
View Full Version : Virus/Malware Problems



bbmoon
2011-04-12, 02:26
I am having virus problems with my computer.
I am running Windows XP.
I am using Avast Antivirus. (unable to update due to infection)

I have run Combofix with support help from my internet provider. Combofix did help and support claimed I was cured. But, something is still wrong.

Malwarebytes found "Hijack.Start me".
Spybot S&D found "Click.GiftLoad" and "Right Media".

Current Problems:
Antivirus will not update.
Windows Security all showing off (and unable to turn on)- Firewall Off, Automatic Updates Off, Virus Protection Out of Date.

After boot up I get a window with the following: "One of the files containing the systems registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

Thanks for your help.

DDS information below.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Elizabeth at 19:15:58.26 on Mon 04/11/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1436 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Elizabeth\Local Settings\Temporary Internet Files\Content.IE5\HOQAIUZU\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161244032125
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170353015125
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - file:///C:/Program%20Files/InterCAP/ActiveCGM/ActiveX/Acgm.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\elizab~1\applic~1\mozilla\firefox\profiles\ekpaoktg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
FF - component: c:\documents and settings\elizabeth\application data\mozilla\firefox\profiles\ekpaoktg.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - plugin: c:\documents and settings\elizabeth\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\elizabeth\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\elizabeth\application data\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2008-11-12 971232]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2007-1-30 180074]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-11 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-11 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-11 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-11 42184]
S0 avxyleb;avxyleb;c:\windows\system32\drivers\tugjlow.sys --> c:\windows\system32\drivers\tugjlow.sys [?]
S0 yunklug;yunklug; [x]
S1 sffgmxbw;sffgmxbw;\??\c:\windows\system32\drivers\sffgmxbw.sys --> c:\windows\system32\drivers\sffgmxbw.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-29 136176]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-03 03:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 01:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-70SGB0 rev.20.06C04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A5C4AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000005b[0x8A59F6C8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8A55BB00]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1a; MOV DI, 0x61a; PUSH DI; MOV CX, 0x1e6; REP MOVSB ; RET ; MOV SI, 0x7ae; MOV CL, 0x5; CMP BYTE [SI+0x4], 0x77; JZ 0x2c; ADD SI, 0x10; }
user != kernel MBR !!!
copy of MBR has been found in sector 1 !
.
============= FINISH: 19:20:54.10 ===============
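
The DDS log above already contains the indicators an analyst would pull out by hand: three boot-start drivers with random names whose files the tool cannot read (the trailing [?] and [x]), a Run entry for "qttask .exe" with a space before the extension, Firefox keyword.URL pointed at search-go.net with a second user_pref() smuggled into user.js, and Gmer's "user != kernel MBR" verdict. The script below is an added example, not part of the original thread and not DDS's own code: it reads DDS-style lines and flags those patterns. The SAMPLE lines are copied from this log; the severity labels, the SEARCH_PREFS set and the TRUSTED_SEARCH list are assumptions.

```python
"""Flag the kinds of indicators a DDS log exposes: boot-start drivers whose
file is missing or unreadable, Run entries whose binary name hides a space
before the extension, hijacked Firefox search prefs, and Gmer's
"user != kernel MBR" verdict.  Added example, not DDS's own code."""
import re
from urllib.parse import urlparse

# Service/driver line: "<R|S><start> <name>;<display name>;<path> [status]"
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
# Autorun line: "uRun/mRun/dRun[Once]: [<value name>] <command line>"
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[([^\]]+)\] (.*)$")
# Firefox pref line from prefs.js or user.js
FF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")

# Prefs that decide where address-bar searches go (assumed list).
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl", "browser.startup.homepage"}
# Hosts that legitimately appear in those prefs on this machine (assumed list).
TRUSTED_SEARCH = {"google.com", "www.google.com", "www.bing.com", "search.yahoo.com"}


def _exe_from_run(cmd: str) -> str:
    """Pull the program path out of a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]   # e.g. RUNDLL32.EXE <dll>,<entry>


def triage(lines):
    """Return (severity, line, reason) tuples for every suspicious line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            _kind, start, name, _display, rest = m.groups()
            # DDS prints [?] when it cannot read the file and [x] when no path
            # is registered at all; a boot-start driver in that state is a
            # classic rootkit stub (it loads before any AV can look at it).
            if rest.endswith("[?]") or rest.endswith("[x]"):
                when = "boot/system-start" if start in "01" else "auto-start"
                findings.append(("high", line,
                                 f"{when} driver '{name}': file missing or unreadable"))
            continue
        m = RUN_RE.match(line)
        if m:
            base = _exe_from_run(m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1]
            # "qttask .exe": whitespace before the extension means the real
            # binary was renamed and something else took its place.
            if re.search(r"\s\.[A-Za-z0-9]+$", base):
                findings.append(("medium", line,
                                 f"Run entry '{m.group(1)}' launches '{base}': space before extension"))
            continue
        m = FF_RE.match(line)
        if m:
            pref, value = m.groups()
            # A value that closes the string and opens another user_pref()
            # was written by something editing user.js, not by Firefox.
            if ");user_pref(" in value:
                findings.append(("high", line, f"{pref} value smuggles a second user_pref() call"))
            if pref in SEARCH_PREFS:
                host = urlparse(value.replace("hxxp", "http", 1)).hostname or ""
                if host not in TRUSTED_SEARCH:
                    findings.append(("high", line, f"{pref} sends searches to {host}"))
            continue
        if "user != kernel MBR" in line:
            findings.append(("critical", line,
                             "user-mode and kernel reads of sector 0 differ: disk I/O is filtered (bootkit)"))
    return findings


# Lines taken from the log above (not new data), plus clean ones for contrast.
SAMPLE = [
    r"R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-11 371544]",
    r"S0 avxyleb;avxyleb;c:\windows\system32\drivers\tugjlow.sys --> c:\windows\system32\drivers\tugjlow.sys [?]",
    r"S0 yunklug;yunklug; [x]",
    r"S1 sffgmxbw;sffgmxbw;\??\c:\windows\system32\drivers\sffgmxbw.sys --> c:\windows\system32\drivers\sffgmxbw.sys [?]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-29 136176]",
    r'mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime',
    r'mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"',
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r"FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=",
    r"FF - prefs.js: browser.search.selectedEngine - Google",
    r"FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=);user_pref(yahoo.ytff.general.dontshowhpoffer, true",
    r"user != kernel MBR !!!",
]

if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE):
        print(f"[{severity:8}] {reason}\n           {line}")
```

Run it over a whole DDS log (`triage(open("dds.txt").read().splitlines())`) and the three nonsense-named S0/S1 drivers, the QuickTime entry and both search-go.net prefs come out on top, which is exactly the set the helper's CFScript later targets with Driver::, File::, RenV:: and Firefox:: directives.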



Blade81
2011-04-15, 07:06
Hi,

Post c:\ComboFix.txt contents.

bbmoon
2011-04-18, 17:57
Sorry for the delay I was out of town and away from my computer.

Thanks for your help.

Combo Fix Text Log attached.

Blade81
2011-04-19, 07:56
Hi,


Combo Fix Text Log attached.
Seems that it didn't get attached after all.

bbmoon
2011-04-19, 17:42
I'm sorry. At first I just copy and pasted and it was too big. Then I did the attachment. I see the attached file was too big also. Sorry.

Here lets try again, zipped.

Thank You for Helping.

Blade81
2011-04-19, 17:53
Hi,

Let's run ComboFix (and DDS after that) again. Instructions below.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

bbmoon
2011-04-19, 19:58
Ok

Three Files attached.

The DDS created two files, I included both.

Thanks again.

Blade81
2011-04-19, 21:06
Hi again,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Open notepad and copy/paste the text in the quotebox below into it:



Driver::
avxyleb
yunklug
sffgmxbw
File::
c:\windows\system32\drivers\tugjlow.sys
c:\windows\system32\drivers\sffgmxbw.sys
RenV::
c:\program files\QuickTime\qttask .exe
Firefox::
FF - ProfilePath - c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ekpaoktg.default\
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=);user_pref(yahoo.ytff.general.dontshowhpoffer, true



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + 10.0.1 update for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).

Uninstall these old Javas:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 7
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.


Post back its report, fresh dds logs and above mentioned ComboFix resultant log.

bbmoon
2011-04-20, 00:12
All done.

After this post I will have to be away from computer untill tomorrow.

Thanks Again for your help.

See Logs and reports attached.

Blade81
2011-04-20, 07:36
Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

bbmoon
2011-04-20, 17:51
No threats found with TDSSKiller.

Report Attached

Thanks for you help.

Blade81
2011-04-21, 08:54
Good. Please uninstall QuickTime Player and reinstall if needed to make it work properly again (one of its files couldn't be fixed).

How's the system running now? Are there any issues left?

bbmoon
2011-04-21, 17:00
I Uninstalled QuickTime.

I seem to still have protection problems and Windows Security Center still shows items not working or OFF.

I still can't get virus updates or program updates with Avast. Getting this error - "error: Cannot connect to server" and after attempt "Last encountered error: Cannot connect to download 810.avast.com (75.125.243.154.80)"

Also, cannot get Window updates (even from website) and/or unable to turn on "Automatic Updates". In Windows Security Center I cannot get Automatic Updates "ON" and Virus Protection indicates "OUT OF DATE". I was able to get Firewall ON.

I do have a good internet connection and can browse.

Other computer functions seem good.

Thanks for your continued help.

Blade81
2011-04-21, 17:40
Let's see if this finds anything:
Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it
Click the Scan button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply.

Also, let's check the connection:
Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:



@echo off
rem Collect adapter config, DNS resolution, reachability and routing into one file
>Log1.txt (
ipconfig /all
nslookup google.com
ping -n 2 google.com
route print
)
rem Open the result in Notepad, then remove this batch file
start Log1.txt
del %0



Go to the File menu at the top of the Notepad and select Save as.
Select save in: desktop
Fill in File name: test.bat
Save as type: All file types (*.*)
Click save.
Close the Notepad.
Locate and double-click test.bat on the desktop.
A notepad opens, copy and paste the content it (log1.txt) to your reply.

bbmoon
2011-04-21, 18:04
Another odd issue that is still happening: After booting I get a window with this message - "One of the files containing the systems registry data had to be recovered by use of a log or alternate copy. The recovery was successful." with a (OK) box.

aswMBR.txt file attached

Thank You

Here is Log1.txt


Windows IP Configuration

Host Name . . . . . . . . . . . . : Theresa
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-16-76-D2-27-07
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.12
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Thursday, April 21, 2011 10:42:33 AM
Lease Expires . . . . . . . . . . : Thursday, April 28, 2011 10:42:33 AM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.227.20, 74.125.227.18, 74.125.227.19, 74.125.227.16, 74.125.227.17

Pinging google.com [74.125.227.17] with 32 bytes of data:

Reply from 74.125.227.17: bytes=32 time=17ms TTL=56
Reply from 74.125.227.17: bytes=32 time=18ms TTL=56

Ping statistics for 74.125.227.17:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 18ms, Average = 17ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 76 d2 27 07 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.12 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.12 192.168.0.12 20
192.168.0.12 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.12 192.168.0.12 20
224.0.0.0 240.0.0.0 192.168.0.12 192.168.0.12 20
255.255.255.255 255.255.255.255 192.168.0.12 192.168.0.12 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None

Blade81
2011-04-22, 10:34
Hi,


After booting I get a window with this message - "One of the files containing the systems registry data had to be recovered by use of a log or alternate copy. The recovery was successful." with a (OK) box.
Please run disk check by following instructions here (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx). Let's see if that helps.

bbmoon
2011-04-25, 18:24
Ran Disk Check as instructed. No indication of problems or repairs during or after the scan.

Sorry, still getting the same "Windows-Registry Recovery" message after boot. And still can not get security items working (Firewall ON; Automatic Updates OFF; Virus Protection OFF) and unable to update Avast. Otherwise system seems to be running ok.

Thanks.

Blade81
2011-04-25, 19:06
Hi,

That error message is tricky since it existed before I started assisting, making it hard to tell what triggered the error in the first place.

Have you tried to reinstall Avast to see if it can update itself after that? Some infections harm antivirus program installation so that the program must be reinstalled.

bbmoon
2011-04-25, 20:03
I Uninstalled and then reinstalled Avast. After install it will try to update and then has warning that it was not able to update. I then go to "Maintenance" then "Update" and try manually to update.

Sorry, the results are the same. Cannot update "Program" or "Virus Definitions".

Also not able to perform "windows" update.

Thanks for your help.

bbmoon
2011-04-25, 20:09
When attempting to update Avast (after successful install) I get an error.

At first it appears the update process is normal but then I quickly get this.

"Error: Cannot connect to server"

Thanks

Blade81
2011-04-25, 20:12
Hi,

Do you have a router in use? If yes, are there any other computers accessing internet via that same router without any issues?

bbmoon
2011-04-25, 20:24
Yes, another computer (not networked) is connected to the same router and that computer is working fine. And I'm using Avast on that computer too.

I did see that "Windows Security" now shows Virus Protection ON. But Windows "Automatic Updates" is OFF.

When I go to the windows update site (http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) I get to the site and click on "express".

I then get this

([Error number: 0x80070424] The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.)

Thanks again

Blade81
2011-04-25, 20:34
Hi,

Please try this (http://support.microsoft.com/kb/971058) to fix Windows Update issue.

bbmoon
2011-04-25, 20:44
The "Fix It" button or Fix It link does not work, I click it and get a new window but with a blank window and no activity.

Should I use the "fix it myself", manual method shown below the Fix It section?

Thanks

Blade81
2011-04-25, 21:22
Hi,

Let's try this:
1. Download Dial-a-Fix archive file here (http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles).
2. Extract contents to suitable place (e.g. your desktop) and navigate to that location.
3. Double-click Dial-a-Fix.exe file to execute the program.
4. Checkmark Fix Windows Update -checkbox. It's possible that the program checks some options automatically after that. Leave those untouched and click GO -button.

When tool has finished, reboot and see if you're able to access Windows Update.

bbmoon
2011-04-26, 04:15
Excellent. Dial a Fix worked! I am now able to update windows (26 High-Priority updates installed). Thank You for the fix.

Now I just need some type of virus protection. Avast is working but outdated. Avast is still not able to update program or latest virus definitions.

Thank you for your help.

Blade81
2011-04-26, 08:06
Hi,

You have Microsoft Windows recovery console option visible for a few seconds when you start the system, right? Another question is do you have installation media for Acronis True Image Home around? If yes and you're still getting that error at startup then it might be related to broken Acronis installation and reinstall will be needed (don't reinstall yet though).

Regarding Avast issue, please check that firewall is not blocking it and that Internet Explorer doesn't have proxy settings enabled:
1. Open Internet Explorer, click "Tools" and then click "Internet Options."

2. Click the "Connections" tab and then click on "LAN Settings."

3. Uncheck the box marked "Use a proxy server for this connection" and then hit the "OK" button. The changes you made will be immediately applied. See if Avast is able to update itself after that.
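
The checks above rule out DNS, routing and the IE proxy, yet Avast still cannot reach download810.avast.com or download743.avast.com while ordinary browsing works. One check the thread does not run is the hosts file, which malware commonly uses to blackhole or redirect exactly the vendor and update domains involved; on XP it lives at %SystemRoot%\system32\drivers\etc\hosts. The script below is an added example, not part of the thread and not an Avast tool: it audits hosts-file text for such entries. The hosts content is constructed test data and PROTECTED_SUFFIXES is an assumed list.

```python
"""Audit a Windows hosts file for entries that blackhole or redirect
antivirus and Windows Update servers, one way an infection keeps AV from
updating while normal browsing still works.  Added example, not from the
thread above or from any vendor tool."""
import ipaddress

# Domains whose update traffic an infection commonly blocks (assumed list;
# extend it for the products actually installed on the machine).
PROTECTED_SUFFIXES = (
    "avast.com", "microsoft.com", "windowsupdate.com", "kaspersky.com",
    "eset.com", "malwarebytes.org", "safer-networking.org",
)


def is_protected(host: str) -> bool:
    """Label-aware suffix match: 'update.microsoft.com' yes, 'notmicrosoft.com' no."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str):
    """Return (severity, line number, reason) for every non-default entry.

    A default XP hosts file holds only '127.0.0.1 localhost'.  Anything that
    maps a protected domain to loopback/0.0.0.0 (blackhole) or to another
    address (redirect to a server the attacker controls) is a finding; other
    entries are reported at lower severity so the reviewer still sees them.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(("low", lineno, f"unparseable address {parts[0]!r}"))
            continue
        blackhole = addr.is_loopback or addr.is_unspecified
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if host == "localhost" and blackhole:
                continue                          # the one expected entry
            protected = is_protected(host)
            if protected and blackhole:
                findings.append(("high", lineno, f"{host} blackholed to {addr}"))
            elif protected:
                findings.append(("high", lineno, f"{host} redirected to {addr}"))
            elif not blackhole:
                findings.append(("medium", lineno, f"{host} redirected to {addr}"))
            else:
                findings.append(("low", lineno, f"{host} blackholed to {addr}"))
    return findings


# Constructed hosts file: the stock header plus entries of the kind an
# infection adds.  192.0.2.10 is an RFC 5737 documentation address.
HOSTS_SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# -- constructed hijack entries --
127.0.0.1   download810.avast.com   download743.avast.com
0.0.0.0     update.microsoft.com  windowsupdate.microsoft.com
192.0.2.10  www.google.com        # a redirect, not a blackhole
127.0.0.1   files.example.org     # loopback, but not a protected domain
"""

if __name__ == "__main__":
    for severity, lineno, reason in audit_hosts(HOSTS_SAMPLE):
        print(f"line {lineno:2} [{severity}] {reason}")
```

Feed it the real file with `audit_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())`; an empty result means the hosts file is not the reason the update servers are unreachable and the next suspects are a Winsock LSP or a kernel filter driver, which the aswMBR and TDSSKiller runs in this thread were meant to catch.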

bbmoon
2011-04-26, 18:19
Yes I do have the Microsoft Windows recovery console option visible.

I uninstalled Acronis.

"Use a proxy server for this connection" was already unchecked. Therefore, I made no changes.

Rebooted. And, sorry, no difference.

The automatic Avast virus update still not working (it has a warning notice).

Windows Security Center showing Virus Protection "OUT OF DATE". Trying manual update does not work but showed this message after attempt...

"Last encountered error: Cannot connect to download743.avast.com(208.43.71.142:80)"

Thanks again for your help

Blade81
2011-04-27, 08:17
Hi,

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

fixmbr (allow the change)

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Post fresh dds logs.
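
Gmer's rootkit section in the first DDS log reported "user != kernel MBR !!!" and "copy of MBR has been found in sector 1": a disk-filter rootkit was answering user-mode reads of sector 0 with a clean copy while the real sector held its loader, and the original MBR was parked in the next sector. The fixmbr step above overwrites sector 0 with standard boot code. The script below is an added example, not part of the thread and not Gmer's or aswMBR's code: it parses a 512-byte MBR, compares a user-mode read against a low-level read the way the detector does, and scans the following sectors for a stashed original. All disk bytes are constructed test data; no real boot code or bootkit loader is reproduced, and the 63-sector scan window is an assumption.

```python
"""Compare two views of a master boot record and look for a stashed copy of
the original in the sectors after it, the two checks behind the Gmer lines
"user != kernel MBR" and "copy of MBR has been found in sector 1".
Added example, not from the thread; all bytes here are constructed."""
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes at 446..509
BOOT_SIG = b"\x55\xaa"   # mandatory signature in bytes 510..511


def mbr_valid(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[510:512] == BOOT_SIG


def parse_partitions(mbr: bytes):
    """Return the four partition entries (empty entries have type 0)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def diff_regions(a: bytes, b: bytes):
    """Return (start, end) byte ranges where two sectors differ."""
    regions, start = [], None
    for i in range(SECTOR):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, SECTOR))
    return regions


def classify(user_mbr: bytes, kernel_mbr: bytes) -> dict:
    """Compare a user-mode read (through the filtered I/O path) with a
    low-level read.  A rootkit hooking disk I/O hands user mode a clean
    sector 0 while the real one holds its loader; a loader that keeps the
    partition table intact but swaps the boot code is the common pattern."""
    regions = diff_regions(user_mbr, kernel_mbr)
    return {
        "identical": not regions,
        "diff_regions": regions,
        "partition_table_same": user_mbr[PT_OFFSET:510] == kernel_mbr[PT_OFFSET:510],
        "boot_code_differs": any(s < PT_OFFSET for s, _ in regions),
        "kernel_sig_ok": mbr_valid(kernel_mbr),
    }


def find_backup_copy(disk: bytes, kernel_mbr: bytes, max_sectors: int = 63):
    """Scan the sectors after the MBR for a saved copy of the original.
    Bootkits keep the overwritten MBR nearby so their loader can chain to
    it; a candidate has a valid signature, the same partition table as the
    live MBR, and different boot code.  Returns the sector number or None."""
    for n in range(1, min(max_sectors, len(disk) // SECTOR)):
        sec = disk[n * SECTOR:(n + 1) * SECTOR]
        if (mbr_valid(sec)
                and sec[PT_OFFSET:510] == kernel_mbr[PT_OFFSET:510]
                and sec[:PT_OFFSET] != kernel_mbr[:PT_OFFSET]):
            return n
    return None


def _build_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one active NTFS partition, signature."""
    ntfs = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 312576642)
    return boot_code.ljust(PT_OFFSET, b"\x00") + ntfs + b"\x00" * 48 + BOOT_SIG


# Placeholder byte patterns stand in for the real XP boot code and the
# real loader; neither is reproduced here.
ORIGINAL_MBR = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40)
INFECTED_MBR = _build_mbr(b"\xeb\x3e" + b"\xcc" * 60)
# Constructed disk image: loader in sector 0, original parked in sector 1.
FAKE_DISK = INFECTED_MBR + ORIGINAL_MBR + b"\x00" * SECTOR * 4

if __name__ == "__main__":
    # What the detector saw: user mode gets the clean copy, kernel the real one.
    print(classify(ORIGINAL_MBR, INFECTED_MBR))
    print("backup copy in sector", find_backup_copy(FAKE_DISK, INFECTED_MBR))
```

The same comparison explains why fixmbr alone is not a cleanup: it restores sector 0, but the driver that filtered the reads still loads unless its service entries and files are removed, which is why the helper asked for fresh logs afterwards.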

bbmoon
2011-04-27, 18:05
Thanks,

Followed Recovery Console instructions.

Ran DDS scan. Avast was running (but not updated) and I had a few Avast warnings while running DDS, I ignored Avast and always allowed DDS to run "normally". Maybe I should have stopped Avast before running DDS scan?

I can re-run DDS with Avast OFF if I need to. See DDS logs as attachments.

As always, Thank You for your help.

Blade81
2011-04-27, 20:49
Hi,

Please uninstall Avast temporarily by following instructions here (http://www.avast.com/uninstall-utility). When done, post fresh dds logs.

PS. Windows Live OneCare safety scanner is not supported anymore and can be uninstalled to save some space.

bbmoon
2011-04-28, 17:22
Sorry for the slow reply.

I uninstalled Avast with aswclear.exe.

FYI - During the uninstall process the "Windows - Registry Recovery" window with "One of the files containing the systems registry data had to be recovered by use of a log or alternate copy. The recovery was successful." with [Ok] button, kept popping up. (The same message as I get after boot up) It popped up many times (maybe 6 to 10).

I uninstalled Windows Live OneCare after I ran DDS logs.

Logs attached.

Many thanks for your help.

Blade81
2011-04-29, 18:51
Hi,

When exactly did that recovery error begin to occur? You mentioned it in the first post of this topic but when and after what episode it occured first time?

bbmoon
2011-04-29, 19:30
That is a hard question.

I first noticed it on a morning start awhile back. But so many things have been happening during this virus problem, I can't say what happen prior to seeing it. It was after getting the infection.

Sorry, I can't help anymore than this.

Thanks

Blade81
2011-04-30, 09:59
Hi,

I got one more thing to try. If it fails then my recommendation is to backup important stuff and reformat.

You'll need to have your XP installation media ready for this.

Click start->run-> type sfc /scannow and press enter. Follow the instructions given.

bbmoon
2011-04-30, 16:37
I have a XP disc but it is not the original disc for this computer. My problem computer came pre-loaded with XP and I don't have a disc for it. Will it be ok to use my other XP disc?

Thanks for helping.

Blade81
2011-04-30, 17:31
Yes, if that's installation disc for XP Home Edition.

bbmoon
2011-05-02, 18:06
Some good news, I found my original XP Home Edition disc that came with the computer (unopened). So I know I am using a good copy.

I ran the "sfc /scannow". It asked for the XP disc, I inserted disc and clicked "retry". The scan continued and finished with no other notices or sign of changes. (I never really noticed any activity with the cd drive?) I rebooted and still had the "Windows - Registry Recovery" window pop up after boot (it appears before clicking on the user icon).

I re-ran the "sfc /scannow" with the XP disc already in the drive (so it would not have to ask for it). It ran without asking for the disc and completed again without any notices, it just ran and the progress box disappeared when finished.

Rebooted again and no change, still have the "Windows - Registry Recovery" notice.

If I could get some virus protection working, I guess I could live with the "Windows - Registry Recovery" popup.

Sorry for the delay in my reply.

Thanks for all your help.

Blade81
2011-05-02, 18:14
Hi,


If I could get some virus protection working, I guess I could live with the "Windows - Registry Recovery" popup.
Those two may be connected. I recommend to backup your important data and then do a reformat.

bbmoon
2011-05-02, 18:40
Yes, I wish there was something easier than a re-format.

We uninstalled Avast and I have not reinstalled it. Should I try to download Avast again and see if it works? (In case the "sfc /scannow" fixed something.)

I have Windows XP Professional, could I install it (sort of an upgrade)? Or, could I upgrade to Windows 7 and find a cure?

I have a compatible (same type drive) external hard drive (not connected to computer). Is there an easy way to set up the external drive with a fresh XP install and then transfer everything to the new drive (including program files and data)? Then I could just swap the old drive with the newer external drive?

Thanks

bbmoon
2011-05-02, 20:40
I have heard of a repair install process for XP. (Available by booting from the CD disc). Is that something that will work or help? Or maybe the sfc /scannow already did something like that?

Blade81
2011-05-03, 06:33
Hi,

You may try the repair install process, but I still think backup & reformat gives a more successful result.

bbmoon
2011-05-04, 02:46
Got a new hard drive. Did a fresh install of XP Home from CD. Reloaded all drivers. Internet connection working.

Now trying to update windows. I cannot update windows. I get to update page, click express, after trying to check for updates I get "error number 0x80072EFE" and "The website has encountered a problem and cannot display the page you are trying to view. The options below might help you solve the problem."

Sorry, I am a problem that just won't go away.

Good news... My other problems are gone.

Thanks

Blade81
2011-05-04, 07:12
Hi,

Post fresh dds logs, please.

bbmoon
2011-05-04, 17:54
I am sending this from another computer. I was able to log into this forum, but I could not send a reply. I tried to attach log files but could not upload, then just copied and pasted and then it would not submit a reply. It would try, then just quit and show something like "...cannot display this page..."

Logs attached.

Thanks for your help.

Blade81
2011-05-04, 18:08
Hi,

Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
Click the Scan button to start scan.

On completion of the scan click save log, save it to your desktop and post in your next reply.

bbmoon
2011-05-04, 18:30
Here is the log.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 11:21:50
-----------------------------
11:21:50.828 OS Version: Windows 5.1.2600 Service Pack 2
11:21:50.828 Number of processors: 2 586 0x605
11:21:50.828 ComputerName: DESK UserName:
11:21:51.140 Initialize success
11:21:53.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:21:53.359 Disk 0 Vendor: WL160GSA872 15.01H15 Size: 152627MB BusType: 3
11:21:55.390 Disk 0 MBR read successfully
11:21:55.390 Disk 0 MBR scan
11:21:55.390 Disk 0 Windows XP default MBR code
11:21:57.390 Disk 0 scanning sectors +312560640
11:21:57.421 Disk 0 scanning C:\WINDOWS\system32\drivers
11:21:59.843 Service scanning
11:22:00.578 Disk 0 trace - called modules:
11:22:00.593 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:22:00.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb8ab8]
11:22:00.593 3 CLASSPNP.SYS[ba8e905b] -> nt!IofCallDriver -> \Device\00000053[0x89beb968]
11:22:00.593 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89be8d98]
11:22:00.593 Scan finished successfully
11:22:14.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Office\Desktop\MBR.dat"
11:22:14.984 The log file has been saved successfully to "C:\Documents and Settings\Office\Desktop\aswMBR.txt"


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 11:26:19
-----------------------------
11:26:19.765 OS Version: Windows 5.1.2600 Service Pack 2
11:26:19.765 Number of processors: 2 586 0x605
11:26:19.765 ComputerName: DESK UserName:
11:26:20.031 Initialize success
11:26:22.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:26:22.265 Disk 0 Vendor: WL160GSA872 15.01H15 Size: 152627MB BusType: 3
11:26:24.296 Disk 0 MBR read successfully
11:26:24.296 Disk 0 MBR scan
11:26:24.296 Disk 0 Windows XP default MBR code
11:26:26.296 Disk 0 scanning sectors +312560640
11:26:26.328 Disk 0 scanning C:\WINDOWS\system32\drivers
11:26:28.671 Service scanning
11:26:29.390 Disk 0 trace - called modules:
11:26:29.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:26:29.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb8ab8]
11:26:29.406 3 CLASSPNP.SYS[ba8e905b] -> nt!IofCallDriver -> \Device\00000053[0x89beb968]
11:26:29.406 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89be8d98]
11:26:29.406 Scan finished successfully
11:27:07.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Office\Desktop\MBR.dat"
11:27:07.453 The log file has been saved successfully to "C:\Documents and Settings\Office\Desktop\aswMBR.txt"
Thanks
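
The two aswMBR logs above are read by eye, but the format is regular enough to triage automatically. The following is an added example (not part of the thread and not AVAST's code) that parses an aswMBR log, extracts the OS version, the per-disk MBR verdict line and the kernel I/O trace, and flags anything worth a closer look: a missing or non-default MBR verdict, an unfinished scan, or a module in the disk I/O chain that is not in a baseline. The baseline set and the sample log are assumptions built from the trace shown in this thread; an unlisted module means "review", not "infected".

```python
import re

# aswMBR prefixes each event line with "HH:MM:SS.mmm "; header lines have no timestamp.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
DISK_RE = re.compile(r"^Disk (\d+) (.*)$")

# Assumed baseline of modules on a clean Windows XP disk I/O path, taken from the
# "trace - called modules" line format in this thread. Anything outside this set
# is flagged for review; it is not by itself evidence of a rootkit.
BASELINE_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "CLASSPNP.SYS", "disk.sys", "ACPI.sys",
    "hal.dll", "atapi.sys", "pciide.sys", "PCIIDEX.SYS",
}

# Constructed sample in the aswMBR 0.9.5 log layout (vendor string and addresses made up).
SAMPLE_LOG = r"""aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 11:21:50
-----------------------------
11:21:50.828 OS Version: Windows 5.1.2600 Service Pack 2
11:21:50.828 Number of processors: 2 586 0x605
11:21:51.140 Initialize success
11:21:53.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:21:53.359 Disk 0 Vendor: EXAMPLE-DISK 1.0 Size: 152627MB BusType: 3
11:21:55.390 Disk 0 MBR read successfully
11:21:55.390 Disk 0 MBR scan
11:21:55.390 Disk 0 Windows XP default MBR code
11:21:57.421 Disk 0 scanning C:\WINDOWS\system32\drivers
11:22:00.578 Disk 0 trace - called modules:
11:22:00.593 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:22:00.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb8ab8]
11:22:00.593 Scan finished successfully
"""


def parse_aswmbr(text):
    """Return {'os_version', 'finished', 'disks': {n: {'mbr', 'modules'}}} from an aswMBR log."""
    report = {"os_version": None, "finished": False, "disks": {}}
    current_disk = None      # disk whose module list we are expecting next
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                       # version banner, run date, separator
        msg = m.group(2).strip()
        if msg.startswith("OS Version: "):
            report["os_version"] = msg[len("OS Version: "):]
            continue
        if msg == "Scan finished successfully":
            report["finished"] = True
            continue
        if current_disk is not None:
            # The line right after "trace - called modules:" is the driver chain.
            current_disk["modules"] = msg.split()
            current_disk = None
            continue
        d = DISK_RE.match(msg)
        if not d:
            continue
        disk = report["disks"].setdefault(int(d.group(1)), {"mbr": None, "modules": []})
        detail = d.group(2)
        if detail.endswith("MBR code"):        # e.g. "Windows XP default MBR code"
            disk["mbr"] = detail
        elif detail.endswith("trace - called modules:"):
            current_disk = disk
    return report


def triage(report):
    """List human-readable findings that merit a second look; empty list means nothing stood out."""
    findings = []
    if not report["finished"]:
        findings.append("scan did not finish; log is incomplete")
    for n, disk in sorted(report["disks"].items()):
        if disk["mbr"] is None:
            findings.append(f"disk {n}: no MBR verdict line in log")
        elif "default MBR code" not in disk["mbr"]:
            findings.append(f"disk {n}: non-default MBR code ({disk['mbr']})")
        unknown = [mod for mod in disk["modules"] if mod not in BASELINE_MODULES]
        if unknown:
            findings.append(f"disk {n}: unlisted modules in I/O trace: {' '.join(unknown)}")
    return findings


if __name__ == "__main__":
    rep = parse_aswmbr(SAMPLE_LOG)
    print(rep["os_version"], rep["disks"][0]["mbr"])
    print(triage(rep) or ["no findings"])
```

Run against a saved aswMBR.txt by reading the file into `parse_aswmbr`; the two logs posted above would produce no findings, which matches the clean fresh install the thread ends with.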

Blade81
2011-05-04, 19:01
Hi,

See if you're able to download and install Service Pack 3 here (http://www.microsoft.com/downloads/en/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en) (change the language if your OS is different from English before clicking download).

bbmoon
2011-05-04, 19:13
Service Pack 3 is downloading now.

After download and install I will test the system by trying Windows Update and trying to submit a reply to this thread.

Still using another computer for forum reply.

Thanks

bbmoon
2011-05-04, 20:10
Success!!

All updated, then continued to recheck until no updates available.

Submitting this reply on computer.

Thanks

Blade81
2011-05-04, 20:15
Great :) Any issues/questions left?

bbmoon
2011-05-04, 20:30
I have installed Avast.

What other protection do you recommend I need to help prevent future problems?

Thanks for helping me.

Blade81
2011-05-04, 20:34
Hi,

Having a couple of antispyware scanners would be good too. For example Spybot and MBAM.

Also, I recommend installing Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/). That helps to detect vulnerable programs and get those patched. Most infections exploit existing vulnerabilities to sneak into the system. When the system is fully patched, the risk of getting infected is lower.

bbmoon
2011-05-04, 20:44
Thank you very much for your help. I think this will take care of my problems.

bbmoon

Blade81
2011-05-04, 20:50
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.