1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cannot Delete Content.IE5 Temp Internet Files, HDD Full

Discussion in 'Virus & Other Malware Removal' started by LagunaGTO, Feb 20, 2013.

Thread Status:
Not open for further replies.
Advertisement
  1. LagunaGTO

    LagunaGTO Account Closed Thread Starter

    Joined:
    Jan 27, 2011
    Messages:
    139
    Just a quick overview: I am a malware expert as well, just having difficulty with this one because it is remote and if it were in person, I'd pop the drive out and delete these files from a bay and make the drive my ***** or just re-image since this is a time sink...however, I cannot. I'm also running out of tools to fix the issue. So, feel free to be more technical and make it easier on yourself.


    OS: Windows 7 Enterprise x86 SP1
    Model: Dell
    CPU: Intel Pentium 4, 3.20GHz
    RAM: 4GB
    HDD Size: 80GB (74.47GB free)
    HDD Used Space: 73.42GB, Temporary Internet Files takes over 35GB.
    Browsers: Firefox and IE7 (NOW upgraded to IE9 manually)


    Symptom: 99% of the HDD is being used up and cannot delete the files taking up the space. Research is leading me to believe malware is camping somewhere causing this to happen.

    Windows Updates is currently not working as well. Gives the error as "Windows Update service is not running, please restart your machine." When looking at services, both 'Windows Updates' and 'Background Intelligent Transfer Service" are missing.










    Fixes Ran Thus Far:
    • Ran HJT and removed known problems, Deleted ~6 Problems. Used hijackthis.de for assistance.
    • Ran Kaspersky AVP Tool, Removed 1 Infection. Unfortunately no log.
    • Ran WinDirStat to locate what is taking up space.
      • Location of Most Size: C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
      • Contains about 20 folders all adding up in size. Some are hidden, some are not.
      • Deleting them by doing Shift + Del does nothing, just sits on "Preparing to Delete"
    • Ran MS FixIt @ http://support.microsoft.com/kb/260897
    • Manually moved Temp Internet Files folder, deleted old contents, moved back.
    • Manually installed IE9.
    • Ran Windows Update FixIt @ http://support.microsoft.com/mats/windows_update/
      • Says "Found no Problem"
    • Ran TDSSKiller. Found no threats.
    • Ran System Restore Utility on Kaspersky AVZ, items 1-16.
    • Host Files Cleared and Fixed, was filled with malware directs.
    • Ran Windows MSRT @ http://www.microsoft.com/security/pc-security/malware-families.aspx - No Infections Found.
    Please NOTE: GMER froze the first time while scanning once it reached the Content.IE5 folders. No CD emulation software is on the PC. I am running it again right now while awaiting assistance.



    Here are logs for the current state of the machine:


    HIJACKTHIS
    NOTE: I have tried removing the toolbars using HJT without success. Also, Bomgar is my remote client.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:28:56 PM, on 2/20/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16464)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Windows\system32\conhost.exe
    C:\Users\james biz\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (file missing)
    O2 - BHO: Incredibar.com Helper Object - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll (file missing)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
    O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (file missing)
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (file missing)
    O3 - Toolbar: Incredibar Toolbar - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll (file missing)
    O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
    O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
    O4 - HKUS\S-1-5-18\..\Run: [Bomgar_Cleanup_ZD285168953] cmd.exe /C rd /S /Q "C:\ProgramData\bomgar-scc-5124314B" & reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD285168953 /f (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Bomgar_Cleanup_ZD285168953] cmd.exe /C rd /S /Q "C:\ProgramData\bomgar-scc-5124314B" & reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD285168953 /f (User 'Default user')
    O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    O4 - Global Startup: NETGEAR WNA3100 Genie.lnk = ?
    O4 - Global Startup: UltraMon.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bomgar Support Customer Client [1361378658] (bomgar-scc-1361378658) - Bomgar - C:\ProgramData\bomgar-scc-5124FD61\bomgar-scc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HitmanPro 3.6 Crusader (Boot) (HitmanPro36CrusaderBoot) - Unknown owner - C:\Users\james biz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O22NN2QN\HitmanPro36[1].exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: WSWNA3100 - Unknown owner - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
    --
    End of file - 7475 bytes



    dds.txt LOG
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16464 BrowserJavaVersion: 10.9.2
    Run by james biz at 13:30:42 on 2013-02-20
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3574.2751 [GMT -5:00]
    .
    AV: ESET NOD32 Antivirus 4.2 *Enabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Enabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\ProgramData\bomgar-scc-5124FD61\bomgar-scc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\ProgramData\bomgar-scc-5124FD61\bomgar-scc.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\UltraMon\UltraMonUiAcc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\james biz\Desktop\HijackThis.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k SDRSVC
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uSearch Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    mStart Page = about:blank
    mSearch Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    uSearchAssistant = about:blank
    mSearchAssistant = about:blank
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} -
    BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} -
    BHO: Incredibar.com Helper Object: {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} -
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} -
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} -
    TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} -
    TB: Incredibar Toolbar: {F9639E4A-801B-4843-AEE3-03D9DA199E77} -
    uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
    uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
    mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    dRun: [Bomgar_Cleanup_ZD285168953] cmd.exe /C rd /S /Q "c:\programdata\bomgar-scc-5124314b" & reg delete hkcu\software\microsoft\windows\currentversion\Run /v Bomgar_Cleanup_ZD285168953 /f
    StartupFolder: c:\users\jamesb~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{537056b7-32a4-4408-9b54-0341963c7c9c}\IcoUltraMon.ico
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: NameServer = 65.32.5.111 65.32.5.112 192.168.1.1
    TCP: Interfaces\{104104DD-8B2D-4351-A011-DF019C4C1197} : DHCPNameServer = 68.87.74.166 68.87.68.166
    TCP: Interfaces\{73F7DBFA-9C18-49E5-A0F7-A8F032E6D054} : DHCPNameServer = 65.32.5.111 65.32.5.112 192.168.1.1
    TCP: Interfaces\{73F7DBFA-9C18-49E5-A0F7-A8F032E6D054}\2656C6B696E6E2735623 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{B9945357-0BAE-4160-8D75-69FF027E157E} : DHCPNameServer = 68.87.74.166 68.87.68.166
    TCP: Interfaces\{F63AF591-3385-4E2A-AFFB-76279E34C5BB} : DHCPNameServer = 68.87.74.166 68.87.68.166
    TCP: Interfaces\{FC3ED015-8B65-4F69-977A-1750213F3CA4} : DHCPNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
    TCP: Interfaces\{FD314368-C5B4-463E-9AB9-3E9B17B82006} : DHCPNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{FD314368-C5B4-463E-9AB9-3E9B17B82006}\54164702D4F627560234F6F6B6965637 : DHCPNameServer = 68.87.74.166 68.87.68.166
    TCP: Interfaces\{FD314368-C5B4-463E-9AB9-3E9B17B82006}\A657E69607562776C656E6E66627565677966696 : DHCPNameServer = 192.168.1.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\james biz\appdata\roaming\mozilla\firefox\profiles\dzfivk6h.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=994519&p=
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\users\james biz\appdata\roaming\mozilla\firefox\profiles\dzfivk6h.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8O16kZ0D&loc=IB_TB&i=26&search=
    FF - user.js: extensions.incredibar_i.id - c89bd99e0000000000004c60de8299aa
    FF - user.js: extensions.incredibar_i.instlDay - 15686
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.148:35:41
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef -
    FF - user.js: extensions.incredibar_i.dfltLng -
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id -
    FF - user.js: extensions.incredibar_i.upn2 - 6R8O16kZ0D
    FF - user.js: extensions.incredibar_i.upn2n - 92825558812001595
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10678
    FF - user.js: extensions.incredibar_i.ppd - 119
    FF - user.js: extensions.funmoods.hmpg - false
    FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=aln&ir=aln&cd=2XzuyEtN2Y1L1QzuyE0CyCtD0D0EzztBzyzy0A0A0Dzyzy0EtN0D0Tzu0CtAyCtDtN1L2XzutBtFtBtFtCtFyEtDyB&cr=170806728
    FF - user.js: extensions.funmoods.dfltSrch - false
    FF - user.js: extensions.funmoods.srchPrvdr - Funmoods
    FF - user.js: extensions.funmoods.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - false
    FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=aln&ir=aln&cd=2XzuyEtN2Y1L1QzuyE0CyCtD0D0EzztBzyzy0A0A0Dzyzy0EtN0D0Tzu0CtAyCtDtN1L2XzutBtFtBtFtCtFyEtDyB&cr=170806728
    FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=aln&ir=aln&cd=2XzuyEtN2Y1L1QzuyE0CyCtD0D0EzztBzyzy0A0A0Dzyzy0EtN0D0Tzu0CtAyCtDtN1L2XzutBtFtBtFtCtFyEtDyB&cr=170806728&q=
    FF - user.js: extensions.funmoods.id - 4C60DE8299AAD99E
    FF - user.js: extensions.funmoods.instlDay - 15700
    FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
    FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.229:0:49
    FF - user.js: extensions.funmoods.prtnrId - funmoods
    FF - user.js: extensions.funmoods.prdct - funmoods
    FF - user.js: extensions.funmoods.aflt - aln
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods.tlbrId - base
    FF - user.js: extensions.funmoods.instlRef - aln
    FF - user.js: extensions.funmoods.dfltLng -
    FF - user.js: extensions.funmoods.excTlbr - false
    FF - user.js: extensions.funmoods.autoRvrt - false
    FF - user.js: extensions.funmoods.envrmnt - production
    FF - user.js: extensions.funmoods.isdcmntcmplt - true
    FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2012-7-13 21472]
    R2 bomgar-scc-1361378658;Bomgar Support Customer Client [1361378658];c:\programdata\bomgar-scc-5124fd61\bomgar-scc.exe [2013-2-20 953280]
    R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
    R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2012-7-13 303360]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2012-7-13 1093888]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 HitmanPro36CrusaderBoot;HitmanPro 3.6 Crusader (Boot);"c:\users\james biz\appdata\local\microsoft\windows\temporary internet files\content.ie5\o22nn2qn\hitmanpro36[1].exe" /crusader:boot --> c:\users\james biz\appdata\local\microsoft\windows\temporary internet files\content.ie5\o22nn2qn\HitmanPro36[1].exe [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-19 40776]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-1-29 30576]
    S3 netr73;Belkin Wireless 54G USB Network Driver;c:\windows\system32\drivers\netr73.sys [2011-2-5 552960]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-6 15872]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-6 52224]
    .
    =============== Created Last 30 ================
    .
    2013-02-20 18:21:29 7168 ----a-w- c:\programdata\[email protected]!-55810167-af1e-47c6-8d5b-c8a62b8f7018.tmp
    2013-02-20 16:57:38 -------- d-----w- c:\programdata\Kaspersky Lab
    2013-02-20 16:44:17 -------- d-----w- c:\programdata\bomgar-scc-5124FD61
    2013-02-20 03:38:47 10240 ----a-w- c:\windows\system32\drivers\uji2mte1.sys
    2013-02-20 02:31:54 -------- d-----w- c:\users\james biz\appdata\roaming\Webroot
    2013-02-20 00:22:31 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2013-02-20 00:22:13 -------- d-----w- c:\users\james biz\appdata\local\Programs
    .
    ==================== Find3M ====================
    .
    2013-02-20 01:02:27 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-02-20 01:02:27 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    ============= FINISH: 13:31:42.85 ===============


    attach.txt LOG
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/5/2011 9:48:14 AM
    System Uptime: 2/20/2013 1:20:56 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0F8098
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 0.98 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ROOT\LEGACY_UTI2MTE1\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\LEGACY_UTI2MTE1\0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP342: 2/20/2013 12:46:26 PM - Windows Modules Installer
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    AIM 7
    Aiseesoft MTS Converter 6.2.16
    Any Video Converter 3.2.7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Belkin 54Mbps Wireless Network Adapter
    Belkin F5D8053 N Wireless USB Adapter
    Bonjour
    Brother P-touch Editor Version 4.1
    Brother Software
    Compatibility Pack for the 2007 Office system
    D3DX10
    Garmin USB Drivers
    Google Chrome
    iCloud
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java 7 Update 9
    Java Auto Updater
    Java(TM) 6 Update 31
    Junk Mail filter update
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Corporation
    Microsoft IntelliPoint 8.0
    Microsoft IntelliType Pro 8.0
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    MobileMe Control Panel
    Mozilla Firefox 16.0.2 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSVCRT110
    NETGEAR WNA3100 wireless USB 2.0 adapter
    PDF Reader for Windows 7
    Photo Common
    QuickTime
    Rosetta Stone Version 3
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Skype&#8482; 5.1
    UltraMon
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR archiver
    Wunderlist
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/20/2013 3:00:40 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    2/20/2013 12:44:17 AM, Error: Service Control Manager [7034] - The Bomgar Support Customer Client [1361326411] service terminated unexpectedly. It has done this 1 time(s).
    2/20/2013 1:22:34 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    2/20/2013 1:22:34 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    2/20/2013 1:21:22 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    2/20/2013 1:21:22 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    2/20/2013 1:21:20 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    2/20/2013 1:21:16 PM, Error: Service Control Manager [7000] - The HitmanPro 3.6 Crusader (Boot) service failed to start due to the following error: The system cannot find the file specified.
    2/19/2013 9:11:00 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    2/19/2013 9:10:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    2/19/2013 9:10:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    2/19/2013 9:10:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/19/2013 9:10:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    2/19/2013 9:10:35 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21
    2/19/2013 9:10:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    2/19/2013 9:10:17 PM, Error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
    2/19/2013 9:10:17 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    2/19/2013 10:43:24 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    2/19/2013 10:40:49 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
    2/18/2013 7:18:06 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    2/18/2013 7:18:06 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    .
    ==== End Of File ===========================
     
  2. LagunaGTO

    LagunaGTO Account Closed Thread Starter

    Joined:
    Jan 27, 2011
    Messages:
    139
    Bump! I know this is a tough one, but I'm willing to try anything. Someone has got to be as interested as me in solving this!
     
  3. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    You say you are a Malware expert, but no Golden Shield next to your name?

    Lets start with removing all the temp files using TFC. Then run ADWCleaner to remove all the Adware which is very clear in the Firefox part of the logs, then RogueKiller to check for any serious infections.

    You should also uninstall both Java versions as they are out of date, the latest can be installed when the PC is clean.

    Download Temporary file cleaner and save it to the desktop.
    Double click on the icon to run it (it appears as a dark grey dustbin). For Windows 7 and Vista right click the icon and select Run as Administrator.
    When the window opens click on Start. It will close all running programs and clear the desktop icons.
    When complete you may be asked to reboot, if so accept the request and your PC will reboot automatically.

    Please run these two scans and post the logs:

    SCAN 1
    Click on this link to download : ADWCleaner and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and click on this icon on your desktop: [​IMG]

    You will then see the screen below, click on the Delete button (as indicated), accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report, copy & paste it into your next post.

    [​IMG]



    SCAN 2
    Download RogueKiller (by tigzy) and save direct to your Desktop.
    On the web page select the 32bit or 64bit button to match the bit rate of your version of Windows.

    • Quit all running programs.
    • Start RogueKiller.exe by double clicking on the icon.
    • Wait until Prescan has finished.
    • Ensure all boxes are ticked under "Report" tab.
    • Click on Scan.
    • Click on Report when complete. Copy/paste the contents of the report and paste into your next reply.
    • NOTE: DO NOT attempt to remove anything that the scan detects.

    [​IMG]
     
  4. LagunaGTO

    LagunaGTO Account Closed Thread Starter

    Joined:
    Jan 27, 2011
    Messages:
    139
    By expert, I meant off of this site, not on the site. Sorry for the confusion.

    I believe I have resolved this issue. I believe to have been both deep malware as well as corruption on the Temporary Internet Files. I let the delete sit all night and it actually started deleting after the removal from Kaspersky AVP. It just sat on "preparing for deletion" for over 4 hours.

    Thanks for the assistance with your two program suggestions. ADWCleaner finally removed those toolbars.

    I will mark this as solved.
     
  5. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    No worries.

    Glad to hear you got it fixed. ADWCleaner is an excellent tool for cleaning out Adware related toolbars, etc. I use it in nearly every thread to get all the rubbish out of the way. TFC would probably have done the same job on the Temp files and possibly a lot quicker as it stops all processes before running.

    If you get stuck again please don't hesitate to PM me.
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1090348

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice