IBM Thinkpad G41 running XP

Malware showed up yesterday. Fake antivirus popup claimed application can not be executed. Saw three different popup windows, tried clicking out/dismissing the popups but they kept coming back. Then it started Internet Explorer and tried to access some porn site. Shut it down. Disconnected from network.

Restarted and tried running Spybot. While it ran, these popups kept appearing every few seconds. Spybot takes 3 hours to run, for a while I kept dismissing popups but gave up. When Spybot finished, it showed one red thing. It would not let me start the fix process, it just beeped when I tried clicking on Fix.

Tried a system restore to an earlier date. No better.

Tried running Spybot from command line with /autoupdate and /autofix /onlyspyware, it starts but can not finish, the PC shuts off.

Tried this a number of times, it boots, program starts, PC shuts off.

Tried a number of times to get into Safe Mode. Usually PC shuts off after it fllls the screen with the page showing a list of drivers.

Changed the BIOS date back a year and was able to boot to Safe Mode. Was able to start Spybot, it ran for a minute, maybe two, and then the PC shut off.

Now using an old 98 PC to go online and search for help.

This morning I found this forum. I see others had similar infection but have not seen anyone with the PC-shutting-itself-off symptom.

As soon as I can figure out what DDS means, I will try to find (?) it, download (?) it, and see if I can get the laptop to run long enough to run it.
---------------------------------
Hello scooperman,


As soon as I can figure out what DDS means, I will try to find (?) it, download (?) it, and see if I can get the laptop to run long enough to run it.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Post #2. Hope that helps. :)

Best regards.
-------------------------------------
yes that helped.

Sometimes it stays on longer than a couple minutes. I am on it right now so I am typing fast. Want to get these uploaded.

DDS instructions said to zip the text files and attach, hope it works.

In advance, thank you for any assistance.

DDS (Ver_10-03-17.01) - NTFSx86
Run by JR at 14:24:57.41 on Thu 06/24/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.619 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
E:\PEACHT~1\PeachtreePrefetcher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Documents and Settings\JR\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [TrackPointSrv] tp4serv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UC_SMB]
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [QuickTime Task] "E:\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [Prolific_OneButton] c:\program files\usbfast\OneBtn.exe
mRun: [PeachtreePrefetcher.exe] "e:\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - e:\msoffi~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\msoffi~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: QConGina - QConGina.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli pwdmon
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jr\applic~1\mozilla\firefox\profiles\nizs9fet.default\
FF - plugin: e:\plugins\npqtplugin.dll
FF - plugin: e:\plugins\npqtplugin2.dll
FF - plugin: e:\plugins\npqtplugin3.dll
FF - plugin: e:\plugins\npqtplugin4.dll
FF - plugin: e:\plugins\npqtplugin5.dll
FF - plugin: e:\plugins\npqtplugin6.dll
FF - plugin: e:\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
e:\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\firefox\greprefs\all.js - pref("network.proxy.type", 5);
e:\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
e:\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
e:\firefox\greprefs\all.js - pref("html5.enable", false);
e:\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ASMBATT;ASMBATT;c:\windows\system32\drivers\ASMBATT.SYS [2008-9-19 4992]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2008-9-19 16384]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
R2 PEDRV;P&E Microcomputer System PCI Driver.;c:\windows\system32\drivers\pedrv.sys [2000-8-3 23296]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13904]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-6 30192]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2008-9-22 10379]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2009-7-6 9728]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2009-7-6 9984]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2008-9-19 12288]

=============== Created Last 30 ================

2010-06-23 22:17:22 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-06-24 13:01:00 90112 ----a-w- c:\windows\DUMP4016.tmp
2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2009-07-06 15:35:27 1990640 ----a-w- c:\program files\GoogleDesktopSetup.exe
2009-06-29 14:15:07 1951432 ----a-w- c:\program files\ppviewer.exe
2008-10-07 15:35:50 20 --sha-w- c:\windows\WINPROD.DLL
2009-08-26 22:53:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082620090827\index.dat

============= FINISH: 14:26:55.84 ===============

Hello,

Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab, uncheck files option and then click scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Copy-paste also contents of fresh dds.txt log.

I tried twice. The first time, it stayed ON long enough to download and start GMER, it ran for a minute and then BSOD with "IRQL_NOT_LESS_OR_EQUAL" error. The second time, after it booted it wanted to report errors to Microsoft so I hooked up the cable and let it do so. Then I started the downloaded exe again and it seemed to be running OK, but of course after a couple of minutes the PC shut down, that's what it does now. Unless someone can tell me how to keep it powered up, I won't be able to run anything that takes more than a couple minutes.

I have looked for BIOS options that might have anything to do with turning off the PC but can't find anything abnormal looking. I used the blue button to check the Thinkpad configuration options, even changed the power management to a setting for never going into a power-saving or sleep mode, and it still shuts off a few minutes after power-up.

Another thing. I don't type quickly. This post editor logs me off before I get my post written. Can I change the timeout setting?

Last week after this started, I tried to do a Windows update but was unable to find IE anywhere on this PC. I tried accessing Microsoft with Firefox but it refused to play, insisted I must use IE. I did a soft shutdown and the Windows popup saying it was doing an update showed up, so I let it do its thing. It took a long time, maybe 30 minutes.

This morning I was doing what you asked, booted up the laptop, download GMER, run it, it shuts off. Repeat, tried running a couple more times, it powered off. Then I noticed that IE was back. So after a few tries/fails with GMER what the heck I used IE to access Microsoft and had it send the latest updates.

Next boot, it would get as far as the Welcome screen and then shut off. A couple of times I saw a flash of an error message and then it would power off. The message would say "the requested operation was..." and then it was gone before I could read the rest.

For an hour and a half, I tried booting, and it never made it to XP, shut off during boot. (Still can't safe boot, that shuts off too.) Eventually I gave up and threw in the XP cd and tried a cd boot. It did some loading and said it would start Windows, and then of course it just powered off. Then more boot attempts without CD, would not finish, powered off same as before. Tried the cd with the F2 option, got to a screen which looks DOSish, typed HELP to see what was there. I didn't want to mess with stuff I didn't understand but the SCAN option for BOOTCFG seemed safe so I tried that and ... it powered off.

Now at about 2 hours of unfinished boots, finally it booted to XP and I quickly hit Task Manager to see if I could recognize anything, watched that for a bit as the screen refreshed a few times, didn't see anything useful to me.

Hit the Access IBM icon. This is similar to hitting the blue keyboard button during boot, but in Windows it looks prettier and seems to have some more functions. I went looking for hardware configuration, anything that might affect power down, or battery saving, of hibernate, and I seemed to get it into a higher-power mode, the screen is brighter and I told it to never hibernate.

The PC has stayed on now for a whopping ten minutes. So I am trying GMER again and it is running. Net post I will let you know if it finished.

Hi,

Please try to run gmer by having just sections checked (in safe mode if needed).

GMER started with all the boxes checked. I did not see your previous instruction to leave "Files" unchecked, I did see the instruction to not check the "Show All" box.

It has been running for 3 hours now. Do you want me to stop it and change to just "Sections" or let it run?

If it takes much longer (shouldn't take hours) try with sections only.

I let it run for another hour and then gave up. It had not finished the C drive.
I unclicked all the boxes except for Sections, and restarted it.

The previous attempt to run GMER was showing about a dozen lines of text in its screen when I told it to stop. I re-ran it with only Sections selected, after half an hour it finished. Only one line of text showing. I tried Copy to clipboard and then opened Notepad, it opened and I pasted, but when I attempted to save the text file everything died, Notepad froze. I figured the information was still in the paste buffer so I attempted to get online, and this froze, could not connect to the internet.

In the GMER screen I see this:
Type: Init
Name: C:\\WINDOWS\System32\Drivers\PEDRV.SYS
Value entry point in "init secton (0B986CE00)

I need to shut down now and go home, will be back in the morning.

Restarted, one more attempt, ran DDS before going home. Just attached dds.zip and attach.zip.

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

1. here is ComboFix.txt
2. I will reply with new dds output next.

1. attached are the zipped dds output files

2. my first impression is that ComboFix must have done something good. Formerly, after pressing a key or moving the mouse you had to wait to see if anything would happen. Laptop is responding to keys and mouse normally. Clicks to start programs (e.g. the browser) respond rapidly.

3. a note: the how-to instructions for ComboFix at bleepingcomputer have a link to download a zipped tool to remove TeaTimer. The link is broken, gives 404 error. I used another PC to search around, could not find it, found most people gave up and just uninstalled Spybot before trying to run ComboFix, so that's what I did, I uninstalled Spybot before running ComboFix.

4. while I wait for responses from you, I could be learning more about how to protect my PC once you believe the bugs are gone. If you could recommend a site or resource for me to study, please do so.

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:



DirLook::
c:\windows\system32\%commonprogramfiles%



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Ran the CFScript thing with ComboFix. I did the Adobe and Java uninstalls, I did the new Java install. Did not install Acrobat. (Is there any way I can run my PC without this Java stuff?) Ran ATFCleaner. Started Kaspersky Online Scanner. After 5 hours it was only 40% finished and I had to leave. I left it running overnight. This morning when I arrived there was nothing on the screen except the desktop, no programs running. How can I determine if KOS finished, where would I find its report?

Hi,

Did you have any other programs running there? I wonder if the system rebooted itself at some point during the process. Kaspersky online scanner won't store log anywhere without user commands.

I'd suggest defragging the hard drive and then running Kaspersky scanner again.

no other programs were running. I am trying to do nothing on this PC, except what you tell me to do.

I will defrag and Kaspersky again. Hope it goes faster this time. When it started yesterday, it took a long time to download stuff, and it got slower and slower as it neared completion of its download. Maybe 2 hours to download. It seemed to be running OK, and was showing that it had found bad stuff, when I left.

Ok. Let me know if same thing happens again with Kaspersky and we'll try something else.

Took 2+ hours to defrag C, only 22% free. So I uninstalled some stuff I never use. Then I uninstalled the new Java and reinstalled it on my E: partition to try to get back a little C drive space. Then started Kaspersky scan, it took over 7 hours.

Attachments:

DDS.txt
Attach.zip
ComboFixlog.txt
Kas_scan.txt

Again, thank you for your patience, expertise, and assistance.

Hi,

Can't see Kaspersky report attached.

now uploading the scan

5299

Hello again,

Delete these files if found:
C:\Documents and Settings\JR\Application Data\Sun\Java\Deployment\cache\6.0\1\3df62381-76fa5895
C:\Documents and Settings\JR\Application Data\Sun\Java\Deployment\cache\6.0\23\5d65b6d7-2915a709

Check suspicious looking emails in these boxes and delete if found any:
C:\Documents and Settings\JR\Application Data\Thunderbird\Profiles\4fwcyvjw.default\Mail\mail.vigproducts-1.com\Sent
C:\Documents and Settings\JR\Application Data\Thunderbird\Profiles\4fwcyvjw.default\Mail\mail.vigproducts.com\Inbox
C:\Documents and Settings\JR\Application Data\Thunderbird\Profiles\4fwcyvjw.default\Mail\mail.vigproducts.com\Sent

Any issues left?

you said:
"
Delete these files if found:
C:\Documents and Settings\JR\Application Data\Sun\Java\Deployment\cache\6.0\1\3df62381-76fa5895
C:\Documents and Settings\JR\Application Data\Sun\Java\Deployment\cache\6.0\23\5d65b6d7-2915a709"

OK, deleted.

"
Check suspicious looking emails in these boxes and delete if found any:
C:\Documents and Settings\JR\Application Data\Thunderbird\Profiles\4fwcyvjw.default\Mail\mail.vigproducts-1.com\Sent
C:\Documents and Settings\JR\Application Data\Thunderbird\Profiles\4fwcyvjw.default\Mail\mail.vigproducts.com\Inbox
C:\Documents and Settings\JR\Application Data\Thunderbird\Profiles\4fwcyvjw.default\Mail\mail.vigproducts.com\Sent"

I assume these folders are the folders where Thunderbird puts my email. I have two email accounts so maybe that's why there are two Sent folders in your list. I will start reviewing and deleting now.

"Any issues left? "

The laptop was on for a couple days, never powered off, while trying to get all those scans done. Last night I powered it off. Today on power up, I get an official-looking popup pointing to the taskbar suggesting that my antivirus was turned off and asking me if I wanted to fix it, click here. I did not click it, the original infection popup looked just like that. In fact, I have no current antivirus tool on this pc, so maybe its really just a Windows detection thing and its OK.

In fact, I have no current antivirus tool on this pc, so maybe its really just a Windows detection thing and its OK.
Yes, that would explain it. I've included some antivirus protection suggestions below among some other things.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

I printed out your post, I will do the steps you mentioned.

It booted with an error that it could not run PeachtreePrefetcher.exe .
First thing I did after boot was to go online to look for your latest post. Yesterday, Firefox installed an update. This morning, Firefox started up with an error screen, saying it was having troubles recovering my windows and tabs, it wanted to know if I wanted to continue with my previous session or start a new one, I started new.

Last night, I recall shutting down the PC normally, and then shutting off the AC power strip. The AC strip also powers the Ethernet hub. This morning the laptop battery was dead, no juice. That never happened before.

1. System Restore off/reboot/on done.
2. uninstall ComboFix done.
3. OTC Cleanup done.
4. updating Windows what a PITA. Won't run from Firefox, must use IE. I never use IE and would uninstall it if that were possible. So I have to get IE first. Downloaded IE8 update, then when I tried to start it Microsoft complained about something called the Drive Letter Access add-on, said it was not compatible. I have no idea what that does. Clicked on something that allowed IE to run. All of your Tools Options were already selected. Note no "sub-frames" in the list, just "frames".
5. updated Windows. Allowed all updates except Microsoft .NET Framework update. Microsoft .NET Framework is not installed on this computer.
6. Office update: Microsoft included an Office update in the previous "update Windows" step.

This afternoon I will move on to the "keep clean" steps in your list.

Allowed all updates except Microsoft .NET Framework update. Microsoft .NET Framework is not installed on this computer.
There may be some programs that trigger .NET update offer. I'd install all important updates offered.

antivirus and firewall installed. The PC has been running well now for 3 days, except for the Peachtree accounting program is still zorched. I will reinstall it from CD.

I think you fixed it. Thank you.

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.