwarehelp.org/how-to-reset-internet-explorer-6-to.html and reset my IE 6 default settings. This has enabled IE access again. Ran HJT and have attached log (O17s suspicious?). Now ready to review Services…because I have - Windows XP Pro x64 (64-bit) Service Pack 2 – should I use this blackviper.com/WinXPx64/servicecfg.htm as my reference? Any other recommendations for now, thank you.
 

Attachments

  • mbam-log-2008-11-15 (00-18-03).txt (963 bytes)
I'll take the easy part.

Use HJT, tick the O17 entries, select Fix (user discretion)
whois = panafonet.gr, not on any blacklist (robtex)
O17 - HKLM\System\CCS\Services\Tcpip\..\{036D24A7-8C44-48A2-B9ED-175EA6644FFA}: NameServer = 213.249.17.10 213.249.17.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{036D24A7-8C44-48A2-B9ED-175EA6644FFA}: NameServer = 213.249.17.10 213.249.17.11

In the next steps, perform thorough scanning

Restart

Update MBAM & SAS

Until clean or no further progress is noted
> MBAM, scan quick mode, save log

Restarts between scans if logs indicate reboot

SAS > preferences > scanning control > tick: close browser, tick: terminate memory threats > close

Until clean or no further progress is noted
> SAS > scan computer > quick scan, save log

MBAM > complete scan
SAS > complete scan
HJT

Post logs & report progress and other observations.

FYI - included MBAM log did not report rootkit.agent.
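The O17 check above (look up who owns the NameServer addresses, decide whether they belong to the user's ISP) can be scripted for a log with many entries. The following is an added example for this thread, not code from the posts or from HijackThis: it parses each O17 line, flags every NameServer that is not on an allow list of expected resolvers, and groups entries by interface GUID, so that the CCS (CurrentControlSet) and CS1 (ControlSet001) lines for the same GUID are recognised as one adapter recorded in two control sets rather than two separate findings. The first two sample lines are the ones quoted in the thread; the third line, its GUID, the 192.0.2.53 address (a TEST-NET documentation address) and the EXPECTED_RESOLVERS list are constructed for the demonstration.

```python
"""Check HijackThis O17 (NameServer) entries against the resolvers you expect.

Added example for this thread; not part of the original posts or of HijackThis.
Lines 1-2 of SAMPLE_LOG are the two O17 entries quoted in the thread; line 3,
the GUID in it and EXPECTED_RESOLVERS are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# O17 line shape: "O17 - <registry key ending in {interface GUID}>: NameServer = ip[ ,]ip ..."
O17_RE = re.compile(r"^O17\s*-\s*(?P<key>[^:]+?)\s*:\s*NameServer\s*=\s*(?P<servers>.+)$")
GUID_RE = re.compile(r"\{([^}]+)\}")

# Constructed allow list: the dial-up ISP's resolvers (the two addresses seen in the log).
EXPECTED_RESOLVERS = {"213.249.17.10", "213.249.17.11"}

SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{036D24A7-8C44-48A2-B9ED-175EA6644FFA}: NameServer = 213.249.17.10 213.249.17.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{036D24A7-8C44-48A2-B9ED-175EA6644FFA}: NameServer = 213.249.17.10 213.249.17.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-0000-4000-8000-000000000000}: NameServer = 192.0.2.53,213.249.17.10
"""


@dataclass
class O17Entry:
    key: str          # registry key as HJT prints it (CCS = CurrentControlSet, CS1 = ControlSet001)
    servers: list     # NameServer values in the order listed
    unexpected: list = field(default_factory=list)  # servers that are not on the allow list

    @property
    def interface_guid(self):
        m = GUID_RE.search(self.key)
        return m.group(1).upper() if m else None


def parse_o17(line):
    """Return an O17Entry for an O17 NameServer line, or None for any other HJT line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HJT separates multiple resolvers with spaces or commas.
    servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
    return O17Entry(key=m.group("key"), servers=servers)


def check_entry(entry, expected=EXPECTED_RESOLVERS):
    """Flag every NameServer that is not a valid address on the allow list."""
    for s in entry.servers:
        try:
            ip = str(ipaddress.ip_address(s))
        except ValueError:
            entry.unexpected.append(f"{s} (not an IP address)")
            continue
        if ip not in expected:
            entry.unexpected.append(ip)
    return entry


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Parse and check all O17 lines in an HJT log; returns the checked entries in order."""
    return [check_entry(e, expected)
            for e in map(parse_o17, log_text.splitlines()) if e is not None]


def group_by_interface(entries):
    """Merge entries by interface GUID: the CCS and CS1 lines for one GUID describe the
    same adapter stored in two control sets, so they count as one interface."""
    groups = {}
    for e in entries:
        groups.setdefault(e.interface_guid, set()).update(e.servers)
    return groups


if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in entries:
        status = ("unexpected: " + ", ".join(e.unexpected)) if e.unexpected else "matches expected resolvers"
        print(f"{e.interface_guid}: {' '.join(e.servers)} -> {status}")
    print("interfaces seen:", len(group_by_interface(entries)))
```

Run against the sample, the two quoted entries pass and collapse to one interface, while the constructed third entry is reported for 192.0.2.53. The allow list is the part you must supply yourself: it should hold the resolvers your ISP actually hands out (a whois lookup, as done above, is how you confirm them).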
 
I'd like to add some comments. The HijackThis log still does not look complete- either that or the system just plain isn't set up right:

1. There is no Homepage. Back in Post #7, I said this:
I very rarely get to say this, but your HijackThis log doesn't look complete.
1. There are no IE start and Search pages set up: R0, R1, R2, R3
2. The programs do not show any browser.
3. There are no Active X Objects loading: O16
4. The only Services running are AVG and AdAware (old version)
Regarding:
FYI - included MBAM log did not report rootkit.agent.
DO NOT use System Restore. You have a rootkit malware there. We will drop all the old restore point when through.

Regarding this ISP:
IP 213.249.17.10
netname: PANAFONET
descr: Panafonet ISP network
descr: Athens, Greece
Dial-up ISP in Greece
http://www.panafonet.gr/Panafonet/En/services/dialup/faq2.shtml
This is the first time it's come up. It does not show on the previous logs.
O17 - HKLM\System\CCS\Services\Tcpip\..\{036D24A7-8C44-48A2-B9ED-175EA6644FFA}: NameServer = 213.249.17.10 213.249.17.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{036D24A7-8C44-48A2-B9ED-175EA6644FFA}: NameServer = 213.249.17.10 213.249.17.11
This appears to be a legitimate ISP. If it is your ISP or that of your company, it doesn't need to be removed. However, the fact that it is just now showing up indicates that something is still changing on the system.

Have you downloaded/installed or changed anything in the system EXCEPT what we have asked you to do?

Please clarify the issue of the ISP or company. Please clarify why there is no homepage set up for IE.
Please clarify the Services issue. Have you gone into Services and disable any?

Have you made the attempt to clean up files as suggested in Step #2 here:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Continuing to run the malware cleaning programs isn't going to fix the problem if the system isn't configured correctly. It also appears that ComboFix may be indicated rather than MBAM again.
 
Bobbye, I have answered the questions from your last post –

Have you downloaded/installed or changed anything in the system EXCEPT what we have asked you to do?
I would say no but advise you of the following - while resetting IE 6 (instructions from malwarehelp.org/how-to-reset-internet-explorer-6-to.html) –
1. in Temp Internet Files / Settings / View Objects, there was one item in C:\WINDOWS\Downloaded Program Files, had something to do with Active X, and I deleted it.
2. a number of my settings had been set to a custom level (don’t remember under which tabs) before I changed them to default
3. home page was defaulted to MSN but have since put it back to Google
4. have updated to Ad-Aware 2008 (but that was after last scan logs I sent)

Please clarify the issue of the ISP or company. Please clarify why there is no homepage set up for IE.
Panafonet is my dialup ISP, will change when I get broadband connection. Maybe the reason the O17 did not show up before is that I was offline when I ran previous scans. I do have a homepage set up in Internet options / general (comment 3 above)

Please clarify the Services issue. Have you gone into Services and disable any?
I have only looked them over in normal mode and have not changed anything yet, based on blackviper.com/WinXPx64/servicecfg.htm, below are the instances where my services setup currently differs -

blackviper Pro x64 default / my current settings

1. Application Experience Lookup Service - Automatic/Disabled
2. Background Intelligent Transfer Service – Manual/Automatic
3. ClipBook - Manual/Disabled
4. COM+ Event System – Automatic/Manual
5. Network DDE – Manual/Disabled
6. Network DDE DSDM – Manual/Disabled
7. Performance Logs and Alerts – Automatic/Manual
8. Universal Plug and Play Device Host – Automatic/Manual
9. Virtual Disk Service – Manual/Disabled
10. Windows Image Acquisition (WIA) – Automatic/Manual
11. Windows User Mode Driver Framework – Manual/Disabled
12. WinHTTP Web Proxy Auto-Discovery Service - Manual/Disabled

However my current settings from above do correspond to the recommendations from the ss64.com/ntsyntax/services.html site (though could not find nos. 1, 8, 10, 11)

Have you made the attempt to clean up files as suggested in Step #2 here:
techspot.com/vb/topic58138.html

I had not since my first post, have now downloaded new version of CCleaner and ran it.

After CCleaner (forgot instructions and only did it once), ran MBAM & SAS both were clean, then HJT twice - off & online, logs attached.
 
I recommend you go back in and change these services:
11. Windows User Mode Driver Framework - Manual/Disabled >> change to Manual>> needs PlugnPlay
12. WinHTTP Web Proxy Auto-Discovery Service - Manual/Disabled >> change to Manual

For #1: this is not a standard Service. It is added with the Windows Server download:
Description of the Application Experience Lookup Service in Windows Server 2003 SP1
http://support.microsoft.com/kb/902196

The best rule to follow when customizing Services is to use the Manual Start up, not to disable it, if uncertain of its function. You appear to have this server so you need the Service to be able to run.

For #8, Universal Plug and Play in Windows XP UpnP

For #10, WIA, also a standard Windows XP Service, listed on the reference sites.
(WIA) API is standardized for acquiring digital images from devices that are primarily used to capture still images and for managing these devices.

For #11, Windows User Mode Driver Framework:
It is a device-driver development platform first introduced with Microsoft's Windows Vista operating system, and is also available for Windows XP. It facilitates the creation of drivers for certain classes of devices. So you would have had to download this to Windows XP- which is why it shouldn't be disabled!
http://en.wikipedia.org/wiki/User-Mode_Driver_Framework

Go back in and fix those Services. I'll be reviewing the HijackThis log.
 
We're spinning wheels here. Two weeks, no progress! Your HijackThis log is still not displaying what are 'normal' entries. Nor is it current, because it's not showing what you have said you did- re homepage, updates, etc.

No matter what you are telling me, I have to deal with the entries I am seeing in your log. If I can't see them, they aren't there!- or you're giving an out of date log.

Continuing:
1. There are no IE start and Search pages set up: R0, R1, R2, R3>> still none showing
You say: "3. home page was defaulted to MSN but have since put it back to Google" Where are they?
Adobe:
Your Adobe Reader is out of date.
Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the 'Get it Free' button
Update Java:
You show no Java installed. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
You are running an outdated AdAware 2007.
(have updated to Ad-Aware 2008 (but that was after last scan logs I sent)
Then your log is NOT current.
 
Sorry…was a little overwhelmed at first about changing Services but also could not get online for a couple days.

Regarding - IE Start, search pages, home page –
all I can say is that I did the RIES for IE 6 and am not giving you out of date logs. There has to be another explanation…maybe an indication of at least part of my computer problem?

Services
I made a mistake on some of the services that reported I had, defined “disabled” as either – not having certain ones listed on Blackviper, or, had it and was actually disabled. The following 3 in fact I do not have:
1. Application Experience Lookup Service
11. Windows User Mode Driver Framework
12. WinHTTP Web Proxy Auto-Discovery Service

I have changed the following 2 from manual to automatic:
8. Universal Plug and Play Device Host
10. Windows Image Acquisition (WIA)

The only services I have left disabled and based on their description (this is a home PC, not networked etc.) don't feel I need are: Alerter, Clipbook, Human interface device access, Messenger, Network DDE, Network DDE DSDM, Routing & remote access, Telnet.

Have installed FoxIt Reader & uninstalled Adobe. Since the FoxIt site (and a number of others) required a credit card number for other “free” product offers, downloaded from www.brothersoft.com/foxit-pdf-reader-129745.html, also tried www.techspot.com/downloads/2713-foxit-reader-beta.html but link did not work.

As mentioned in previous posts I would like to wait till have ADSL connection (~ 3 weeks) before downloading Java - JRE, assumed that was OK.

I recently downloaded Ad-Aware 2008 version 7.1.0.11 and it is updated; the 2009 you suggested actually requires the 2007 shell. Ran it & found a malware. Also, don't know if it is significant but there appears to be a discrepancy between removed/quarantined
- Detailed Statistics – win32.backdoor.sinowal. Items found 2; Items removed 1
&
- Log
Number of infections found: 79
Critical: 2
Privacy Objects: 77
Infections deleted: 79
Total infections quarantined: 2
Total infections ignored by scanner: 0

Chronological summary of all infections (including previous posts):
AVG
- JS/Downloader.agent
(and while running CCleaner)
- Trojan horse backdoor.generic10.SMQ

Malwarebytes
- (2) wsn.poem Trojan.Agent

Malwarebytes
- Rootkit.agent

Ad-Aware
- win32.backdoor.sinowal

I have not attached another HJT log as the only change I noticed was that Adobe is gone.
 
Change to MANUAL
I have changed the following 2 from manual to automatic:
8. Universal Plug and Play Device Host
10. Windows Image Acquisition (WIA)
These Services are okay Disabled: Remember, always check the Dependency tab when changing Service Startup. Note- BlackViper site page for WinXP64bit, SP2 is:
http://www.blackviper.com/WinXPx64/servicecfg.htm
Alerter,
Clipbook,
Human interface device access,
Messenger,
Network DDE,
Network DDE DSDM,
Routing & remote access,
Telnet.
Have installed FoxIt Reader & uninstalled Adobe. Since the FoxIt site (and a number of others) required a credit card number for other “free” product offers,
This is not the case. Apparently you didn't click on the 'Get it Free' button. I have FoxIt and I have frequently recommended it. The FoxIt Reader on the home site does NOT require credit. It is free, so are the updates. There are additional 'paid' products which "include" the FoxIt Reader. But Reader alone is free.

Please advise system status. If stable, we can remove the cleaning tools as follows:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.
 
I wanted to confirm with you that my system is stable, before proceeding with OTCleanit. I believe it is, though the IE issues remain - pretty much as described in my very first post as well as no IE start and Search pages set up (HJT log attached)

Another symptom, although probably the least of my worries, for the past couple months the theme periodically changes upon start up from Windows Classic to Windows XP even though I keep changing it back (task manager > display > themes).

I also decided to redo the complete 8 step process (for a 2nd time) – the SAS was clean, but MBAM (log attached) found this

Trojan.Downloader
C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP97\A0063877.sys

noticed the location is similar to 11/15 scan (from log in previous post)

Rootkit.Agent
C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP91\A0062110.sys

Should I proceed with OTCleanit & System Restore now? Thank you.
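Both detections in the post above sit under C:\System Volume Information\_restore{...}\RP##\, which is where Windows XP stores System Restore snapshots: the files are archived copies rather than anything currently loaded, but they come straight back if that restore point is ever used, which is why the advice earlier in the thread is not to use System Restore and to purge the old points with cleanmgr once the system is clean. As an added example for this thread (not code from the posts or from Malwarebytes), the script below sorts scanner detections into live locations and restore-point snapshots and lists which RP numbers are affected. The first two paths are the ones quoted above; the third detection and its path are constructed so that a live-location hit appears alongside the archived ones.

```python
"""Sort scanner detections into live files vs. System Restore snapshot copies.

Added example for this thread; not part of the original posts or of Malwarebytes.
The first two SAMPLE_DETECTIONS paths are quoted from the thread; the third is
constructed so a live-location detection appears for contrast.
"""
import re
from dataclasses import dataclass
from typing import Optional

# XP keeps each restore point under <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}"
    r"\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)

SAMPLE_DETECTIONS = [
    ("Trojan.Downloader",
     r"C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP97\A0063877.sys"),
    ("Rootkit.Agent",
     r"C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP91\A0062110.sys"),
    # Constructed detection in a live location; not from the thread.
    ("Trojan.Agent", r"C:\WINDOWS\system32\constructed-sample.dll"),
]


@dataclass
class Finding:
    name: str
    path: str
    in_restore_point: bool
    restore_point: Optional[int] = None   # RP number when the copy lives in a snapshot
    guid: Optional[str] = None            # the _restore{GUID} directory it belongs to


def classify(name, path):
    """Decide whether a detected path is a restore-point copy or a live file."""
    m = RESTORE_POINT_RE.match(path)
    if m:
        return Finding(name, path, True, int(m.group("rp")), m.group("guid").upper())
    return Finding(name, path, False)


def summarize(detections):
    """Split (name, path) detections into live vs. archived, with the RPs affected."""
    findings = [classify(n, p) for n, p in detections]
    archived = [f for f in findings if f.in_restore_point]
    live = [f for f in findings if not f.in_restore_point]
    return {
        "live": live,
        "archived": archived,
        "restore_points": sorted({f.restore_point for f in archived}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_DETECTIONS)
    for f in s["live"]:
        print(f"LIVE      {f.name}: {f.path}")
    for f in s["archived"]:
        print(f"SNAPSHOT  {f.name}: RP{f.restore_point} in _restore{{{f.guid}}}")
    print("restore points holding detections:", s["restore_points"])
```

A detection that lands only in the "archived" bucket is removed for good by clearing restore points, as described earlier in the thread; anything in the "live" bucket is on the running system and needs the normal removal steps.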
 
First I wanna look a little deeper at your system.

Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.
  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt <will be maximized and info.txt <will be minimized
  • Please post the contents of both logs in the next reply.

You also seem to be missing some updates from microsoft. Please visit www.update.microsoft.com after running RSIT
 
Attached are the RSIT logs. The first time I downloaded it I made a mistake and it went to a temp file that I now can't find; it is also on my desktop. Know not having the MS updates is a problem but it is probably not something I can/should do right now. Thank you & Bobbye very much for your assistance.
 
Ok, first disable AVG real time monitoring - right click it in the system tray and check/uncheck to disable it

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
One more scan to be sure

====================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
The Kaspersky scanner got stuck twice at the same point -

Scan is running (21%)
Now scanning: VBAOL10.CHM
Location: C:\Program Files...Office\Office10\1032

Up to there it had not found anything and I waited 15-20 minutes each time to see if would start again.
 
Trend Micro Housecall Free Online Scanner

  • It's one of the very few online scanners that will actually disinfect viruses etc.
  • First Open Internet Explorer
  • Go to Trend Micro's Housecall website which can be found HERE
  • Click on the link that says "Scan now. It's Free"
  • A new tab will open where you will have to tick a box to agree to the terms of service.
  • Click "Launch House Call"
  • Follow any additional on screen instructions
  • Select any infections then Fix Checked after the scan
 
I had problems downloading Trend Micro Housecall due to my dial up connection. Since am able to get IE to work using various means, have decided to wait ~2 weeks when hopefully will have the ADSL connection, and then do the following:

- install a firewall (probably Comodo)
- redo the 8 step Instructions and if I see anything new in the logs, send them to you before proceeding further
(from here on, would appreciate your input)
- reset IE 6 Settings (RIES)
- really not sure if I should do this -- redo random's system information tool (RSIT) & Combofix (also files from the 1st time I ran them are on my system, OK to leave them there)??
- then am inclined to try Kaspersky again, have cleared temp files so assume 1st download of the program is gone, researched the file it was getting stuck on (C:\Program Files...Office\Office10\1032...VBAOL10.CHM) and it appears to relate to Outlook which I do not use

I will look forward to your instructions Blind Dragon, thank you very much!
 