Winsock error on IE, but Firefox ok

Status
Not open for further replies.

ken123286

I can't get Internet Explorer to run. I have received the following diagnostic message: Error attempting to validate the Winsock base providers: 2 error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
Firefox does run ok.

I tried the command prompt for the reset and tried a fixit winsock reset program with no resolution.

I have attempted to attach the hijack log.
I have run Malware with no detected problems. I use Microsoft's Security Essentials firewall.
I couldn't figure out how to download the Sysspec log, so here are some basics on the system:
Dell with Windows XP and Service Pack 3
Internet Explorer 8.0.6001.18702
RAM is 1022 MB
The system analysis said "no firewall detected" even though I am using Microsoft Security Essentials.

I hope this supplies the important information.

Thanks,
Ken123286
 

Attachments

  • hijackthis.log (5.6 KB)
What is the model of computer, or service tag, and how old is it?
You may have an infestation or a hardware failure....
 
Ken, if you would like us to check the system for malware, please follow the steps HERE.

When you have finished, please include the logs in your next reply.
There is not enough information in the HJT log to determine anything. The make and model of the system don't make any significant difference at this point.

Please don't run any other cleaning programs or scans while I am helping you, unless I instruct you to. Don't use a Registry editor or make Registry changes. And it would be best if you refrained from trying to make Winsock changes until we determine what the problem is.
 
raybay - bobbye,

System service tags (from the invoice) Edit: Service tag number has been removed.
Dell Dimension 3000; Intel Celeron 2.40 GHz
Purchased March 2005
Only hardware upgrade was adding a second 512 from crucial.
I will try the cleaning process, but might not get it going for 5 or 7 days. Today is a little tied up and then I will be traveling for several days.

Thanks for the assistance.
Ken 123286
 
Okay- I'll make a note not to close in the usual 5 days. I removed your Service tag number. You should not have been asked for that.

Bobbye, Ken is coming back. Wait 7 days for reply.
 
ran the 8 step process

Bobbye,


I have attached the logs from the four processes.

Problems along the way:
1. Wasn't sure if I had an antivirus program. Downloaded Avira before I realized that Microsoft Security Essentials was one. Avira downloaded OK; however, it would not update. Said there was an error in the update process. Tried it several times. I have it turned off (I hope).

After running the steps of the removal process, I went back to verify I had the latest version of Java. I went to Add/Remove Programs to find it. While looking for Java, the Avira program popped up (I thought I had turned it off) saying it had found "TR/Dropper.Gen" in a Walmart photo program. That program has been on the hard drive for several years. It asked me to apply or cancel. I canceled because I think you didn't want me to do anything. Again, I hope. Especially since I had already run the logs requested.

I think I had the latest version of Java (6.0), (update 6.0). So I didn't download or remove old programs.

Not sure how Windows or Microsoft is updating if I can't use Internet Explorer.

Hope I did this OK.

Thanks,
Ken123286
 

Attachments

  • mbam-log-2010-05-13 (21-51-26).txt (893 bytes)
  • attach.txt (18.5 KB)
  • dds.txt (16.6 KB)
  • gmer.log (9.2 KB)
Ken, the Java you need is v6 update 20. So you can update to this, then go to Add/Remove Programs in the Control Panel and remove all the entries for Java v6u6.

Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
==========================
Run this please:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

By the way, I worked with someone who had backed up emails that were 4 years old; they all had an email worm in them! Thus your picture might have slipped through! I'll check the logs and see.
 
eset scanner

Got Java with update 20 and removed the old version.
Couldn't get Eset to run. It asked me to download something because it wasn't Internet Explorer.
I did that, but it says it can't get the update. Is proxy configured? When I click on configure I get a window with several boxes which allows me to type, but I am afraid I don't know what to type into the boxes.

Boxes: Proxy address, port, user name, and Password.
What would you like me to do now?

Thanks,
ken123286
 
Download and run LSP-Fix

  1. Download LSP-Fix and save it to its own directory on the desktop.
  2. Double-click on the file to open it.
  3. In the left-hand column, you should see the nwprovau.dll files listed.
    • Click on it to highlight
    • Click the arrow in the middle of the screen that points to the right
  4. This will move the filename to the right-hand column labeled Remove
    • NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
  5. Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
  6. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
  7. Close LSPFix.


Rescan with HijackThis. The LSP nwprovau.dll entries should be gone.
=====================================
You also now have too many AV programs and firewalls:
The system analysis said "no firewall detected" even though I am using Microsoft security essentials.
I don't know if MSE has a firewall, but it does have an antivirus program.
Please remove Avira.
Also, if MSE does have a firewall, then you need to remove Online Armour. There should be only one antivirus program and one firewall. Multiples of either can leave the system more vulnerable and also slow it down.
=============================
Reopen HijackThis to 'do system scan only.' Check the following processes if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


Close all Windows except HJT and click on "Fix Checked"

Try IE and the Eset scan now- reboot the computer first.
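
The entry types picked out for fixing in the post above (a loopback ProxyServer value, a Winsock LSP file HijackThis does not recognise, entries pointing at missing files) can be flagged automatically when reviewing a log. The following is an added example, not part of the original thread or of HijackThis; the function names and reason labels are hypothetical, and the sample lines are copied from logs quoted in this thread.

```python
import re

# Sample input assembled for this example from entry lines quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O10 - Unknown file ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse(log_text):
    """Return (section, body) for each entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def review_reasons(section, body):
    """Heuristic reasons (hypothetical labels) why an entry deserves a human look."""
    low = body.lower()
    reasons = []
    if section == "O10":
        # O10 lines report on the Winsock LSP chain, the component reset in this thread.
        reasons.append("winsock-lsp")
    if "proxyserver" in low and re.search(r"127\.0\.0\.1|localhost", low):
        # Browser traffic routed through a local listener that may no longer exist.
        reasons.append("loopback-proxy")
    if "(no file)" in low or "(file missing)" in low:
        # Registry entry left behind after the file it points to was removed.
        reasons.append("orphaned-entry")
    if section in ("R0", "R1") and body.rstrip().endswith("="):
        reasons.append("blank-value")
    return reasons


def triage(log_text):
    """Return (section, reasons, body) for every entry with at least one reason."""
    flagged = []
    for section, body in parse(log_text):
        reasons = review_reasons(section, body)
        if reasons:
            flagged.append((section, reasons, body))
    return flagged


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section:<4}{','.join(reasons):<16}{body}")
```

A flag here means "review", not "remove": as noted later in the thread, most of what HijackThis lists is harmless or required.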
 
Internet ex. back online

Ran the LSP fix, IE is back.
Ran HJT, the nwprovau.dll was gone.
Ran HJT, found all the processes with the exception of O10 - unknown..nwprovau.dll (the one which was removed).
Check marked them, ran the fix.
Ran Eset scan, no viruses or infected files found. That took 1.5 hrs.
Removed Online Armour and Avira and Eset. Not sure I was supposed to remove Eset, got carried away when it offered the option in a box with a check mark.

One question. The note from Avira which indicated it had found something in a Walmart photo program, is that something that should be addressed? I haven't used the program in several years. Should I just remove it?

Sorry, Windows is the firewall, not MSE.

Bobbye, thank you, thank you, thank you,

Ken123286
 
Ken, I'll have you run the Eset online virus scan. IF it picks up the Walmart picture or program, I'll have you remove it. If it doesn't, I'd consider it a False Positive.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
It should run okay for you now. We do need an online scan to be sure nothing was missed. If Eset still doesn't work, I'll have you do a Kaspersky scan now that you have IE back.

If it's clean, I'll have you remove all the tools we used and the logs they created.

If the Walmart program is something you no longer use, it should be uninstalled. See if it has its own uninstaller first. If not, use Add/Remove Programs in Control Panel. Then use Windows Explorer: My Computer> Double click on Local Drive (C)> Programs> find the program folder and do a right click> delete on it.

Empty the Recycle Bin when through.
 
Ran Eset

Deleted Walmart photo program.
Ran Eset scanner from Internet Explorer. Attaching the log.
I haven't noticed any problems (anymore) with IE.

Thanks,
Ken 123286
 

Attachments

  • log.txt (817 bytes)
Clean log. Could you please just run a quick scan with HijackThis to make sure there aren't any entries to remove. Then I'll have you remove the cleaning tools and old restore points:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Here's the log. Won't be back for several days. Traveling Again.
Thanks.
Ken 123286

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:23:54 PM, on 5/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114302294078
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Unknown owner - C:\Program Files\Maxtor\Sync\SyncServices.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5910 bytes
 
Okay, looks good. I'll leave this for you and you can do it when you get back:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if I can be of any more help.

(Ken is traveling)
 