Posting of Log Files

Discussion in 'Malware Help (A Specialist Will Reply)' started by Denise_M, Aug 22, 2006.

  1. Denise_M

    Denise_M MajorGeek

    Hi,

This post is a carry-over from a post at http://forum.majorgeeks.com/showthread.php?p=835704&posted=1#post835704. I originally posted under software because I thought that I needed to change settings in either Windows or Sygate firewall. My original questions were about being deluged with requests from Sygate to allow dll permissions, some files that Sygate was asking me to permit that I researched and found that they may be malware, and ASP.NET and Background Intelligent Transfer Service wouldn't start. I received a message when I tried to start ASP.Net that said, "aspnet_state could not be read." I decided to run Trend Micro Housecall and received this message: "MS06-033 -Vulnerability in asp.net could not allow information disclosure." It turned out that the problems with my pc might be due to malware though.

    All of the required programs that I was able to run showed no malware. I couldn't run BitDefender in either Safe Mode with Networking or in normal mode. A box popped up that had a yellow triangle in it with the words "yes" "no" in it (no other words). When I pressed either yes or no, the box closed and nothing happened.

    SpyBot found that I don't use Microsoft Firewall and Automatic Updates aren't enabled.

    I've attached newfiles.txt, runkeys.txt and hijackthis 082206.log to this post. I'll also be attaching a document that I created. I ran SpyNoMore and it found a number of problems with my pc but it wouldn't fix them unless I buy the program. I put the information that it gave me into a .doc file and it's attached to the next message. I don't know if these are legitimate problems since none of the other programs found the problems but I'd appreciate it if someone would tell me how to fix the problems if they are problems.

    My pc still runs extremely slow. There are times that I have to wait about a minute to open a file and I have to double click it a second time for it to open. The same happens with things like Turn Off Computer, opening a website, opening Control Panel, etc. This doesn't happen each time, but often. It always takes between 30 to 45 seconds for files and websites to open. When I check a box, it takes about 3 to 4 seconds before it's checked. There are times when I have 2 instances of iexplore.exe, java, or AVG running. I always have at least 5 or 6 instances of svchost.exe running. Also, when I scroll, it's choppy.

    I use Dial-a-Fix to run Idle Tasks every few days, but in Windows Task Manager, my System Idle Process runs at about 40% and about 3 or 4 times a minute, it will spike to between 80% to 100% for periods that last about 10 seconds (I have 768M of RAM).

    A couple of times, when I rebooted, a message popped up for about 10 seconds. Part of it says "Instruction at 0x6a2a2fec" but I couldn't catch the rest of it because the box closed too fast.

    ASP.NET finally started and is on Automatic (I don't know why it started . . . it didn't start when I tried to start it). Background Intelligent Transfer Service won't start. I receive a message that says, "The system cannot find the specified file."

    I also have Messenger and I can't uninstall it.

    eSellerateEngine.dll is still in C:\Windows, so it may not be the virus file. http://www.2-spyware.com/file-esellerateengine-dll.html (courtesy of TimW)

Since receiving the message that I need to start ASP.NET, I just completed a Trend Micro House Call. It found that ASP.NET is a vulnerability and recommended that I clean it, and I did. It also gave me a link to the Microsoft site entitled, "Microsoft Security Bulletin MS06-033 Vulnerability in ASP.NET Could Allow Information Disclosure (917283)."
    ASP.NET http://www.microsoft.com/technet/security/Bulletin/MS06-033.mspx

    I found a neat little feature on SpyBot though. There's a setting for Start-Up items and you can pick and choose which items you don't want to start. Before I found this handy tool, I tried to uninstall QuickTime and Yahoo Messenger but they wouldn't uninstall, so I deleted all of the files that a search brought up (using hidden and system files). When I rebooted, QuickTime and Yahoo Messenger were still in my system tray. So I was happy that SpyBot has this feature.

    This is about all the information that I can give you, as meager as it is. I'd appreciate it if someone could check the attached files and/or recommend additional tests that I can run to see if there's more malware in my pc.
     

    Attached Files:

  2. Denise_M

    Denise_M MajorGeek

    This is the document that I created that contains the results of the SpyNoMore scan. Please review the information and let me know what you think. Are they really malware and, if they are, how can I remove them.

    Thanks again . . . Denise
     
  3. Denise_M

    Denise_M MajorGeek

    Ooops . . . forgot to attach the file in the last post *blushing*, so I'm attaching it to this post.

    Denise
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the log from PandaActiveScan.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SpyNoMore is junk! If you have it installed, uninstall it!

    Is your copy of Spyware Doctor a paid or free version?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not really have any malware problems that could be causing you problems. We can however cleanup some garbage.

    Use this Disable/Remove Windows Messenger to Remove Windows Messenger.

    Use this Your Uninstaller! 2006 to uninstall anything you wanted to uninstall but could not uninstall with Add/Remove programs.

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 212.227.104.169 www.winmx.com
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Windows\eSellerateEngine.dll

Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Problems with ASP.NET and BITS not running are not malware and should really be discussed in the Software Forum. You could however try the below procedure we use to sometimes fix Windows Update problems and also issues with BITS not running.

    Copy the contents of the below Quote Box into Notepad. Then click File and then Save As. Change the Save as Type to All Files. In the File Name field enter C:\WinUpFix.cmd and then click save. This will create the WinUpFix.cmd file in the root folder of drive C.
    Now while you can directly run the WinUpFix.cmd file by double clicking on it, that will not allow you to see any errors if any do occur. So a better method is to run it from a command prompt window. Click Start, Run, and enter cmd and click OK. This opens the command prompt window. In the command prompt window type the following lines each followed by the enter key:
    cd c:\
    WinUpFix.cmd

    See if this helps.
     
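The "O1 - Hosts:" line in the fix list above is a hosts-file entry that sends www.winmx.com to 212.227.104.169 instead of letting DNS resolve it, which is the classic shape of a hosts hijack. As an added example, not part of chaslang's instructions or any HijackThis output, the PowerShell function below scans hosts-file lines and reports every name that is mapped to an address other than the local machine. The sample lines are constructed for the demo (the winmx line is the one from the log; the others are made up), and the live-file path at the end assumes the standard Windows location.

```powershell
# Added example: flag hosts-file entries that point a hostname somewhere other
# than the local machine. Loopback/blackhole addresses are the normal content of
# a hosts file (ad blockers use them); anything else deserves a look.
function Get-SuspiciousHostsEntries {
    param([string[]]$Lines)
    $localAddresses = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($line in $Lines) {
        # Drop comments (everything after '#') and skip blank lines.
        $text = ($line -split '#')[0].Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Length -lt 2) { continue }   # malformed line, no hostname
        $ip = $parts[0]
        if ($localAddresses -contains $ip) { continue }
        # One address can carry several hostnames on a single line.
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            [pscustomobject]@{ Address = $ip; HostName = $name; Line = $line }
        }
    }
}

# Constructed sample; only the winmx line comes from the HJT log in this thread.
$sample = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '212.227.104.169 www.winmx.com',
    '127.0.0.1       example.com   # added by a hosts-based blocker, harmless'
)
Get-SuspiciousHostsEntries -Lines $sample | Format-Table -AutoSize
# Expected: a single row for 212.227.104.169 -> www.winmx.com

# To audit the real file (path assumed to be the default Windows location):
# Get-SuspiciousHostsEntries -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

A clean hosts file on a home PC normally contains only the localhost line, so any row this returns is worth comparing against what you actually configured before deciding to remove it with HijackThis.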
  7. Denise_M

    Denise_M MajorGeek

    Thanks, chaslang, for your review and recommendations.

    I uninstalled SpyNoMore and Spyware Doctor right after I ran their scans because they were versions that had to be paid for.

    I looked thoroughly at the results of the Panda scan page and didn't see any button, link or otherwise to request a copy of the results, and I clicked on a few things just to see if something would pop up, but nothing did. I know that there's more information in the results of the scan than the fact that it found 0 of everything, but the option to create a log or report wasn't on the page. I'll run it again in Safe Mode with Networking though.

    I reset webpages every few weeks and I did it when I booted up a few minutes ago.

    As to the remainder of your recommendations, I'll be starting on them very shortly.

    Thanks again . . . Denise
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Denise,

    The below link is given in step 6 of the READ & RUN ME:

    Using PandaActiveScan

    If you look at this link you will see in step 7 it says:
    If you don't select this and select My Computer instead, you will not get an option to save the log.
     
  9. Denise_M

    Denise_M MajorGeek

    Hi chaslang . . .

    I got down your list as far as

C:\Windows\eSellerateEngine.dll doesn't appear in Windows Explorer. I unchecked Do not show hidden folders and Hide protected operating system files. When I browse for the file, it's in the folder C:\Windows and when I search for it, the search results show that it's in C:\Windows.

    Before I proceed with the remaining steps, I thought I should ask you if I should delete it with a browse.

    And I'll make sure that I click on Local Disks when I run the scan again.

    Denise
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You are the one who said the file existed in your first message. That was the reason I included it. If it does not exist, that's fine. Just continue.
     
  11. Denise_M

    Denise_M MajorGeek

    The file does exist. It is located in C:\Windows. I can click on my C drive, click on Windows and the file eSellerateEngine.dll is located there.

    When I do a search for the file, it shows up in the results of the search. The location is reported to be in C:\Windows.

    When I open Windows Explorer, I cannot locate the file.

    My question is: Does the file have to be deleted only through Windows Explorer or can I open C:\Windows and delete the file?

    Denise
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and that is exactly what I said to delete. If you are not seeing it then you did not follow the directions in step 2 of the READ & RUN ME.


Just right click on it from your search window and select delete.
     
  13. Denise_M

    Denise_M MajorGeek

    Yes, Sahib!

    Only folders show up in my Windows Explorer. All of the miscellaneous files that are in my C:\Windows folder don't show up when using Windows Explorer, except for files that are named $NtUninstallKB904706$. I have Windows XP. So I double-checked because it might have been just as bad to remove the file while not in Safe Mode for all I knew . . . that's why I'm here. I read the READ Me and I followed your directions. . . I'm good at that.

    Now . . . do you have high blood pressure?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's double check! Do the below step by step.

    - Right Click Start.
    - Select Explore
    - Select the Tools menu and click Folder Options.
    - Select the View Tab.
    - Under the Hidden files and folders heading select Show hidden files and folders.
    - Uncheck the Hide extensions for known file types option.
    - Uncheck the Hide protected operating system files (recommended) option.
    - Click Apply.
- Click OK.
     
  15. Denise_M

    Denise_M MajorGeek

    They're unchecked . . . have been since I started the procedure last night.

    I'm attaching the new HJT log.

    My pc is running faster, as it used to, but it ran faster the last time I followed procedures, but then the speed degraded to a crawl within 10 days. Maybe all the bad files/errors weren't completely corrected the first time.

    I had originally posted my pc problems in the Software forum because I thought that Sygate/Windows needed setting changes. I was referred to Malware Removal, so here I am . . . and thanks for your help :D

    I'll be doing the fix for problems with ASP.NET and BITS not running now. I'll go into dos and I'll let you know if there's an error.

    Denise
     

    Attached Files:

  16. Denise_M

    Denise_M MajorGeek

    I followed the procedure you gave me, all except for changing my home page. When I ran winupfix.cmd, the following was received:

    When I typed NET HELPMSG 3521, it said
    I'm going to run another Panda scan and I'll post the results in the morning.

    Thanks again for your help.

    Denise
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I will give you one more thing to try for this! If it does not help, you will have to pursue this remaining issue in the Software Forum because it is not a malware issue.

    Click Start, Run and enter services.msc
    Click "OK"

    Please check that the following Services are started:
    • Automatic Updates
    • Background Intelligent Transfer Service (BITS)
    • Cryptographic Services
    • Remote Procedure Call (RPC)
    • System Restore Service
To verify that BITS is correctly configured:
    1. Double-click `Background Intelligent Transfer Service.`
    2. In the Startup type box, click Manual, and then Apply.
    3. Click the `Log On` tab, and then verify that the service is enabled in every hardware profile that you have listed. If the service is disabled in one or more hardware profiles, click the hardware profile, Enable, and then Apply.
    4. Click the General tab and then Start.
    If BITS starts successfully, go back to step 2 above and change the Startup Type to Automatic.
     
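The services.msc walk-through above can be checked from a console as well. The following PowerShell script is an added example, not something chaslang posted, that lists the state of the five services named in the post and then checks the one detail the GUI does not show: BITS runs inside svchost.exe (the "-k netsvcs" path Denise later reports), and the code it loads is the DLL named by the ServiceDll value under the service's Parameters key. "Error 2: The system cannot find the file specified" on an svchost-hosted service commonly means that value points to a file that is not there. The service short names are the Windows XP ones and the registry path is the standard one; both are assumptions about the machine being examined.

```powershell
# Added example: verify the services from the post and the BITS ServiceDll.
# Short names are assumed to be the Windows XP ones.
$services = @{
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service (BITS)'
    'CryptSvc'  = 'Cryptographic Services'
    'RpcSs'     = 'Remote Procedure Call (RPC)'
    'srservice' = 'System Restore Service'
}

foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        "{0,-48} NOT INSTALLED" -f $services[$name]
    } else {
        # Status is Running, Stopped, etc.; StartType needs PowerShell 5+, so
        # only the state is printed here.
        "{0,-48} {1}" -f $services[$name], $svc.Status
    }
}

# BITS has no executable of its own: svchost.exe loads the DLL named here.
# Assumption: standard registry layout for svchost-hosted services.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS\Parameters'
$params = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue

if ($null -eq $params -or -not $params.ServiceDll) {
    "BITS: no ServiceDll value under $paramsKey; the service host has nothing to load."
} else {
    # The value is REG_EXPAND_SZ (usually %SystemRoot%\system32\...), so expand it.
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    if (Test-Path -Path $dll) {
        "BITS: ServiceDll = $dll (file present)"
    } else {
        "BITS: ServiceDll = $dll (FILE MISSING; this matches 'Error 2')"
    }
}
```

If the script reports the DLL as missing, the fix is a file-system or Windows-servicing problem (restoring the file, as sfc /scannow attempts) rather than anything a malware scanner will find, which is the distinction chaslang draws when he points this part of the thread at the Software Forum.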
  18. Denise_M

    Denise_M MajorGeek

    All of the services are started except BITS. It's set on Manual but wouldn't start. I received an error message that stated:

    "Could not start the Background Intelligent Transfer Service on Local Computer. Error 2: The system cannot find the file specified."

    The Log On tab contains Profile 1 - Enabled. The path to the executable is
    C:\WINDOWS\system32\svchost.exe -k netsvcs.

    Denise
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One last thing to try, and then you must work this in the Software Forum if it does not help.

    Click Start, Run, and enter sfc /scannow and click OK. This may ask for your Windows XP CD if any files are missing or corrupted.

    Then you could retry starting BITS and see what happens.
     
  20. Denise_M

    Denise_M MajorGeek

    I've already tried it. My Windows XP disc came with SP1 only. When it asks me for SP2, it won't accept the SP2 file that I downloaded from Microsoft that's in my hdd. I also burned SP2 to a data disc but it still won't accept it.

    Thanks much for all your help.

    Denise
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! What file is it looking for?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  23. Denise_M

    Denise_M MajorGeek

    chaslang, I don't know what file it's looking for. It asks me to put my SP2 disk into the drive. When I direct it to the SP2 file in my pc, it tells me that it's not the original and asks me to put the original disk into the drive. When I put the one that I burned into the drive, it tells me that it's not the original and asks me to put the original disk in the drive. I've had my Windows XP with SP1 on it for a long time. Microsoft downloaded SP2 to me and it was installed. So I don't know why my pc thinks I had an original SP2 disk.

    Denise
     
  24. Denise_M

    Denise_M MajorGeek

    This did the trick. BITS has started and it's on automatic.

    Thanks chaslang and Halo :)

    Denise
     
  25. Denise_M

    Denise_M MajorGeek

Will this work for Windows XP Home edition? My daughter's pc is a mess . . . she doesn't try to fix it, but I thought that I'd try to clean hers up a bit. I've run CCleaner, RegSeeker, PC onPoint, flushed DNS, deleted cookies/online and offline files/cleared history, repaired permissions, registered dll's, etc, but it crashes constantly.

    When I have the time, I'll run the whole gamut of tests at http://forums.majorgeeks.com/showthread.php?t=35407 , but I thought that I'd give this a try if it's compatible with XP Home.
    Denise
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

That patch only applied to fixing problems for the PC we were working on in message # 6. It is not something that needs to be done or even applies to any other PC. PC crashing is not always a malware problem. It could be but it does not have to be. You could find malware and remove all of it and the PC could still be crashing. The best way to understand what is going on is for you to run the READ ME and start a new thread for this new PC. Make sure you state the fact that it is a new PC and not the same as in this thread so that everyone understands this and does not merge you back to this thread.
     
  27. Denise_M

    Denise_M MajorGeek

    Ok, thanks.

    Denise

    P.S. I found out the reason for my inability to run BitDefender. The free program is good for only 30 days. I uninstalled the BitDefender program that was in my pc, downloaded a new version, and I received the same message (that my 30-day limit has expired).
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But we do not ask you to download Bitdefender antivirus trial. We ask you to use the online scanner which is totally free.
     
  29. Denise_M

    Denise_M MajorGeek

    I tried both ways. When I was in Safe Mode with Networking, as discussed in a previous post, and in regular mode, BD will not run a scan for me. I get a box with a yellow triangle in it with the words "yes" and "no". Maybe I phrased it improperly, but when I downloaded the program, I couldn't get it to scan for me either. If anyone lives near Connecticut, they are welcome to come to my home and try it. . . you're all welcome . . . food's on the house, BYOB.

    Denise
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you just said you used the 30 day free trial. That is not the online scanner. That is the full antivirus program.

    But based on your previous HJT log, I see the below which are all from the online scanner:
They don't mean that it successfully ran. They just mean it downloaded its ActiveX components. You could easily uninstall this. Open IE and click Tools and select Uninstall Bitdefender Online Scan V8. Then you could reboot and try it again if you like. But at this point I'm not sure why you need to unless you are having malware problems.
     
  31. Denise_M

    Denise_M MajorGeek

    I did use the 30-day free trial and I tried to run the on-line scanner. Both of them wouldn't run for me.

    I didn't have the 30-trial until I decided to try the downloaded version. It must have kept a history and knew that I ran the program from Safe Mode with Networking over 30 days ago because I received the message as soon as I downloaded, installed and tried to run it.

    I receive the same message for both of them: a box with an exclamation point in it with the words "yes" and "no," and the program wouldn't run if I clicked on yes or no.

    In order to uninstall it via your method, I have to close all windows and I'm in the middle of a project, so I'll try it later.

    Thanks for your advice.

    Denise
     
