Google redirect turned to nonfunctioning Firefox
#1
Posted 29 September 2011 - 02:26 AM
After some searching, I ran some other program that I heard was good for viruses (yes, I know that was probably a bad decision) and since then have not been able to use Mozilla Firefox or Internet Explorer to access the internet. I do have internet access, but Mozilla says "server not found" and IE says "cannot display the webpage" for anything I try. I don't make a habit of using suspicious sites or downloading junk, so I'm not sure what's gone wrong.
I've spent the past couple of days trying to find a solution without any luck. Today I ran Malwarebytes again and it found 2 registry keys infected & quarantined them. I was hoping that fixed the problem, but it hasn't; now I've given up. Does anyone know what might have happened or how I could fix this?
#2
Posted 29 September 2011 - 07:36 AM
Step 1 (For Windows Vista & 7):
- Go to the Control Panel.
- Click Network and Internet, then Network and Sharing Center, and click Change adapter settings.
- Select the connection for which you want to configure Google Public DNS. For example:
- To change the settings for an Ethernet connection, right-click Local Area Connection, and click Properties.
- To change the settings for a wireless connection, right-click Wireless Network Connection, and click Properties.
- Select the Networking tab. Under This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) and then click Properties.
- Click Advanced and select the DNS tab. If there are any DNS server IP addresses listed there, write them down for future reference, and remove them from this window.
- Click OK.
- Select Use the following DNS server addresses. If there are any IP addresses listed in the Preferred DNS server or Alternate DNS server, write them down for future reference.
- Replace those addresses with the IP addresses of the Google DNS servers:
- For IPv4: 8.8.8.8 and/or 8.8.4.4
If this doesn't work: Download and run RKill (http://www.bleepingcomputer.com/download/anti-virus/rkill) and SUPERAntiSpyware (http://www.superantispyware.com/) (Update First) in this order.
Hope this works!
#3
Posted 29 September 2011 - 10:40 PM
Un-updated Malwarebytes didn’t turn up anything, but RKill gave me the following message:
C:\windows\system32\conime.exe
C:\windows\system32\conime.exe
(yes it did list it twice)
I also noticed while going through step 1 that when I hover over the internet connection icon it says that I’m connected & have been for over 6 hours, but when I go into the network sharing center it just says it’s “identifying…” I'm assuming that that is probably part of the problem but don't know what to even look for, but after randomly clicking on things, to see if there was anything else weird I could spot it gave me an error saying "windows has encountered an error saving the wireless profile. Specific error: IHV service is not available."
#4
Posted 01 October 2011 - 08:49 AM
Please be advised that:
Quote
Admin | Site Admin | Global Moderator | Moderator | Malware Study Hall Admin | Malware Response Instructor | Malware Response Team | BC Advisor
Other trusted helpers include Malware Study Hall Junior and Malware Study Hall Senior with "Member of the Bleeping Computer A.I.I. early response team!" in their signature.
From this topic: http://www.bleepingcomputer.com/forums/topic182397.html This doesn't mean that others are not allowed to post advice in the Am I Infected forum, just that the only trusted advice is from members in the above groups.
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
Some things to remember while we are working together.
- Do not run any other tool until instructed to do so!
- Please do not attach logs or put logs in code boxes.
- Tell me about any problems that have occurred during the fix.
- Tell me of any other symptoms you may be having as these can also help.
- Do not run anything while running a fix.
- If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button, select Immediate Notification, and click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.
Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.
Checkmark the following boxes:
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List last 10 Event Viewer Log Errors
- List Installed Programs
- List Users, Partitions and Memory size
Click Go. Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]
Open Malwarebytes, click on the Update tab, and click the check for Updates button (as of this post, the latest update is 7840)
- If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
- Exit MBAM when done.
If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware
In your next reply, please include:
- MiniToolBox log
- Malwarebytes log
- Please provide a detailed description of any remaining problems, error messages, etc.
Jason
Member of the Bleeping Computer A.I.I. early response team!
Please do not PM me for help!
#5
Posted 01 October 2011 - 09:23 AM
#6
Posted 04 October 2011 - 05:52 PM
MiniToolBox by Farbar
Ran by Meghan (administrator) on 04-10-2011 at 17:26:25
Windows Vista (TM) Home Premium Service Pack 2 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
"network.proxy.no_proxies_on", "*.local"
"network.proxy.type", 4
Hosts file not detected in the default directory
========================= IP Configuration: ================================
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global icmpredirects=enabled
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : oid-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : RP614v4
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : RP614v4
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-21-63-BF-49-56
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3c26:195f:3498:f0af%11(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.240.175(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-1E-33-89-3A-EF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 6:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{0A2E6BA9-3B42-4B4C-BBFB-E7D86FD7E9DB}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 7:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{073841FF-5BFD-4132-B13F-9B53D0BCB5AD}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 13:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 14:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 15:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.RP614v4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 8.8.8.8
Ping request could not find host google.com. Please check the name and try again.
Server: UnKnown
Address: 8.8.8.8
Ping request could not find host yahoo.com. Please check the name and try again.
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11 ...00 21 63 bf 49 56 ...... Atheros AR5007EG Wireless Network Adapter
10 ...00 1e 33 89 3a ef ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
1 ........................... Software Loopback Interface 1
15 ...00 00 00 00 00 00 00 e0 isatap.{0A2E6BA9-3B42-4B4C-BBFB-E7D86FD7E9DB}
17 ...00 00 00 00 00 00 00 e0 isatap.Belkin
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 isatap.{073841FF-5BFD-4132-B13F-9B53D0BCB5AD}
14 ...00 00 00 00 00 00 00 e0 isatap.Belkin
16 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
18 ...00 00 00 00 00 00 00 e0 isatap.RP614v4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.240.175 281
169.254.240.175 255.255.255.255 On-link 169.254.240.175 281
169.254.255.255 255.255.255.255 On-link 169.254.240.175 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 169.254.240.175 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 169.254.240.175 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 281 fe80::/64 On-link
11 281 fe80::3c26:195f:3498:f0af/128
On-link
1 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Event log errors: ===============================
Application errors:
==================
Error: (10/03/2011 06:00:51 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (09/29/2011 05:42:14 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
Error: (09/29/2011 00:43:59 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
Error: (09/29/2011 00:43:16 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 0.0.0.0, time stamp 0x4d334d98, faulting module iexplore.exe, version 0.0.0.0, time stamp 0x4d334d98, exception code 0x40000015, fault offset 0x0008cb40,
process id 0x700, application start time 0xiexplore.exe0.
Error: (09/29/2011 00:22:34 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (09/29/2011 00:22:04 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
Error: (09/29/2011 11:46:59 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (09/29/2011 11:46:26 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
Error: (09/29/2011 04:58:42 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (09/27/2011 08:15:23 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
System errors:
=============
Error: (10/03/2011 06:00:51 PM) (Source: Service Control Manager) (User: )
Description: stcy
Error: (10/03/2011 06:00:51 PM) (Source: Service Control Manager) (User: )
Description: MCSTRM%%2
Error: (10/03/2011 06:00:51 PM) (Source: Service Control Manager) (User: )
Description: IP HelperTdx
Error: (10/03/2011 06:00:51 PM) (Source: Service Control Manager) (User: )
Description: DNS ClientTdx
Error: (10/03/2011 06:00:51 PM) (Source: Service Control Manager) (User: )
Description: DHCP ClientTdx
Error: (10/01/2011 02:48:18 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}
Error: (09/30/2011 00:22:24 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}
Error: (09/29/2011 00:40:48 PM) (Source: DCOM) (User: )
Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error: (09/29/2011 00:22:34 PM) (Source: Service Control Manager) (User: )
Description: spldr
stcy
Wanarpv6
Error: (09/29/2011 00:22:34 PM) (Source: Service Control Manager) (User: )
Description: IP HelperTdx
Microsoft Office Sessions:
=========================
=========================== Installed Programs ============================
Adobe Flash Player 10 ActiveX (Version: 10.2.159.1)
Adobe Flash Player 10 Plugin (Version: 10.1.102.64)
Adobe Reader 8.1.2 (Version: 8.1.2)
Adobe Reader 8.2.0 (Version: 8.2.0)
Amazon Links (Version: 1.0)
Apple Application Support (Version: 1.5.1)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.1.116)
Atheros Driver Installation Program (Version: 5.2)
Atheros Wi-Fi Protected Setup Library
Bonjour (Version: 2.0.5.0)
Camera Assistant Software for Toshiba (Version: 1.7.193.0508L)
CD/DVD Drive Acoustic Silencer (Version: 2.02.03)
Cisco EAP-FAST Module (Version: 2.1.6)
Cisco LEAP Module (Version: 1.0.12)
Cisco PEAP Module (Version: 1.0.13)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
DVD MovieFactory for TOSHIBA (Version: 5.51)
GearDrvs (Version: 5.0.0.2)
HP LaserJet P1000 series
HPCarePackCore (Version: 10.0.0.1)
HPCarePackProducts (Version: 1.0.0.1)
hppMSRedist (Version: 1.00.0000)
hppusgP1000 (Version: 1.1.0.1)
HPSSupply (Version: 2.1.1.0000)
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes (Version: 10.2.2.12)
Java(TM) 6 Update 6 (Version: 1.6.0.60)
LG USB Modem driver
Malwarebytes' Anti-Malware version 1.51.0.1200 (Version: 1.51.0.1200)
MarketResearch (Version: 100.0.170.000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Microsoft Works (Version: 9.7.0621)
Microsoft XML Parser (Version: 8.20.8730.4)
Mozilla Firefox (3.6.22) (Version: 3.6.22 (en-US))
MrvlUsgTracking (Version: 1.0.7)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Music Oasis (Version: 1.0.0)
NetAssistant (Version: 3.8.3)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Palm Desktop by ACCESS (Version: 6.4.0.0)
QuickBooks (Version: 19.0.4011.705)
QuickBooks Product Listing Service (Version: 2.0.148)
QuickBooks Simple Start 2009 (Plus Pack) (Version: 19.0.4011.705)
QuickBooks Simple Start 2009 (Version: 19.0.4011.705)
QuickBooks Simple Start Free Starter Edition (Version: )
QuickTime (Version: 7.69.80.9)
Realtek 8169 8168 8101E 8102E Ethernet Driver (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.5599)
Realtek USB 2.0 Card Reader (Version: )
Skype Toolbars (Version: 5.3.7280)
Skype™ 5.3 (Version: 5.3.108)
SupportSoft Assisted Service (Version: 15)
Synaptics Pointing Device Driver (Version: 10.1.8.0)
TOSHIBA Assist (Version: 2.01.08)
TOSHIBA ConfigFree (Version: 7.2.20)
TOSHIBA Desktop Links (Version: 1.7)
TOSHIBA Disc Creator (Version: 2.0.1.3)
TOSHIBA DVD PLAYER (Version: 1.31.14)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Face Recognition (Version: 2.0.2.32)
TOSHIBA Hardware Setup (Version: 2.00.08)
TOSHIBA Recovery Disc Creator (Version: 2.0.0.2)
Toshiba Registration (Version: 1.00.0000)
TOSHIBA Service Station (Version: 1.1.14)
TOSHIBA Software Modem (Version: 2.1.77 (SM2177ALD04))
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 2.00.04)
TOSHIBA Value Added Package (Version: 1.1.24)
Visual Studio 2005 Tools for Office Second Edition Runtime
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.3374)
========================= Memory info: ===================================
Percentage of memory in use: 30%
Total physical RAM: 2939.25 MB
Available physical RAM: 2052.56 MB
Total Pagefile: 6084.78 MB
Available Pagefile: 5257.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.14 MB
========================= Partitions: =====================================
1 Drive c: (SQ004816V03) (Fixed) (Total:224.17 GB) (Free:123.44 GB) NTFS
========================= Users: ========================================
User accounts for \\OID-PC
Administrator ASPNET Guest
Meghan Nick oid
**** End of log ****
2) Malwarebytes
I'm having problems with this. I downloaded it from my working desktop, but because my laptop can't connect to the internet, it cannot update when I run it on there. When I open it, it says the database is outdated by 128 days (last updated in May 2011, I believe) and when I click for it to update an error pops up saying "PROGRAM_ERROR_UPDATING (12163, 0, IsInternetConnected)"
#7
Posted 04 October 2011 - 06:40 PM
You're having trouble with Malwarebytes because you don't have an Internet connection. Let's try to fix that.
Click on the Start menu. In the search box, type in:
cmd
Right click on cmd and select Run as Administrator.
In the Command Prompt window that opens, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"
Turn the computer off.
On your router, you'll find a pinhole marked "Reset".
Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
NOTE. Simply disconnecting the router from a power source will NOT do.
Turn your computer back on.
NOTE. You may need to re-check your router security settings, as described HERE
Open Notepad.
Copy and Paste the following text into it:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Go File>Save As and...
1. Name the file hosts (no extension)
2. Make sure "Save as type:" is set to "All Files (*.*)"
3. Make sure the file is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder

Checkmark the following boxes:
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
Click Go. Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]
Jason
Member of the Bleeping Computer A.I.I. early response team!
Please do not PM me for help!
#8
Posted 05 October 2011 - 12:49 AM
ipconfig /flushdns
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
ipconfig /registerdns
Windows IP Configuration
Registration of DNS records failed: The RPC server is unavailable.
ipconfig /release
Windows IP Configuration
An error occurred while releasing interface Wireless Network Connection : The RPC server is unavailable.
No operation can be performed on Local Area Connection while it has its media disconnected.
ipconfig /renew
Windows IP Configuration
An error occurred while releasing interface Wireless Network Connection : The RPC server is unavailable.
No operation can be performed on Local Area Connection while it has its media disconnected.
net stop "dns client"
The DNS Client service is not started.
More help is available by typing NET HELPMSG 3521.
net start "dns client"
The dependency service does not exist or has been marked for deletion.
2) Completed with no problems.
3) MiniToolBox results:
MiniToolBox by Farbar
Ran by Meghan (administrator) on 05-10-2011 at 00:33:38
Windows Vista (TM) Home Premium Service Pack 2 (X86)
***************************************************************************
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
Hosts file not detected in the default directory
========================= IP Configuration: ================================
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global icmpredirects=enabled
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : oid-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : RP614v4
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : RP614v4
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-21-63-BF-49-56
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3c26:195f:3498:f0af%11(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.240.175(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-1E-33-89-3A-EF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 6:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{0A2E6BA9-3B42-4B4C-BBFB-E7D86FD7E9DB}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 7:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{073841FF-5BFD-4132-B13F-9B53D0BCB5AD}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 13:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 14:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 15:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.RP614v4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 8.8.8.8
Ping request could not find host google.com. Please check the name and try again.
Server: UnKnown
Address: 8.8.8.8
Ping request could not find host yahoo.com. Please check the name and try again.
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11 ...00 21 63 bf 49 56 ...... Atheros AR5007EG Wireless Network Adapter
10 ...00 1e 33 89 3a ef ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
1 ........................... Software Loopback Interface 1
15 ...00 00 00 00 00 00 00 e0 isatap.{0A2E6BA9-3B42-4B4C-BBFB-E7D86FD7E9DB}
17 ...00 00 00 00 00 00 00 e0 isatap.Belkin
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 isatap.{073841FF-5BFD-4132-B13F-9B53D0BCB5AD}
14 ...00 00 00 00 00 00 00 e0 isatap.Belkin
16 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
18 ...00 00 00 00 00 00 00 e0 isatap.RP614v4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.240.175 281
169.254.240.175 255.255.255.255 On-link 169.254.240.175 281
169.254.255.255 255.255.255.255 On-link 169.254.240.175 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 169.254.240.175 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 169.254.240.175 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 281 fe80::/64 On-link
11 281 fe80::3c26:195f:3498:f0af/128
On-link
1 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
**** End of log ****
This post has been edited by cadmonkey: 05 October 2011 - 12:54 AM
#9
Posted 05 October 2011 - 08:01 AM
Please follow the directions here: http://www.bleepingcomputer.com/forums/topic43051.html
Scroll down to Remote Procedure Call (RPC). Make sure the Startup Type is Automatic. If it does not say Automatic, try right clicking on the Remote Procedure Call service, click on Properties, and click on the Startup type: dropdown menu to change it to Automatic.
Also make sure the Status says Started. If the Status does not say Started, right click on the Remote Procedure Call service and click on Start.
Also make sure the following services have a Status of Started and a Startup Type of Automatic (the same instructions as above):
- DHCP Client
- DNS Client
Please let me know if you get any errors when following these instructions.
Checkmark the following boxes:
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer Log Errors
Click Go. Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]
Jason
Member of the Bleeping Computer A.I.I. early response team!
Please do not PM me for help!
#10
Posted 05 October 2011 - 05:07 PM
I wasn't able to find i386 and when I tried to run SFC.EXE /SCANNOW as an administrator it went back to the desktop and was as though I had done nothing.
Where do I go from here?
#12
Posted 05 October 2011 - 05:26 PM
DHCP not started, right clicked to start it and got the following error:
Windows could not start the DHCP Client service on Local Computer.
Error 1075: The dependency service does not exist or has been marked for deletion.
DNS not started, right clicked to start it and got the following error:
Windows could not start the DNS Client service on Local Computer.
Error 1075: The dependency service does not exist or has been marked for deletion.
#14
Posted 05 October 2011 - 09:34 PM
MiniToolBox by Farbar
Ran by Meghan (administrator) on 05-10-2011 at 21:29:55
Windows Vista (TM) Home Premium Service Pack 2 (X86)
***************************************************************************
========================= Event log errors: ===============================
Application errors:
==================
Error: (10/05/2011 03:32:21 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/04/2011 11:58:07 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/04/2011 11:38:24 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/04/2011 07:56:31 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\MEGHAN\DESKTOP\VIDEOS\PICTURES> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error: (10/04/2011 07:56:31 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\MEGHAN\DESKTOP\VIDEOS\PICTURES> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error: (10/04/2011 07:55:21 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/03/2011 06:00:51 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/29/2011 05:42:14 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/29/2011 00:43:59 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (09/29/2011 00:43:16 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 0.0.0.0, time stamp 0x4d334d98, faulting module iexplore.exe, version 0.0.0.0, time stamp 0x4d334d98, exception code 0x40000015, fault offset 0x0008cb40, process id 0x700, application start time 0xiexplore.exe0.

System errors:
=============
Error: (10/05/2011 05:24:43 PM) (Source: Service Control Manager) (User: )
Description: DNS ClientTdx

Error: (10/05/2011 05:21:31 PM) (Source: Service Control Manager) (User: )
Description: DHCP ClientTdx

Error: (10/05/2011 04:48:54 PM) (Source: Service Control Manager) (User: )
Description: 30000Netman

Error: (10/05/2011 03:32:21 PM) (Source: Service Control Manager) (User: )
Description: stcy

Error: (10/05/2011 03:32:21 PM) (Source: Service Control Manager) (User: )
Description: MCSTRM%%2

Error: (10/05/2011 03:32:21 PM) (Source: Service Control Manager) (User: )
Description: IP HelperTdx

Error: (10/05/2011 03:32:21 PM) (Source: Service Control Manager) (User: )
Description: DNS ClientTdx

Error: (10/05/2011 03:32:21 PM) (Source: Service Control Manager) (User: )
Description: DHCP ClientTdx

Error: (10/05/2011 03:30:03 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 1:02:58 AM on 10/5/2011 was unexpected.

Error: (10/05/2011 00:18:25 AM) (Source: Service Control Manager) (User: )
Description: DNS ClientTdx

Microsoft Office Sessions:
=========================

**** End of log ****
#15
Posted 05 October 2011 - 09:46 PM
On the computer that's not infected, please download SystemLook from one of the links below and save it to a flash drive or CD.
Download Mirror #1
Download Mirror #2
Then copy and paste SystemLook.exe to the desktop of the infected computer.
- Double-click SystemLook.exe to run it.
- Type the following into the main textfield:
:service
DHCP
Dnscache
NSI
TDX
AFD
:reg
HKLM\system\currentcontrolset\services\dhcp
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Jason
Member of the Bleeping Computer A.I.I. early response team!
Please do not PM me for help!
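The Error 1075 messages and the SystemLook request above both concern the services' registry entries, so here is a read-only PowerShell check of the same thing, as an added example that is not part of the original posts. It walks DependOnService for Dhcp and Dnscache and flags any dependency whose key is missing or marked for deletion; it assumes PowerShell is installed on the machine, and the helper name Show-ServiceChain is hypothetical.

```powershell
# Added example (not from the thread): read-only walk of service dependencies.
# Error 1075 means a name listed in DependOnService has no usable service key.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$seen = @{}

# Show-ServiceChain is a hypothetical helper name chosen for this example.
function Show-ServiceChain {
    param([string]$Name, [string]$RequiredBy = '(requested)', [int]$Depth = 0)

    $id = $Name.ToLower()
    if ($seen.ContainsKey($id)) { return }       # avoid loops and repeated rows
    $seen[$id] = $true

    $row = New-Object PSObject -Property @{
        Service = ('  ' * $Depth) + $Name; RequiredBy = $RequiredBy
        State = 'KEY MISSING'; Start = ''; ImagePath = ''
    }
    $path = Join-Path $root $Name
    if (-not (Test-Path $path)) { return $row }  # dependents fail with Error 1075

    $p = Get-ItemProperty -Path $path
    $row.State = 'present'
    if ($p.DeleteFlag -eq 1) { $row.State = 'MARKED FOR DELETION' }
    if ($null -ne $p.Start) { $row.Start = $startNames[[int]$p.Start] }
    else { $row.Start = 'NO START VALUE' }
    $row.ImagePath = [string]$p.ImagePath
    $row                                         # emit this service's row

    # DependOnService is a multi-string value; it may be absent for leaf drivers.
    foreach ($dep in @($p.DependOnService)) {
        if ($dep) { Show-ServiceChain -Name $dep -RequiredBy $Name -Depth ($Depth + 1) }
    }
}

# The two services that failed in the thread; SystemLook was also asked
# about NSI, TDX and AFD, which this walk reports if they are dependencies.
'Dhcp', 'Dnscache' | ForEach-Object { Show-ServiceChain -Name $_ } |
    Format-Table Service, State, Start, RequiredBy, ImagePath -AutoSize
```

A row showing KEY MISSING or MARKED FOR DELETION identifies the dependency the Service Control Manager could not resolve; an unexpected ImagePath on a present key is also worth reporting to the helper.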
