Page cannot be displayed, firewall shuts itself off. Ongoing problem.


  • This topic is locked
44 replies to this topic

#1 trishycamp

  • Members
  • 82 posts

Posted 28 April 2013 - 10:10 AM

As directed I am starting a new topic.

Previous topic and all the steps I have done are here:

http://www.bleepingcomputer.com/forums/t/492473/windows-firewall-shuts-itself-off/

Windows Firewall shuts itself off on restart, and in multiple browsers the page cannot be displayed unless I try 4-5 times. I am unsure which virus I have, as multiple attempts to fix it have all been unsuccessful.

I am attaching the zipped attach log, and here is the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.4.1
Run by Trisha at 10:50:25 on 2013-04-28
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.201 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1313168045\ee\AOLSoftware.exe
C:\Program Files\AVG SafeGuard toolbar\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?ncid=customie8
uWindow Title = Windows Internet Explorer provided by AOL
uDefault_Page_URL = hxxp://www.aol.com/?ncid=customie8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: AutorunsDisabled - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HostManager] c:\program files\common files\aol\1313168045\ee\AOLSoftware.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [vProt] "c:\program files\avg safeguard toolbar\vprot.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uPolicies-Explorer: NoDriveTypeAutoRun = dword:157
mPolicies-Explorer: NoDriveTypeAutoRun = dword:60
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Hidden%20Expedition%20-%20Titanic/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1359923186140
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Hidden%20Expedition%20-%20Titanic/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc.cab
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{02038A21-8A58-4378-AB5E-88F9CC3B236D} : DHCPNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-4-24 34592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-9-30 3712]
S2 vToolbarUpdater15.1.0;vToolbarUpdater15.1.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.1.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\15.1.0\ToolbarUpdater.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-25 40776]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2011-2-21 1527900]
.
=============== File Associations ===============
.
ShellExec: EasyShare.exe: Preview="c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe"
.
=============== Created Last 30 ================
.
2013-04-26 19:05:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-04-26 13:44:03 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-04-26 13:44:00 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-04-26 13:43:59 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-04-26 13:43:55 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-04-26 13:43:52 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-04-26 13:43:27 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-04-26 13:43:21 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-04-26 13:43:20 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-04-26 13:43:16 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-04-26 13:43:14 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2013-04-26 13:41:53 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2013-04-26 13:40:56 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2013-04-26 13:39:57 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2013-04-26 13:39:54 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2013-04-26 13:39:50 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2013-04-26 13:39:46 42496 -c--a-w- c:\windows\system32\dllcache\tp4res.dll
2013-04-26 13:39:45 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2013-04-26 13:39:42 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2013-04-26 13:39:12 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2013-04-26 13:39:09 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2013-04-26 13:39:06 241664 -c--a-w- c:\windows\system32\dllcache\tosdvd02.sys
2013-04-26 13:39:02 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2013-04-26 13:38:58 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2013-04-26 13:38:52 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2013-04-26 13:38:49 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2013-04-26 13:38:48 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2013-04-26 13:38:44 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2013-04-26 13:38:40 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2013-04-26 13:38:29 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2013-04-26 13:38:21 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2013-04-26 13:38:18 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2013-04-26 13:38:14 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2013-04-26 13:38:00 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2013-04-26 13:36:51 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2013-04-26 13:36:47 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2013-04-26 13:36:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2013-04-26 13:36:25 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2013-04-26 13:36:22 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2013-04-26 13:36:18 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2013-04-26 13:36:15 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2013-04-26 13:36:12 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2013-04-26 13:36:09 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2013-04-26 13:36:06 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2013-04-26 13:36:03 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2013-04-26 13:36:02 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2013-04-26 13:34:58 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2013-04-26 13:33:55 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2013-04-26 13:32:59 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll
2013-04-26 13:31:57 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys
2013-04-26 13:30:57 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2013-04-26 13:29:59 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2013-04-26 13:28:59 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2013-04-26 13:27:58 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2013-04-26 13:27:50 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2013-04-26 13:27:45 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2013-04-26 13:27:39 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2013-04-26 13:27:37 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2013-04-26 13:27:26 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2013-04-26 13:27:23 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2013-04-26 13:27:22 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2013-04-26 13:27:15 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2013-04-26 13:27:11 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2013-04-26 13:27:06 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2013-04-26 13:27:00 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2013-04-26 13:25:58 25065 -c--a-w- c:\windows\system32\dllcache\lmndis3.sys
2013-04-26 13:24:59 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2013-04-26 13:23:59 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
2013-04-26 13:22:57 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2013-04-26 13:21:58 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2013-04-26 13:20:58 34816 -c--a-w- c:\windows\system32\dllcache\esuimg.dll
2013-04-26 13:19:56 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2013-04-26 13:18:59 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2013-04-26 13:17:58 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2013-04-26 13:16:59 37568 -c--a-w- c:\windows\system32\dllcache\avmwan.sys
2013-04-26 13:15:10 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2013-04-26 12:55:30 -------- d-----w- c:\program files\Tweaking.com
2013-04-25 19:43:17 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-25 18:44:16 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-25 18:41:49 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\local settings\application data\WinZip Courier
2013-04-25 18:41:44 -------- d-----w- c:\documents and settings\all users.windows\application data\WinZipEC
2013-04-25 18:41:32 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\local settings\application data\assembly
2013-04-24 13:55:26 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\local settings\application data\AVG Secure Search
2013-04-24 04:40:55 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\local settings\application data\AVG SafeGuard toolbar
2013-04-24 04:40:40 -------- d-----w- c:\documents and settings\all users.windows\application data\AVG SafeGuard toolbar
2013-04-24 04:40:33 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\application data\AVG SafeGuard toolbar
2013-04-24 04:40:29 34592 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-04-24 04:40:22 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-04-24 04:03:23 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-24 04:03:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-23 21:23:19 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-04-23 21:23:19 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-23 21:21:57 -------- d-----w- c:\program files\GIMP-2.0
2013-04-23 21:21:35 -------- d-----w- c:\program files\LimeWire
2013-04-23 21:20:36 -------- d-----w- c:\program files\Lavasoft
2013-04-23 21:20:15 -------- d-----w- c:\program files\MAGIX
2013-04-23 21:20:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-04-23 21:20:14 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com
2013-04-23 21:20:11 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\application data\SUPERAntiSpyware.com
2013-04-23 21:20:02 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\application data\Malwarebytes
2013-04-23 21:20:02 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2013-04-23 13:13:19 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\application data\SUPERAntiSpyware(2).com
2013-04-23 13:12:23 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware(2).com
2013-04-23 03:13:36 -------- d-----w- c:\program files\Microsoft Security Client(2)
2013-04-23 01:03:32 -------- d-----w- C:\RECYCLER(2)
2013-04-22 23:27:51 -------- d-----w- C:\cmdcons
2013-04-22 16:43:15 -------- d-----w- c:\documents and settings\all users.windows\application data\Spybot - Search & Destroy
2013-04-02 17:38:36 -------- d-----w- c:\documents and settings\trisha.trisha-e03fb8ca\local settings\application data\Deployment
.
==================== Find3M  ====================
.
2013-03-17 22:28:37 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-17 22:28:37 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
.
============= FINISH: 10:56:48.73 ===============
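The DDS log above is read by hand in this thread. As an added example (not part of the original post and not code from the DDS tool), the Python script below pulls out the entries a malware-removal helper usually checks first: hosts-file overrides, load points whose target file is missing or orphaned, ActiveX (DPF) controls fetched from somewhere other than an expected vendor host or loaded from a local file, DNS servers outside the RFC 1918 ranges (on a home machine behind a router the resolver is normally the router itself), and services whose binary DDS could not read (it prints `[?]` in place of the file date and size). The section headers and line shapes follow the log quoted above; the allowlist of expected ActiveX hosts, the sample log text, and the 203.0.113.5 resolver line in that sample are constructed for this example.

```python
"""Triage a DDS log: pull out the entries a malware-removal helper reads first.

Added example, not the DDS tool's code and not from the original post. Section
headers and line shapes follow the log quoted in the thread; the ActiveX host
allowlist and the sample text below are assumptions made for this example.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: vendor hosts from which ActiveX (DPF) downloads are expected here.
# Anything else is listed for manual review, not declared malicious.
KNOWN_DPF_HOSTS = {
    "download.microsoft.com", "office.microsoft.com", "www.update.microsoft.com",
    "java.sun.com", "download.macromedia.com", "fpdownload2.macromedia.com",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")              # '==== NAME ===='
HJT_KIND_RE = re.compile(r"^(?P<kind>[\w\\-]+):\s*(?P<body>.*)$")  # 'DPF: ...', 'mRun: ...'
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample in the shape of the DDS log above. The 203.0.113.5
# DHCPNameServer line is made up (TEST-NET-3 range) so the DNS check has something to flag.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?ncid=customie8
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: AutorunsDisabled - <orphaned>
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{02038A21-8A58-4378-AB5E-88F9CC3B236D} : DHCPNameServer = 203.0.113.5
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
S2 vToolbarUpdater15.1.0;vToolbarUpdater15.1.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.1.0\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\15.1.0\ToolbarUpdater.exe [?]
.
============= FINISH: 10:56:48.73 ===============
"""


def split_sections(text):
    """Map each '==== NAME ====' header to the non-empty lines beneath it ('.' is filler)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def refang(url):
    """DDS writes hxxp:// so links are not clickable; restore the real scheme."""
    return re.sub(r"^hxxp", "http", url)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(text):
    sections = split_sections(text)
    findings = {"hosts_overrides": [], "orphaned": [], "dpf_review": [],
                "non_lan_dns": [], "services_missing_file": []}

    for line in sections.get("Pseudo HJT Report", []):
        m = HJT_KIND_RE.match(line)
        if not m:
            continue  # 'uStart Page = ...' style settings are not triaged here
        kind, body = m.group("kind"), m.group("body")
        if "<no file>" in body or "<orphaned>" in body:
            findings["orphaned"].append(line)  # load point whose target is gone
        if kind == "Hosts":
            ip, _, host = body.partition(" ")
            if host and host != "localhost":
                findings["hosts_overrides"].append((host, ip))
        elif kind == "DPF":
            name, _, loc = body.rpartition(" - ")
            url = urlparse(refang(loc))
            if url.scheme == "file" or not url.hostname:
                findings["dpf_review"].append((name, loc, "loads a local file"))
            elif url.hostname not in KNOWN_DPF_HOSTS:
                findings["dpf_review"].append((name, loc, "host not in allowlist"))
        elif kind == "TCP":
            findings["non_lan_dns"] += [ip for ip in IPV4_RE.findall(body) if not is_rfc1918(ip)]

    for line in sections.get("SERVICES / DRIVERS", []):
        if line.endswith("[?]"):  # DDS prints [?] when it cannot read the service binary
            findings["services_missing_file"].append(line.split(";")[0].split(" ", 1)[1])
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(f"{key}: {items}")
```

Everything the script returns is a review list, not a verdict. The webex and worldwinner controls it lists are simply downloads from hosts that are not on the (assumed) allowlist, and the hosts-file entry pointing www.spywareinfo.com at 127.0.0.1 could come from an immunization tool or from malware; the script only surfaces such entries so a helper can decide, it does not judge them.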
 

 




#2 trishycamp

  • Topic Starter

  • Members
  • 82 posts

Posted 28 April 2013 - 12:46 PM

Also, I have MSE but am unable to open it, as it blinks and shuts itself down.



#3 trishycamp

  • Topic Starter

  • Members
  • 82 posts

Posted 01 May 2013 - 08:21 AM

Can anyone help?



#4 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,014 posts

Posted 02 May 2013 - 01:16 PM

Greetings Trisha and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. As you can imagine things are quite busy these days.  Please allow me some time to review the information you have provided and I will reply as soon as possible.

 


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 trishycamp

  • Topic Starter

  • Members
  • 82 posts

Posted 02 May 2013 - 01:42 PM

Great, Thank you!



#6 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,014 posts

Posted 02 May 2013 - 04:14 PM

Hi Trisha,

I again want to thank you for your patience. I know it is frustrating if your computer doesn't run properly. We will see if we can fix that!

There are a couple of issues I would like to address and then get down to some work. There is a lot I would like to get through in this first post. If necessary, you can utilize another computer to download the programs and then transfer the files to the infected computer. However, the update process in aswMBR must be done on the infected computer. Hopefully you will be able to accomplish that.

Please consider and then do this for me.

===================================================

Spybot S&D No Longer Recommended

--------------------

MVPS.org is no longer recommending Spybot S&D due to poor testing results. (scroll down on the web site and read under Freeware Antispyware Products)

I strongly recommend uninstalling Spybot Search & Destroy. The presence of this program can make cleaning your computer more difficult.

If you choose to uninstall please go to Start, Control Panel, Add/Remove Programs (or Programs and Features) and uninstall the program.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have Limewire installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Limewire, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • When the Status box shows Scan Finished click Delete
  • Click Report
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

aswMBR

--------------------
  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs. If you need to attempt this a couple times please do so
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • AdwCleaner log
  • Junkware log
  • RogueKiller log
  • aswMBR log

Gary
 

#7 trishycamp

  • Topic Starter

  • Members
  • 82 posts

Posted 02 May 2013 - 05:13 PM

Hi,

Spybot is deleted. I didn't even realize Limewire was still on the computer. It wasn't in Add/Remove Programs, but I did delete one file and the folder.

Here is the log for AdwCleaner:

# AdwCleaner v2.300 - Logfile created 05/02/2013 at 18:16:28
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Trisha - TRISHYDESK
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\Local Settings\Temporary Internet Files\Content.IE5\RV457ANR\adwcleaner[1].exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

*************************

AdwCleaner[R1].txt - [3333 octets] - [25/04/2013 16:42:38]
AdwCleaner[R2].txt - [1487 octets] - [02/05/2013 18:15:28]
AdwCleaner[S1].txt - [3458 octets] - [25/04/2013 16:43:13]
AdwCleaner[S2].txt - [1311 octets] - [02/05/2013 18:16:28]

########## EOF - C:\AdwCleaner[S2].txt - [1371 octets] ##########

 



#8 trishycamp


Posted 02 May 2013 - 05:26 PM

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.3 (04.29.2013:2)
OS: Microsoft Windows XP x86
Ran by Trisha on Thu 05/02/2013 at 18:31:57.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 05/02/2013 at 18:35:39.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 



#9 trishycamp


Posted 02 May 2013 - 05:29 PM

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Trisha [Admin rights]
Mode : Remove -- Date : 05/02/2013 18:42:56
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] JRT[1].exe -- C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\Local Settings\Temporary Internet Files\Content.IE5\5DICD4RU\JRT[1].exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDS728080PLAT20 +++++
--- User ---
[MBR] 191ecd317818214e36b5d28f3165d6e1
[BSP] 2fcca1686ae92ad738d5d8d249d80117 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 78520 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05022013_02d1842.txt >>
RKreport[1]_S_05022013_02d1842.txt ; RKreport[2]_D_05022013_02d1842.txt



#10 Oh My!

  • Malware Response Instructor

Posted 02 May 2013 - 06:04 PM

Hi Trisha,

I would like you to run these programs now.

===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Result log
  • FSS log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 trishycamp


Posted 02 May 2013 - 06:23 PM

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-05 11:28:08
-----------------------------
11:28:08.000    OS Version: Windows 5.1.2600 Service Pack 3
11:28:08.000    Number of processors: 2 586 0x403
11:28:08.000    ComputerName: TRISHYDESK  UserName: Trisha
11:28:10.812    Initialize success
11:30:29.500    AVAST engine defs: 13020500
11:31:35.437    The log file has been saved successfully to "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\My Documents\aswMBR.txt"

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-02 18:46:11
-----------------------------
18:46:11.125    OS Version: Windows 5.1.2600 Service Pack 3
18:46:11.125    Number of processors: 2 586 0x403
18:46:11.125    ComputerName: TRISHYDESK  UserName: Trisha
18:46:11.968    Initialize success
18:46:13.625    AVAST engine defs: 13042901
18:46:22.906    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:46:22.906    Disk 0 Vendor: HDS728080PLAT20 PF2OA21B Size: 78533MB BusType: 3
18:46:23.000    Disk 0 MBR read successfully
18:46:23.000    Disk 0 MBR scan
18:46:23.765    Disk 0 Windows XP default MBR code
18:46:23.781    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        78520 MB offset 63
18:46:24.718    Disk 0 scanning sectors +160810650
18:46:25.406    Disk 0 scanning C:\WINDOWS\system32\drivers
18:46:44.937    Service scanning
18:47:04.421    Modules scanning
18:47:14.734    Disk 0 trace - called modules:
18:47:14.750    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
18:47:14.750    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8336fab8]
18:47:14.750    3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x833bc1a8]
18:47:14.750    5 ACPI.sys[ba05f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83369940]
18:47:15.250    AVAST engine scan C:\WINDOWS
18:47:33.703    AVAST engine scan C:\WINDOWS\system32
18:49:58.093    AVAST engine scan C:\WINDOWS\system32\drivers
18:50:13.171    AVAST engine scan C:\Documents and Settings\Trisha.TRISHA-E03FB8CA
19:24:16.015    AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
19:36:24.125    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\My Documents\MBR.dat"
19:36:24.125    The log file has been saved successfully to "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\My Documents\aswMBR.txt"

19:36:45.937    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\My Documents\MBR.dat"
19:36:45.937    The log file has been saved successfully to "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\My Documents\aswMBR.txt"

 



#12 trishycamp


Posted 02 May 2013 - 06:27 PM

Farbar Service Scanner Version: 14-04-2013
Ran by Trisha (administrator) on 02-05-2013 at 19:40:39
Running from "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\Local Settings\Temporary Internet Files\Content.IE5\C9ENTPZ1"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(10) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0B00000005000000010000000200000003000000040000000A0000005600000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
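As an added example (not from this thread and not Farbar's own code), a small Python triage script that parses the two findings in the FSS log above, the StandardProfile EnableFirewall=0 policy and the wscsvc service set to Disabled, from a constructed log in the same shape and flags them the way a responder would read them.

```python
import re

# Constructed sample in the shape of a Farbar Service Scanner (FSS) log, trimmed
# to the sections that matter here; the values mirror the findings posted above.
SAMPLE_FSS = """Farbar Service Scanner Version: 14-04-2013
Ran by Trisha (administrator) on 02-05-2013 at 19:40:39
Microsoft Windows XP Service Pack 3 (X86)
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

**** End of log ****
"""

# One regex per line shape FSS emits for the two kinds of finding.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
NOT_RUNNING_RE = re.compile(r"^(\w+) Service is not running\.")
START_TYPE_RE = re.compile(
    r"^The start type of (\w+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.$"
)


def parse_fss(text):
    """Extract registry policy values and service start types from an FSS log."""
    findings = {"policies": {}, "services": {}}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            findings["policies"].setdefault(current_key, {})
        elif (m := VALUE_RE.match(line)) and current_key:
            findings["policies"][current_key][m.group(1)] = int(m.group(2))
        elif m := NOT_RUNNING_RE.match(line):
            findings["services"].setdefault(m.group(1), {})["running"] = False
        elif m := START_TYPE_RE.match(line):
            svc = findings["services"].setdefault(m.group(1), {})
            svc["start_type"], svc["default_start_type"] = m.group(2), m.group(3)
        elif not line.startswith('"'):
            current_key = None  # policy values only directly follow their key
    return findings


def triage(findings):
    """Turn parsed findings into the issues a responder would act on."""
    issues = []
    for key, values in findings["policies"].items():
        if values.get("EnableFirewall") == 0:
            profile = key.rsplit("\\", 1)[-1]
            issues.append(f"firewall disabled by policy: {profile}")
    for name, svc in findings["services"].items():
        default = svc.get("default_start_type")
        if svc.get("start_type") and svc["start_type"] != default:
            issues.append(f"{name} start type is {svc['start_type']}, default is {default}")
        elif svc.get("running") is False:
            issues.append(f"{name} is not running")
    return issues


if __name__ == "__main__":
    for issue in triage(parse_fss(SAMPLE_FSS)):
        print("FINDING:", issue)
```

A policy key that is present but has EnableFirewall=1, or a service whose start type matches its default, produces no finding, so the script stays quiet on a clean FSS log.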



#13 Oh My!

  • Malware Response Instructor

Posted 03 May 2013 - 09:09 PM

Hi Trisha,

 

Sorry I cross-posted you yesterday.

Can you run MiniToolBox for me? I know you ran it in Am I Infected, but I would like to see a fresh copy.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 trishycamp


Posted 04 May 2013 - 09:41 AM

MiniToolBox by Farbar  Version:21-04-2013
Ran by Trisha (administrator) on 04-05-2013 at 09:38:23
Running from "C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\Local Settings\Temporary Internet Files\Content.IE5\RV457ANR"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

 

127.0.0.1       localhost

There are 15361 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

VIA Rhine II Fast Ethernet Adapter = Local Area Connection 3 (Disconnected)
Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection 4 (Connected)

# ----------------------------------
# Interface IP Configuration        
# ----------------------------------
pushd interface ip

# Interface IP Configuration for "Local Area Connection 4"

set address name="Local Area Connection 4" source=dhcp
set dns name="Local Area Connection 4" source=dhcp register=PRIMARY
set wins name="Local Area Connection 4" source=dhcp

popd
# End of interface IP configuration

 

Windows IP Configuration

        Host Name . . . . . . . . . . . . : TRISHYDESK
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : tampabay.rr.com

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : tampabay.rr.com
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-E0-52-BC-A7-7B
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.125
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Friday, May 03, 2013 2:52:14 PM
        Lease Expires . . . . . . . . . . : Friday, May 10, 2013 2:52:14 PM

Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  173.194.37.9, 173.194.37.14, 173.194.37.0, 173.194.37.1
   173.194.37.2, 173.194.37.3, 173.194.37.4, 173.194.37.5, 173.194.37.6
   173.194.37.7, 173.194.37.8

Pinging google.com [173.194.37.14] with 32 bytes of data:

Reply from 173.194.37.14: bytes=32 time=31ms TTL=50
Reply from 173.194.37.14: bytes=32 time=33ms TTL=50

Ping statistics for 173.194.37.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 33ms, Average = 32ms

Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=184ms TTL=47
Reply from 206.190.36.45: bytes=32 time=170ms TTL=47

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 170ms, Maximum = 184ms, Average = 177ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 e0 52 bc a7 7b ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.125   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.1.0    255.255.255.0    192.168.1.125   192.168.1.125   20
    192.168.1.125  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.1.255  255.255.255.255    192.168.1.125   192.168.1.125   20
        224.0.0.0        240.0.0.0    192.168.1.125   192.168.1.125   20
  255.255.255.255  255.255.255.255    192.168.1.125   192.168.1.125   1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 19 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/03/2013 07:29:15 PM) (Source: Application Hang) (User: )
Description: Hanging application WINWORD.EXE, version 11.0.8350.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/01/2013 10:31:23 PM) (Source: Application Hang) (User: )
Description: Hanging application WINWORD.EXE, version 11.0.8350.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/28/2013 01:50:54 PM) (Source: Application Hang) (User: )
Description: Hanging application WINZIP32.EXE, version 28.0.10381.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/26/2013 10:53:35 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Cannot install the component C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\Desktop\SWPRV.DLL into the COM+ application 'MS Software Shadow Copy Provider' [0x80110401].

Error: (04/26/2013 10:47:31 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODEL.MOF while recovering repository file.

Error: (04/26/2013 10:47:30 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF while recovering repository file.

Error: (04/26/2013 10:47:30 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CLR.MOF while recovering repository file.

Error: (04/26/2013 10:47:30 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF while recovering repository file.

Error: (04/26/2013 10:45:53 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODEL.MOF while recovering repository file.

Error: (04/26/2013 10:45:52 AM) (Source: WinMgmt) (User: )
Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF while recovering repository file.

System errors:
=============
Error: (05/04/2013 09:17:00 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/04/2013 04:17:00 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/03/2013 11:17:00 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/03/2013 06:17:01 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/03/2013 01:17:00 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/03/2013 08:17:00 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/03/2013 03:17:00 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/02/2013 10:17:01 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/02/2013 05:17:02 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (05/02/2013 00:17:00 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Microsoft Office Sessions:
=========================
Error: (05/03/2013 07:29:15 PM) (Source: Application Hang)(User: )
Description: WINWORD.EXE11.0.8350.0hungapp0.0.0.000000000

Error: (05/01/2013 10:31:23 PM) (Source: Application Hang)(User: )
Description: WINWORD.EXE11.0.8350.0hungapp0.0.0.000000000

Error: (04/28/2013 01:50:54 PM) (Source: Application Hang)(User: )
Description: WINZIP32.EXE28.0.10381.0hungapp0.0.0.000000000

Error: (04/26/2013 10:53:35 AM) (Source: VSS)(User: )
Description: C:\Documents and Settings\Trisha.TRISHA-E03FB8CA\Desktop\SWPRV.DLLMS Software Shadow Copy Provider0x80110401

Error: (04/26/2013 10:47:31 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODEL.MOF

Error: (04/26/2013 10:47:30 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF

Error: (04/26/2013 10:47:30 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CLR.MOF

Error: (04/26/2013 10:47:30 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASPNET.MOF

Error: (04/26/2013 10:45:53 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODEL.MOF

Error: (04/26/2013 10:45:52 AM) (Source: WinMgmt)(User: )
Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF

**** End of log ****

 



#15 Oh My!

  • Malware Response Instructor

Posted 04 May 2013 - 10:13 AM

Could you please update me about your current symptoms?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



