Incomplete malware (Zlob) removal

Cannot open the file: mk: @MSITStore\Software\Installs\Spybot - Search & Destroy\Help\English.chm
Hi

Download http://www.dougknox.com/xp/fileassoc/xp_chm_fix.zip to your desktop. Extract the archive to find xp_chm_fix.reg. Double-click it and allow it to merge the items into the registry.

This IP address starts with 10.25.x.x, the last two changing often. For example, I looked up 10.25.192.132 and 10.25.193.125 with no success. The signal is blocked both incoming and outgoing. Less common IPs are blocked too, but are much rarer. I get one of these messages like every 15 minutes.
Those IP addresses are from private IP address space. Is your system connected to some local area network?

Ah, my removable drives are usually labelled H:\. About this file, H:\ntde1ect.com, has the virus spread to my pen drives, cellphones, or music players?
Yes, you should reformat those removable drives you've used in your system. Otherwise they'll infect other systems when plugged in.
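As an added example (not from the thread, and not code from any tool mentioned in it), here is how the removable-drive mechanism behind a file like H:\ntde1ect.com can be triaged before the drive is plugged into a clean machine. Worms of this kind drop an autorun.inf beside the payload so that Explorer launches it when the drive is opened or double-clicked. The autorun.inf contents, the obfuscated variant and the drive listing below are constructed for illustration; ntdetect.com appears only as the legitimate boot file whose name this one imitates.

```python
import re
from typing import Dict, List

# Constructed sample (not taken from the thread): the autorun.inf a removable-drive
# worm typically drops beside its payload. The payload name is the one the poster
# reported, H:\ntde1ect.com; everything else in the file is assumed.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=ntde1ect.com
shell\open=Open
shell\open\Command=ntde1ect.com
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=ntde1ect.com
"""

# Constructed sample with the junk lines some variants insert so that naive
# INI parsers give up; the launch directives are still there.
OBFUSCATED_AUTORUN_INF = r"""[AutoRun]
;xjd93kf@@@
open  = "ntde1ect.com"
$%^&*junk line with no separator
ShellExecute=ntde1ect.com
"""

# Constructed root listing of the pen drive, used instead of os.listdir("H:\\")
# so the example runs anywhere.
SAMPLE_ROOT_LISTING = ["autorun.inf", "ntde1ect.com", "Music", "Photos"]

# Directives that make Explorer run something when the volume is opened or the
# AutoPlay default action fires: open=, shellexecute=, shell\<verb>\command=.
LAUNCH_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)
EXEC_EXTS = (".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# Legitimate files at the root of a Windows XP boot volume; a near-identical
# name at the root of a pen drive is a classic disguise.
KNOWN_ROOT_FILES = ("ntdetect.com", "ntldr", "boot.ini")


def extract_launch_targets(inf_text: str) -> List[str]:
    """Return the distinct files autorun.inf would launch, in order of appearance.

    Scans line by line instead of using configparser, so junk lines that are
    there to break INI parsers do not hide the directives.
    """
    targets: List[str] = []
    for line in inf_text.splitlines():
        m = LAUNCH_RE.match(line)
        if not m:
            continue
        target = m.group(2).strip().strip('"')
        # "open=foo.exe /q": the executable is the first token
        target = target.split()[0] if target else target
        if target and target not in targets:
            targets.append(target)
    return targets


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes such as ntde1ect.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_autorun(inf_text: str, root_listing: List[str]) -> Dict[str, List[str]]:
    """Map each launch target to the reasons it looks like a worm payload."""
    present = {name.lower() for name in root_listing}
    findings: Dict[str, List[str]] = {}
    for target in extract_launch_targets(inf_text):
        name = target.lower()
        reasons = []
        if name in present:
            reasons.append("launch target exists at the drive root")
        if name.endswith(EXEC_EXTS):
            reasons.append("launch target is an executable type")
        for known in KNOWN_ROOT_FILES:
            if name != known and levenshtein(name, known) == 1:
                reasons.append(f"name is one character away from {known}")
        findings[target] = reasons
    return findings


if __name__ == "__main__":
    for label, text in (("plain", SAMPLE_AUTORUN_INF), ("obfuscated", OBFUSCATED_AUTORUN_INF)):
        print(label)
        for target, reasons in assess_autorun(text, SAMPLE_ROOT_LISTING).items():
            print(f"  {target}: {'; '.join(reasons) or 'nothing suspicious'}")
```

On a real drive you would call assess_autorun(open(r"H:\autorun.inf").read(), os.listdir("H:\\")); both files are usually marked hidden and system, so check with attrib or a dir /a listing. Do the inspection from a machine with AutoRun disabled for removable media (the NoDriveTypeAutoRun policy value set to 0xFF under the Explorer policies key), otherwise opening the drive in Explorer is exactly what triggers the launch. This only tells you what the drive would have run; the helper's advice to reformat the drives remains the reliable fix, since the payload may have been copied under other names as well.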
 
No luck :(

I downloaded it and added it to the registry successfully. But that didn't work out. Suggestions? Compiled HTML? Hmm, using Firefox didn't work out! :)
Cannot open the file: mk: @MSITStore:D:\Software\Installs\Spybot - Search & Destroy\Help\English.chm
Yes, this computer uses Shared Internet - using LANs to access dialled broadband Internet - however, in 'My Network Places', I can't seem to find any other systems. Maybe I could change my computer privacy settings in some way?
 
I downloaded it and added it to the registry successfully. But that didn't work out. Suggestions? Compiled HTML? Hmm, using Firefox didn't work out!
Cannot open the file: mk: @MSITStore\Software\Installs\Spybot - Search & Destroy\Help\English.chm

Hi

Please try the instructions given here.

Yes, this computer uses Shared Internet - using LANs to access dialled broadband Internet - however, in 'My Network Places', I can't seem to find any other systems. Maybe I could change my computer privacy settings in some way?
This is more like a networking issue. You might want to ask about it at the PC Pitstop forums after we've finished here :)
 
It worked!

Yipeeee! It worked! I just downloaded MJsDiag and ran it up! It worked Blade! I didn't need to delete the files in step 2!
Logfile: MJsDiagnostics
MJ's Help Report

A common problem with HTML Help 1.x is DLLs not correctly registered during installation. This utility checks all components and registers DLLs if required. We also report if the RoboHelp DLL is registered, and if MS Help 2 components are installed and registered.

After running the report, try running your program again to see if the fault has cleared.
General Info

Report EXE: C:\Documents and Settings\MANSIB\Desktop\MJsDiag.exe
Report Run Date: 10/13/2008 11:10:03 AM
Report EXE Version: 2.7.2.0
Download URL: http://helpware.net/downloads/

Operating System: Windows NT 5.1.2600
SysLocale.DefaultLCID: 0x0409 (1033)
SysLocale.PriLangID: 0x0009 (9)
SysLocale.SubLangID: 0x0001 (1)
DecimalSeparator: .

HH Installed: YES
HH Version: 5.2.3790.2847
HH Friendly Version: > 1.4a

H2 Installed: NO
H2 Version:

IE Installed: YES
IE Version: 6.0.2900.3354
IE Friendly Version: Internet Explorer 6 (Windows XP SP2)

NT Administrator

NT Admin Check: Current user has full administor privileges: YES

HTML Help Run-time Components

File Registered OK: C:\WINDOWS\system32\hhctrl.ocx (Version: 5.2.3790.2847)
File Registered OK: C:\WINDOWS\system32\itss.dll (Version: 5.2.3790.2453)
File Registered OK: C:\WINDOWS\system32\itircl.dll (Version: 5.2.3790.2453)

File Found: C:\WINDOWS\system32\hhctrl.ocx
Version = 5.2.3790.2847
Registry Info: {adb880a6-d8ff-11cf-9377-00aa003b7a11}
ClassName = HHCtrl Object
InProcServer32 = C:\WINDOWS\system32\hhctrl.ocx
ProgID = Internet.HHCtrl.1
DLL is Found and Registered OK = YES

File Found: C:\WINDOWS\system32\itss.dll
Version = 5.2.3790.2453
Registry Info: {5D02926A-212E-11D0-9DF9-00A0C922E6EC}
ClassName = Microsoft InfoTech IStorage System
InProcServer32 = C:\WINDOWS\system32\itss.dll
ProgID = MSITFS1.0
DLL is Found and Registered OK = YES

File Found: C:\WINDOWS\system32\itircl.dll
Version = 5.2.3790.2453
Registry Info: {4662DAA5-D393-11D0-9A56-00C04FB68BF7}
ClassName =
InProcServer32 = C:\WINDOWS\system32\itircl.dll
ProgID = ITIR.WordWheelBuild.4
DLL is Found and Registered OK = YES


For HH Version Info See: http://helpware.net/htmlhelp/hh_info.htm

HTML Help 1.x Registry Settings

Description: If present this Key can disable HH Shortcuts and HH WinHelp commands on the local PC
Reference: KB 810687, KB 323180

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
Value: HelpQualifiedRootDir (string value) =
-> Report: Policy is not enabled. HH Shortcuts are not restricted on local machine.

Description: This key can be used to enable Hhctrl.ocx ActiveX Visual controls on servers
Reference: KB 892675

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions
Value: UrlAllowList (string value) =
Value: MaxAllowedZone (string value) =
-> Report: Settings reported for information only.

Description: This key allows MS programs such as iexplore.exe to open ITS file that do not have a .CHM file extension
Reference: KB 873343

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HelpRestrictions\AllowedExtensions
-> Report: No special file extensions have been enabled on this PC.

Description: This key can be used to allow access to remote ITS files
Reference: Win 2003 SP1, KB 896054

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions
Value: UrlAllowList (string value) =
Value: MaxAllowedZone (string value) =
Value: NestedProtocolList (string value) =
-> Report: Settings reported for information only.

For HH Registry Info See: http://helpware.net/htmlhelp/hh_info.htm#hh14

HTML Help 1.x Workshop Components

*** HH Workshop not found or not installed correctly. Try reinstalling.

File not found: C:\Program Files\itcc.dll


*** File Not Found: hha.dll

KeyHelp OCX by Keyworks.net - KeyHelp.ocx

This is for information only. KeyHelp is a 3rd party DLL.
*** KeyHelp.ocx is not registered or not installed!
*** You can register your KeyHelp.ocx using the "Register a DLL" button.
*** KeyHelp.ocx could be installed anywhere on your PC by normally resides in the Windows System folder.

For More Info See: http://keyworks.net/

RoboHelp DLL by eHelp/Macromedia - HHActiveX.dll

This is for information only. HHActiveX is a 3rd party DLL.
*** HHActiveX.dll is not registered or not installed!
*** You can register your HHActiveX.dll using the "Register DLL..." button.
*** HHActiveX.dll could be installed anywhere on your PC.

For More Info See: http://www.macromedia.com/

MS Help 2 Run-time Components

*** MS Help 2 NOT installed on this PC

Thanks a million!
I scanned with MalwareBytes Anti-Malware, Spybot S&D, and AVG. They came up clean. I defragmented the drives (using Defraggler and Disk Defragmenter) and the Windows Registry (using Glary Utilities). I cleaned up the registry (which showed my Kazaa, knight and other malware entries were empty).

Logfile: HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:17 AM, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Software\Installs\AVG\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\Installs\AVG\avgrsx.exe
D:\Software\Installs\AVG\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Software\Installs\ZoneAlarm\zlclient.exe
D:\Software\Installs\AVG\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Mozilla Firefox\firefox.exe
D:\Software\Installs\AVG\avgui.exe
D:\Software\Installs\AVG\avgscanx.exe
D:\Software\Installs\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Software\Installs\AVG\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Software\Installs\AVG\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Software\Installs\AVG\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Software\Installs\AVG\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4814 bytes

And about that IP address, I decided to ask my ISP first about it. It still comes up.
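Two points raised in this thread, the 10.x.x.x addresses in the firewall alerts and the review of the HijackThis log, can be checked with one small script. The following is an added example, not part of any post above and not HijackThis's own code: it classifies addresses with Python's ipaddress module and applies a few triage rules to log lines. The sample lines are copied from the log above and the two alert addresses from the earlier post; the triage rules (Run entries with an unqualified image name, DPF controls loaded from file:, DNS servers in private space, services with no publisher) are my own choices for a first pass, not an official checklist, and a hit means "verify", not "malicious".

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed input: a handful of lines copied from the HijackThis log in the
# thread, plus the two addresses from the poster's firewall alerts.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Software\Installs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED9B4A79-D761-4424-8623-80F86ABC7671}: NameServer = 10.15.0.10 10.15.0.11
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
FIREWALL_ALERT_IPS = ["10.25.192.132", "10.25.193.125"]

Finding = Tuple[str, str, str]  # (section, reason, detail)

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_RE = re.compile(r"\[([^\]]*)\] (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[^}]+\}) \(([^)]*)\) - (\S+)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")


def classify_address(text: str) -> str:
    """Label an address the way the helper did: private (RFC 1918, i.e. a LAN
    or ISP-internal network) versus public, with the other special ranges named."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_multicast:
        return "multicast"
    return "public"


def launched_image(command: str) -> str:
    """First token of a Run-key command: the quoted path, or the bare first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            r = RUN_RE.search(body)
            if r:
                image = launched_image(r.group(2))
                # A bare name is resolved through the search path at logon, so a
                # same-named file in an earlier directory would run instead.
                if image and "\\" not in image:
                    findings.append((section, "Run entry uses an unqualified image name", image))
        elif section == "O16":
            d = DPF_RE.match(body)
            if d:
                url = d.group(3)
                if urlparse(url).scheme == "file":
                    findings.append((section, "ActiveX control registered from a local file", url))
        elif section == "O17":
            if "NameServer =" in body:
                servers = body.split("NameServer =", 1)[1].split()
                private = [s for s in servers if classify_address(s) == "private"]
                if private:
                    findings.append((section, "DNS servers are in private address space (LAN or ISP-internal)", " ".join(private)))
        elif section == "O23":
            s = SERVICE_RE.match(body)
            if s and s.group(2) == "Unknown owner":
                findings.append((section, "service binary carries no publisher information", s.group(3)))
    return findings


if __name__ == "__main__":
    for ip in FIREWALL_ALERT_IPS:
        print(f"{ip}: {classify_address(ip)}")
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Run against a full log with triage(open("hijackthis.log").read()). The 10.25.x.x alert addresses and the 10.15.0.x name servers come out as private, which is consistent with the shared-Internet LAN the poster describes: traffic to and from those hosts never leaves the local network, so a WHOIS lookup on them cannot succeed, and the ISP (or whoever runs that LAN) is the right party to ask about it.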
 
You're welcome, and thanks for the nice card.


Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files; you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type ComboFix /u in the run box and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download SpywareBlaster
    SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets kill bits in the registry, so that certain ActiveX controls can't install.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster here
    SpywareBlaster tutorial
  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the Start button (at the lower left hand corner of your screen)
    2. Click Run
    3. In the dialog box, type services.msc
    4. Hit Enter, then locate DNS Client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from Automatic to Manual.
    7. Click OK


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade
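The six Internet Explorer settings listed in the post above are stored as numeric action values under the per-user Internet Settings\Zones\3 key (zone 3 is the Internet zone; the action IDs are the ones documented in Microsoft KB 182569, and the values are 0 = Enable, 1 = Prompt, 3 = Disable). The following is an added example, not part of the post and not from any tool named in it: it renders a .reg file that applies the same six settings, and reports which of a zone's current values are more permissive than recommended. CURRENT_EXAMPLE is a constructed set of values, not something read from a real machine.

```python
from typing import Dict, List, Tuple

# IE security-zone action IDs (Microsoft KB 182569) for the six settings the
# post changes, with the recommended value: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
VALUE_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Zone 3 is the Internet zone (0 = My Computer, 1 = Local intranet,
# 2 = Trusted sites, 4 = Restricted sites). Per-user settings live under HKCU.
INTERNET_ZONE_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\Zones\3"
)

# Constructed example of a loosened Internet zone (assumed values, not read
# from a real machine): signed-ActiveX download and cross-domain sub-frame
# navigation have been set to Enable.
CURRENT_EXAMPLE: Dict[str, int] = {
    "1001": 0, "1004": 3, "1201": 3, "1800": 1, "1804": 1, "1607": 0,
}


def weaker_than_recommended(current: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """Return (action id, name, current, recommended) for every action whose
    current value is more permissive than the recommended one. Lower numbers are
    more permissive (Enable < Prompt < Disable), so a plain comparison works.
    An action absent from `current` is reported as 'not set': IE then uses the
    zone template default, which this script cannot see, so it needs a look."""
    weak = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        if action_id not in current:
            weak.append((action_id, name, "not set", VALUE_NAMES[wanted]))
        elif current[action_id] < wanted:
            cur = VALUE_NAMES.get(current[action_id], str(current[action_id]))
            weak.append((action_id, name, cur, VALUE_NAMES[wanted]))
    return weak


def build_reg_file(settings: Dict[str, Tuple[str, int]] = RECOMMENDED) -> str:
    """Render a .reg file (Regedit version 5 format, CRLF line endings) that
    writes the recommended values. Lines starting with ';' are comments."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{INTERNET_ZONE_KEY}]"]
    for action_id, (name, value) in settings.items():
        lines.append(f"; {name} = {VALUE_NAMES[value]}")
        lines.append(f'"{action_id}"=dword:{value:08x}')
    lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for action_id, name, cur, want in weaker_than_recommended(CURRENT_EXAMPLE):
        print(f"{action_id} {name}: {cur} -> {want}")
    print(build_reg_file())
```

Save the output with a .reg extension and double-click it to merge, as with the xp_chm_fix.reg step earlier in the thread; the Custom Level dialog then shows the new values. Two caveats: if the machine has Security_HKLM_only set under the Internet Settings key, the HKLM copy of the zone key is consulted instead of HKCU, and the Trusted Sites zone the poster later lowered is a separate key (Zones\2) whose settings apply to every site added to that list, so only sites you fully trust belong there.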
 
Looking good!

1. Restarted System Restore.
2. Uninstalled Combofix.
3. Using Automatic Updates, I installed Security Updates for CAPICOM. I have no idea what that was.
4. Changed Internet Explorer settings. I changed settings for Trusted Sites to Medium-Low to stop the 'You are going to an encrypted page.' messages.
5. Installed SpywareBlaster, updated it, and clicked on 'Enable All Protection'.
6. Updated everything from IM to AV. Removed HijackThis (hopefully I won't need it now) and quite a few games. I can't remove Ubuntu! Clicking on the remove button, or directly accessing the Uninstall icon doesn't work. Whenever I boot up, I get the 'Choose Operating System' message. I plan to upgrade to SP3 before installing Ubuntu as the 2nd OS.
7. Perhaps because of high security settings, using Internet Explorer from other programs (for example, clicking on the 'New Mail' button in Yahoo Messenger) gives me an error message like '<url> not found'. Not to worry, I made Firefox my default browser, and have fun by ridiculing everyone who uses Internet Explorer!
8. Did NOT install Hosts files, because the computer is slow already with all these processes I refrained from installing before the Shock.
9. Firefox add-ons are very useful, but probably not as useful as 17 running together. So I uninstalled some, disabled some, but still I just can't reduce active add-ons to less than 5!
10. My annoying habit of testing every freeware in this planet has caused remnants of them remaining after uninstallation. I'll delete the folders at least.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 