
Thread: Windows updates not working & explorer redirect to windowsclick

  1. #11
    Junior Member
    Join Date
    Mar 2009
    Posts
    15

    Dropped text file as advised, McAfee was running but managed to stop before clicking OK I believe.
    Searches still seem ok, and able to start spybot from icon which I could not before.

    ComboFix 09-03-15.01 - HP_Administrator 2009-03-16 21:33:21.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1506 [GMT 0:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point

    FILE ::
    c:\windows\system32\3717511021.dat
    c:\windows\system32\admparset.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\3717511021.dat
    c:\windows\system32\admparset.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
    .

    2009-03-16 20:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-16 20:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-15 16:47 . 2009-03-15 16:47 <DIR> d-------- c:\program files\Trend Micro
    2009-03-15 16:28 . 2009-03-15 16:28 <DIR> d-------- c:\program files\ERUNT
    2009-03-14 17:12 . 2009-03-14 17:20 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-14 17:12 . 2009-03-14 17:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-07 08:38 . 2009-03-07 08:38 <DIR> d-------- c:\program files\SystemRequirementsLab
    2009-03-06 23:35 . 2007-08-28 01:59 17,254 --a------ c:\windows\system32\nvwsapps.xml
    2009-03-06 18:52 . 2009-03-06 18:52 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\The Creative Assembly
    2009-03-06 17:16 . 2009-03-16 17:47 <DIR> d-------- c:\program files\Steam
    2009-03-06 17:14 . 2009-03-06 17:14 <DIR> d-------- c:\windows\Logs
    2009-03-06 17:14 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
    2009-03-04 21:18 . 2009-03-04 21:20 <DIR> d-------- c:\windows\system32\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-16 21:21 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-16 20:07 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-03-10 19:43 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-10 19:42 --------- d-----w c:\program files\Java
    2009-03-06 20:39 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-02-28 13:10 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-12 15:37 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-10 19:54 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HorizonWimba
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-08 08:53 --------- d-----w c:\program files\McAfee
    2009-01-16 21:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-12-19 09:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
    2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
    2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
    2007-01-07 14:36 251 ----a-w c:\program files\wt3d.ini
    2007-01-26 15:46 22 --sha-w c:\windows\SMINST\HPCD.sys
    2008-10-25 07:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102520081026\index.dat
    .

    ------- Sigcheck -------

    2005-03-14 08:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-04-20 12:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 16:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 10:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 10:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2004-08-10 04:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
    2005-03-14 07:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 c:\windows\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
    2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
    2007-10-30 17:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-13 19:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
    2008-06-20 11:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
    2008-06-20 11:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-16_18.41.55.59 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-16 20:56:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_20c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432]
    "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
    "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2008-07-10 5129504]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.EXE]
    "nwiz"="nwiz.exe" [2007-08-28 c:\windows\system32\nwiz.exe]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-21 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-21 27136]

    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-05 206096]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2007-01-07 c:\windows\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

    2007-01-07 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-16 21:35:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-03-16 21:37:39
    ComboFix-quarantined-files.txt 2009-03-16 21:37:37
    ComboFix2.txt 2009-03-16 18:42:45

    Pre-Run: 119,653,748,736 bytes free
    Post-Run: 119,644,409,856 bytes free

    165 --- E O F --- 2009-03-16 06:43:30

  2. #12
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Sounds good, let's see if we can wrap up like this.

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.



    Clean the System Restore files like this:

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
    (MBAM is yours to keep if you wish, update it and run it once a month or so)

    Update McAfee and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
    http://www.mcafee.com/us/support/

    If all is well at this point, let me know and I will close the topic.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
    http://www.microsoft.com/windows/ie/...rotection.mspx
    Improve the safety of your browsing and e-mail activities
    http://www.microsoft.com/protect/com.../browsing.mspx
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #13
    Junior Member
    Join Date
    Mar 2009
    Posts
    15

    Nothing found by MBAM.
    The only thing that is a bit weird is when I try to run the PSI file it is giving an error message of "not a Valid Win32 application".
    The same is true of the download for Sun Java 12 after clearing the old programs.

    Once again thanks for your time.

  4. #14
    Junior Member
    Join Date
    Mar 2009
    Posts
    15

    Also seem to be still struggling to get Windows updates to apply. Not sure if this is related.

  5. #15
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Let's get another opinion please.

    Do an online scan with Kaspersky Online Scanner

    http://www.kaspersky.com/kos/eng/par...=1213442456390

    1. Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    2. Click on the Accept button and install any components it needs.
    3. The program will install and then begin downloading the latest definition files.
    4. After the files have been downloaded on the left side of the page in the Scan section select My Computer
    5. This will start the program and scan your system.
    6. The scan will take a while, so be patient and let it run.
    7. Once the scan is complete, click on View scan report
    8. Now, click on the Save Report as button.
    9. Save the file to your desktop.
    10. Copy and paste that information in your next post

  6. #16
    Junior Member
    Join Date
    Mar 2009
    Posts
    15

    For some reason the Java applet won't run. I've cleared the old ones out and confirmed latest is installed.
    As it's late here I'm going to have to call it quits for the night. Appreciate all your help so far.

    Arp

  7. #17
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Ok...keep me posted

  8. #18
    Junior Member
    Join Date
    Mar 2009
    Posts
    15

    Hi Again

    FYI I checked Microsoft update history and it seems I've downloaded KB96771 every day for the last few weeks, the website says successfully each time. After the cleanout yesterday it moved onto the next download.

    MBAM clear again

    McAfee came up with the Three following (sorry don't know how to get a log)
    Generic!Artemis D:\\I386\APPS\APP30904\src\msworks\pss\WKS8xp.exe
    Generic!Artemis D:\\I386\APPS\APP30904\src\msworks\pss\WKS8RM9x.exe
    RemAdm-Prolaunch!171 C:\\Recycle\s-1-5-21-3050337275-3621425527-3587646958-1007\Dc1.exe

    When I uninstalled combo fix as per instructions the true name shortcut disappeared leaving the Combo-fix icon on the desktop, which I just highlighted and deleted.

    Kaspersky was still unable to run after the pop up saying run, just gave a message about Java unable to run.

    I have yet to delete the items picked up by McAfee just in case.

    I also note the odd reference to drive D in some logs, this is the Recovery drive if that helps.

    I have to go away for a few days, should be back Friday hopefully, so if I take a while to reply it’s not that I’m ungrateful for your time.

  9. #19
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    1) Look here for help with your Windows Updates issues:
    http://v4.windowsupdate.microsoft.com/troubleshoot/
    If that does not do it, ask for help here:
    http://support.microsoft.com/

    2) "McAfee came up with the Three following (sorry don't know how to get a log)"
    Have McAfee delete or quarantine these files.
    Generic!Artemis D:\\I386\APPS\APP30904\src\msworks\pss\WKS8xp.exe
    Generic!Artemis D:\\I386\APPS\APP30904\src\msworks\pss\WKS8RM9x.exe

    C:\\Recycle <<< the Recycle Bin on the Desktop, open it and delete what is there.

    3) Combo-fix icon on the desktop <<< you did the correct thing

    4) "I have yet to delete the items picked up by McAfee just in case."
    Delete or quarantine anything McAfee finds.

    5) "I also note the odd reference to drive D in some logs, this is the Recovery drive if that helps."
    I have no idea? You would have to show me exactly what you are seeing.

    6) Kaspersky was still unable to run after the pop up saying run
    Don't worry about Kaspersky, everyone can not run it.

    7) I suggest a diagnostic scan here:
    http://www.pcpitstop.com/pcpitstop/default.asp
    registry free and you will be able to post the test results for me to view.

    Thanks

  10. #20
    Junior Member
    Join Date
    Mar 2009
    Posts
    15

    Not sure if I've done this right

    http://www.pcpitstop.com/betapit/sec.asp?conid=21877956

    Least it shows why some games run a bit slow!
