Help Please, infected computer

[shelf life]

Hi,

Combofix shouldn't be used by individuals unless you know what you are doing. Its a tool to help in the removal of malware, its not a scanner like MBAM is.
MBAM is excellent, always check for updates before using it. Its good practice to keep it (and all software) updated even if you dont scan that much.

Looks like a service may have been left behind:
look in C:/Program Files/Ares
you can delete the Ares folder.

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

Hows it all looking on your end now?

 

[40luv]

Hi,

Thank you for your assistance, much appreciated.

I uninstalled combofix.
I deleted the Ares folder.
I fixed checked the 023 from the hjt scan.

It's looking good at this end, even resolved the firefox ssl protocol problem.

Any suggestions for real time anti virus?

Thanks again.

 

[shelf life]

your welcome. For AV I like free myself.
AVG:
http://free.avg.com/

AVAST:
http://www.avast.com/

AVIRA:
http://www.free-av.com/en/download/index.html

CLAMWIN:
http://www.clamwin.com/content/view/18/46/

You can make a new restore point. The how and why:

One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

If all is good, some info for you:

Reducing Your Risk To Malware:
The Short Version:

1) It is essential to Keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

 

[40luv]

Thanks for the recommendations.

I am logged on as the administrator but when i right click on My Computer>Properties, there is no system restore tab!

I was able to get to system restore via Start>Help and Support>System Restore>System Restore Settings and the check and unckecked "Turn Off System Restore". Is this ok.

Why did i not get the system restore tab? (see paragraph 2)

Also why can i not turn on Automatic Updates in Windows Security Center, Firewall is on.

 

[40luv]

I'm liking mbam, i'm gonna run it daily.

Will Perform quick scan be sufficient or should i run Full scan everytime.

I'm learning Tks again.

 

[shelf life]

hi,

dont know why theres no tab. the other way will work fine also for making a new restore point.

Automatic Updates

go to start>run and type in cmd
at the prompt >_
copy paste whats below and press enter
close the window
reboot computer
see if you can start Auto updates

sc start bits

quick scan be sufficient or should i run Full scan everytime

I suppose everyday a quick scan would do, and maybe a full scan once a week or so. It really depends on your computing habits. Read through that top 10 list I posted. The paid version of MBAM offers autoupdates and real time protection.

 

[40luv]

Hi,

I followed ur direction,

go to start>run and type in cmd
at the prompt >_
copy paste whats below and press enter
close the window
reboot computer
see if you can start Auto updates

I get a message "The system cannot find the file specified"

 

[shelf life]

ok do this instead. start>run and type in services.msc
click ok
the Windows service panel will open
under the name column look for:

Background Intelligent Transfer Service

right click on it and select properties.
under the general tab:

the Startup type should be: Automatic. If its not change it
The Service Status should say Started, if its not change it
by clicking the Start button
click ok
reboot computer

see if that solves it.

 

[40luv]

No it did not solve it, I got the following error message:

Could not start the Background Intelligent Transfer Service service on local computer.

Error 2: The system cannot find the file specified

 

[shelf life]

ok try this also;

start>run and type in cmd
click ok or enter
at the prompt >_
copy/paste in the code below and click enter;
close window, reboot, cross fingers

sc start wuauserv

 

[40luv]

This is what i got,


StartService Failed 1058:

The service cannot be started, either because it is disabled or either because it has no enabled devices associated with it.

 

[40luv]

Seems like something is missing and or i'm not being recognized as administrator although i am log in as such.

 

[shelf life]

no joy yet.

see if you can stop and start system beep;

at the >_ prompt like before type:

sc stop beep

the "state" in the list should say: stopped

then
sc start beep

the state should return: running

You may get some more helpful info if you go to the windows update website.
with BITS not running it should fail there also. You may get some error messages from the web site that may provide a solution.

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

Also please post another hjt log

 

[40luv]

This is what i got:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Ron>sc stop beep

SERVICE_NAME: beep
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

 

[40luv]

Here is Hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:48 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124415122515
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7096 bytes

 

[shelf life]

ok it stopped. You can do sc start beep to get it going.

since that appears ok then I wouldnt think you should have any problem starting the BITS or wuauserv service, which requires you to be admin.

did you visit windows updates for any suggestions on the error messages?

you might also try sfc /scannow

Look here for a guide:
http://www.updatexp.com/scannow-sfc.html

 

[40luv]

Okay well i have followed everything you've instructed (and i thank you) but nothing seems to be working.
I have gone the windows update site but it cannot/will not update my system and when i try to do as the website directs, i get an "access denied".

I'm very frustrated at this point.

Firefox seems to be running okay, but there is some websites i visit that i need Explorer.

How do i do a complete reload. By that i mean wipe everything out then reinstall original files. i have the system disk from purchase of pc. Thanks.

 

[shelf life]

Your welcome. Sorry I couldnt resolve it for you. Your best bet for doing a re-install would be the computer manuf. website. I build my own and have never used a recovery CD or recovery partition on a hard drive. It may be as easy as popping in the CD and picking a option from the list.
Most commercial computer vendors maintain informative web sites with helpful information. Read up on the info first. You might have several options;

Reinstall Windows
Reformat and reinstall Windows
Restore to factory defaults.

For sure the second option will wipe the Hard Drive. The other two may retain your data. This is the info you want to know before preceding. As a precaution for all of them you might want to pull off any data that you created and you dont want to lose, like documents, photos etc. USB flash drives are inexpensive and can hold up to GB's of data. Burning CD's are another option. There are also online storage sites that you can upload data to. The one I use is kind of slow as it transfers via Java applet, but its free up to 50GB: http://www.adrive.com/plans
Spend some time at your computer vendors website before you proceed.
When all is done make Windows update your first stop. If I can help you feel free to post back.