C:\WINDOWS\wml.exe

Status
Not open for further replies.
Errors Under Event Viewer

I still am waiting to Download the update for Windows as you suggested. It states that it will take 1 hour to perform [I will perform such action when I go to sleep in the next hour]. Nonetheless, here is what I found.

I now will post Errors in the Event Viewer as you suggested (the spacing did not come out as I planned, but you get the idea):

Event ID Source
6 ACPI
7 cdrom
101 Automatic LiveUpdate Scheduler
137 Ntfs
1000 Application Error
1002 Application Hang
1002 Dhcp-Client
1048 LSM
3003 Windows Defender
4345 Servicing
4385 Servicing
4609 EventSystem
5007 WerSvc
6008 EventLog
6161 Print
7000 Service Control Manager Eventlog Provider
7001 Service Control Manager Eventlog Provider
7009 Service Control Manager Eventlog Provider
7026 Service Control Manager Eventlog Provider
7031 Service Control Manager Eventlog Provider
8194 VSS
10005 DistributedCOM
10005 MsiInstaller
10610 DistributedCOM
11904 MsiInstaller
 
Let's give this a shot. 2 options for you to try:

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

• Double-click FixPolicies.exe
• Click the Install button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
------------------------------------------------------------------------------------------------------

Hold your windows key on keyboard and press R --> type in regedit

Then go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Look for the entries NoDispAppearancePage and NoDispBackgroundPage. If they have 1 as their values, set them to 0.

--------------------------------------------------------------------------------------------------
 
I held the Windows key and pressed R on the keyboard. I typed in regedit. I then saw HKEY_CURRENT_USER (which I assume is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System). I did not see any entries for NoDispAppearancePage or NoDispBackgroundPage. What I believe is an entry has an icon with ab on it and it says (Default). Under Type, it says REG_SZ and under Data it says (value not set). Folders under HKEY_CURRENT_USER are as follows:

AppEvents
Console
Control Panel
Environment
EUDC
Identities
Keyboard Layout
Network
New Key #1
New Key #2
New Key #6
New Key #7
Printers
SessionInformation
Software
System
TYPELIB
Volatile Environment

I also tried FixPolicies. I performed all actions you requested, but I do not see a change. I still have a black background and all my pictures in my picture folder(s) are empty (you have to physically click on the picture to view it).

Furthermore, I ran Trend Micro AntiVirus an hour ago and there were 23 viruses on my CPU. Just thought I'd tell you that.

On a final note, my Windows Security Center periodically informs me that my UAC is still turned off. Should I turn this back on?
 
Quazze said:
I held the Windows key and pressed R on the keyboard. I typed in regedit. I then saw HKEY_CURRENT_USER (which I assume is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System). I did not see any entries for NoDispAppearancePage or NoDispBackgroundPage. What I believe is an entry has an icon with ab on it and it says (Default). Under Type, it says REG_SZ and under Data it says (value not set). Folders under HKEY_CURRENT_USER are as follows:

AppEvents
Console
Control Panel
Environment
EUDC
Identities
Keyboard Layout
Network
New Key #1
New Key #2
New Key #6
New Key #7
Printers
SessionInformation
Software
System
TYPELIB
Volatile Environment

I also tried FixPolicies. I performed all actions you requested, but I do not see a change. I still have a black background and all my pictures in my picture folder(s) are empty (you have to physically click on the picture to view it).

You need to expand the Software folder, then the Microsoft folder, etc., till you get to the key I listed above.


Quazze said:
Furthermore, I ran Trend Micro AntiVirus an hour ago and there were 23 viruses on my CPU. Just thought I'd tell you that.

On a final note, my Windows Security Center periodically informs me that my UAC is still turned off. Should I turn this back on?

Yes, turn UAC back on. Did you check the paths of what Trend AV found? It could have been in old restore points or the quarantine of other removal tools; we have not cleaned all that up yet.
 
I apologize. I did not check the paths of what Trend AV found (I wasn't thinking straight). I'll run it again and see if anything comes up.

I did turn UAC back on.

I also followed the path of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ... but there was nothing inside the System folder (except that default thing I mentioned previously).
 
Virus Log

Virus Log is attached. I thought Trend AV automatically deleted these files, but apparently not since no action was taken. Do I need to manually delete these files? If so, what is the best way to approach this?
 
No big deal there, just navigate to the following folder and delete it.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2



clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
System Restore Point ...

Blind Dragon,

Just as I had problems a few days ago uninstalling ComboFix, again I could not get it uninstalled by typing in ComboFix /u in the Run box. However, when I used OTMoveit2 by Old Timer, ComboFix [among other things] was removed. Once the computer rebooted itself, my background black screen was gone and my original picture was set in place. Also, all pictures in my picture folder seem perfect for automatic viewing now [since this was a problem before]. Great job!

_______________________________________
Next, I went to System Restore to create a restore point. The only options it will provide are the following:

Recommended Restore: Select this option to undo the most recent update, driver, or software installation if you think it is causing problems.
4/11/2008 4:14:14pm Install: Windows Update
Current time zone: Pacific Daylight Time

Choose a different restore point.

_______________________________________

Right below these two options there is also a line that states, "To create a restore point, open System Protection." If I click on the "open System Protection", it has a line at the bottom of the window that reads, "You can create a restore point right now for the disks selected above" and C: has an automatic checkmark on it.

I didn't want to mess anything up and wanted your clarification before I continued onward.
 
Yes, you want to create a restore point right now for C:.

In addition, we should re-hide protected files.

Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
 
Greetings,

Everything in regard to your directions was smooth with the exception of "Display content of system folders" under the Start > My Computer > Tools menu > Folder Options > View tab. I did not see this option.

I also created a new system restore point and followed your directions to delete all other points as you suggested (cleanmgr).

In addition, before doing that, this morning I ran a new Trend AV scan and it found 23 Spyware files but 0 Viruses, which is good. Trend Micro Anti-Virus did not give me any options to remove the Spyware nor did it give me information on what they were or where they were located. It is probably not important, but just something I wanted to point out to you.

Other than that, everything seems to be looking good. What are your thoughts?
 
Let's see if you can do this scan; let me know if it finds and removes anything.

Trend Micro Housecall Free Online Scanner

  • It's one of the very few online scanners that will actually disinfect viruses etc.
  • First Open Internet Explorer
  • Go to Trend Micro's Housecall website which can be found HERE
  • Click on the link that says "Scan now. It's Free"
  • A new tab will open where you will have to tick a box to agree to the terms of service.
  • Click "Launch House Call"
  • Follow any additional on screen instructions
  • Select any infections then Fix Checked after the scan
 
It would appear that everything is in perfect working condition and Trend Housecall was able to pick up and erase the spyware and 1 virus it found. It also gave me a free 2 month subscription.

I think I made a mistake when downloading Housecall because it removed my previous subscription and program of Trend Micro AV. I tried reloading my Trend Micro AV but it keeps telling me that another version was detected and that I need to restart my computer [and if you restart your CPU, upon reboot, the start up will automatically appear]. This is not the case because when I reboot as it suggests, I am not prompted to do anything afterward.

I think after the two month subscription, I will just remove Trend Micro Housecall Free Online Scanner and then reload my previous Trend Micro AV 2007 software that I have [since that subscription ends September 2008].

Other than that, everything seems to be working great.
 
Housecall is just an online scanner, no real time protection

I would recommend you uninstall Housecall and reinstall Trend AV 2007.
 
Thank you so much for all your assistance through this trying time. Is there any way I can repay you?
 
Just knowing that you appreciate the help is good. Also, making sure to follow the advice I have given to keep yourself safe.

1 anti-virus
1 firewall
and multiple anti-spyware programs
keep everything up to date and scan regularly.

If you do have any more issues please let me know.

Regards,

BD
 
Just a quick note:

When using Trend Micro Housecall, it keeps collecting a series of particular cookies in my Cache that it considers Spyware. They are as follows:

Cache\mediaplex.com, cache\atdmt.com, cache\advertising.com, cache\doubleclick.net, cache\revsci.net and cache\zedo.com

I do not visit any adult sites or any other malicious websites that would produce something like this. Websites I had visited in the past three hours that might have produced these spyware threats are: www.cnn.com, www.ebay.com, www.weather.com, www.yahoo.com, www.google.com, www.techspot.com, www.hsx.com, www.hotmail.com and www.aol.com

I am sure these quasi threats are not a big deal and pose no true harm. Trend Micro Housecall was able to successfully remove them. But when I remove Housecall from my computer later on today and reinstall my Trend Micro AV 2007, am I going to be vulnerable again?

I do have my Firewall up
I do have my Trend AV
And I still have Malwarebytes Anti-Malware installed.

What multiple anti-spyware programs do you suggest?
_________________

Edit: After having written the post above, I ran another Trend Micro Housecall and it picked up 5 more spyware programs and safely removed them. However, I had not visited any websites with the exception of this one. Actually, I did nothing except write the post above and walked away from the CPU for 5 minutes; I ran a scan out of curiosity and found it picked up most of the same spyware listed above. Any thoughts?
 
You will pick up those very popular cookies even by visiting us here at TechSpot. Usually you will see Tribalfusion ones from here. My suggestion:

First of all, only use Internet Explorer if you absolutely have to. Here are 2 more secure browsers to choose from:
1)Firefox -> http://www.mozilla.com/en-US/firefox/
2)Opera -> http://www.opera.com/

Second, if you are going to use Internet Explorer:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
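An added audit script, not part of the thread or of any tool mentioned in it, that checks in one pass the registry settings behind three of Blind Dragon's instructions: the NoDispAppearancePage/NoDispBackgroundPage values under Policies\System, the Folder Options settings, and the Internet Explorer Internet-zone custom level above. The Explorer\Advanced value names and the zone action ids are assumed from Microsoft's documentation, not taken from the page; the script only reads and reports.

```powershell
# Added example (not from the thread): read-only audit of the registry settings behind
# the manual steps recommended in this thread. Run as the user whose profile is affected.
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'            # policy restrictions
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'          # Folder Options > View
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # IE "Internet" zone

# Assumed from Microsoft documentation, not from the page: the Explorer\Advanced value names
# and the zone action ids (1001 etc.), whose data means 0 = Enable, 1 = Prompt, 3 = Disable.
# The two policy values are also fine when absent, so they carry AbsentOk.
$checks = @(
    @{ Path=$pol;  Name='NoDispAppearancePage'; Want=0; AbsentOk=$true; What='Appearance page not hidden by policy' },
    @{ Path=$pol;  Name='NoDispBackgroundPage'; Want=0; AbsentOk=$true; What='Background page not hidden by policy' },
    @{ Path=$adv;  Name='Hidden';          Want=2; What='Do not show hidden files and folders' },
    @{ Path=$adv;  Name='ShowSuperHidden'; Want=0; What='Hide protected operating system files' },
    @{ Path=$adv;  Name='HideFileExt';     Want=0; What='Show file extensions for known file types' },
    @{ Path=$zone; Name='1001'; Want=1; What='Download signed ActiveX controls = Prompt' },
    @{ Path=$zone; Name='1004'; Want=3; What='Download unsigned ActiveX controls = Disable' },
    @{ Path=$zone; Name='1201'; Want=3; What='Initialize and script ActiveX not marked as safe = Disable' },
    @{ Path=$zone; Name='1800'; Want=1; What='Installation of desktop items = Prompt' },
    @{ Path=$zone; Name='1804'; Want=1; What='Launching programs and files in an IFRAME = Prompt' },
    @{ Path=$zone; Name='1607'; Want=1; What='Navigate sub-frames across different domains = Prompt' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the stored value, or $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Settings([object[]]$Checks) {
    # Emits one result per check; Ok is $false for anything that differs from the recommendation.
    foreach ($c in $Checks) {
        $have = Get-RegValue $c.Path $c.Name
        if ($null -eq $have) { $ok = [bool]$c.AbsentOk; $shown = 'absent' }
        else                 { $ok = ([int]$have -eq $c.Want); $shown = $have }
        [pscustomobject]@{ Setting = $c.What; Value = $c.Name; Have = $shown; Want = $c.Want; Ok = $ok }
    }
}

$results = Test-Settings $checks
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) setting(s) differ from the recommended values; review them before changing anything." }
```

Because the script never writes to the registry, it can be rerun after each manual step to confirm the dialog actually changed the value it was supposed to.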
 