Can't access windows updates

Hi

Let's try this :)

Creating & executing batch file
-------------------------------

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
regedit /a c:\regExport.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS"
regedit /a c:\regExport2.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv"

Double-click on fixes.bat file to execute it. Post contents of c:\regExport.txt & c:\regExport2.txt back here.
 
Hi :)

I tried to run fixes.bat, however the window opens and then closes immediately, with no result of any change made, let alone fix having been done. I remember Avast finding a virus "file.bat" not that long ago when I'd picked up a nasty trojan that I think could have been conficker c. Not sure to be exact, but it disabled all security settings and I was unable to even access websites that had the word antivirus or security in it. Luckily Avast fixed it all, however every time I logged on, it would warn me of "file.bat", of which it quarantined every time. Since then I've removed Avast and use Comodo instead.

Hope we're not running out of options! :sad:

Thanks!
Julie
 
Hi

That was not meant to do anything else than create c:\regExport.txt & c:\regExport2.txt files. Can't you find these two files after running the batch?
 
Hi! :oops:

Did a search and found them!!

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS]
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,66,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Background Intelligent Transfer Service"
"DependOnService"=hex(7):52,70,63,73,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled."
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,71,6d,67,72,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001



REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,66,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Automatic Updates"
"ObjectName"="LocalSystem"
"Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,\
5c,77,75,61,75,73,65,72,76,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 
Hi Julie

Run registry search tool with string 4ada505b.sys. Post back the results.

Re-run also GMER that I made you run in the beginning of this thread. Post back the report it gives.
 
Hi Blade81

Ran Reg Tool for *4ada505b.sys* (with and without asterisk either side) and nothing was found, and also ran GMER scan, as below.

Again, thanks for your help so far... it is really appreciated :present:





GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-06 09:47:06
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----
 
And finally we have lift off!!! :yahoo:

I went into regedit and edited permissions after manually finding both instances of %fystemroot%. This took a few goes though, as I'd change the image path "after" changing permissions, yet it would change back after clicking on something else. Anyhow, restarted the computer and AU and Bits is now working!!!!!

Whatever disabled them both and took away admin permissions is nasty and I just hope that all malware has now been removed. Argh, I've never had anything like this before! What's going on out there in virus world? :fear:

Can you recommend a really good "free" antivirus scanner? As you know I'm using comodo. The firewall is pretty good, but not sure about the antivirus. Is Avast better?

Thanks heaps for your help so far!!! :bow:
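
The broken value can be read straight out of the REGEDIT4 export posted earlier in the thread: the ImagePath bytes 25,66,79,73,74,65,6d decode to "%fystem", not "%system". The following Python script is an added example, not part of any forum post and not a tool used in the thread; it decodes the hex(2) values of such an export and flags service paths that use an unrecognised %VARIABLE%. The function names and the KNOWN_VARS allowlist are assumptions made for the illustration.

```python
import re

# Abridged from the export posted in this thread (REGEDIT4 = ANSI bytes).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
"ImagePath"=hex(2):25,66,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,71,6d,67,72,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"ImagePath"=hex(2):25,66,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,\
5c,77,75,61,75,73,65,72,76,2e,64,6c,6c,00
'''

# Assumption: environment variables we accept in a service path.
KNOWN_VARS = {"systemroot", "windir", "programfiles", "systemdrive"}
# Value names that hold the binary a service loads.
PATH_VALUES = {"imagepath", "servicedll"}


def decode_value(raw):
    """Decode the right-hand side of one REGEDIT4 value line."""
    m = re.match(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is binary
        if kind == 2:  # REG_EXPAND_SZ: NUL-terminated ANSI string
            return data.split(b"\x00", 1)[0].decode("cp1252")
        if kind == 7:  # REG_MULTI_SZ: NUL-separated ANSI strings
            return [s.decode("cp1252") for s in data.split(b"\x00") if s]
        return data
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return raw


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: decoded_value}}."""
    # A hex value continues on the next line when the line ends with ",\".
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is not None and m:
            current[m.group(1)] = decode_value(m.group(2))
    return keys


def audit_service_paths(keys):
    """Return (key, value_name, path, unknown_vars) for suspicious paths."""
    findings = []
    for key, values in keys.items():
        for name, value in values.items():
            if name.lower() not in PATH_VALUES or not isinstance(value, str):
                continue
            unknown = [v for v in re.findall(r"%([^%]+)%", value)
                       if v.lower() not in KNOWN_VARS]
            if unknown:
                findings.append((key, name, value, unknown))
    return findings


if __name__ == "__main__":
    for key, name, path, unknown in audit_service_paths(parse_regedit4(SAMPLE_EXPORT)):
        print(f"{key}\n  {name} = {path}\n  unknown variable(s): {unknown}")
```

Because %fystemroot% is not a defined environment variable, the path does not expand to a real file, which matches the "cannot find the file specified" error the Service Control Manager logged for Automatic Updates.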
 
Hi

Glad to hear situation got better :) May I see a fresh dds log, please? I'll then give you some final instructions based on that.
 
Hi!

Wouldn't have been able to do it without your help! I've learnt so much from all of this. Does that mean I can be a security pro too? :p::laugh::D:

DDS scan logs are below, although the 2nd one says not to post unless specifically requested, however there's some "funny business" at the end of the scan, but have no idea what it means.

Thanks!!
Julie

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 19:39:30.62 on Mon 06/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.184 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wscntfy.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [Acme.PCHButton] c:\progra~1\hppavi~1\pavilion\xphwwbp4\plugin\bin\PCHButton.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [WinCinemaMgr] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] c:\program files\brother\brmfl05a\BrStDvPt.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177982790325
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180607378625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - hxxp://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
TCP: {54C6303B-7DBA-4795-9A6D-D4B26741E783} = 4.2.2.1,4.2.2.2
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-30 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-30 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-30 700152]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [2004-2-3 24192]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-12-25 29696]
S3 SSNDIS5;SSNDIS5 NDIS Protocol Driver;c:\windows\system32\drivers\ssndis5.sys --> c:\windows\system32\drivers\SSNDIS5.sys [?]

=============== Created Last 30 ================

2009-04-06 12:47 <DIR> -cd----- c:\windows\system32\XPSViewer
2009-04-06 12:44 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-06 12:44 117,760 -c------ c:\windows\system32\prntvpt.dll
2009-04-06 12:44 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-06 12:44 1,676,288 -c------ c:\windows\system32\xpssvcs.dll
2009-04-06 12:44 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-06 12:44 575,488 -c------ c:\windows\system32\xpsshhdr.dll
2009-04-06 12:44 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-06 12:44 <DIR> -cd----- C:\d068b5b753a6badb6d
2009-04-06 11:05 <DIR> -cd----- c:\program files\common files\xing shared
2009-04-04 12:21 <DIR> -cd----- c:\program files\iPod
2009-04-04 12:21 <DIR> -cd----- c:\program files\iTunes
2009-04-04 12:21 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-04 12:12 <DIR> -cd----- c:\program files\Bonjour
2009-04-01 09:37 161,792 ac------ c:\windows\SWREG.exe
2009-04-01 09:37 98,816 ac------ c:\windows\sed.exe
2009-03-30 07:35 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-30 07:35 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-30 07:35 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-30 07:35 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-30 07:35 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-30 07:35 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-03-30 07:35 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-03-30 07:35 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-03-30 07:35 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-03-30 07:35 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-03-30 07:33 69,632 ac------ c:\windows\system32\dllcache\umaxu12.dll
2009-03-30 07:32 7,040 ac------ c:\windows\system32\dllcache\snyaitmc.sys
2009-03-30 07:31 210,496 ac------ c:\windows\system32\dllcache\s3mvirge.dll
2009-03-30 07:30 75,776 ac------ c:\windows\system32\dllcache\philcam1.sys
2009-03-30 07:29 59,104 ac------ c:\windows\system32\dllcache\n9i128v2.dll
2009-03-30 07:28 47,616 ac------ c:\windows\system32\dllcache\memgrp.dll
2009-03-30 07:27 45,632 ac------ c:\windows\system32\dllcache\ip5515.sys
2009-03-30 07:26 907,456 ac------ c:\windows\system32\dllcache\hcf_msft.sys
2009-03-30 07:25 117,760 ac------ c:\windows\system32\dllcache\e100b325.sys
2009-03-30 07:24 72,832 ac------ c:\windows\system32\dllcache\cwbwdm.sys
2009-03-30 07:23 66,082 ac------ c:\windows\system32\dllcache\c_20106.nls
2009-03-30 07:22 36,224 ac------ c:\windows\system32\dllcache\an983.sys
2009-03-30 07:21 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-03-30 00:26 155,384 ac------ c:\windows\system32\guard32.dll
2009-03-30 00:26 110,992 ac------ c:\windows\system32\drivers\cmdguard.sys
2009-03-30 00:26 24,336 ac------ c:\windows\system32\drivers\cmdhlp.sys
2009-03-29 00:04 <DIR> -cd----- C:\Rooter$
2009-03-28 21:28 <DIR> -cd----- c:\program files\Windows Resource Kits
2009-03-28 02:32 253,688 ac------ c:\windows\system32\cssdll32.dll
2009-03-28 02:31 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Comodo
2009-03-28 02:31 <DIR> -cd----- c:\program files\COMODO
2009-03-27 23:57 <DIR> -cd----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-27 23:57 15,504 ac------ c:\windows\system32\drivers\mbam.sys
2009-03-27 23:57 38,496 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 23:57 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-27 23:57 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 22:45 <DIR> -cd----- c:\program files\common files\Wise Installation Wizard
2009-03-27 22:29 <DIR> -cd----- c:\docume~1\owner\applic~1\QuickScan
2009-03-27 21:29 410,984 ac------ c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-04-06 11:04 348,160 ac------ c:\windows\system32\msvcr71.dll
2009-04-06 11:04 499,712 ac------ c:\windows\system32\msvcp71.dll
2009-02-09 21:13 1,846,784 ac------ c:\windows\system32\win32k.sys
2007-12-09 15:18 21,538 -c------ c:\program files\dll32sys.clx
2007-12-09 15:18 21,538 -c------ c:\program files\clogo1.bmp
2007-12-09 15:18 8,186 -c------ c:\program files\sys32init.clx
2007-12-09 15:18 8,186 -c------ c:\program files\clogo2.bmp
2007-12-09 15:18 3,760 -c------ c:\program files\uDigestV4.vid
2007-12-09 15:18 1,840 -c------ c:\program files\uDigestV3.vic
2007-12-09 15:18 880 -c------ c:\program files\uDigestV2.vib
2007-12-09 15:18 400 -c------ c:\program files\uDigestV1.via
2004-07-01 16:11 0 ac-sh--- c:\windows\sminst\HPCD.SYS
2008-08-06 08:48 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080620080807\index.dat

============= FINISH: 19:40:18.64 ===============



DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/05/2007 11:22:40 AM
System Uptime: 4/06/2009 2:27:48 PM (-1411 hours ago)

Motherboard: ASUSTeK Computer INC. | | Oxford
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 49.145 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.338 GiB free.
E: is CDROM ()
F: is Removable
J: is Removable
K: is Removable
L: is Removable
M: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\77DC41E01800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\77DC41E01800
Service: NIC1394

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6131
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6131
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

RP704: 9/02/2009 12:11:23 PM - System Checkpoint
RP705: 10/02/2009 12:38:48 PM - System Checkpoint
RP706: 11/02/2009 1:29:00 PM - System Checkpoint
RP707: 12/02/2009 1:26:21 AM - Software Distribution Service 3.0
RP708: 13/02/2009 8:04:56 AM - System Checkpoint
RP709: 14/02/2009 8:22:03 AM - System Checkpoint
RP710: 14/02/2009 5:06:53 PM - Installed iTunes
RP711: 15/02/2009 5:17:20 PM - System Checkpoint
RP712: 16/02/2009 5:50:43 PM - System Checkpoint
RP713: 18/02/2009 1:55:28 AM - Microsoft OneCare Protection Checkpoint
RP714: 19/02/2009 10:18:55 AM - System Checkpoint
RP715: 20/02/2009 10:50:27 AM - System Checkpoint
RP716: 21/02/2009 11:04:16 AM - System Checkpoint
RP717: 22/02/2009 11:24:24 AM - System Checkpoint
RP718: 23/02/2009 2:03:26 PM - System Checkpoint
RP719: 24/02/2009 2:49:17 PM - System Checkpoint
RP720: 25/02/2009 3:06:47 PM - System Checkpoint
RP721: 26/02/2009 3:17:36 PM - System Checkpoint
RP722: 27/02/2009 3:18:04 PM - System Checkpoint
RP723: 28/02/2009 3:41:05 PM - System Checkpoint
RP724: 1/03/2009 6:29:18 PM - System Checkpoint
RP725: 2/03/2009 6:38:10 PM - System Checkpoint
RP726: 3/03/2009 7:04:49 PM - System Checkpoint
RP727: 4/03/2009 8:26:29 PM - System Checkpoint
RP728: 6/03/2009 7:37:11 AM - System Checkpoint
RP729: 7/03/2009 7:45:27 AM - System Checkpoint
RP730: 7/03/2009 3:32:21 PM - Installed PC SpeedScan Pro
RP731: 7/03/2009 3:40:26 PM - Removed PC SpeedScan Pro
RP732: 8/03/2009 3:46:26 PM - System Checkpoint
RP733: 9/03/2009 5:05:37 PM - System Checkpoint
RP734: 10/03/2009 6:59:44 PM - System Checkpoint
RP735: 12/03/2009 1:00:08 AM - System Checkpoint
RP736: 13/03/2009 1:29:09 AM - System Checkpoint
RP737: 14/03/2009 2:42:40 AM - System Checkpoint
RP738: 15/03/2009 3:27:56 AM - System Checkpoint
RP739: 16/03/2009 4:27:56 AM - System Checkpoint
RP740: 17/03/2009 5:27:58 AM - System Checkpoint
RP741: 18/03/2009 6:27:57 AM - System Checkpoint
RP742: 19/03/2009 7:36:25 AM - System Checkpoint
RP743: 20/03/2009 8:01:24 AM - System Checkpoint
RP744: 21/03/2009 8:03:08 AM - System Checkpoint
RP745: 22/03/2009 9:03:10 AM - System Checkpoint
RP746: 23/03/2009 11:56:25 AM - System Checkpoint
RP747: 24/03/2009 1:45:15 PM - System Checkpoint
RP748: 25/03/2009 2:34:48 PM - System Checkpoint
RP749: 26/03/2009 3:01:51 PM - System Checkpoint
RP750: 27/03/2009 4:02:57 PM - System Checkpoint
RP751: 27/03/2009 8:33:38 PM - Cleaned registry with Windows Live OneCare safety scanner
RP752: 27/03/2009 9:28:31 PM - Installed Java(TM) 6 Update 13
RP753: 27/03/2009 9:42:09 PM - Installed Windows XP KB958644.
RP754: 27/03/2009 9:58:13 PM - Installed Windows XP KB960714.
RP755: 27/03/2009 10:46:03 PM - Installed SUPERAntiSpyware Free Edition
RP756: 28/03/2009 6:12:28 PM - Installed Windows XP KB958690.
RP757: 28/03/2009 6:29:42 PM - Installed Trend Micro Internet Security
RP758: 28/03/2009 9:28:32 PM - Installed Windows Resource Kit Tools - SubInAcl.exe
RP759: 28/03/2009 11:16:59 PM - Automatic Restore Point
RP760: 30/03/2009 1:02:12 AM - Installed Windows XP KB958644.
RP761: 30/03/2009 1:04:13 AM - Installed Windows XP KB958690.
RP762: 30/03/2009 1:05:26 AM - Installed Windows XP KB960225.
RP763: 30/03/2009 1:06:48 AM - Installed Windows XP KB938464-v2.
RP764: 30/03/2009 1:08:13 AM - Installed Windows XP KB958687.
RP765: 30/03/2009 1:11:48 AM - Installed Windows XP KB960715.
RP766: 30/03/2009 1:13:58 AM - Installed Windows XP KB961260.
RP767: 30/03/2009 1:16:10 AM - Installed Windows Media Player KB952069.
RP768: 31/03/2009 3:26:49 PM - System Checkpoint
RP769: 1/04/2009 9:34:45 AM - Removed Trend Micro Internet Security
RP770: 1/04/2009 9:38:15 AM - ComboFix created restore point
RP771: 2/04/2009 10:26:14 AM - System Checkpoint
RP772: 3/04/2009 11:20:09 AM - System Checkpoint
RP773: 3/04/2009 4:41:13 PM - Removed Java 2 Runtime Environment, SE v1.4.2_03
RP774: 3/04/2009 4:55:46 PM - Removed Java(TM) 6 Update 2
RP775: 3/04/2009 4:55:50 PM - Removed Java(TM) 6 Update 3
RP776: 3/04/2009 4:57:02 PM - Removed Java(TM) SE Runtime Environment 6 Update 1
RP777: 3/04/2009 5:06:42 PM - ComboFix created restore point
RP778: 3/04/2009 5:25:10 PM - Removed Adobe Reader 7.1.0
RP779: 3/04/2009 5:29:21 PM - Installed Adobe Reader 9.1.
RP780: 4/04/2009 5:35:59 PM - System Checkpoint
RP781: 5/04/2009 5:45:14 PM - System Checkpoint
RP782: 6/04/2009 11:04:30 AM - Removed Auction Sentry
RP783: 6/04/2009 11:06:56 AM - Removed eBay Toolbar
RP784: 6/04/2009 11:12:31 AM - Removed Java(TM) 6 Update 2
RP785: 6/04/2009 12:32:16 PM - Software Distribution Service 3.0

==== Installed Programs ======================


3D World Atlas
913D Camera
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 4
Bonjour
Broderbund Home Design 5.1
Brother MFL-Pro Suite
COMODO Internet Security
Critical Update for Windows Media Player 11 (KB959772)
Easy Internet Sign-up
ERUNT 1.1j
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet Preloaded Printer Drivers
HP Image Zone Plus 3.5
HP Software Update
HpSdpAppCoreApp
InterVideo Home Theater
InterVideo Teletext Epg Scanner
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
InterVideo WinDVDX
InterVideo WinDVRX
iTunes
Java(TM) 6 Update 13
KBD
Learning Ladder 3
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MSVC80_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCH® Jukebox
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Display Driver
OptusNet DSL
PaperPort
PC-Doctor for Windows
PC Connectivity Solution
PhoTags Express
Photosmart 140,240,7200,7600,7700,7900 Series
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
RecordNow!
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Shockwave
Siemens Subscriber Networks SpeedStream DSL
Skype™ 3.8
Sonic Update Manager
SUPERAntiSpyware Free Edition
System Requirements Lab
Toolkit View(HP)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Updates from HP
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

3/04/2009 5:25:43 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
3/04/2009 5:24:28 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
3/04/2009 5:24:28 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/04/2009 2:05:14 PM, error: Dhcp [1002] - The IP address lease 58.106.26.239 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 1:16:27 PM, error: Dhcp [1002] - The IP address lease 10.1.1.3 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 1:16:06 PM, error: Dhcp [1002] - The IP address lease 58.106.158.143 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 12:13:48 PM, error: Dhcp [1002] - The IP address lease 58.106.31.162 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 11:41:19 AM, error: Dhcp [1002] - The IP address lease 58.111.180.122 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 10:18:18 AM, error: Dhcp [1002] - The IP address lease 58.111.180.211 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 9:57:29 AM, error: Dhcp [1002] - The IP address lease 58.106.137.246 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
2/04/2009 9:44:04 PM, error: Dhcp [1002] - The IP address lease 122.111.94.81 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
2/04/2009 6:33:35 PM, error: Dhcp [1002] - The IP address lease 114.78.41.87 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
2/04/2009 3:34:34 PM, error: Dhcp [1002] - The IP address lease 58.106.46.254 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 5:59:29 PM, error: Dhcp [1002] - The IP address lease 58.106.46.111 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 5:23:28 PM, error: Dhcp [1002] - The IP address lease 114.78.32.179 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 4:37:16 PM, error: Dhcp [1002] - The IP address lease 122.111.17.176 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 12:15:15 PM, error: Dhcp [1002] - The IP address lease 58.111.182.140 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 11:34:41 AM, error: Dhcp [1002] - The IP address lease 58.106.158.23 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 11:26:22 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
1/04/2009 11:10:35 AM, error: Dhcp [1002] - The IP address lease 58.106.152.158 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 9:32:30 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SfCtlCom with arguments "" in order to run the server: {1A65BAB7-30B1-4FB7-BC13-D00C28FCF605}
1/04/2009 9:08:57 AM, error: Dhcp [1002] - The IP address lease 122.111.12.236 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 8:31:56 AM, error: Dhcp [1002] - The IP address lease 58.111.177.75 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 7:48:44 AM, error: Dhcp [1002] - The IP address lease 122.105.156.72 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
31/03/2009 8:28:16 PM, error: Dhcp [1002] - The IP address lease 122.111.18.37 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
31/03/2009 6:34:19 PM, error: Dhcp [1002] - The IP address lease 0.0.0.0 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
31/03/2009 5:48:45 PM, error: Dhcp [1002] - The IP address lease 58.106.27.244 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
31/03/2009 5:08:58 PM, error: Dhcp [1002] - The IP address lease 58.111.179.195 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
31/03/2009 4:39:33 PM, error: Dhcp [1002] - The IP address lease 58.111.178.96 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
31/03/2009 4:13:32 PM, error: Dhcp [1002] - The IP address lease 58.111.181.50 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
3/04/2009 6:17:05 PM, error: Dhcp [1002] - The IP address lease 58.107.77.123 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
4/04/2009 1:54:10 AM, error: Dhcp [1002] - The IP address lease 58.111.181.29 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
4/04/2009 8:57:42 AM, error: Dhcp [1002] - The IP address lease 58.106.154.72 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
4/04/2009 9:45:52 AM, error: Dhcp [1002] - The IP address lease 58.107.76.225 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
4/04/2009 11:52:24 AM, error: Dhcp [1002] - The IP address lease 58.111.179.115 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
4/04/2009 6:21:21 PM, error: Dhcp [1002] - The IP address lease 58.111.180.123 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
4/04/2009 9:35:22 PM, error: Dhcp [1002] - The IP address lease 122.109.107.105 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
5/04/2009 12:31:58 AM, error: Service Control Manager [7034] - The COMODO Internet Security Helper Service service terminated unexpectedly. It has done this 1 time(s).
5/04/2009 2:54:34 AM, error: Dhcp [1002] - The IP address lease 122.111.19.211 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
5/04/2009 8:27:36 AM, error: Dhcp [1002] - The IP address lease 58.106.30.44 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
5/04/2009 10:20:51 AM, error: Dhcp [1002] - The IP address lease 122.105.159.83 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
5/04/2009 10:53:58 AM, error: Dhcp [1002] - The IP address lease 58.107.77.109 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
5/04/2009 6:26:23 PM, error: Dhcp [1002] - The IP address lease 122.111.92.210 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 9:39:28 AM, error: Dhcp [1002] - The IP address lease 122.111.14.77 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 10:28:39 AM, error: Dhcp [1002] - The IP address lease 122.105.152.17 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 11:10:42 AM, error: Dhcp [1002] - The IP address lease 122.111.16.216 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 11:43:18 AM, error: Service Control Manager [7028] - The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
6/04/2009 11:46:27 AM, error: Dhcp [1002] - The IP address lease 58.111.183.33 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 11:47:26 AM, error: Service Control Manager [7028] - The BITS Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
6/04/2009 2:35:39 PM, error: Dhcp [1002] - The IP address lease 122.111.11.235 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 4:00:40 PM, error: Dhcp [1002] - The IP address lease 122.111.14.85 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 6:08:22 PM, error: Dhcp [1002] - The IP address lease 58.106.41.173 for the Network Card with network address 00112F05609A has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 7:39:34 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.

==== End Of File ===========================
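The Service Control Manager entries that matter for this thread are easy to miss among the DHCP errors in the log above. As an added example (not part of the original posts), this Python sketch parses lines in that log's format and pulls out the wuauserv/BITS start failures and registry-permission events in chronological order. The sample lines are constructed, with documentation addresses in the DHCP entries, and all function names are illustrative.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "when level source event_id message")

# "D/MM/YYYY H:MM:SS AM, level: Source [ID] - message", as in the log above.
LINE_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (\w+): "
    r"(.+?) \[(\d+)\] - (.*)$"
)
KEY_DENIED_RE = re.compile(r"The (\S+) Registry key denied access to SYSTEM")
START_FAILED_RE = re.compile(r"The (.+?) service failed to start")

# Key names and display names of the two services this thread is about.
WATCHED = {
    "wuauserv": "wuauserv",
    "automatic updates": "wuauserv",
    "bits": "BITS",
    "background intelligent transfer service": "BITS",
}

# Constructed sample in the log's format; DHCP lease and MAC are documentation values.
SAMPLE_LOG = """\
==== Event Viewer Messages From Past Week ========
3/04/2009 5:24:28 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
3/04/2009 2:05:14 PM, error: Dhcp [1002] - The IP address lease 192.0.2.10 for the Network Card with network address 00005E005301 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
1/04/2009 11:26:22 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
31/03/2009 4:13:32 PM, error: Dhcp [1002] - The IP address lease 192.0.2.11 for the Network Card with network address 00005E005301 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
6/04/2009 11:43:18 AM, error: Service Control Manager [7028] - The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
6/04/2009 11:47:26 AM, error: Service Control Manager [7028] - The BITS Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
6/04/2009 7:39:34 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
"""

def parse_events(text):
    """Return an Event for every line in the log's format; skip headers and blanks."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%m/%Y %I:%M:%S %p")  # day first
        events.append(Event(when, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return events

def noise_summary(events):
    """Count events per (source, event id) so repeated noise collapses to one row."""
    return Counter((e.source, e.event_id) for e in events)

def update_service_findings(events):
    """Chronological (when, service, problem) tuples for wuauserv and BITS only."""
    findings = []
    for e in sorted(events, key=lambda ev: ev.when):
        if e.source != "Service Control Manager":
            continue
        if e.event_id == 7028:
            m, problem = KEY_DENIED_RE.search(e.message), "registry key denies SYSTEM"
        elif e.event_id == 7000:
            m, problem = START_FAILED_RE.search(e.message), "service failed to start"
        else:
            continue
        service = WATCHED.get(m.group(1).lower()) if m else None
        if service:
            findings.append((e.when, service, problem))
    return findings

if __name__ == "__main__":
    for when, service, problem in update_service_findings(parse_events(SAMPLE_LOG)):
        print(when, service, problem)
```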
 
Hi

Let's try to set rights for your user account on those two registry keys.


Download ERUNT
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.

Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Click Start then Run
Type in regedit
Click Ok.

In left pane of registry editor, Navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv

Click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritable permissions and press copy. Click on everyone and put a checkmark in full control, press apply and ok.

Repeat with HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS key.
 
Hi Blade

Ran ERUNT as suggested, however I'm confused with the next part in the Registry Editor :scratch:

I highlighted the key you outlined, clicked on edit and went into advanced to get to the permissions tab. "Inherit from parent the permission entries etc." was already unticked (is this the area you're talking about?), and I'm not sure about hitting "copy" as there's no copy button there? Under Permissions for Administrators, Full Control and Read are both already ticked so didn't need to do anything there. It's just the "inherit" and "copy" parts that confuse me. Argh, my beacon is shining brightly again!! :red:

Thanks!
Julie
 
Hi Julie

If those permissions were already set as full control then there's no need to adjust anything with that. However, please see if the group or user names table (in the permissions window) contains SYSTEM and if it has full control set.
 
Nope! Nothing in Group or username table. None of the boxes are ticked on that table either. Only ticked boxes are on the security window, and they're Full Control and Read :)
 
Hi

Could you attach a screenshot of either the BITS or wuauserv permissions window, please? A picture usually gives a better idea of the situation :)
 
Ok. That explains it better :)

Please do the following in the Permissions for wuauserv window:
1. Click Add.
2. In the Select Users or Groups window there's an "Enter the object names to select" list box. Please write SYSTEM into that box and click the Check Names button. If the name was correct it should appear underlined after that. Please click OK to close the window.
3. In the Permissions window make sure SYSTEM is activated and then set Full Control & Read as allowed in the Permissions table.

Repeat that same thing for BITS key.
 
Yes, I think it's time to wrap this topic up :)

You asked earlier if Avast would be a good choice to replace Comodo Antivirus. Yes, that would be a good one.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type "c:\documents and settings\Owner\Desktop\ComboFix.exe" /u in the runbox and click OK


Next we remove all used tools.

Please download OTMoveIt3 and save it to desktop.
  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Blade

All done and the computer is running like clockwork! I can't thank you enough for all your patience and help. This is the first time I've used these help forums.... and hopefully it will be the last! hehe. Meant in the nicest possible way of course.

Truly, you've saved me time and money.. and I've learnt a thing or 2 as well!

Here's to a "forever clean" machine. Is that even possible? hehe

Cheers! And thanks heaps!! :beerbeerb:

Julie :angel:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 