Removed "Data Restore", now IE 'stopped working'?


This topic is locked. 24 replies to this topic.

#1 Narbley


Posted 11 October 2011 - 10:07 AM

Hey all. I had an infection by 'Data Restore' and followed some great instructions here on how to remove it. I have gone through all that and things are mostly working again. (Although, the UNHIDE program doesn't quite seem to be unhiding everything, and many things in my Start menu list are still 'empty'.) That isn't the major question at the moment. I am now periodically getting a message that "Internet Explorer has stopped working"; you can 'Restart', 'Look for Solutions', etc. I haven't been using Internet Explorer explicitly (i.e. I don't browse with it, nor load it up.) Oh, I have also had trouble getting Windows Update to run. It checks in and shows the list, but then it doesn't actually download anything (stuck at 0KB, 0%).

I have run through the steps for removing Data Restore again (running MBAM right now), but so far it hasn't found anything. I haven't had a chance to try running UNHIDE in safe mode, or stuff like that. I am mostly wondering if others have had experience with this being a left-over symptom of Data Restore, or an indication that I have something more serious.

Thanks,
Narbley

OK, some progress...sort of.

I found a description of Unhide.exe (http://www.bleepingcomputer.com/forums/topic405109.html) and went to the temp folders they describe and copied them over. I still had many things that were showing as "(empty)" when I thought that they shouldn't be. So I dug around and manually looked at those folders in the TEMP dir and yes, they were empty there, too. So I searched for the content that I THOUGHT should be there, and in many cases, it wasn't there either. OK, fine, I don't have a photographic memory of my Start Menu.

But what I didn't find in the TEMP folders were the copies that correspond to my Quick Launch/Pinned items, and I KNOW that I did have many of those. I use them everyday. So those are missing, although rather easy to recreate (but annoying).

Second item is that SOME folders SHOULD have stuff in them, like Administrative Tools. That shows as "(empty)" on both the Browse list on the left side of the Start menu, as well as the "System" side of the start menu on the right. (I have it configured to show up in both places.) Going to that directory through the Control Panel also reveals that it is empty. So they are apparently correct in showing it as empty, but where did they go? If you go into Control Panel -> System & Security, Admin Tools is listed as a category, with 4 or 5 options showing there. Clicking those DOES cause them to launch, but clicking on the "Administrative Tools" link to go into the full list of tools reveals an empty folder.

And the last thing, I had a Windows Update that ran a few days before this all started, and I thought to try and use that to restore things. But it doesn't show on my list. The only restore points are the ones that I have managed to get to run just yesterday, after all this infection started. Curiously, my Update History does show that I had some successful Updates made in that time frame I mentioned (a few days before this started).

Oh, and yes, I have managed to get Update to work; I just had to wait for it to fully complete. The progress meter never metered. But it eventually finished.

--Narb

Edited by boopme, 12 October 2011 - 12:04 PM.



#2 Narbley


Posted 12 October 2011 - 01:40 PM

Further progress: I have fixed my missing Admin Tools shortcuts. I used this procedure:
http://www.sevenforums.com/tutorials/29965-administrative-tools-restore-shortcuts.html

Now, why are my Task Bar pinned apps not showing? They are in the folder, but they don't display. When I create new links for these apps (from Start Menu -> right click on app -> Pin to Task Bar) I get a new copy of that app in that same folder. The new one shows up fine. No, they aren't hidden. I opened the properties of each one and they were identical that I could see. Very odd.

-- Narb

#3 Narbley


Posted 12 October 2011 - 01:45 PM

Oh, further progress: After finishing the various Windows Updates that were still listed, my periodic "Internet Explorer has stopped working" errors have, well, stopped showing up.

Getting closer to feeling like this thing is back in order.

#4 boopme


Posted 13 October 2011 - 12:52 PM

Hello, see if the info here helps you along; the virus is of the same family. L@@K
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Narbley


Posted 13 October 2011 - 12:56 PM

Well, just got another 'IE has stopped working' message; so they HAVEN'T gone away with the updates. And after that happens my Firefox comes up and asks if I want it to be default. (It always has been and should be; I never set IE to default myself.)

#6 boopme


Posted 13 October 2011 - 01:14 PM

You also may still be infected. Do not run a TEMP or registry file cleaner or the files will be gone.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

#7 Narbley


Posted 13 October 2011 - 02:44 PM

I have been running another MBAM scan this morning. I also turned on MS's Security Essentials scanner (I was trying to find something that would look for further rootkit possibilities). It caught a Trojan Downloader (Java/OpenConection.OU) file on the C: drive (which MBAM had missed apparently). I let it take care of the file.

I will start going through your instructions soon! Thanks for the reply.

#8 boopme


Posted 13 October 2011 - 02:51 PM

For Rootkits:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#9 Narbley


Posted 13 October 2011 - 04:11 PM

I was looking for Gmer at one point and found reference to the fact that it doesn't work with 64-bit OS installations. Is that true?

#10 Narbley


Posted 13 October 2011 - 07:02 PM

Here's the Minitoolbox report:

MiniToolBox by Farbar
Ran by Justin (administrator) on 13-10-2011 at 16:43:48
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



There are 15063 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled taskoffload=disabled
set interface interface="Wireless Network Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Local Area Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Bluetooth Network Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Wireless Network Connection 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Phobos
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.or.comcast.net.

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR8131 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : E0-CB-4E-3D-48-9E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.or.comcast.net.
Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
Physical Address. . . . . . . . . : 00-25-D3-F3-78-AD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7cac:46b:27b7:d6ff%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.9(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, October 13, 2011 4:24:10 PM
Lease Expires . . . . . . . . . . : Friday, October 14, 2011 4:24:11 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 234890707
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-BB-DA-EF-00-25-D3-F3-78-AD
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{73F8AEDF-EA82-4A25-AF60-F3470D8C2B82}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.hsd1.or.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.or.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:433:151b:b38c:ad99(Preferred)
Link-local IPv6 Address . . . . . : fe80::433:151b:b38c:ad99%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Name: google.com
Addresses: 173.194.33.18
173.194.33.17
173.194.33.20
173.194.33.19
173.194.33.16


Pinging google.com [173.194.33.48] with 32 bytes of data:
Reply from 173.194.33.48: bytes=32 time=49ms TTL=51
Reply from 173.194.33.48: bytes=32 time=45ms TTL=51

Ping statistics for 173.194.33.48:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 45ms, Maximum = 49ms, Average = 47ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Pinging yahoo.com [98.139.180.149] with 32 bytes of data:
Reply from 98.139.180.149: bytes=32 time=125ms TTL=48
Reply from 98.139.180.149: bytes=32 time=116ms TTL=48

Ping statistics for 98.139.180.149:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 116ms, Maximum = 125ms, Average = 120ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...e0 cb 4e 3d 48 9e ......Atheros AR8131 PCI-E Gigabit Ethernet Controller
10...00 25 d3 f3 78 ad ......Atheros AR9285 Wireless Network Adapter
1...........................Software Loopback Interface 1
26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.9 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.9 281
192.168.0.9 255.255.255.255 On-link 192.168.0.9 281
192.168.0.255 255.255.255.255 On-link 192.168.0.9 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.9 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.9 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:4137:9e76:433:151b:b38c:ad99/128
On-link
10 281 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::433:151b:b38c:ad99/128
On-link
10 281 fe80::7cac:46b:27b7:d6ff/128
On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Bonjour\mdnsNSP.dll [193024] (Apple Inc.)
x64-Catalog5 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/13/2011 04:09:07 PM) (Source: Application Error) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: SHELL32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9a6
Exception code: 0xc0000005
Fault offset: 0x000000000009a749
Faulting process id: 0x1510
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3

Error: (10/13/2011 03:14:10 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (10/13/2011 03:12:30 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (10/13/2011 03:11:42 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "imaging1".Error in manifest or policy file "imaging2" on line imaging3.
The element imaging appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows.

Error: (10/13/2011 02:40:46 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000000b93114
Faulting process id: 0xb84
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (10/13/2011 08:48:31 AM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16421, time stamp: 0x4d76255d
Faulting module name: SDHelper.dll, version: 1.6.2.14, time stamp: 0x2a425e19
Exception code: 0xc0000005
Fault offset: 0x00001c61
Faulting process id: 0xea4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/12/2011 00:18:27 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (10/12/2011 00:16:49 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (10/11/2011 02:06:12 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x8bfffffa
Faulting process id: 0xa78
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/11/2011 02:04:50 PM) (Source: Microsoft-Windows-RestartManager) (User: Justin)Justin
Description: Application or service 'Windows Explorer' could not be restarted.


System errors:
=============
Error: (10/13/2011 04:24:13 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/13/2011 07:33:28 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/12/2011 09:08:56 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/12/2011 11:13:39 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/12/2011 10:52:25 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/12/2011 08:16:18 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/12/2011 07:01:52 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/11/2011 02:08:46 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/11/2011 01:51:33 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/11/2011 01:08:21 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================


========================= Memory info: ===================================

Percentage of memory in use: 41%
Total physical RAM: 4061.02 MB
Available physical RAM: 2369.34 MB
Total Pagefile: 8120.24 MB
Available Pagefile: 6266.71 MB
Total Virtual: 4095.88 MB
Available Virtual: 3983.34 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:116.44 GB) (Free:38.1 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:225.99 GB) (Free:127.39 GB) NTFS

========================= Users: ========================================

User accounts for \\PHOBOS

Administrator ASPNET Erika
Ethan Guest Justin

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#11 Narbley

Narbley
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:41 AM

Posted 13 October 2011 - 08:12 PM

Went ahead and Gmer anyway. Here's the output:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-13 18:06:08
Windows 6.1.7601 Service Pack 1
Running: 9lrrc44s-g-m-e-r.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d8db1a
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d8db1a (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UI080HX\fw-nonplayer-bannerCADX7MZH.htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OR2ULZVV\adholder[2].htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OR2ULZVV\adholder[3].htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OR2ULZVV\adholder[4].htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S6KV6SA2\fw-nonplayer-banner[8].htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S6KV6SA2\fw-nonplayer-banner[9].htm 1301 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S6KV6SA2\sandbox[5].htm 9711 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S6KV6SA2\login_status[3].htm 1154 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S6KV6SA2\fw-nonplayer-banner[10].htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S6KV6SA2\fw-nonplayer-banner[11].htm 0 bytes
File C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UY2PQ38Q\new-found-glory-radiosurgery-music-video[1].htm 536608 bytes
File C:\Users\Justin\AppData\Roaming\Microsoft\Windows\Cookies\RO0W08GU.txt 2146 bytes
File C:\Users\Justin\AppData\Roaming\Microsoft\Windows\Cookies\TQZYFGCG.txt 514 bytes

---- EOF - GMER 1.0.15 ----

#12 Narbley

Narbley
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:41 AM

Posted 13 October 2011 - 08:27 PM

Quick Scan w/ MBAM showed no infected files.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:41 AM

Posted 13 October 2011 - 09:12 PM

Go here and Reset Internet Explorer settings.
You can probably just click the FIX-IT button.

The Installed programs portion of Mini Toolbox did not show in the log.

#14 Narbley

Narbley
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:41 AM

Posted 13 October 2011 - 09:42 PM

Yeah, I noticed that it didn't show anything. Odd. I didn't edit anything, I just copied what was there. I was concerned about the 15k+ entries in the HOSTS file, though. That is very strange (to me). I have run it a number of times and it always comes back with an empty field there.

Will try the IE changes you suggested.

Edited by Narbley, 13 October 2011 - 09:49 PM.


#15 Narbley

Narbley
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:41 AM

Posted 13 October 2011 - 10:06 PM

Hmm...I still seem to be experiencing lots of site redirection from Google's results. I click on a Wikipedia entry and I get redirected two or three sites away from that (based on the history list). And this is Firefox! :)
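The two symptoms raised above, a HOSTS file with thousands of entries and redirects that happen in Firefox as well as IE, are worth checking together: the HOSTS file is consulted by every browser, so a hostname mapped there to a remote address redirects all of them. The auditor below is an added example and not part of the thread or of any tool mentioned in it; it separates harmless sinkhole entries (loopback or 0.0.0.0, typical of ad-blocking lists) from entries that send a known site somewhere else, and runs on a constructed sample rather than the real file at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (not the file from the thread). Ad-blocking lists add
# thousands of loopback/0.0.0.0 lines; a hijack points real sites elsewhere.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# sinkhole-style entries: traffic goes nowhere
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org   # trailing comment
# redirect-style entries: a well-known site sent to a remote address
198.51.100.23   www.google.com
198.51.100.23   en.wikipedia.org
"""

# address, then one or more hostnames, then an optional "# comment"
HOST_LINE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(.+?)\s*(?:#.*)?$")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comment and blank lines are skipped."""
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():
            yield ip, name.lower()

def audit_hosts(text):
    """Summarise a hosts file: total entries, sinkhole entries, and the
    (hostname, ip) pairs that redirect to a non-local address, plus a
    count of how often each redirect target appears."""
    total = sinkhole = 0
    redirects = []
    for ip, name in parse_hosts(text):
        total += 1
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # not a valid address: flag it for review
            redirects.append((name, ip))
            continue
        if addr.is_loopback or addr.is_unspecified:
            sinkhole += 1           # harmless: resolves to the local machine
        else:
            redirects.append((name, ip))
    targets = Counter(ip for _, ip in redirects)
    return {"total": total, "sinkhole": sinkhole,
            "redirects": redirects, "targets": targets}

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Many entries all pointing at the same remote address, as in the sample, is the pattern to look for; a long list that resolves only to loopback or 0.0.0.0 is the benign ad-blocking case.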