Issues in brief, then details:
Cannot open Internet Options. Administrator in safe mode can’t access the Internet. Scans found and quarantined MediaPlex, Trojan.FakeAlert, PUM.Hijack.HomePageControl. Strange behavior at a shopping site. Have previously been unable to complete an update of IE8 (using XP Pro).
I’ve got a few things happening, and I’m not sure which is causing what. So please excuse me if this is either too much or not the appropriate information.
I discovered a couple of days ago that I cannot access Internet Options in either the Control Panel or IE Tools>Options, either as a user with administrator privileges or as Administrator, in safe mode. I don’t know how long this problem has been present.
There is still an Internet Options icon in the Control Panel, but when I click on it, a box flickers on the screen for a split second, and doesn’t stay onscreen.
I normally have Internet Options locked inside IE, using Spybot’s IE Tweaks and more recently, SpywareBlaster settings, too. I tried unblocking access to Internet Options from IE’s Tools>Options and from SpywareBlaster settings, but when I select Options, again a box blinks on the screen, but doesn’t remain up.
Also, after discovering this problem, the first time I logged into safe mode as Administrator, I could access the Internet, but the second time I logged into safe mode as Administrator, I could not connect to the Internet.
I first realized I couldn’t bring up Internet Options when I tried to access it right after I’d visited an online shopping site, which I believe is legit, but had a strange experience with it. I went to enter a test account (not my real info), just so it would tell me the shipping charges, and found that I appeared to actually be *in* someone else’s registered account! I tried to set up my own test account, changing all the info, and it had not asked for any payment method info yet. Instead of asking me to choose the shipping mode, which it was supposed to do next, it said, “Order accepted”! I immediately contacted the website through their online contact form, and asked them to cancel the order (which I assume was charged to the other customer) and to contact me about using their site.
However, since problems immediately arose, I’ve been afraid to go to my yahoo email.
*By the way, is it safe to use online email, at this point?
I notice now, too, that when I hover the pointer over My Computer in the Start menu, along with Local Disk (C:), the DVD drive, My Documents and Shared Documents, there’s an icon for the Control Panel. Am I that unobservant, that I never noticed that there before, or is that not normally there?
A scan with Spybot S&D brought up MediaPlex tracking cookie as a threat, which had not appeared before in recent or previous scans. I then downloaded and ran Malwarebytes, which found:
Trojan.FakeAlert and
PUM.Hijack.HomePageControl.
But I wonder if the PUM is only detecting my setting for locking IE Tools>Options, with IE Tweaks? The same PUM seemed to reappear in the Malwarebytes scan, after I reapplied the setting. Avira scans didn’t detect any problems.
All three of these malwares were quarantined by Spybot S&D and Malwarebytes, and now scans by them are clean. Avira scans are still clean.
I tried a System Restore twice, only going back about 10 days the first time, and then 12 days back, and the non-access to Internet Options is still present.
The other possible factor is that within the past 3 months or so, I’ve tried a couple of times to update IE8, the last time fairly recently, but the updates wouldn’t complete. I already had IE8, but there seemed to be a slightly more recent version, and with XP, I can’t go to IE9. But when the update automatically restarted the computer and tried to apply personal preferences to IE, it would hang and never complete. I had to cold boot it, as I recall. I gather that it may be my user profiles are not set up correctly, so that I’m updating IE in my normal user account, which has administrative privileges, but it wants to update in the Administrator account, which perhaps should be sharing the user preferences with the other account, but it isn’t. I don't know how to fix that.
Some programs requiring Administrator’s privileges do recognize this user account as having them.
In any case, the IE updates not completing and issues between the Administrator and user accounts may have something to do with Internet Options access, I don’t know. Again, Internet Options currently won’t open in either user account.
Lastly, I haven’t been able to run ESET’s online scanner. When I tried to run it, it told me I need administrator’s privileges, even though this account has them. I tried the suggestion on the ESET FAQ, to change the registry key and eliminate a possible killbit, but found that the long key number mentioned is not under LOCAL_MACHINE/SOFTWARE, etc, in my registry. In my registry, it’s under HKEY_USERS. In a search of my registry, no “compatibility flags” was found.
Thank you very much for your expertise and attention to helping me with this!
My fresh DDS.txt report, attach.txt attached:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by user at 11:08:29 on 2011-12-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1357 [GMT -8:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.safer-networking.org/en/index.html
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB3393] command.com /c del "c:\windows\SchedLgU.Txt"
uRunOnce: [SpybotDeletingD6191] cmd.exe /c del "c:\windows\SchedLgU.Txt"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [SpybotDeletingA3123] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC9596] cmd.exe /c del "c:\windows\SchedLgU.Txt"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250215367203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250221790218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{D32D97C7-A7FE-48E4-9546-8EC79641D39E} : DhcpNameServer = 192.168.0.1 205.171.3.25
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-7 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-4-8 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-4-8 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-4-8 29560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-7 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-7 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-7 66616]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2010-4-8 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2010-4-8 3364856]
S0 cerc6;cerc6; [x]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\flashplayerupdateservice.exe --> c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2010-10-28 91841]
.
=============== Created Last 30 ================
.
2011-12-06 12:18:18 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 12:02:19 -------- d-----w- c:\program files\ERUNT Registry Backup Tool
2011-12-06 00:58:25 -------- d-----w- c:\documents and settings\user\local settings\application data\Sun
2011-12-06 00:39:56 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-05 18:42:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-05 18:42:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-04 21:07:07 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-12-04 21:06:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-04 21:06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-01 13:38:03 -------- d-----w- c:\program files\SpywareBlaster(2)
.
==================== Find3M ====================
.
2011-12-06 00:39:32 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-01 19:32:54 69792 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 19:32:54 417952 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-10-21 15:30:37 516692 ----a-w- c:\windows\vampsUninst.exe
2011-10-21 15:30:06 1903021 ----a-w- c:\windows\vamps.scr
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 11:10:45.30 ===============