Solved Browser redirect + poor performance + error on exit explorer

Status
Not open for further replies.

beogil

Hi and thanks,

Started this process once about a week ago, but only got to step 5. (Dad of 3 and busy life :) Started over last night at step 1. Will post original results, and new results in the posts to follow.

Symptoms
  • Poor performance. Laggy opening apps, esp. explorer
  • Explorer redirects occasionally. Sometimes from google search. Sometimes on its own. It just did it again this morning after step 5. Step required reboot. Opened explorer to read next step... home page is msn, and it redirected.
  • All redirects are actually a new explorer window that pops up. (original window stays open at correct location). Redirects are random pages... lots of 'winners click here' type stuff.
  • Up until today, when I closed explorer, an error dialog box would pop up. (Wrote it down but lost it) Something like a call error reading memory at a certain location.
  • After any reboot, computer ALWAYS says it needs to reboot again. I have let it do it a few times thinking it was installing updates, but it will loop through reboots 6 or 7 times. Gave up after that... will click cancel now.
  • Get lots of "internet explorer cannot display page". Will have to reload page several times to get it to load. In step 6, could NOT use the link to the java update. It said "internet explorer cannot display page" no matter how many times I reloaded. Ended up typing java link in directly

When I updated java, these are the outdated versions I removed: 5.1, 5.4, 6.1, 6.2, 6.3, 6.5, and 6.7. Updated to 6.18.

On the next post, I will post the first mbam log and superantispyware log. (It did find some things)

The following post will have all the results + hijack this from today.

Thanks again for your help. I am headed to work... not sure how this works, so let me know if I need to be at the computer for an extended time. It's 6:30am here... will be back tonight about 5:00

Thanks,
Tim
 
Good Morning dad of 3! I think I remember you. Please wait until you have all 3 logs ready and then include them in your next reply.

I'm sure you already know there can be many reasons for poor performance, slow computer, etc. What we'll do is check for malware, hopefully find and make sure it's removed. We'll see how the system is then and go from there.

Edit: Add this:
Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe, then under Select log to query, select:
  • Application
  • System

Under Select type to list, select:
  • Critical (Vista only)
  • Error

Click the radio button for Number of events
  • Type 20 in the 1 to 20 box
  • Then click the Run button.
  • Notepad will open with the output log.

Load the log
  • In Notepad, click Edit > Select all
  • Then press Edit > Copy
  • Press Ctrl+V on your keyboard to paste the log to your next reply.
(Courtesy rev-Olie)

Reboot before you do this- hoping to check for any error that corresponds to having to reboot again.
 
logs from first mbam and antispy

here are the logs from the first time... only got to step 5. (Actually, I had tried mbam twice before that... then realized I had a problem and found this page. I am including those two original mbam logs as well.)

thx
 

Attachments

  • mbam-log-2010-02-18 (19-27-35).txt (1 KB)
  • mbam-log-2010-02-19 (17-12-20).txt (1.9 KB)
  • mbam-log-2010-03-11 (07-23-17).txt (953 bytes)
  • SUPERAntiSpyware Scan Log - 03-11-2010 - 08-43-53.log (2.8 KB)
sorry... most recent logs

sorry... had already uploaded the previous message, then saw your reply... uploading the most recent and complete now...
 

Attachments

  • SUPERAntiSpyware Scan Log - 03-17-2010 - 21-06-36.log (2.6 KB)
  • mbam-log-2010-03-17 (20-07-32).txt (886 bytes)
  • hijackthis.log (10.9 KB)
event view log

Log: 'Application' Date/Time: 18/03/2010 3:00:38 AM
Type: error Category: 0
Event: 1024 Source: MsiInstaller
Product: Microsoft Office Access Runtime (English) 2007 - Update 'Microsoft Office 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Log: 'Application' Date/Time: 18/03/2010 3:00:38 AM
Type: error Category: 0
Event: 10005 Source: MsiInstaller
Product: Microsoft Office Access Runtime (English) 2007 -- Error 2711. An internal error has occurred. (OfficeWebComponents11 )

Log: 'Application' Date/Time: 17/03/2010 7:41:33 PM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 17/03/2010 7:40:46 PM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 17/03/2010 1:02:14 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 16/03/2010 3:10:30 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 16/03/2010 3:00:39 AM
Type: error Category: 0
Event: 1024 Source: MsiInstaller
Product: Microsoft Office Access Runtime (English) 2007 - Update 'Microsoft Office 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Log: 'Application' Date/Time: 16/03/2010 3:00:39 AM
Type: error Category: 0
Event: 10005 Source: MsiInstaller
Product: Microsoft Office Access Runtime (English) 2007 -- Error 2711. An internal error has occurred. (OfficeWebComponents11 )

Log: 'Application' Date/Time: 16/03/2010 1:39:56 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 10:43:14 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 10:43:08 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 10:43:03 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 7:42:03 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 7:38:19 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 5:24:49 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 15/03/2010 5:24:44 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/03/2010 6:48:23 AM
Type: error Category: 0
Event: 49 Source: Ftdisk
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

Log: 'System' Date/Time: 18/03/2010 6:48:23 AM
Type: error Category: 0
Event: 45 Source: Ftdisk
The system could not sucessfully load the crash dump driver.

Log: 'System' Date/Time: 18/03/2010 5:55:00 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.
 
I had to truncate the last message... said it was too long. I deleted the oldest of the events (from two days ago)

thx again
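The helper's read of the event list above (repeated MsiInstaller failures for Office, a burst of Service Control Manager 7023 errors within two seconds of a boot) is the kind of triage that gets tedious once the VEW output is longer than one screen. The Python below is an added example, not something posted in this thread and not part of VEW: it parses records in the format VEW writes, counts them by log, source and event ID, names the installer packages that keep failing, and flags any (source, event) pair that repeats several times inside a short window. The embedded log is a constructed sample cut down to six of the records posted above (with the MsiInstaller messages shortened) plus VEW's section banner; the two-second window and three-event threshold are assumptions chosen to fit this log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format VEW writes: six of the records posted
# above (MsiInstaller messages shortened) and VEW's section banner.
SAMPLE_VEW_LOG = """\
Log: 'Application' Date/Time: 18/03/2010 3:00:38 AM
Type: error Category: 0
Event: 1024 Source: MsiInstaller
Product: Microsoft Office Access Runtime (English) 2007 - Update 'Microsoft Office 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603.

Log: 'Application' Date/Time: 17/03/2010 7:41:33 PM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/03/2010 5:55:00 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Application Management service terminated with the following error: The specified module could not be found.
"""

# One VEW record: three header lines, then the message (may span lines).
RECORD_RE = re.compile(
    r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>\d\d/\d\d/\d{4} \d{1,2}:\d\d:\d\d [AP]M)\n"
    r"Type: (?P<type>\w+) Category: (?P<cat>\d+)\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<msg>.*)",
    re.S | re.M,
)
PRODUCT_RE = re.compile(r"^Product: (.+?) -{1,2} ")

def parse_vew(text):
    """Split VEW output on blank lines; search (not match) so a record that
    directly follows a ~~~ section banner is still picked up."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        m = RECORD_RE.search(chunk)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %I:%M:%S %p")
        rec["event"] = int(rec["event"])
        rec["msg"] = rec["msg"].strip()
        records.append(rec)
    return records

def count_by_source(records):
    """How many times each (log, source, event ID) appears."""
    return Counter((r["log"], r["source"], r["event"]) for r in records)

def msi_failures(records):
    """Installer packages that keep failing: the lead for a machine that
    asks to reboot again after every reboot."""
    names = Counter()
    for r in records:
        if r["source"] == "MsiInstaller":
            m = PRODUCT_RE.match(r["msg"])
            names[m.group(1) if m else r["msg"][:60]] += 1
    return names

def find_bursts(records, window_seconds=2, min_count=3):
    """(source, event) pairs logged min_count or more times inside
    window_seconds: a service failing on every start, not a one-off."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["source"], r["event"])].append(r["ts"])
    bursts = []
    for key, stamps in by_key.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append((key, j - i + 1, stamps[i], stamps[j]))
                break
    return bursts

if __name__ == "__main__":
    recs = parse_vew(SAMPLE_VEW_LOG)
    for key, n in count_by_source(recs).most_common():
        print(n, key)
    print("failing installers:", dict(msi_failures(recs)))
    for key, n, first, last in find_bursts(recs):
        print(f"burst: {key} x{n} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against a full VEW paste instead of the sample, the burst check separates a service that dies on every boot from the ordinary one-off errors, and the installer tally tells you which package to repair or uninstall.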
 
sorry for so many posts... as I was looking over that event log, remembered another symptom I am having. When I go to certain websites (always google maps for instance), it starts to try to install a service pack or something related to microsoft office. I have no idea what it is talking about, so cancel out, then the page works fine....

thx
 
Okay, since you left the logs, I looked for anything significant. What I found is that your system isn't secure and has an affinity for Trojans! You get rid of one, then get another! This means 2 things: you need to improve the system security and it's likely that all of the malware hasn't been cleaned:

You go from Vundo to Trojan FakeAlert, which drops Trojan Hiloti. They get removed, then you get either Vundo back again- or it wasn't fully removed- then Trojan Fraudpack. So skip the Event Viewer for now and let's work on the malware first:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Leave the Combofix report and Eset log in your next reply and we'll determine what's next.

In the meantime, I notice you're using QuickBooks. A file in QB was found to have malware. IF you can find this file, do a right click and scan with the antivirus:
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\LPNG.DLL

The log says 'Header'. I'm not sure if it means the Vundo was found in the header of the file.

EDIT: I see you were posting the events while I was working on the logs. Please take MS Office off of Startup. That's about all I can get from those events.
 
I will get right to that when I get back to the computer... it will be late afternoon. Thanks so much for your help, Bobbye! I look forward to getting this thing fixed.

again, I will be checking posts/email, so if anything else comes up, just let me know.

thx
 
wow... this is not going well! :) Sorry it has taken me so long, but I have been trying without success to do your steps.

combofix - downloaded and renamed to Combofix(.exe) At some point it must have renamed itself Combofix(.exe).exe, because after some trouble, I looked at it and noticed that. When I double clicked to run it, the first time it showed a progress bar, then about 30 seconds after that disappeared, a disclaimer message came up, and I accepted, then nothing. Waited a minute or two and tried again... this time the progress bar, but no disclaimer... then nothing. Tried a few times and the same. Tried clicking in the progress bar to get it to freeze. Command window with blue background came up and said this: "'SWSC' is not recognized as an internal or external command, operable program or batch file"... then nothing. Opened Task Manager to see if the task was running in the background... nothing. So tried again. Nothing... however, I was noticing that each time, after the progress bar, the desktop would 'reset' itself. AND the Task Manager would shut down on its own. Moved on.

Eset - had fits getting it to load in explorer. It tried to install active x app several times. Kept accepting, and seemed stuck in a loop. Sometimes the pop up scanner would be blank. Finally got it to open with the actual scanner, but then got this message - "can not get update. Is proxy configured?" I looked at the proxy, but didn't know what to set it to. Sometimes the window came up with "Internet explorer cannot access page" message. Moved on.

Could not find the quickbooks file in the directory.

Was able to remove msoffice from startup... SUCCESS!! (well, 1 out of 4) :)

I will start back with combofix (redownload, etc) and go through the steps again until I hear back from you in hopes that it finally takes. (Between fixing dinner for the kids)

Thanks again for your help.
 
one other thing... my network connection is doing SOMETHING while I couldn't get any of this to work. In the 1 hour my connection has been up, its 'received' over 30meg. Most of it while trying to access the scanner.

thx
 
hey... success... i started over, and downloaded combofix from the other link on that page... renamed it with a dash this time, and tried it. This time I waited a lot longer... about 3 minutes, then the command window finally popped up and ran. I have the log file... I am going to try the other one, then upload both.

Explorer seems especially laggy now.

brb
 
Ok... tried eset again. This time it started to download (after several explorer could not download page errors) and got all the way to 100% on the virus definition update.... then gave "unexpected error 2002" in the scanner explorer window.

I started over, and this time it said it had run before, and it started the virus update at 50%, but kept giving me a proxy error and didn't go further. Can't seem to get past it. It did leave a log, but it doesn't seem complete. I don't think I will get it to work, so I am uploading both the combofix log and the eset log.

Thanks!
 

Attachments

  • ComboFix.txt (15.2 KB)
  • log.txt (822 bytes)
persistence pays off... kept trying eset, and after an hour it finally finished the download and ran. It's still running on the other computer... going very slowly. I'll check on it in the morning, and upload the log file. So far it has only found one infection "Win32/Olmarik.UI trojan"
 
Eset finished its scan. the log file is attached. there was also a new folder created... c:\Qoobox (?) it has another log file in it (combofix quarantine files.txt) Let me know if you want me to upload that too.

will check back in the am.


Thanks!!!
 

Attachments

  • log.txt (2.4 KB)
"c:\Qoobox?"
This is the name of the folder that Combofix puts quarantined files in. So apparently the program ran. There should be a log-
"Let me know if you want me to upload that too."
I need to see it please.

It looks like there was some problem with the Eset updating. I'll know more after seeing the Combofix report.

By the way, if you need to add a comment or change something in your post and there is no reply yet, you can use the Edit feature instead of making a new reply.
 
Thanks, Bobbye.

Busy day! Ok, attached are the following:
  • The eset log file
  • the Combofix log file (located in C:/)
  • The Combofix quarantine file (in C:/Qoobox)
  • The Combofix program list (in C:/Qoobox)

I understand what you are saying... I looked back, and I had left a lot of posts :) I'll be more brief, and use the edit feature.

By the way... I haven't had any more redirects since yesterday.

Looking forward to your next advice.
Thanks!
Tim
 

Attachments

  • ComboFix-quarantined-files.txt (1.5 KB)
  • Add-Remove Programs.txt (4 KB)
  • ComboFix 3-18.txt (15.2 KB)
  • eset log.txt (2.4 KB)
Tim, I understand that you're busy and probably doing these scans in between feeding the kids, but you're actually making more work for yourself.

You don't need to separate the Combofix report. I see everything I need to in the log from the scan. If I write script for any entries in Combofix, then you will be instructed to post the resulting log from that. But I don't need 'qoobox' and add/remove entries broken apart. I also did not request a listing of the Add/Remove programs.

I went back and read your original post again. You are really not describing a 'redirect'. It's more like you've got adware popping up in another Window.
  • "Poor performance." "Laggy opening apps, esp. explorer"> this can be caused by a multitude of things.
  • "Explorer redirects occasionally". Are you referring to Internet Explorer or Windows Explorer? It is not enough to just say 'Explorer.'
  • "Sometimes from google search. Sometimes on its own." If malware is causing a redirect, it is typical to either type a site in the address bar but be 'redirected' to a different site OR type a word(s) in Google search box, choose a site from the hits, but have a different site come up instead.
  • "All redirects are actually a new explorer window that pops up. (original window stays open at correct location)". This is not a redirect. It's more a description of either adware or possibly spyware pop-ups or pop-unders.
  • ".....when closed explorer, (Internet Explorer or Windows Explorer) an error dialog box would pop up. Something like a call error reading memory at a certain location." A referenced memory error can be caused by several things, one of them being as simple as having too many Windows open or programs running at the same time.
  • "After any reboot, computer ALWAYS says it needs to reboot again." The events, all involving Office would indicate a failed installation- for whatever reason.
  • "internet explorer cannot display page". This can be due to a setting problem in Internet Explorer, a server problem from your ISP or a server problem from the site you are trying to access.
Please do the following:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
c:\windows\Bhaqipokidu.bin
c:\windows\Xnago.dat

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Rescan with HJT once more after doing above. Attach new log. IF clean and problem has been resolved, I'll have you remove the cleaning tools and old restore points.

Regarding QuickBooks: you have the following entries:
QBFC3.0>> QuickBooks component used for third party applications (QBFC)
QuickBooks Premier: Professional Services Edition 2004
QuickBooks Premier: Professional Services Edition 2007
QuickBooks Product Listing Service>> QuickBooks Product Listing Service was discontinued with QuickBooks 2007.


If you are no longer using this program and have any information you need saved, I can set up removal for you- let me know.
 
Thanks! (Sorry about the extra log files. I misunderstood.)

Attached is the combofix log file using the CFScript you provided, run this morning. (It appears to have deleted the CFScript after use... I assume that is normal)

Attached is the new HJT log file.

Regarding previous post:
  • Performance: Computer does not seem as laggy. Explorer is on first open, but likely due to being on a wifi network (running a hardline is my next proj)
  • Redirect: You are correct. It was not a redirect. It was always a pop up in a new window. Poor explanation on my part. I have not noticed it doing this now in the past day. (It was pretty regular)
  • I am no longer getting the error on close Internet explorer.
  • Reboot Loop: I guess I will check my Office installation after you think we have fixed everything else. Thanks for pointing that out.
  • IExplorer cannot display page: It could also be due to my weak wifi.
  • Quickbooks: I no longer use QB (haven't for 2 years). I would like to back-up and remove. If you can help me, that would be great. If not, I am sure I can get it done after we are finished with this.

By the way... when internet explorer opens, it says it is not the default browser anymore. I assume that these fixes reset iexplorer? Am I ok to set it as my default?

Thanks again.
 

Attachments

  • ComboFix 3-20.txt (13.2 KB)
  • hijackthis 3-20.log (10.4 KB)
For IE default: Control Panel> Internet Options> Programs tab> Check 'Internet Explorer should check to see if it's the default browser'> Apply> Answer Yes when asked if you want it to be the default> Apply> OK.

The pop-up windows were probably due to the malware that you had. I can't do anything about the low connectivity. Once you get Office installed correctly-OR-not installed, off of startup, those errors will stop.

"Attached is the combofix log file using the CFScript you provided, run this morning. (It appears to have deleted the CFScript after use... I assume that is normal)"

No, this is not normal. The log produced after the fix will show the entries that are deleted. This is not the right log. I'm going to set it up again (I've added some), so follow it and leave me the report after the fix. It doesn't just disappear:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\system32\d3d9caps.dat
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\KSDA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

Folder::
c:\windows\Xnago.dat
c:\windows\Bhaqipokidu.bin
Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
==================================================
Please open HijackThis to 'do system scan only'. Check each of the following if present:
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe


Close all Windows except HJT and click on "Fix Checked."
================================================
Click on Start> Run> type in services.msc> double click on each of the following and set Startup type as shown:
AgentSrv> Disable> Stop the Service
QBFCService> Disable> Stop the Service
QBCFMonitorService> Disable> Stop the Service
================================================
Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck all Intuit/QuickBook entries> when through click on Apply> OK.
================================================
Reboot the computer. NOTE: You will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
=========================================
=========================================
About QuickBooks: you are stopping the QuickBook entries from running above. This does not remove any of the content, so all the backups will still be available.
You can notice from the above processes that I'm having you stop that you have been running, loading and updating QuickBooks for the 2 years you haven't been using the program! Good wake up call to check Add/Remove Programs in the Control Panel and uninstall any programs you no longer use.
======================================
This is separate from the fix above: To do when you can- not part of this cleaning:
Here are some of the QuickBook files and folders. I left original dates in when given. You can use this to find and back up what you want. When you have finished with the backing up, run Combofix again and I'll write script to remove all the files and folders. I don't want to do that now as you would lose all the information:
Entries to look for backups:
c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2008-01-11 20:32: c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2008-01-19 17:02 c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2
c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
QuickBooksDB17;
c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB17


__________________
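The services step above works from the HijackThis O23 lines, which carry two different names for each service: the display name that services.msc shows (for example "Connected Agent Service") and, in parentheses, the short service name (AgentSrv) that sc.exe and the list in the post use. Looking for one kind of name in a tool that shows the other is an easy way to miss a service. As an added example, not part of this thread and not part of HijackThis, the Python below parses O4 and O23 lines into both names plus the image path, maps display names to service names, emits the sc commands that would stop and disable each service (as text for review, nothing is executed), and points out 8.3 short paths like C:\PROGRA~1 that need expanding before you hunt for the file. The sample lines are the ones quoted in the post plus one hypothetical HKLM Run entry (ExampleUpdater) that is not from the posted log; the assumption that a single unparenthesised name means display name and service name are identical is mine.

```python
import re

# Constructed sample: the O4/O23 lines quoted above plus one hypothetical
# HKLM Run entry (ExampleUpdater), which is not from the posted log.
SAMPLE_HJT = r"""
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
"""

# O23: "Service: <display name> (<service name>) - <company> - <image path>".
# The parenthesised service name is optional; QuickBooksDB17 shows none.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<company>.+?) - (?P<path>.+)$"
)
# O4 comes in two shapes: a Startup-folder shortcut ("x.lnk = target")
# and a Run-key value ("[value name] command line").
O4_LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<entry>.+?) = (?P<command>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<where>HK\w+\\\.\.\\Run(?:Once)?): \[(?P<entry>[^\]]+)\] (?P<command>.+)$")

def parse_hjt(text):
    """Turn O4/O23 lines into dicts; other HJT sections are ignored."""
    entries = []
    for line in text.strip().splitlines():
        m = O23_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append({
                "kind": "service",
                "display": d["display"],
                # Assumption: when HJT prints a single name, the display
                # name and the service name are the same string.
                "name": d["name"] or d["display"],
                "company": d["company"],
                "path": d["path"],
            })
            continue
        m = O4_LNK_RE.match(line) or O4_RUN_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append({"kind": "startup", "where": d["where"],
                            "entry": d["entry"], "command": d["command"]})
    return entries

def display_to_name(entries):
    """services.msc lists the display name; sc.exe and net stop want the
    service name. This map lets you find one from the other."""
    return {e["display"]: e["name"] for e in entries if e["kind"] == "service"}

def disable_commands(entries):
    """sc.exe commands to stop and disable each listed service. Returned as
    text for review; nothing is executed. sc requires the space after 'start='."""
    cmds = []
    for e in entries:
        if e["kind"] == "service":
            cmds.append(f'sc stop "{e["name"]}"')
            cmds.append(f'sc config "{e["name"]}" start= disabled')
    return cmds

def short_name_paths(entries):
    """Image paths written in 8.3 form (PROGRA~1, QUICKB~2). Expand them
    before hunting for the file in Explorer or scanning it."""
    return [e for e in entries if e["kind"] == "service" and "~" in e["path"]]

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    for display, name in display_to_name(entries).items():
        print(f"services.msc shows {display!r}; sc uses {name!r}")
    print("\n".join(disable_commands(entries)))
    for e in short_name_paths(entries):
        print("8.3 path, expand first:", e["path"])
```

The generated sc lines are the command-line equivalent of the services.msc step in the post; review them against the display-name map before pasting them into an elevated prompt.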
 
Combofix - created new script and saved to desktop, dragged it to the Combofix icon as shown. During one of the stages in the combofix's window, the windows desktop disappears for a while. When it reappears, the CFScript.txt file is gone. Attached is the C:/Combofix.txt. (FYI - both this morning, and this time, combofix says there is an update... I click yes to have it update... not sure if that is an issue... seems to run normally after)

HJT - did the scan, selected files you mentioned, and clicked fix. After it ran, it asked to reboot the computer, and I clicked yes.

Services.msc - Did not see Agentsrv or the other two quickbooks you mentioned. I did see an Intuit and two other Quickbooks listings which I disabled.

Msconfig - could not find any QB (or Intuit) entries... was very diligent in looking for them.

Yes, after this is done, I would appreciate your help in removing QB. Thanks.
 

Attachments

  • ComboFix.txt (13.5 KB)
Good! IF you look at the Combofix log now, you will see a section at the top named "Files" and another named "Other Deletions"- these are the entries I had you move in the fix.

There are still 2 entries that refused to be addressed:
c:\windows\Bhaqipokidu.bin
c:\windows\Xnago.dat


I did some more searching for Xnago and found:
Domain Name: XNAGO.COM
Registrar: MONIKER
Registrant [2067250]:
JP Net
BidoDotComBIIHH, PO BOX 58138,1 Salt Lake City, UT, 84158-1381, US

But there is no further information available. Does this domain mean anything to you? I still couldn't find anything on Bhaqipokidu- does that mean anything to you? Both of these entries are for 2/20/2010

When we write script and the directions are followed, the fix either does what we tell it to or gives a notice that the file or folder couldn't be found. Neither of the logs after running the script tells me either. So I'm going to set it up once more, with an additional entry and change its type. Please follow the directions exactly:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\Xnago.dat
c:\windows\Bhaqipokidu.bin

Folder::

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F13\3&61aaa01&0\LogConf]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

NOTE: when you run Combofix again after dragging the script into it, if you get a notice of update, don't update.
__________________
 
Hi Bobbye,

Regarding Xnago and Bhaqipokidu... They don't mean anything to me... not sure what they are from. I checked my calendar to see what I would have been up to that day. It doesn't ring a bell at all.

I promise I followed the directions exactly... closed ALL open windows/browsers/etc... suspended norton AV (and superantispyware)... placed scripts on desktop. It DID ask to update, but I clicked no. It ran as usual. this time the desktop disappeared somewhere between stage 50 and it writing the log. In looking at the log, it does appear to have done something with those two files, but again, the script file is gone.

Attached is the log file.

Thanks again :)
 

Attachments

  • ComboFix.txt (12.7 KB)