sirefef can't connect to internet



#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Odd. It hung during the startup so I was sure we would get an error.

Start, Run, cmd, OK to bring up a command window. Type with an Enter after each line:

net  start  >  \junk.txt

notepad  \junk.txt


copy and paste the text from notepad to your next reply. That will show me what services are running.
  • 0



#17
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
These Windows services are started:

Akamai NetSession Interface
Application Layer Gateway Service
Automatic Updates
avast! Antivirus
COM+ Event System
CryptSvc
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
HTTP SSL
Infrared Monitor
IPSEC Services
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Registry
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation
wscsvc

The command completed successfully.
  • 0

#18
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Start, Run, cmd, OK to bring up a command window. Type with an Enter after each line:

net start bits

Does it start or say it is already running or give an error?


Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot.

2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application
  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
It's after midnight here so I've got to go to bed. Have you seen any sign of it getting updates from Microsoft?
  • 0

#20
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
"net" command brings up words like ACCOUNT, COMPUTER, CONFIG, etc.

"start" command opens another window

"bits" command gets "'bits' is not recognized as an internal or external command, operable program, or batch file"

(VEW log to follow)
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
"net start bits" is one line so just type all three words then hit Enter.
  • 0

#22
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
VEW Application log:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 05/12/2011 12:28:30 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/12/2011 12:17:13 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 05/12/2011 12:17:13 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 05/12/2011 12:17:13 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 05/12/2011 12:17:13 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Ati HotKey Poller service failed to start due to the following error: The system cannot find the file specified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/12/2011 12:25:50 AM
Type: warning Category: 0
Event: 27 Source: E1000
Intel® PRO/1000 MT Mobile Connection Link has been disconnected.

Log: 'System' Date/Time: 05/12/2011 12:24:42 AM
Type: warning Category: 0
Event: 1007 Source: Dhcp
Your computer has automatically configured the IP address for the Network Card with network address 00112543FA7A. The IP address being used is 169.254.40.165.

Log: 'System' Date/Time: 05/12/2011 12:14:01 AM
Type: warning Category: 0
Event: 1007 Source: Dhcp
Your computer has automatically configured the IP address for the Network Card with network address 00054E4D2E8E. The IP address being used is 169.254.37.184.

Log: 'System' Date/Time: 05/12/2011 12:12:31 AM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00054E4D2E8E. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 05/12/2011 12:10:21 AM
Type: warning Category: 0
Event: 1073 Source: USER32
The attempt to reboot DESERT7210 failed


How exactly do I check for Microsoft updates?
  • 0
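
Added example, not part of the original thread or of VEW: a Python script that parses a report in the format posted above and pulls out the two findings it contains, Event 7000 service entries whose executable is missing and Dhcp Event 1007 fallbacks to a 169.254.0.0/16 (APIPA) address. The sample text is abbreviated from the post, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Abbreviated sample in the VEW report format posted above (constructed for this example).
SAMPLE = """\
Log: 'System' Date/Time: 05/12/2011 12:17:13 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 05/12/2011 12:17:13 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Ati HotKey Poller service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 05/12/2011 12:24:42 AM
Type: warning Category: 0
Event: 1007 Source: Dhcp
Your computer has automatically configured the IP address for the Network Card with network address 00112543FA7A. The IP address being used is 169.254.40.165.

Log: 'System' Date/Time: 05/12/2011 12:25:50 AM
Type: warning Category: 0
Event: 27 Source: E1000
Intel(R) PRO/1000 MT Mobile Connection Link has been disconnected.
"""

HEADER = re.compile(r"^Event:\s*(\d+)\s+Source:\s*(.+)$")
SVC_FAIL = re.compile(r"^The (.+) service failed to start due to the following error: (.+)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
APIPA = ipaddress.ip_network("169.254.0.0/16")  # link-local range used when DHCP fails

def parse_vew(text):
    """Return a list of (event_id, source, message) tuples, one per VEW record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        for i, line in enumerate(lines):
            m = HEADER.match(line)
            if m:  # the message is everything after the "Event: ... Source: ..." line
                records.append((int(m.group(1)), m.group(2).strip(), " ".join(lines[i + 1:])))
                break
    return records

def triage(records):
    """Return (services whose binary is missing, APIPA addresses the host fell back to)."""
    missing, apipa = [], []
    for event, source, message in records:
        m = SVC_FAIL.match(message)
        if event == 7000 and m and "cannot find the file" in m.group(2):
            missing.append(m.group(1))
        if source == "Dhcp" and event == 1007:
            apipa += [ip for ip in IPV4.findall(message)
                      if ipaddress.ip_address(ip) in APIPA]
    return missing, apipa
```
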

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:files
net start bits
sc config JavaQuickStarterService start= disabled /c
sc config Bonjour Service start= disabled /c
sc config Ati HotKey Poller start= disabled /c
sc config Apple Mobile Device start= disabled /c
sc config "Bonjour Service" start= disabled /c
sc config "Ati HotKey Poller" start= disabled /c
sc config "Apple Mobile Device" start= disabled /c


:Commands
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open IE, look under Tools or under Security and you should see Windows Updates. Click on it and see if you get to the Windows Update site. If you do then see if you can download and install all critical updates. If there are no critical updates try one of the smaller optional updates.
  • 0

#24
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
OTL log:

========== PROCESSES ==========
All processes killed
========== FILES ==========
File\Folder net start bits not found.
< sc config JavaQuickStarterService start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
< sc config Bonjour Service start= disabled /c >
Modifies a service entry in the registry and Service Database.
SYNTAX:
sc <server> config [service name] <option1> <option2>...
CONFIG OPTIONS:
NOTE: The option name includes the equal sign.
type= <own|share|interact|kernel|filesys|rec|adapt>
start= <boot|system|auto|demand|disabled>
error= <normal|severe|critical|ignore>
binPath= <BinaryPathName>
group= <LoadOrderGroup>
tag= <yes|no>
depend= <Dependencies(separated by / (forward slash))>
obj= <AccountName|ObjectName>
DisplayName= <display name>
password= <password>
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
< sc config Ati HotKey Poller start= disabled /c >
Modifies a service entry in the registry and Service Database.
SYNTAX:
sc <server> config [service name] <option1> <option2>...
CONFIG OPTIONS:
NOTE: The option name includes the equal sign.
type= <own|share|interact|kernel|filesys|rec|adapt>
start= <boot|system|auto|demand|disabled>
error= <normal|severe|critical|ignore>
binPath= <BinaryPathName>
group= <LoadOrderGroup>
tag= <yes|no>
depend= <Dependencies(separated by / (forward slash))>
obj= <AccountName|ObjectName>
DisplayName= <display name>
password= <password>
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
< sc config Apple Mobile Device start= disabled /c >
Modifies a service entry in the registry and Service Database.
SYNTAX:
sc <server> config [service name] <option1> <option2>...
CONFIG OPTIONS:
NOTE: The option name includes the equal sign.
type= <own|share|interact|kernel|filesys|rec|adapt>
start= <boot|system|auto|demand|disabled>
error= <normal|severe|critical|ignore>
binPath= <BinaryPathName>
group= <LoadOrderGroup>
tag= <yes|no>
depend= <Dependencies(separated by / (forward slash))>
obj= <AccountName|ObjectName>
DisplayName= <display name>
password= <password>
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
< sc config "Bonjour Service" start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
< sc config "Ati HotKey Poller" start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
< sc config "Apple Mobile Device" start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.bat deleted successfully.
C:\Documents and Settings\Primo\Desktop\malware stuff\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 12062011_000819

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

No critical updates available, I was able to install one of the smaller ones
  • 0
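
Added example, not part of the original thread or of OTL: a Python script that reads a fix log in the shape shown above, records for each echoed `sc config` command whether `sc` reported success or printed its usage text, and checks that against whether the service name contained an unquoted space. The excerpt is constructed from the log above with the usage text shortened, and the function names are assumptions of this example.

```python
import re

# Constructed excerpt in the shape of the OTL fix log above (usage text shortened).
SAMPLE_LOG = """\
< sc config JavaQuickStarterService start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
< sc config Bonjour Service start= disabled /c >
Modifies a service entry in the registry and Service Database.
SYNTAX:
sc <server> config [service name] <option1> <option2>...
< sc config "Bonjour Service" start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
"""

CMD = re.compile(r"^< (.+?) /c >$")  # command line as echoed in the log

def results(log):
    """Map each echoed command to 'ok', 'usage' (sc rejected the arguments) or 'unknown'."""
    out, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = CMD.match(line)
        if m:
            current = m.group(1)
            out[current] = "unknown"
        elif current and line.startswith("[SC] ChangeServiceConfig SUCCESS"):
            out[current] = "ok"
        elif current and line == "SYNTAX:":
            out[current] = "usage"
    return out

def needs_quotes(command):
    """True when the service name (text before the first 'option= ') has an unquoted space."""
    m = re.match(r"sc config (.+?) \w+= ", command)
    name = m.group(1) if m else ""
    return " " in name and not (name.startswith('"') and name.endswith('"'))
```

On the excerpt, every command that returned the usage text is one where `needs_quotes` is true: without quotes, `sc` takes only the first word as the service name.
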

#25
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
That's about all I see so I think we can clean up now.

We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 29 or 7 update 1). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox: for some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles.

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK. Close program. It's the same for Foxit Reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0



#26
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Thanks again!!!
  • 0





