Can not connect to internet except via Safe Mode

[rjmica]

Hi! I am trying to fix a friend's computer. I believe he may picked up a virus. The Dell computer is running Windows XP sp2 and will only connect to the internet in safe mode. I posted this problem on the Windows XP Support Forum and they refered me here.

Numerous attempts to restore the computer to various past dates have all been unsuccessful. I ran an online scan in safe mode with Trend Micro Housecall and it found "POSSIBLE_HIFRM-5" and several grayware, which it removed. It also found several Detected Vulneralbilities such as; MS01-028, MSO5-004, MS08-061, MS08-063, and so on, which it could not define, therefore, they were not removed.

I found Limewire on his computer, which I believe his son used, and uninstalled it. Your help would be deeply appreciated.

Also, the GMER Rootkit Scanner will not run properly on this computer. The Scan, Copy, and Save buttons are over top of Ads and Show All and nothing happens when you click the Scan button. This same file runs fine on my personal computer. So, I could not attach this log.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Dan at 18:08:46.73 on Thu 06/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.269 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\AOL\1153942526\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1153942526\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1153942526\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AIM] c:\progra~1\aim\aim.exe -cnetwait.odl
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Dice City Roller by pogo - hxxp://game1.pogo.com/applet-6.8.2.23/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://chill.comcast.net/Gameshell/online/en/abc_island/abcisland.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/realarcade-webgames/mysterypilt/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} - hxxp://playgames.comcast.net/online2/asianata/asianata.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtv.com/images/app/view22rte.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/AbacastClient2.1.20.2.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\qrp5qwjl.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-1-25 4064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-26 24652]
R3 ip_fw;ipfw kernel-mode driver;c:\windows\system32\drivers\ip_fw.sys [2009-5-29 28800]
S2 gupdate1c9afc95437522e;Google Update Service (gupdate1c9afc95437522e);c:\program files\google\update\GoogleUpdate.exe [2009-3-28 133104]
S2 ipfw;ipfw_helper;c:\windows\system32\2836.exe --> c:\windows\system32\2836.exe [?]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2008-10-7 69120]

=============== Created Last 30 ================

2009-06-18 13:41 <DIR> --d----- c:\program files\AVG
2009-06-18 13:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-15 22:43 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-15 22:17 <DIR> --d----- c:\documents and settings\dan\.limewire
2009-06-15 00:42 <DIR> --d----- c:\docume~1\dan\applic~1\Symantec
2009-06-15 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-15 00:42 <DIR> --d----- c:\program files\Symantec
2009-06-15 00:42 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-12 14:51 57,344 a----r-- c:\windows\system32\BCMDMMOH.dll
2009-06-12 14:51 36,352 a----r-- c:\windows\system32\BCMSM136.dll
2009-06-06 23:16 <DIR> --d----- c:\program files\Trend Micro
2009-06-06 23:05 <DIR> --d----- c:\docume~1\dan\applic~1\Malwarebytes
2009-06-06 22:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 22:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-06 22:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 22:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-05 17:56 <DIR> --d----- c:\windows\pss
2009-05-29 09:19 28,800 a------- c:\windows\system32\drivers\ip_fw.sys

==================== Find3M ====================

2009-06-12 14:59 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-23 09:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-02 00:25 0 a------- c:\program files\temp01
2006-02-23 16:38 774,144 a------- c:\program files\RngInterstitial.dll
2003-05-02 16:19 165,888 a------- c:\program files\setup3.exe
2003-03-12 06:25 431,383 a------- c:\program files\setup2.exe
2008-09-06 13:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 18:09:27.53 ===============

[rjmica]

BUMP, Please.

[rjmica]

BUMP, Please. (6 days)

[Ried]

Hello rjmica,

I'd really like to try to get a gmer scan to complete. Open Notepad and copy/paste the contents in the code box below, into Notepad.

Quote:

@copy /y gmer.exe gamer.exe
@Start gamer.exe -protect

Save this as owned.bat Choose to "Save type as - All Files"

It should look like this:

Place the batch next to gmer & double click to launch it.


Remember to configure and carry out the scan as follows:

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please attach the ark.txt in your next reply along with a fresh dds.txt

[rjmica]

Hi Ried,

First let me say thank you for helping me with this problem.

I put owned.bat on the desktop with gmer and clicked owned, but I get the same thing. The program opens up with the Scan, Copy, and Save buttons higher than they should be (over top the ADS and SHOW ALL selections). Nothing happens when you click on Scan. This file works perfectly when run on another computer.

Is there something else I could try?

[Ried]

You're welcome. :)

Let's try another rootkit scanner:

Download RootRepeal from the following location and save it to your desktop:
RootRepeal

• Extract RootRepeal.exe from the zip archive.
• Open on your desktop.
• Click the tab.
• Click the button.
• Check all six boxes:
• Click Ok
• Check the box for your main system drive (Usually C:), and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, click the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

[rjmica]

OK, that seemed to work. The RootRepeal file is attached.

[Ried]

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on combofix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

[rjmica]

ComboFix.txt is attached.

[rjmica]

Sorry. ComboFix.txt is attached now.

ComboFix 09-06-25.01 - Administrator 06/25/2009 19:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.373 [GMT -4:00]
Running from: c:\documents and settings\All Users\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan\Favorites\games.url
c:\documents and settings\Rose\Local Settings\Temporary Internet Files\temp.dmf
c:\windows\system32\drivers\ip_fw.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Legacy_IPFW
-------\Legacy_IP_FW
-------\Service_Boonty Games
-------\Service_ip_fw
-------\Service_ipfw


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-18 17:19 . 2009-06-18 17:19 33848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 02:43 . 2009-06-18 19:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-16 02:29 . 2009-06-20 18:36 -------- d-----w- c:\documents and settings\Administrator\.limewire
2009-06-15 04:42 . 2009-06-20 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-15 04:42 . 2009-06-20 18:36 -------- d-----w- c:\program files\Symantec
2009-06-15 04:42 . 2009-06-20 18:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-15 03:00 . 2009-06-15 03:48 -------- d-----w- c:\documents and settings\Dan\Application Data\MSN6
2009-06-12 18:51 . 2002-06-05 22:46 57344 ----a-r- c:\windows\system32\BCMDMMOH.dll
2009-06-12 18:51 . 2002-06-05 22:46 36352 ----a-r- c:\windows\system32\BCMSM136.dll
2009-06-12 18:23 . 2008-04-13 16:44 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-07 03:16 . 2009-06-07 03:16 -------- d-----w- c:\program files\Trend Micro
2009-06-07 03:05 . 2009-06-07 03:05 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
2009-06-07 02:20 . 2009-06-07 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-07 02:20 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-07 02:19 . 2009-06-20 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 02:19 . 2009-06-07 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-07 02:19 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-07 02:15 . 2009-06-07 02:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-07 02:14 . 2009-06-20 18:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-06-07 02:14 . 2009-06-22 22:25 -------- d-----w- c:\documents and settings\Administrator
2009-06-06 15:14 . 2007-05-25 20:52 351232 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\qrp5qwjl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
2009-06-06 15:14 . 2007-05-25 20:52 139264 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\qrp5qwjl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 13:13 . 2008-05-12 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-20 18:48 . 2009-06-18 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-20 18:48 . 2009-06-20 18:48 -------- d-----w- c:\program files\AVG
2009-06-20 18:47 . 2009-06-20 18:47 -------- d-----w- c:\documents and settings\Dan\Application Data\Symantec
2009-06-20 18:47 . 2009-06-20 18:47 -------- d-----w- c:\documents and settings\Rose\Application Data\Malwarebytes
2009-06-20 18:43 . 2008-06-26 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-20 18:43 . 2008-09-02 02:19 -------- d-----w- c:\documents and settings\Rose\Application Data\McAfee
2009-06-20 18:43 . 2006-01-25 20:58 -------- d-----w- c:\program files\McAfee.com
2009-06-20 18:37 . 2006-01-27 20:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-20 18:36 . 2006-11-26 18:43 -------- d-----w- c:\program files\LimeWire
2009-06-18 18:20 . 2007-09-01 15:00 -------- d-----w- c:\documents and settings\Liz\Application Data\COMCASTTOOLBAR
2009-06-12 18:59 . 2006-01-25 19:51 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-09 00:02 . 2006-01-26 18:42 -------- d-----w- c:\documents and settings\Rose\Application Data\MSN6
2009-05-15 20:10 . 2007-10-27 19:00 -------- d-----w- c:\documents and settings\Rose\Application Data\Move Networks
2009-05-15 20:08 . 2009-05-15 20:08 34062 ----a-w- c:\documents and settings\Rose\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-15 20:08 . 2009-05-15 20:08 1047072 ----a-w- c:\documents and settings\Rose\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2008-04-02 04:25 . 2008-04-02 04:25 0 ----a-w- c:\program files\temp01
2006-02-23 20:38 . 2006-02-23 20:38 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-05-02 20:19 . 2006-01-25 20:16 165888 ----a-w- c:\program files\setup3.exe
2003-03-12 10:25 . 2006-01-25 20:14 431383 ----a-w- c:\program files\setup2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-24 68856]
"AIM"="c:\progra~1\AIM\aim.exe" [2005-08-05 67160]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Hpppta"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" [2000-08-15 98304]
"HostManager"="c:\program files\Common Files\AOL\1153942526\ee\AOLHostManager.exe" [2005-08-02 159832]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2002-06-05 65536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-02-24 1495040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\1153942526\\ee\\aolservicehost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Documents and Settings\\Liz\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [1/25/2006 4:25 PM 4064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/26/2008 1:54 PM 24652]
S2 gupdate1c9afc95437522e;Google Update Service (gupdate1c9afc95437522e);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2009 1:19 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-06-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 19:19]

2009-06-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-28 17:19]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-MPlay64 - c:\program files\common files\system\deb20818.exe
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Dice City Roller by pogo - hxxp://game1.pogo.com/applet-6.8.2.23/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/realarcade-webgames/mysterypilt/SpinTopGamesLauncher.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 20:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1284227242-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b7,0c,a8,6b,47,0e,0c,44,52,20,26,9b,52,b8,28,95,e3,bc,05,ed,f2,95,08,
5c,72,a9,fc,8b,fd,34,53,24,24,c8,c4,d3,9a,2b,6a,8d,8c,04,8c,6b,4a,7c,50,d8,\
"??"=hex:31,e2,ee,dd,87,19,e5,67,e0,65,3a,ff,98,07,3b,8c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(980)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\AIM\aim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\AOL\1153942526\ee\AOLServiceHost.exe
c:\program files\Common Files\AOL\1153942526\ee\AOLServiceHost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-06-26 20:12 - machine was rebooted [Dan]
ComboFix-quarantined-files.txt 2009-06-26 00:12

Pre-Run: 76,811,898,880 bytes free
Post-Run: 78,962,749,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

185

[Ried]

Hello rjmica,

Are you able to access the internet in Normal Mode now?

What AV is installed? I see that Norton and AVG were both recently installed, then uninstalled.

[rjmica]

Yes, I can now access the internet in normal mode. Thanks a million!

This is my friend's computer. He told me he installed and uninstalled Norton AV after he began having this problem. I tried to install AVG but it wouldn't install correctly, so I uninstalled it. I intend to reinstall AVG. Can I do it now? I also plan to install some antispyware.

Were you able to determine what caused this?

[Ried]

Hi rjmica,

Yes, these were the main culprits, which ComboFix took care of for us:

R3 ip_fw;ipfw kernel-mode driver;c:\windows\system32\drivers\ip_fw.sys [2009-5-29 28800]
S2 ipfw;ipfw_helper;c:\windows\system32\2836.exe --> c:\windows\system32\2836.exe [?]

Norton has not been fully unistalled. Go to the Control Panel>Add or Remove programs and uninstall the following:

LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)

While you're in there, uninstall the older versions of Java as they are no longer needed and could continue to pose a security risk:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1

========================================

Here is a very good free AV that can be installed:

Avira AntiVir Personal[/url].

Download, install, update definitions.

========================================

After you've completed the above, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

[rjmica]

Sorry, I've been away at work for a day and a half. Just got back late last night. Did everything you said above and attached report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 28, 2009 16:10:28
Records in database: 2399674
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 86249
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:30:57


File name / Threat name / Threats count
C:\Program Files\Best Buy Games\Dream Day Honeymoon\Agatha_Christie-setup.exe Infected: Trojan.Win32.Inject.trs 1
C:\Program Files\Best Buy Games\Dream Day Honeymoon\Big_City_Adventure-setup.exe Infected: Trojan.Win32.Inject.ufu 1
C:\Program Files\Best Buy Games\Dream Day Honeymoon\Dream_Day_Wedding-setup.exe Infected: Trojan.Win32.Inject.kgm 1

The selected area was scanned.

[Ried]

I'd like to see how other AV's view these Best Buy Games.

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following:
  
  C:\Program Files\Best Buy Games\Dream Day Honeymoon\Agatha_Christie-setup.exe
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• If you get a message saying File has already been analyzed: click Reanalyze file now
• Once scanned, copy and paste the results in your next reply, or simply copy the link from the results page and post that.

[rjmica]

Here is the link. http://www.virustotal.com/analisis/e...d0c-1246217388

[Ried]

Thank you. I feel this is a false positive, but if it makes you more comfortable, you can delete the .exe's flagged by the online scan.

Panda is only reporting backups created during the course of this fix, and items in your System Restore cache which we will clear momentarily. minor adware that comes bundled with your machine by the manufacturer.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.


SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

[rjmica]

I have done everything you suggested in your previous post and everything seems to be performing normally now. I will return my friend's computer to him and give him your advice on preventing further problems.

Thanks again. You guys provide a much needed service and do it in a professional and efficient manner. All the best to you!!

[Ried]

You're welcome, and your kind words are greatly appreciated.


It's been a pleasure. Enjoy the upcoming week, rjmica.