IE will not go to search engines unless IP Address is keyed-please help


15 replies to this topic

#1 thundergod76

  • Members
  • 11 posts
  • Gender:Male

Posted 31 July 2013 - 09:17 PM

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.16981
Run by GARNETT FUMC at 20:58:15 on 2013-07-31
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3061.2254 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\GARNETT FUMC\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version8\TeamViewer.exe
C:\Program Files\TeamViewer\Version8\tv_w32.exe
c:\program files\teamviewer\version8\TeamViewer_Desktop.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0071204
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [PMX Daemon] ICO.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
StartupFolder: c:\docume~1\garnet~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\garnett fumc\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1375313790125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{A4A8D09F-B525-4FED-BB34-7C4FAE2A6759} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{A4A8D09F-B525-4FED-BB34-7C4FAE2A6759} : DHCPNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\garnett fumc\application data\mozilla\firefox\profiles\p69v9xsj.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-7-31 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-7-31 175176]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 211560]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-7-31 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-7-31 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-7-31 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-7-31 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-7-31 46808]
R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2013-7-31 4153184]
R2 WENCRNT4;WENCRNT4;c:\windows\system32\drivers\WENCRNT4.sys [2009-2-6 122368]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-1-14 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-1-14 14336]
S2 5660;5660;\??\c:\docume~1\garnet~1\locals~1\temp\5660.sys --> c:\docume~1\garnet~1\locals~1\temp\5660.sys [?]
.
=============== Created Last 30 ================
.
2013-08-01 00:34:27 920064 ------w- c:\windows\system32\SET160.tmp
2013-08-01 00:34:27 67072 ------w- c:\windows\system32\SET165.tmp
2013-08-01 00:34:27 630272 ------w- c:\windows\system32\SET168.tmp
2013-08-01 00:34:27 6017536 ------w- c:\windows\system32\SET166.tmp
2013-08-01 00:34:27 55296 ------w- c:\windows\system32\SET167.tmp
2013-08-01 00:34:27 247808 ------w- c:\program files\internet explorer\SET174.tmp
2013-08-01 00:34:27 2005504 ------w- c:\windows\system32\SET16C.tmp
2013-08-01 00:34:27 184320 ------w- c:\windows\system32\SET16D.tmp
2013-08-01 00:34:27 1215488 ------w- c:\windows\system32\SET161.tmp
2013-08-01 00:34:27 105984 ------w- c:\windows\system32\SET162.tmp
2013-08-01 00:34:26 11112960 ------w- c:\windows\system32\SET16E.tmp
2013-08-01 00:30:58 -------- dc-h--w- c:\windows\ie8
2013-08-01 00:21:04 -------- d-----w- c:\documents and settings\garnett fumc\application data\TeamViewer
2013-08-01 00:19:10 -------- d-----w- c:\program files\TeamViewer
2013-08-01 00:12:46 388096 ----a-r- c:\documents and settings\garnett fumc\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-08-01 00:12:44 -------- d-----w- c:\program files\Trend Micro
2013-08-01 00:03:35 -------- d-----w- C:\e668f32c2a39922d8add3392dc9b57
2013-07-31 23:18:57 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-07-31 23:18:56 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-07-31 23:18:56 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-07-31 23:18:54 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-07-31 23:18:40 41664 ----a-w- c:\windows\avastSS.scr
2013-07-31 23:18:13 -------- d-----w- c:\program files\AVAST Software
2013-07-31 22:52:38 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2013-07-31 22:09:44 -------- d-----w- c:\documents and settings\garnett fumc\application data\Malwarebytes
2013-07-31 22:09:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-07-31 22:09:29 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-31 22:09:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-31 14:10:45 7143960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e57ff809-7b72-48f6-9db9-54a8f40e8602}\mpengine.dll
2013-07-29 14:14:19 7143960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-07-19 19:55:26 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-06-19 02:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-12 17:01:17 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 17:01:17 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-08 04:55:44 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56:06 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-07 21:30:54 78336 ------w- c:\windows\system32\ieencode.dll
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-09 05:28:02 1543680 ------w- c:\windows\system32\wmvdecod.dll
.
============= FINISH: 20:58:44.46 ===============
 

 



#2 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 August 2013 - 01:21 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List installed programs

  • Click Go and copy/paste the log (Result.txt) into your next post.

    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


#3 thundergod76
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male

Posted 10 August 2013 - 06:02 PM

Here is the log file you requested:

MiniToolBox by Farbar  Version: 13-07-2013
Ran by GARNETT FUMC (administrator) on 10-08-2013 at 10:12:36
Running from "C:\Documents and Settings\GARNETT FUMC\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

::1             localhost

127.0.0.1       localhost

========================= IP Configuration: ================================

Intel® 82562V-2 10/100 Network Connection = Local Area Connection (Connected)

# ----------------------------------
# Interface IP Configuration        
# ----------------------------------
pushd interface ip

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=static addr=208.67.222.222 register=PRIMARY
add dns name="Local Area Connection" addr=208.67.220.220 index=2
set wins name="Local Area Connection" source=dhcp

popd
# End of interface IP configuration

 

Windows IP Configuration

        Host Name . . . . . . . . . . . . : FUMC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel® 82562V-2 10/100 Network Connection
        Physical Address. . . . . . . . . : 00-1A-A0-9F-2B-84
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220
        Lease Obtained. . . . . . . . . . : Saturday, August 10, 2013 10:07:10 AM
        Lease Expires . . . . . . . . . . : Tuesday, August 13, 2013 10:07:10 AM

Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    google.com
Address:  87.125.87.103

Pinging google.com [87.125.87.103] with 32 bytes of data:

Reply from 87.125.87.103: bytes=32 time=65ms TTL=51
Reply from 87.125.87.103: bytes=32 time=64ms TTL=51

Ping statistics for 87.125.87.103:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 64ms, Maximum = 65ms, Average = 64ms

Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    yahoo.com
Addresses:  206.190.36.45, 98.138.253.109, 98.139.183.24

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=125ms TTL=52
Reply from 206.190.36.45: bytes=32 time=66ms TTL=52

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 125ms, Average = 95ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 9f 2b 84 ...... Intel® 82562V-2 10/100 Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.4   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.2.0    255.255.255.0      192.168.2.4     192.168.2.4   20
      192.168.2.4  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.2.255  255.255.255.255      192.168.2.4     192.168.2.4   20
        224.0.0.0        240.0.0.0      192.168.2.4     192.168.2.4   20
  255.255.255.255  255.255.255.255      192.168.2.4     192.168.2.4   1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/31/2013 05:59:02 PM) (Source: Application Hang) (User: )
Description: Hanging application avast.setup, version 8.0.1489.300, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/21/2013 01:39:28 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/12/2013 02:14:35 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/12/2013 02:14:35 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (04/19/2013 02:07:15 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.19412, fault address 0x0014cc7f.
Processing media-specific event for [iexplore.exe!ws!]

Error: (03/28/2013 09:05:45 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Error: (03/27/2013 09:04:38 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Error: (03/27/2013 09:04:37 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Error: (03/26/2013 11:33:22 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Error: (03/20/2013 02:25:31 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

System errors:
=============
Error: (08/10/2013 10:07:53 AM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\AVAST Software\Avast\avastUI.exe.
Reference error message: The operation completed successfully.
.

Error: (08/10/2013 10:07:53 AM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC90.MFC.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (08/10/2013 10:07:53 AM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (08/10/2013 10:07:47 AM) (Source: Service Control Manager) (User: )
Description: The 5660 service failed to start due to the following error:
%%2

Error: (08/09/2013 09:05:35 AM) (Source: Service Control Manager) (User: )
Description: The 5660 service failed to start due to the following error:
%%2

Error: (08/09/2013 09:05:24 AM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\AVAST Software\Avast\avastUI.exe.
Reference error message: The operation completed successfully.
.

Error: (08/09/2013 09:05:24 AM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC90.MFC.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (08/09/2013 09:05:24 AM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (08/08/2013 04:53:19 PM) (Source: Service Control Manager) (User: )
Description: The 5660 service failed to start due to the following error:
%%2

Error: (08/08/2013 04:53:06 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\Program Files\AVAST Software\Avast\avastUI.exe.
Reference error message: The operation completed successfully.
.

Microsoft Office Sessions:
=========================
Error: (07/31/2013 05:59:02 PM) (Source: Application Hang)(User: )
Description: avast.setup8.0.1489.300hungapp0.0.0.000000000

Error: (06/21/2013 01:39:28 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (06/12/2013 02:14:35 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/12/2013 02:14:35 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (04/19/2013 02:07:15 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.194120014cc7f

Error: (03/28/2013 09:05:45 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabThe data is invalid.

Error: (03/27/2013 09:04:38 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabThe data is invalid.

Error: (03/27/2013 09:04:37 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabThe data is invalid.

Error: (03/26/2013 11:33:22 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabThe data is invalid.

Error: (03/20/2013 02:25:31 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

=========================== Installed Programs ============================

Active Disk
Adobe AIR (Version: 3.7.0.1860)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Reader XI (11.0.02) (Version: 11.0.02)
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon (Version: 1.00.0000)
avast! Free Antivirus (Version: 8.0.1489.0)
Browser Address Error Redirector (Version: 1.00.0000)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Conexant D850 PCI V.92 Modem
Dell Automated PC TuneUp (Version: 1.0.3085)
Dell DataSafe Online (Version: 1.0.15)
Dell Driver Reset Tool (Version: 1.02.0000)
Dell Support Center (Version: 2.0.07282)
Dell System Restore (Version: 2.00.0000)
Digital Line Detect (Version: 1.10)
Documentation & Support Launcher (Version: 1.00.0000)
Dropbox (Version: 2.2.13)
EarthLink Setup Files (Version: 2005.2.178.0.2.2)
Font Installer
Games, Music, & Photos Launcher (Version: 1.00.0000)
Google Desktop (Version: -)
Google Earth Plug-in (Version: 7.1.1.1888)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4209.2358)
Google Update Helper (Version: 1.3.21.153)
HiJackThis (Version: 1.0.0)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Internet Service Offers Launcher (Version: 1.00.0000)
IomegaWare 4.0.3
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Kindle Previewer (Version: 2.4)
Learn2 Player (Uninstall Only)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)
Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)
Microsoft Security Client (Version: 4.3.0215.0)
Microsoft Security Essentials (Version: 4.3.215.0)
Microsoft Works (Version: 08.05.0818)
Modem Diagnostic Tool (Version: 1.0.17.2)
Mouse Suite for Desktop Computers (Version: 2.50.025)
Mozilla Firefox 22.0 (x86 en-US) (Version: 22.0)
Mozilla Maintenance Service (Version: 22.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0)
NetWaiting (Version: 2.5.12)
NetZeroInstallers (Version: 1.0.0)
PhotoFiltre
PowerDVD (Version: 7.0)
QualxServ Service Agreement (Version: 1.11.0000)
QuickTime
QuickVerse 7.0
Realtek High Definition Audio Driver
Roxio Creator Audio (Version: 3.3.0)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Copy (Version: 3.3.0)
Roxio Creator Data (Version: 3.3.0)
Roxio Creator DE (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Drag-to-Disc (Version: 9.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio MyDVD DE (Version: 9.0.116)
Roxio Update Manager (Version: 3.0.0)
SearchAssist
Sonic Activation Module (Version: 1.0)
TeamViewer 8 (Version: 8.0.20202)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Viewpoint Media Player
WebFldrs XP (Version: 9.50.7523)
Windows Driver Package - Conexant (winachsf) Modem  (07/03/2007 7.67.00.50) (Version: 07/03/2007 7.67.00.50)
Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (09/02/2008 5.10.0.5697) (Version: 09/02/2008 5.10.0.5697)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)

**** End of log ****

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 11 August 2013 - 07:11 AM

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

#5 thundergod76

thundergod76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:20 AM

Posted 13 August 2013 - 01:41 PM

  • Here is the ComboFix log that I ran this afternoon.
  • Thank you for all your help!
ComboFix 13-08-11.02 - GARNETT FUMC 08/13/2013 13:27:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3061.2393 [GMT -5:00]
Running from: c:\documents and settings\GARNETT FUMC\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\GARNETT FUMC\My Documents\~WRL0003.tmp
c:\documents and settings\GARNETT FUMC\My Documents\~WRL3521.tmp
c:\documents and settings\GARNETT FUMC\My Documents\~WRL4043.tmp
c:\documents and settings\GARNETT FUMC\WINDOWS
c:\windows\system32\Thumbs.db
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_5660
-------\Service_5660
.
.
((((((((((((((((((((((((( Files Created from 2013-07-13 to 2013-08-13 )))))))))))))))))))))))))))))))
.
.
2013-08-12 14:09 . 2013-07-02 06:54 7143960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E78169E2-361F-41DE-AF38-FBF3D2183CBE}\mpengine.dll
2013-08-10 15:17 . 2013-07-02 06:54 7143960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-01 00:30 . 2013-08-01 00:32 -------- dc-h--w- c:\windows\ie8
2013-08-01 00:21 . 2013-08-10 15:24 -------- d-----w- c:\documents and settings\GARNETT FUMC\Application Data\TeamViewer
2013-08-01 00:19 . 2013-08-01 00:19 -------- d-----w- c:\program files\TeamViewer
2013-08-01 00:12 . 2013-08-01 00:12 388096 ----a-r- c:\documents and settings\GARNETT FUMC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-08-01 00:12 . 2013-08-01 00:12 -------- d-----w- c:\program files\Trend Micro
2013-07-31 23:18 . 2013-05-09 08:58 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-07-31 23:18 . 2013-07-31 23:18 -------- d-----w- c:\program files\AVAST Software
2013-07-31 22:52 . 2013-08-13 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-07-31 22:48 . 2013-07-31 22:48 -------- d-----w- c:\documents and settings\GARNETT FUMC\Local Settings\Application Data\Mozilla
2013-07-31 22:48 . 2013-07-31 22:48 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-07-31 22:09 . 2013-07-31 22:09 -------- d-----w- c:\documents and settings\GARNETT FUMC\Application Data\Malwarebytes
2013-07-31 22:09 . 2013-07-31 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-07-31 22:09 . 2013-07-31 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-31 22:09 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-19 19:55 . 2013-07-19 19:57 -------- d-----w- c:\windows\system32\MRT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-19 02:50 . 2010-03-26 03:30 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-12 17:01 . 2012-12-04 15:08 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 17:01 . 2011-06-07 15:08 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 04:55 . 2004-08-10 17:51 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2004-08-10 17:51 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2004-08-10 17:51 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-07 21:30 . 2013-06-07 21:30 78336 ------w- c:\windows\system32\ieencode.dll
2013-06-04 07:23 . 2004-08-10 17:51 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2004-08-10 17:51 1876736 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-04 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-04 1838592]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-04 98304]
.
c:\documents and settings\GARNETT FUMC\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2013-8-2 28057256]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-3 24576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\GARNETT FUMC\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
.
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [8/10/2013 10:28 AM 4308320]
R2 WENCRNT4;WENCRNT4;c:\windows\system32\drivers\WENCRNT4.sys [2/6/2009 3:58 PM 122368]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [1/14/2008 12:19 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [1/14/2008 12:19 PM 14336]
S1 MpKslb906e483;MpKslb906e483;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E78169E2-361F-41DE-AF38-FBF3D2183CBE}\MpKslb906e483.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E78169E2-361F-41DE-AF38-FBF3D2183CBE}\MpKslb906e483.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:30 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:30 PM 135664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-04 17:01]
.
2013-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:30]
.
2013-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:30]
.
2013-08-13 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 23:05]
.
2013-08-13 c:\windows\Tasks\User_Feed_Synchronization-{ED04C755-E314-4530-8341-7054AC66C54F}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{A4A8D09F-B525-4FED-BB34-7C4FAE2A6759}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\GARNETT FUMC\Application Data\Mozilla\Firefox\Profiles\p69v9xsj.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-KindlePreviewer - j:\my manuscripts\BOOKS UNDER CONTRACT\MYSTERY ANTHOLOGY\Kindle Previewer\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-13 13:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1435026888-844853960-434583953-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer\Version8\tv_w32.dll
c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\DropboxExt.19.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pmxscrll.dll
c:\windows\system32\PMXCOMM.dll
c:\windows\system32\PMXHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\Pmxmiced.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\GARNETT FUMC\Application Data\Dropbox\bin\Dropbox.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version8\TeamViewer.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\teamviewer\version8\TeamViewer_Desktop.exe
c:\program files\TeamViewer\Version8\tv_w32.exe
.
**************************************************************************
.
Completion time: 2013-08-13 13:34:44 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-13 18:34
.
Pre-Run: 296,093,974,528 bytes free
Post-Run: 296,309,477,376 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1986F5BFF4C3C927377316449C221D92
5CB90281D1A59B251F6603134774EEC3

Edited by nasdaq, 14 August 2013 - 06:39 AM.
ComboFix log posted.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 14 August 2013 - 06:43 AM



Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Third-party programs, if not up to date, can be the point of infiltration for an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

#7 thundergod76

thundergod76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:20 AM

Posted 14 August 2013 - 01:59 PM

The problem that still persists is that www.google.com and www.bing.com will not come up in the browser. Google's site will if I key the IP address in the address bar. It appears all other search engines will come up by URL. Below are the logs you requested.

Thanks again for your help!

 

# AdwCleaner v3.000 - Report created14/08/2013at13:32:59
# Updated 13/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : GARNETT FUMC - FUMC
# Running from : C:\Documents and Settings\GARNETT FUMC\Desktop\adwcleaner.exe

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Viewpoint

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\TeamViewer\Version8\TeamViewer.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe]
Key Deleted : HKLM\Software\CToolbar
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [CustomizeSearch] - hxxp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Setting Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [SearchAssistant] - hxxp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

-\\ Mozilla Firefox v22.0 (en-US)

Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP

[ File : C:\Documents and Settings\GARNETT FUMC\Application Data\Mozilla\Firefox\Profiles\p69v9xsj.default\prefs.js ]

Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);

*************************

AdwCleaner[0].txt - [2706 octets] - [14/08/2013 13:32:59]

########## EOF - C:\AdwCleaner\AdwCleaner[0].txt - [2765 octets] ##########

 

******************************************************************************************************

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.4.5 (08.13.2013:1)
OS: Microsoft Windows XP x86
Ran by GARNETT FUMC on Wed 08/14/2013 at 13:40:12.39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/14/2013 at 13:42:49.65
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

******************************************************************************************************************

 

 Results of screen317's Security Check version 0.99.72 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Microsoft Security Essentials   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
 Mozilla Firefox 22.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 15 August 2013 - 07:58 AM

The logs are clean.

Is the problem persisting?

#9 thundergod76

thundergod76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:20 AM

Posted 15 August 2013 - 12:57 PM

Yes. The problem is still there. It only seems to affect the google.com and bing.com search engines. Other search engines come up fine.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 15 August 2013 - 12:59 PM

Remove Chrome using the Add/Remove Programs applet.

Restart the computer normally.

Reinstall Chrome.

How is it now?

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 21 August 2013 - 10:07 AM

Are you still with me?

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 27 August 2013 - 09:50 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 30 August 2013 - 08:48 AM

This topic has been re-opened at the request of the person who originally posted.

#14 thundergod76

thundergod76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:20 AM

Posted 03 September 2013 - 12:50 PM

nasdaq,

 

The problem still persists. I was unable to directly download the chrome installer to the computer in question. I downloaded it to my home machine and transferred it to the affected computer. After installing, Chrome shows the same symptoms as IE. When I first bring up Chrome, it goes to the account sign in page successfully. When I hit SKIP, it goes to the App Search Page after a little wait. If I try to go to the Google Search page, it just sits at the "Waiting for www.google.com..." until it eventually times out and gives an error about the page not being available.

 

Thanks,

Steve



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:20 AM

Posted 03 September 2013 - 01:25 PM

The problem is mostly in your settings for the network.

I suggest you start a new topic in the Networking forum
http://www.bleepingcomputer.com/forums/forum21.html

Submit a fresh log from the Minibox tool.
I suggest you check all the boxes before you run the tool.

Post the log in the new topic and describe your problem.

This is really not my forte.

If you need to return to this topic please do.
I will keep it open for 6 days.
