Web and Mail Shield won't start

I have a friend with a PC running Windows XP Service Pack 3 that started going to some weird sites in IE. It had MSE running, which then stated that it was switched off and wouldn't start again. So I uninstalled it and put avast Free on. I also put on SUPERAntiSpyware and Malwarebytes Anti-Malware. All 3 scanned and found various things (spyware first, avast second, malware third). Avast then scanned again and did a boot-time scan which found and quarantined about 30 things, which I then cleared out. Now Chrome started to behave strangely and IE wouldn't load any pages. So I did another set of scans which finished with a boot-time avast scan - now avast says Web Shield and Mail Shield are switched off; 'fix now' and 'turn on' have no effect.
I have tried Kaspersky TDSSKiller, Avast Anti-Rootkit and GMER (locked files are sptd.sys and safeboot.sys).
No joy. Tried re-installing MSE - won't connect to the net for updates - so won't work - won't scan as the service isn't installed. (Now uninstalled again.)

I suspect this PC has quite a devious rootkit/trojan/malware combo. Can anyone help?

When you suspect something like a rootkit, you have to exercise extreme caution, as incorrect removal of malware found can have serious consequences. The more anti-virus applications you install, the more likely you are to have conflict issues; even after removal there may be remnants.

The problem with the mail and web shields could be one of those, or it could be your firewall blocking avastSvc.exe. What is the firewall on this XP system?

Uninstall possible remnants of previously installed AVs; see http://singularlabs.com/uninstallers/security-software/, which has a collection of manufacturers' removal tools, so that should remove any remnants, registry entries, etc.

This probably needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Windows Firewall won't start. There isn't a firewall on the router. Avast did work previously on this computer on this network.
Here are the logs from the last few days from MBAM, aswMBR and OTL. I will also post again in a minute with the anti-spyware logs.

A new symptom - outlook won’t start.

So I have now disabled the network.

Here are the SUPERAntiSpyware logs.

A malware removal specialist has been informed of your topic.

Please just stick to the scans requested in the “information on Logs to assist in cleaning malware” topic or those requested by the malware removal specialist.

I thought they would be of interest as they do list 1067 files found - mostly cookies but some trojans which were removed.

Cookies are not a security issue; you should block third-party cookies in your browser and periodically clear your cookies. Browser settings can be set to clear history/cookies/cache on closing the browser. That however means some sites that require cookies to remember your settings etc. won't remember them.

Any help, chaps?

Now Outlook won’t start. Turned the network adaptor back on - but it won’t connect to the internet anymore. When I hit ‘repair’ in the adaptor it says can’t access TCP/IP stack.

Run MBAM in safe mode - found nothing… :-\

You'll need to wait for one of the specialists. :)

The malware removal specialists are volunteers and have other commitments too (work), so in that limited time they can be very busy at times.

As irksome as it is, there will be delays due to differing time zones and availability of the volunteer malware removal specialists.

Hi there, we have a nice assortment here of various rootkits and trojans.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV - File not found [On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0HTBB6X5\B-Service.exe -- (B-Service)
SRV - File not found [Auto | Stopped] -- C:\windows\TEMP\ayvirrdbup.exe service -- (0040331241683126mcinstcleanupAlerter)
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\004033~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -- (0040331241683126mcinstcleanup)
SRV - [2012/06/06 09:16:00 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
DRV - File not found [Kernel | Auto | Stopped] -- C:\windows\system32\drivers\yfxsjiq.sys -- (tdpqhhzhczmx)
DRV - File not found [Kernel | System | Stopped] -- system32\rbadma.sys -- (rbadma)
DRV - File not found [Kernel | System | Stopped] -- C:\windows\system32\drivers\ilnqjbvl.sys -- (ilnqjbvl)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012/07/06 11:33:26 | 000,000,000 | ---D | M]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.2\bh\facemoods.dll File not found
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.2\facemoodsTlbr.dll File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3155757178-1639063472-2327323849-500\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.17.2\facemoodssrv.exe" /md I File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\tbhcn.lnk = C:\Documents and Settings\Administrator\Application Data\BrowserCompanion\tbhcn.exe ()

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Files
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
C:\Program Files\facemoods.com
C:\Program Files\Web Assistant
C:\Documents and Settings\Administrator\Application Data\BrowserCompanion
C:\windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Documents and Settings\LocalService\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programs being marked for deletion, reboot again; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

NEXT

Right click the link below and select Save As… to your desktop
https://dl.dropbox.com/u/73555776/BITSxp.reg
Double click the reg file and allow to merge
Reboot

FINALLY

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

https://dl.dropbox.com/u/73555776/AdwCleaner.GIF

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that
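As an added example (not part of this thread, of OTL, or of the fix above), the following Python script applies the same criteria the specialist used to pick entries out of the OTL log: SRV/DRV registrations whose image is "File not found", BHO/toolbar entries whose CLSID no longer resolves, entries with an empty vendor string, and driver names that look machine-generated. The sample lines are copied from the fix above; the mountmgr line is a constructed benign control entry with invented timestamp and size, and the vowel-ratio heuristic is my own rule of thumb, not anything OTL does.

```python
"""Triage OTL log entries: flag service/driver registrations whose image
file is gone, BHO/toolbar registrations whose CLSID no longer resolves,
entries with no vendor string, and driver names that look generated."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in OTL's line format. The SRV/DRV/O2/O3 lines are
# taken from the fix script in this thread; the mountmgr line is a made-up
# benign control entry (its timestamp and size are invented).
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- C:\windows\TEMP\ayvirrdbup.exe service -- (0040331241683126mcinstcleanupAlerter)
SRV - [2012/06/06 09:16:00 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
DRV - File not found [Kernel | Auto | Stopped] -- C:\windows\system32\drivers\yfxsjiq.sys -- (tdpqhhzhczmx)
DRV - File not found [Kernel | System | Stopped] -- system32\rbadma.sys -- (rbadma)
DRV - File not found [Kernel | System | Stopped] -- C:\windows\system32\drivers\ilnqjbvl.sys -- (ilnqjbvl)
DRV - [2008/04/14 00:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\windows\system32\drivers\mountmgr.sys -- (mountmgr)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
"""

# SRV/DRV lines: "<kind> - <attrs> -- <image path> -- (<service name>)"
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - (?P<attrs>.*?) -- (?P<path>.*) -- \((?P<name>[^()]*)\)$"
)
# Inside <attrs>, OTL prints the vendor string from the file's version info
# in parentheses between the file attributes and the start-type block.
VENDOR_RE = re.compile(r"\] \((?P<vendor>[^()]*)\) \[")
# O2/O3 lines: "<kind> - <location>: (<display name>) - <clsid> - <target>"
COM_RE = re.compile(
    r"^(?P<kind>O2|O3) - (?P<where>[^:]+): \((?P<name>[^)]*)\) - (?P<rest>.*)$"
)

MISSING = "registered image is missing on disk"
NO_CLSID = "CLSID does not resolve"
NO_VENDOR = "no vendor string in version info"
GENERATED = "machine-generated-looking name"


@dataclass
class Finding:
    kind: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def looks_generated(name: str) -> bool:
    """Crude heuristic (my own, hypothetical rule) for names like
    'tdpqhhzhczmx': at least 8 chars, lowercase letters only, fewer than
    one vowel in five. It ranks candidates for a human to review; some
    legitimate driver names will also trip it."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.2


def triage(otl_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry, in log order."""
    findings: List[Finding] = []
    for raw in otl_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            kind, attrs, path, name = m.group("kind", "attrs", "path", "name")
            reasons = []
            if attrs.startswith("File not found"):
                reasons.append(MISSING)
            else:
                v = VENDOR_RE.search(attrs)
                if v is not None and not v.group("vendor").strip():
                    reasons.append(NO_VENDOR)
            if looks_generated(name):
                reasons.append(GENERATED)
            if reasons:
                findings.append(Finding(kind, name, path, reasons))
            continue
        m = COM_RE.match(line)
        if m:
            kind, name, rest = m.group("kind", "name", "rest")
            reasons = []
            if rest.endswith("No CLSID value found."):
                reasons.append(NO_CLSID)
            elif "File not found" in rest:
                reasons.append(MISSING)
            elif rest.endswith("()"):  # empty vendor string after the DLL path
                reasons.append(NO_VENDOR)
            if reasons:
                findings.append(Finding(kind, name, rest, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.kind} {f.name!r}: {'; '.join(f.reasons)}  <- {f.target}")
```

Run against the sample, every entry the fix removes is flagged and the benign control entry is not; an orphaned "File not found" service or driver is the one finding that is safe to act on mechanically, while the vendor-string and name heuristics only point a reviewer at entries worth checking against the real file on disk.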

OTL stops at ‘Killing Processes - Don’t interrupt’ and just sits there. I left it over night.

Should I uninstall MBAM first?

I only ask that as if I go through task manager and start killing processes, when I kill MBAM - the mouse still works but you can’t click on anything or get any response from the keyboard. Maybe this is what is happening when OTL stops MBAM???!?

OK. It looks like it was MBAM as once I uninstalled it and rebooted - OTL ran fine.

I have attached the log files.

Computer seems a lot faster now and the browsers pop up without incident.

However a) Outlook still won’t start - I get a window that says “Cannot start Office Outlook. Cannot open the Outlook Window. The set of folders cannot be opened. The information store could not be opened.”

b) I’ve reinstalled Avast - Network, Mail and Web Shield will not start.

Combo fix log broken into two parts…

second part

Could you re-run combofix please as the last portion was corrupted

For the Outlook problem

Go Start-Run and type in :
Outlook.exe /resetnavpane (Notice the space between exe and /)

What error do you get for Network Shield and Mail Shield?

ComboFix comes up with a window that says "No Windows Recovery Console found. Without this it will not be possible to fix more serious errors. Would you like ComboFix to download and install this? This will require internet access."

Unfortunately that machine still doesn't have internet access. ipconfig won't even work.

Using the /resetnavpane switch starts Outlook but results in a pop-up window saying exactly the same thing.

Can I get windows recovery console from this computer and put it on a memory stick?

Oh, and the error when I hit the 'fix this' button in avast is a pop-up that says "The following components can not be started. Network Shield".

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Note: It is important that it is saved directly to your desktop


With malware infections being as they are today, it’s strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft’s website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that’s appropriate for your Operating System. Download the file & save it as it’s originally named.

Note: If you have SP3, use the SP2 package.


Transfer all files you just downloaded, to the desktop of the infected computer.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

[*]Drag the setup package onto ComboFix.exe and drop it.

[*]Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

http://img.photobucket.com/albums/v706/ried7/whatnext.png

[*]At the next prompt, click ‘Yes’ to run the full ComboFix scan.

[*]When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.