Windows firewall does not stay on - what is SABKUTIL?

Discussion in 'Malware Help (A Specialist Will Reply)' started by JanetE, Sep 9, 2010.

  1. JanetE

    JanetE Private E-2

    I posted "XP SP3 had 177+ bugs - ran MG cleanup - issue with RootRepeal" on 8-21-10, 12:59 regarding my neighbor's infected computer.

    She has received one of those balloon pop-up messages in the tray once or twice since I cleaned her computer, about the Windows firewall not being turned on, but when she went to check the Windows firewall it was on so we crossed our fingers and just kept watching it.

    Now, however, I am really not sure if she is finally free of infections because when we opened Outlook Express and double-clicked on an email with jpg photo attachment sent from a cell phone, we got the same old message about the Windows firewall not being on. But this time when we checked, it was true: the firewall was in fact not on. (We turned it on.)

    The computer has also continued to be very slow, although simple age could adequately explain that. So I don't know how worried to be.

    Today I updated and ran Spybot Search & Destroy in safe mode with networking. It found nothing. She herself updates and runs Super Antispyware and Malwarebytes every day; and yesterday she ran both in safe mode. Also found nothing. (She also runs CCleaner and ATF Cleaner, has a current version of Norton running, and I have Spyware Blaster running there too.)

    I poked around the Event Viewer. Maybe I didn't look in the right place, but I saw no reference to Windows firewall stopping on its own.

    I did see a couple of errors there that keep recurring. One said "The Epson Printer Status Agent2 service failed to start due to the following error: The system cannot find the file specified." This was an old printer that no longer exists and I had tried to uninstall everything associated with it. I figured this was something I missed. So I disabled it from the Event Viewer. Hope that was right?

    A similar-sounding error in Event Viewer referred to SABKUTIL. I ran out of time to work on my neighbor's computer, so tried to research this on my own computer after I came home and am not sure what to make of it. Makes me nervous.

    I also tried to install the FileHippo update checker for her. The app apparently installed OK, but would not run. It said I would need to install V2.0.50727 or V4.0 of .NET Framework first. I have not had time to figure out how to do that yet.

    Questions:

    Maybe we need to contact her ISP (Verizon) to find out if they have any software firewall running that would somehow interfere with the Windows firewall?

    And/or I could install a better firewall like Comodo(?) and then be sure to disable the Windows firewall.

    Or could there be a persistent infection, and do you think I need to start over with the whole MajorGeeks cleanup again?

    Thank you, thank you, thank you in advance!

    Janet
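One way to get ground truth on the symptom described above (the firewall reported off, nothing obvious in Event Viewer), as an added example that is not from this thread or from MajorGeeks' tools: a PowerShell 2.0 script that reports the Windows Firewall service state, the per-profile EnableFirewall registry values, any third-party firewall registered with Security Center, and the Service Control Manager events that record the service stopping. It assumes XP SP3 with PowerShell 2.0 installed and an administrator session; the registry paths and the root\SecurityCenter WMI namespace are the XP-era locations (Windows 7 and later use root\SecurityCenter2).

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on XP SP3 and an
# administrator session; paths below are the XP-era locations.

# XP service name for "Windows Firewall/Internet Connection Sharing (ICS)"
$svcName  = 'SharedAccess'
$fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$gpoPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallServiceState {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'service not found' }
    return $svc.Status.ToString()        # Running / Stopped
}

# EnableFirewall (DWORD, 1 = on) per profile; a value under the policy key wins.
function Get-FirewallProfileState {
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $local  = Get-ItemProperty -Path "$fwPolicy\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
        $policy = Get-ItemProperty -Path "$gpoPath\$profile"  -Name EnableFirewall -ErrorAction SilentlyContinue
        $localVal  = 'n/a'; if ($local  -ne $null) { $localVal  = $local.EnableFirewall }
        $policyVal = 'n/a'; if ($policy -ne $null) { $policyVal = $policy.EnableFirewall }
        $effective = $localVal; if ($policy -ne $null) { $effective = $policyVal }
        New-Object PSObject -Property @{
            Profile = $profile; Local = $localVal; Policy = $policyVal
            Enabled = ($effective -eq 1)
        }
    }
}

# Third-party firewalls (Comodo etc.) register here; Security Center reads it,
# which is why Security Center can say "off" while Windows Firewall is disabled on purpose.
function Get-RegisteredFirewalls {
    try {
        Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct -ErrorAction Stop |
            Select-Object displayName, enabled
    } catch {
        Write-Warning "root\SecurityCenter query failed: $_"
    }
}

# Service Control Manager events about the firewall service:
# 7000 = failed to start, 7034 = terminated unexpectedly, 7036 = entered running/stopped state.
function Get-FirewallServiceEvents {
    param([int]$Days = 14)
    $ids = 7000, 7034, 7036
    Get-EventLog -LogName System -Source 'Service Control Manager' -After (Get-Date).AddDays(-$Days) |
        Where-Object { ($ids -contains $_.EventID) -and ($_.Message -match 'Firewall|SharedAccess') } |
        Select-Object TimeGenerated, EventID, Message
}

"Service $svcName : $(Get-FirewallServiceState)"
Get-FirewallProfileState  | Format-Table Profile, Local, Policy, Enabled -AutoSize
Get-RegisteredFirewalls   | Format-Table -AutoSize
Get-FirewallServiceEvents | Sort-Object TimeGenerated | Format-Table -AutoSize -Wrap
```

If the service shows Running but Enabled is False, something rewrote EnableFirewall rather than stopping the service; a 7036 "stopped" entry with no matching "running" entry shortly after gives the time of the outage to compare against other System-log errors.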
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Does she use SUPER Ad Blocker? That's what it relates to.

    You could run our procedures.

    Ideally, especially using XP, there should be a third party firewall installed, yes.

    I would rather you do that, yes, then I can review the logs and check for malware's presence.
     
  3. JanetE

    JanetE Private E-2

    Kestrel13! thank you.

    I do appreciate your kind attention to my logs, attached. I was unable to run RootRepeal in either normal or safe mode (hangs on initialization).

    Before running your procedures I installed the Comodo free firewall and used it to block a few things that I was not sure of, including that Epson Printer service. I have not seen where it has hurt the running of the computer, and it might in fact have helped. It seems faster.

    Re: SABKUTIL - since my last post I noticed that SuperAntiSpyware's publisher is SuperAdBlocker.com (which I do not remember ever seeing before, though maybe I wasn't looking); and yes, she does run SuperAntiSpyware on this computer. I uninstalled and reinstalled it to be sure what I was dealing with.

    Awaiting your response with much gratitude,
    Janet
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Comodo Internet Security is installed, so there is no need to have Windows' own firewall turned on because Comodo includes one in its suite. However, you also have this installed!

    • Norton AntiVirus

    You should decide whether you want to keep Norton or Comodo

    What is this quotes folder all about?

    Anything to do with this?

Now MGTools did not run to completion, so this time (AFTER uninstalling either Norton or Comodo) double-click the C:\MGTools.exe, and this time round when you are prompted to agree to the Trend Micro HijackThis license you need to click agree or accept twice; it's a bug.

    Let MGTools run all the way to completion until you see hit any key to continue.

    Then attach the new C:\Mglogs.zip into your next reply.
     
  5. JanetE

    JanetE Private E-2

    Thank you so much for the help, Kestrel13!

    I didn't think I had Windows' own firewall on. The computer, in Security Center, was telling me that it was turned off. Are my logs telling you different? Because this is where I came in, with the Windows firewall being mysteriously turned on and off.

    The reason I thought I could have both Norton and Comodo running was because the Norton that is running is only an antivirus, and the Comodo is only a firewall. I tried to deselect the antivirus when installing Comodo. Did my logs show you two antiviruses and/or two firewalls running at the same time?

    I don't yet know whether the computer's owner had been receiving a Quote of the Day; I'm waiting for a response from her. But I know she would want to kill anything dangerous, so meanwhile I deselected 'Simple TCP/IP Services' in the Windows Components and rebooted.

    Before rerunning MGTools I did uninstall the Comodo anyway (can always reinstall, or revert to Windows firewall).

    I ran MGTools in normal mode but with no internet connectivity (physically disconnected). Hope this did not interfere, because it never did give me a prompt for the HijackThis license, not yesterday and not today. Today it ran and created a new MGlogs.zip with timestamp 9/11/2010 12:26 PM in the C: drive which I am attaching.

    Previously (see "XP SP3 had 177+ bugs - ran MG cleanup - issue with RootRepeal" 8-21-10, 12:59) when I tried to uninstall HijackThis I wound up with some files that had to be removed manually, possibly because I had renamed the executable and then renamed it back. TimW said I could just go ahead and delete the leftover TrendMicro folder and its backup contents, which I did. Could the way I uninstalled HijackThis be an issue?

    I await your instructions!

    thanks much,
    Janet
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, then you can reinstall the firewall. Do let me know about the "Quotes" folder when your friend gets back to you regarding it.

I don't know why your logs are incomplete, but I am not seeing any malware in your logs. Run C:\MGTools\analyse.exe, do a system scan and save a log file. Attach it to your next post.
     
  7. JanetE

    JanetE Private E-2

    Thanks Kestrel13!

    Firewall:
    I reinstalled the Comodo firewall. I found that the software package I used earlier was not the MG recommended download. MG's choice contained just the firewall; it has no antivirus to be careful not to install. So I downloaded yours this time (installer name has cfw in it, instead of cis). Good catch, thank you. It's less confusing now. Yes, I turned Windows firewall off.

    Comodo crashed on me once tonight while the computer was rebooting; it said it had to close. I restarted again and it seemed okay. The same thing happened once yesterday, first the crash and then okay when I restarted. Crossing my fingers that it will work better than the Windows firewall!

    Quotes:
    My friend says she knows nothing about these quotes. In her email she receives "Daily Quotes" but that's in Outlook Express; it shouldn't have anything to do with a TCP/IP service.

    Yesterday I ran searches for file names containing 'quotes' and found these two, including the one you questioned:
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\quotes
    C:\I386\QUOTES._
    Both files' properties show that they were last modified 8/29/2002 7:00 AM.

    Today CCleaner picked up an unused file extension '._' (dot underscore, same as the file I had found in the I386 folder above). I only ran a scan for Registry issues just to see, but without fixing them yet, as I didn't want to destroy any evidence.

    HijackThis:
    Trying to run analyse.exe I got Error #75 - Path/File access error. It said my system had denied access to the Hosts file and gave a workaround involving a manual edit. I did not edit the Hosts file yet, preferring to hear from you if I should do that. I was able to run analyse.exe in safe mode. I'm attaching both versions of the log. I guess I will attach the full text of the error message too, though you probably know it by heart.

    Other:
    Before reinstalling the Comodo firewall today I again had issues with Windows firewall being turned off. Once it got turned back on again spontaneously, another time I had to turn it back on manually, but in the process of this when I went to Windows Security Center I got a message that "Due to an unidentified problem, Windows cannot display Windows Firewall settings." The computer, fortunately, was physically disconnected from the Internet this whole time.

    Prior to this I had been in User Account Control changing settings. In the end I put things back the way they had been, but I fooled around with creating a new Administrator account with a password. I was then going to change the user account she's been using to a restricted account. I backed off when I saw that I was going to wipe out whatever passwords might be stored with the account. Instead I deleted the new Administrator account I had just created. Then I tried turning on the Guest account, thinking maybe she could just use that when she has no Admin to do. But I think it was after that I had issues with the firewall turning off. I turned the Guest account back off again. Did something try to take advantage of the Guest account, I wonder?

    By the way, I changed the User Account name today from "Bob & Gin" to "Bob and Gin" because I saw in some of the logs that the special character was causing some kind of truncation. The program was apparently expecting a command to follow the ampersand and didn't find it. I wonder if this could have been responsible for the issues I was having with the MGTools not running to completion? (Or the RootRepeal hanging?)

    One last worry:
    Going back through my notes I see where I found a shortcut in My Documents\My Music.
    The shortcut was named Sample Music, but its properties told me it was pointing to C:\Documents and Settings\All Users\Application Data.
    I deleted the shortcut.
    Then I uninstalled Picasa because I found the executable in a strange place, not with the other programs. It was in c:\Documents and Settings\BOB & GIN D[rest of user name]\Picasa2.
    After that I found a folder on the desktop, created that day, 9/9/10, named %SystemDrive%. It contained a series of nested folders:
    Documents and Settings
    BOB & GIN D[rest of user name]
    Application Data
    Microsoft
    System Certificates
    My
    Certificates
    CRLs
    CTLs
    These last 3 were all in the folder named 'My' and all were empty. I put that whole %SystemDrive% folder in the recycle bin too.

    This was all just before I opened the new thread for help on MajorGeeks. It didn't seem at the time like it was relevant, but boy could I be wrong, so I offer it belatedly with many apologies if I've blindsided you.

    Sorry, I tried to write shorter but couldn't.

    Once again, thank you so much.
    Janet
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

It's looking like you may have to visit the software forum for some issues, but let's do this though:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\quotes
    C:\I386\QUOTES._
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  9. JanetE

    JanetE Private E-2

    Kestrel13!, no luck here.

    I created the CFscript.txt using code provided; shut down antivirus/antispyware and firewall; exited all browsers; dragged CFscript.txt onto ComboFix.exe. It started to run but the computer stopped a couple times to ask me whether I wanted to allow it to run or not. It also asked how I wanted to run it, as which user. I accepted the selection of the current user, Bob and Gin D[rest of user name], and unchecked an item on the line below that in the same dialog box (something about disallowing certain functions; in other words I allowed everything).

    The result was a message: Installation failed.

    Should I have tried to run it in safe mode? I have done nothing so far, just turned the antivirus and firewall back on and disconnected cable from Internet while I wait for new instructions.

    Also I did not proceed to run MGtools. Wasn't sure if I should or shouldn't.

    I hope I didn't do anything wrong by placing a line return at the end of the last line of code in the CFscript.txt (to bring the cursor to the next, empty, line).

    Please advise!

    thanks much,
    Janet
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What malware issues are you having?
     
  11. JanetE

    JanetE Private E-2

    Hello TimW,

    Thanks for taking a look!

    The issue up to yesterday has been that the Windows firewall keeps getting mysteriously turned off. I've stamped out over 175 infections on this machine, but am still nervous with not being able to keep the firewall on. Last night I installed a Comodo firewall and turned off the Windows firewall. So far so good with Comodo, but it's too early to really tell.

    I think my other issue is not malware, it's operator error. Today I tried and failed to run ComboFix according to Kestrel13!'s instructions (to go after those two files with 'quotes' in the name). I thought I had stopped Comodo before running ComboFix, but apparently not because I see a lot of executables blocked in Comodo, all seeming to be parts of ComboFix. So probably my fault. Please let me know if I should try again.

    My third problem might be software, not malware. Earlier I could not get MGtools to run to completion, and yesterday analyse.exe would not run correctly. I think I saw a reference somewhere to having to have the right .NET Framework software installed for these to run correctly. I wonder if installing a newer version would help. This machine is not even up to v2.0.

    Hope I've answered the question. Thanks so much for the assist.
    Janet
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Comodo should have taken care of your firewall issues.

    You can download net framework HERE.

    We could try removing those files with Avenger, but I don't think they are an issue. You should be able to just right click them and choose delete.

    Any other issues should probably be addressed in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
• Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to Add/Remove Programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures pointed to by step 7 of the READ ME
    for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  13. JanetE

    JanetE Private E-2

    Weelll, I hate to stick my neck out but I have to say right now she's running real sweet, just like a good little computer should. We'll see what tomorrow brings.

    Everything is working per your projections, TimW (gotta love that Comodo firewall), and I am deeply indebted to you and to Kestrel13! for your kind attentions.

    Side note: I've been pondering whether to reinstall my friend's Picasa for her (in the right place this time), and was delighted to find a most useful entry in the Software forum that might allow me to do it: "Picasa + web browser = unusable system (hijackthis log attached)." I thanked scwtech for the artful workaround posted there. Thank you also, TimW, for pointing me in the direction of the Software forum!

    cheers,
    Janet :)
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. Safe surfing! :)
     