# Solved: Can't access Microsoft websites.



## Stubby (Jul 13, 2002)

I've read most of the forums concerning this problem, but have yet to come up with a solution. I'm running XP on two laptops side by side (both wireless). One has no problem, but I can't access either microsoft.com or symantec.com (I've just switched both laptops to Kaspersky). Can anyone help? Thanks.


----------



## ~Candy~ (Jan 27, 2001)

See the first post in this forum for instructions on how to download, install, run, and post a Hijack This log for the problem computer.


----------



## Stubby (Jul 13, 2002)

Here's the Hijack log. I had already had it prepared in case it was needed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:14 AM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://www.americangreetings.b719.cn/ultrashim.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 8024 bytes


----------



## Stubby (Jul 13, 2002)

bump


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop

Download ComboFix from *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the net*
--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

*WARNING: If you have not already done so, Combofix will disconnect your machine from the Internet when it starts*
*Please do not re-connect your machine back to the Internet until Combofix has completely finished.*
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****


----------



## Cookiegal (Aug 27, 2003)

Whoops. Derek was faster.


----------



## ~Candy~ (Jan 27, 2001)

Thanks Derek :up:

Stubby, I asked for assistance on the hijack this log 

LOL @ Karen  Thanks for looking too


----------



## Stubby (Jul 13, 2002)

Thanks guys (and gals). I'll report back with the results soon.


----------



## Stubby (Jul 13, 2002)

O.K. When I download combofix, my anti-virus says it contains a virus "heur.Invader". Now what?


----------



## ~Candy~ (Jan 27, 2001)

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


From Derek's post above.


----------



## Stubby (Jul 13, 2002)

O.K. Here are the logs for Combofix and HijackThis.

ComboFix 08-01-09.2 - Ownern 2008-01-09 9:17:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT -8:00]
Running from: C:\Documents and Settings\Ownern\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\new_drv.sys
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NEW_DRV

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-09 09:16 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-06 15:09 . 2008-01-06 15:09	7,467,056	--a------	C:\Temp\spybotsd15.exe
2008-01-06 15:02 . 2008-01-06 15:02 d--------	C:\Program Files\Trend Micro
2008-01-06 15:01 . 2008-01-06 15:01	812,344	--a------	C:\Temp\HJTInstall.exe
2008-01-02 08:01 . 2008-01-07 11:16	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-02 08:01 . 2008-01-02 08:01	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-31 11:22 . 2007-12-31 11:22 d--------	C:\Program Files\Kaspersky Lab
2007-12-31 11:22 . 2008-01-09 09:29 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-31 11:22 . 2008-01-09 09:29	7,911,712	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-31 11:22 . 2008-01-09 09:28	168,480	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-31 11:22 . 2008-01-09 09:27	106,580	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-31 11:22 . 2007-12-31 12:21	91,492	--a------	C:\WINDOWS\system32\drivers\klin.dat
2007-12-31 11:22 . 2007-12-31 12:21	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2007-12-31 11:22 . 2008-01-09 09:27	16,844	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-30 09:07 . 2007-12-30 09:07 d--------	C:\KAV
2007-12-30 09:01 . 2007-12-30 09:07	24,760,584	--a------	C:\Temp\kav7.0.0.125en.exe
2007-12-30 08:30 . 2006-04-11 06:24 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-30 08:30 . 2007-12-05 18:11 d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-29 16:53 . 2007-12-29 16:53 d--------	C:\Documents and Settings\All Users\Application Data\PopCap
2007-12-22 22:58 . 2007-10-10 15:56	824,832	--a------	C:\WINDOWS\system32\oldwn.tmp
2007-12-22 22:58 . 2007-12-29 07:25	87,040	--a------	C:\WINDOWS\system32\dllcache\ws2_32.dll
2007-12-22 22:58 . 2004-08-04 00:00	82,944	--a------	C:\WINDOWS\system32\oldws.tmp
2007-12-22 22:58 . 2007-12-22 22:58	8,704	--a------	C:\WINDOWS\system32\sporder.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 00:17	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 16:56	---------	d-----w	C:\Program Files\Motorola Phone Tools
2008-01-01 23:24	---------	d-----w	C:\Program Files\SlySoft
2008-01-01 23:03	---------	d-----w	C:\Documents and Settings\Ownern\Application Data\1clickPro
2007-12-12 22:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-04 18:47	---------	d-----w	C:\Documents and Settings\Ownern\Application Data\Apple Computer
2007-12-04 18:40	---------	d-----w	C:\Program Files\QuickTime
2007-12-04 18:40	---------	d-----w	C:\Program Files\iTunes
2007-12-04 18:40	---------	d-----w	C:\Program Files\iPod
2007-12-04 18:40	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-04 18:37	---------	d-----w	C:\Program Files\Common Files\Apple
2007-12-04 18:37	---------	d-----w	C:\Program Files\Apple Software Update
2007-12-04 18:37	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-12-04 15:54	---------	d-----w	C:\Program Files\VideoLAN
2007-12-04 14:45	9,733,451	----a-w	C:\vlc-0.8.6d-win32.exe
2007-12-03 21:57	---------	d-----w	C:\Program Files\Common Files\Download Manager
2007-12-03 21:54	128,336	----a-w	C:\Download_WMAConvert-Download.exe
2007-12-02 01:27	---------	d-----w	C:\Program Files\Rhapsody
2007-11-23 23:07	515,200	----a-w	C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
2007-11-23 23:07	3,768	----a-w	C:\WINDOWS\system32\drivers\WmaCVideo32.sys
2007-11-21 14:43	---------	d-----w	C:\Program Files\DivX
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-27 04:31	92,064	----a-w	C:\Documents and Settings\Ownern\mqdmmdm.sys
2006-11-27 04:31	9,232	----a-w	C:\Documents and Settings\Ownern\mqdmmdfl.sys
2006-11-27 04:31	79,328	----a-w	C:\Documents and Settings\Ownern\mqdmserd.sys
2006-11-27 04:31	66,656	----a-w	C:\Documents and Settings\Ownern\mqdmbus.sys
2006-11-27 04:31	6,208	----a-w	C:\Documents and Settings\Ownern\mqdmcmnt.sys
2006-11-27 04:31	5,936	----a-w	C:\Documents and Settings\Ownern\mqdmwhnt.sys
2006-11-27 04:31	4,048	----a-w	C:\Documents and Settings\Ownern\mqdmcr.sys
2006-11-27 04:31	25,600	----a-w	C:\Documents and Settings\Ownern\usbsermptxp.sys
2006-11-27 04:31	22,768	----a-w	C:\Documents and Settings\Ownern\usbsermpt.sys
2006-09-05 19:40	81,920	----a-w	C:\Documents and Settings\Ownern\Application Data\ezpinst.exe
2006-09-05 19:40	47,360	----a-w	C:\Documents and Settings\Ownern\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 10:59 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\AT&T Self Support Tool\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Panasonic\LUMIX Simple Viewer\LUMIX Simple Viewer.lnk
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ownern^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2006-06-29 18:06 126976 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2006-06-29 18:06 1848150 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-08-01 13:26 233534 C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2006-05-22 12:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2005-12-22 07:57 405504 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-26 16:13 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 15:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 10:09 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-08-24 06:51 442455 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2005-09-30 04:33 120464 C:\SWSETUP\INETSEC06\US\Setup\SymLT\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
--a------ 2007-11-06 09:58 2577120 C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2005-12-12 10:39 94208 C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
--------- 2005-10-11 09:23 1187840 C:\Windows\SMINST\RecGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--------- 2006-02-09 08:52 643072 C:\Windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 21:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 22:59 218240 C:\SWSETUP\INETSEC06\US\Support\SymSC\SYMWMIIS\SymSC\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-11 10:59 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2006-06-30 05:31 1106386 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FastUserSwitchingCompatibility"=3 (0x3)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2006-04-14 10:07]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 01:06]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-11-23 15:07]
S3 WmaCVideo32;WmaCVideo32;C:\WINDOWS\system32\DRIVERS\WmaCVideo32.sys [2007-11-23 15:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{099eba41-4527-11db-a34d-0014a5bed83d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 17:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 09:29:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2008-01-09 9:32:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 17:32:37
.
2007-12-12 22:11:26	--- E O F ---


----------



## dvk01 (Dec 14, 2002)

you have a nasty virus that Kaspersky should have been able to disinfect

as it couldn't, I assume that no updates to Kaspersky have been done since the virus hit in December

hopefully this online scanner can disinfect it, if not do you have your windows cd as we might need it

http://www.bitdefender.com/scan8/

BitDefender is one of the few antivirus sites that it isn't blocking according to last updates


----------



## Stubby (Jul 13, 2002)

Derek,

I ran BitDefender. It found and deleted several except Pandex. Still can't connect to microsoft. I re-ran combofix and hijack this. Here are the new logs.


----------



## dvk01 (Dec 14, 2002)

I am seeing if we can get Combofix updated to deal with this one

it is an infected/replaced ws2_32.dll and wininet.dll
that has been set to block access to various Antivirus & Microsoft sites

If he can't do it quick enough then we can do a manual fix but hopefully by later today CF will have been updated to cope with it

If this site isn't blocked, read about it here http://vil.nai.com/vil/content/v_143438.htm


----------



## Stubby (Jul 13, 2002)

Thanks Derek,

I'll be out most of the day so I'll check back when I return.


----------



## dvk01 (Dec 14, 2002)

in the meantime let's get some copies of these files so we can see what else is lurking in them

Open Notepad and copy and paste the text in the code box below into it:


```
http://forums.techguy.org/malware-removal-hijackthis-logs/669116-can-t-access-microsoft-websites.html#post5496924

Suspect::
C:\WINDOWS\system32\oldwn.tmp
C:\WINDOWS\system32\dllcache\ws2_32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\oldws.tmp
C:\WINDOWS\system32\dllcache\wininet.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\temp\me.log
```
save the notepad file to your desktop & call it CFScript.txt

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

at the end it will pop up an alert & ask you to send the zip file it will create

please follow those instructions


----------



## dvk01 (Dec 14, 2002)

let me know when you have uploaded the files so we can give you a fix that should work


----------



## Stubby (Jul 13, 2002)

Derek,

Here are the new logs after following your instructions (.zip sent to combofix)


----------



## dvk01 (Dec 14, 2002)

Haven't received the zip file

was a zip file called something like [38][email protected] created on your desktop

if so

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and give a link to your post here. Then press the browse button, navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select again. When all the files are listed in the window, press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

the zip file combofix made on desktop


----------



## Stubby (Jul 13, 2002)

It should be on its way


----------



## dvk01 (Dec 14, 2002)

download the attached zip file

unzip it to desktop & then boot to safe mode

once in safe mode 
double click the bat file it will place there

when run the first time, it will rename the tmp files back to their original names, reboot & produce a log, and everything should be OK

BUT

If you lose internet connectivity after reboot, reboot once more. If that fails to restore connectivity, run the batch once more which will undo the renaming. It shall reboot & produce another log

post the logs back here & let us know if it works and you can get to Microsoft & other antivirus sites

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## dvk01 (Dec 14, 2002)

Also there must be a file somewhere we haven't found yet where it keeps the list of blocked sites as I can't see the list inside either of the files unless it is encrypted in a form I haven't seen before

after the renaming has been done & everything seems OK

then please do this

download gmer rootkit detector from http://gmer.net

unzip it & double click the gmer.exe file

select rootkit tab & press scan

when it has finished press copy & post back the log it makes

and also

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days* Make sure Non-Microsoft only is *CHECKED*
In the *Files Modified Within* group select *60 days* Make sure Non-Microsoft only is *CHECKED*
In the *File String Search* group select *ALL*
In the *Additional Scans* section, please select *All* and then *unselect* Event Viewer. *Uncheck* Non-Microsoft only.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file 
Use the * Reply* button and *attach the notepad file here*. I will review it when it comes in.


----------



## Stubby (Jul 13, 2002)

I can now access the problematic websites! Thanks to you! Here's all the reports you asked for. Anything else you need? And also, can I delete all the apps we installed?


----------



## dvk01 (Dec 14, 2002)

Hold off deleting anything yet, as we still have a bit more to do and I need to go through the logs.

what you need to do next is go to system32 folder & right click 
C:\WINDOWS\system32\wininet.dll select copy & then open system32/dllcache folder 

find a blank spot & right click it & select paste

repeat for C:\WINDOWS\system32\ws2_32.dll

That puts backup copies there so Windows can use them if it needs to, if anything damages them again.

I will post back after looking through all the other logs


----------
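
The two DLLs dvk01 asks to back up into dllcache above (wininet.dll and ws2_32.dll) are the files the infection had patched to block Microsoft and antivirus sites, and dvk01 also notes that the list of blocked sites was never found in either file. The PowerShell script below is an added example and is not part of the thread or dvk01's batch file: it looks in the HOSTS file for any watched domain mapped away from loopback, checks the Authenticode signature of each DLL as it sits on disk, and compares its SHA-256 hash against the dllcache copy. It assumes PowerShell 4 or later (Get-FileHash), so it would not run unchanged on the XP SP2 machine in this thread; the domain list is illustrative and should be extended to whatever sites are unreachable.

```powershell
# Added example, not from the thread. Checks the two kinds of artefact this thread
# dealt with: a patched networking DLL in System32 and a site block list.
# Assumes PowerShell 4+ for Get-FileHash; run from an elevated prompt.

$SystemRoot = $env:SystemRoot
$Dlls = @('wininet.dll', 'ws2_32.dll')

# Illustrative list of domains the affected machine could not reach.
$WatchDomains = @('microsoft.com', 'windowsupdate.com', 'symantec.com', 'kaspersky.com')

function Test-HostsFile {
    param([string]$Path = "$SystemRoot\System32\drivers\etc\hosts")
    $hits = @()
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $fields = $trimmed -split '\s+'
        $ip     = $fields[0]
        $names  = $fields | Select-Object -Skip 1
        foreach ($name in $names) {
            foreach ($d in $WatchDomains) {
                # A watched domain pointed anywhere but loopback is a redirect, not a block.
                # A loopback entry for a watched domain is still worth reading, so report both.
                if ($name -like "*$d") {
                    $hits += [pscustomobject]@{ Domain = $name; IP = $ip; Loopback = ($ip -in @('127.0.0.1', '::1')) }
                }
            }
        }
    }
    return $hits
}

function Test-SystemDll {
    param([string]$Name)
    $live  = Join-Path "$SystemRoot\System32" $Name
    $cache = Join-Path "$SystemRoot\System32\dllcache" $Name   # WFP cache on XP; absent on Vista and later
    $sig   = Get-AuthenticodeSignature -FilePath $live
    $liveHash  = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    $cacheHash = if (Test-Path $cache) { (Get-FileHash -Path $cache -Algorithm SHA256).Hash } else { $null }
    [pscustomobject]@{
        File         = $Name
        SignatureOK  = ($sig.Status -eq 'Valid')
        Signer       = $sig.SignerCertificate.Subject
        MatchesCache = ($null -ne $cacheHash -and $liveHash -eq $cacheHash)
        LiveSHA256   = $liveHash
    }
}

$hostsHits = Test-HostsFile
if ($hostsHits.Count -gt 0) {
    Write-Warning 'HOSTS entries for watched domains:'
    $hostsHits | Format-Table -AutoSize
} else {
    Write-Host 'HOSTS file has no entries for the watched domains.'
}

$Dlls | ForEach-Object { Test-SystemDll -Name $_ } | Format-Table -AutoSize
```

Two caveats for reading the output. First, the hash and signature checks look at the file on disk, which is exactly why a rootkit scanner showing a hook on ws2_32.dll (as gmer did later in this thread) is not by itself proof of reinfection: antivirus products hook that DLL in memory, and the disk copy can be clean. Second, an unsigned or mismatched DLL is only meaningful if the dllcache copy was taken from a known-good state; a backup made after the file was patched, as could happen if the copy step above were done before the repair, would simply match the bad file.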



## Stubby (Jul 13, 2002)

Done


----------



## dvk01 (Dec 14, 2002)

I can't see any problems in WinPFind except a couple of left-over Symantec drivers from a previous Norton install, but they are harmless.

I am getting the gmer log double checked as I'm not sure on a few entries and will let you know as soon as I hear

in the mean time do this

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system.
*Please follow these steps to remove older version Java components and update.*

*Updating Java:* 

Download the latest version of *Java Runtime Environment (JRE) 6*. 
Scroll down to where it says "_The J2SE Runtime Environment (JRE) allows end-users to run Java applications_". 
Click the "*Download*" button to the right. 
Check the box that says: "*Accept*_ License Agreement_". 
The page will refresh. 
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop. 
Close any programs you may have running - especially your web browser. 
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java. 
Check any item with Java Runtime Environment (JRE or J2SE) in the name. 
Click the *Remove* or *Change/Remove* button. 
Repeat as many times as necessary to remove each Java version. 
Reboot your computer once all Java components are removed. 
Then from your desktop double-click on the download to install the newest version.


----------



## Stubby (Jul 13, 2002)

O.K. Java taken care of.


----------



## dvk01 (Dec 14, 2002)

The gmer log shows that the C:\WINDOWS\system32\ws2_32.dll might be reinfected again, but we aren't sure, as it could be Kaspersky hooking into it.

Let's examine a copy of it to check.

download the attached CFScript.txt to your desktop

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to enable any disabled antivirus etc. BEFORE reconnecting to the net.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

at the end it will pop up an alert & ask you to send the zip file it will create

please follow those instructions


----------



## Stubby (Jul 13, 2002)

Here's the new ones.


----------



## Stubby (Jul 13, 2002)

Derek,

I don't know if this is related or not: I have windows automatic update turned on, and it keeps installing the same file "Installing Microsoft SQL Server 2005 Express Edition Service Pack 2 (KB 921896) (update 1 of 1). In the last hour, it has installed it three times. No error messages.


----------



## dvk01 (Dec 14, 2002)

I don't think that is related to the problem

the ws2_32.dll is fine & not reinfected so it was just Kaspersky in the gmer log causing the entries

Let's clear up the rest of this one.

then you can post in XP forum about the update problem

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

*If you use Firefox browser as well as Internet Explorer or instead of it then also do this step*

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

*If you use Opera browser as well as Internet Explorer or instead of it then also do this step*

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
Press Cleanup and it will search for and delete/uninstall all the tools we have used to fix your problems and all their backup folders, and then delete itself when you next reboot.

then 
Turn off system restore by following instructions here 
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point. Now empty the Recycle Bin on the desktop.

Go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

And scan here *http://secunia.com/software_inspector/* for out-of-date and vulnerable common applications on your computer.

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------



## Stubby (Jul 13, 2002)

Thanks Derek. All taken care of. And I donated to your fund.

Pat


----------



## dvk01 (Dec 14, 2002)

Thanks Pat

any more problems come back

I'm sure someone in XP forum can help with the update problem but looking at a google search on it, it has thousands of entries about that particular update being problematical and often not needed


----------



## ~Candy~ (Jan 27, 2001)

:up: Just getting a little caught up guys. Glad to see this one had a good outcome. I've marked it solved.


----------

