Tech Support Forum - View Single Post - Can not connect to internet except via Safe Mode

rjmica · 06-18-2009, 07:08 PM

Hi! I am trying to fix a friend's computer. I believe he may picked up a virus. The Dell computer is running Windows XP sp2 and will only connect to the internet in safe mode. I posted this problem on the Windows XP Support Forum and they refered me here.

Numerous attempts to restore the computer to various past dates have all been unsuccessful. I ran an online scan in safe mode with Trend Micro Housecall and it found "POSSIBLE_HIFRM-5" and several grayware, which it removed. It also found several Detected Vulneralbilities such as; MS01-028, MSO5-004, MS08-061, MS08-063, and so on, which it could not define, therefore, they were not removed.

I found Limewire on his computer, which I believe his son used, and uninstalled it. Your help would be deeply appreciated.

Also, the GMER Rootkit Scanner will not run properly on this computer. The Scan, Copy, and Save buttons are over top of Ads and Show All and nothing happens when you click the Scan button. This same file runs fine on my personal computer. So, I could not attach this log.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Dan at 18:08:46.73 on Thu 06/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.269 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\AOL\1153942526\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1153942526\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1153942526\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AIM] c:\progra~1\aim\aim.exe -cnetwait.odl
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Dice City Roller by pogo - hxxp://game1.pogo.com/applet-6.8.2.23/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://chill.comcast.net/Gameshell/online/en/abc_island/abcisland.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/realarcade-webgames/mysterypilt/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} - hxxp://playgames.comcast.net/online2/asianata/asianata.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtv.com/images/app/view22rte.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/AbacastClient2.1.20.2.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\qrp5qwjl.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-1-25 4064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-26 24652]
R3 ip_fw;ipfw kernel-mode driver;c:\windows\system32\drivers\ip_fw.sys [2009-5-29 28800]
S2 gupdate1c9afc95437522e;Google Update Service (gupdate1c9afc95437522e);c:\program files\google\update\GoogleUpdate.exe [2009-3-28 133104]
S2 ipfw;ipfw_helper;c:\windows\system32\2836.exe --> c:\windows\system32\2836.exe [?]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2008-10-7 69120]

=============== Created Last 30 ================

2009-06-18 13:41 <DIR> --d----- c:\program files\AVG
2009-06-18 13:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-15 22:43 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-15 22:17 <DIR> --d----- c:\documents and settings\dan\.limewire
2009-06-15 00:42 <DIR> --d----- c:\docume~1\dan\applic~1\Symantec
2009-06-15 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-15 00:42 <DIR> --d----- c:\program files\Symantec
2009-06-15 00:42 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-12 14:51 57,344 a----r-- c:\windows\system32\BCMDMMOH.dll
2009-06-12 14:51 36,352 a----r-- c:\windows\system32\BCMSM136.dll
2009-06-06 23:16 <DIR> --d----- c:\program files\Trend Micro
2009-06-06 23:05 <DIR> --d----- c:\docume~1\dan\applic~1\Malwarebytes
2009-06-06 22:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 22:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-06 22:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 22:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-05 17:56 <DIR> --d----- c:\windows\pss
2009-05-29 09:19 28,800 a------- c:\windows\system32\drivers\ip_fw.sys

==================== Find3M ====================

2009-06-12 14:59 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-23 09:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-02 00:25 0 a------- c:\program files\temp01
2006-02-23 16:38 774,144 a------- c:\program files\RngInterstitial.dll
2003-05-02 16:19 165,888 a------- c:\program files\setup3.exe
2003-03-12 06:25 431,383 a------- c:\program files\setup2.exe
2008-09-06 13:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 18:09:27.53 ===============