BleepingComputer.com: Fake security, search engines hijacked, and no sound

I think that all these problems are related as they all came at the same time. I did run combo fix before I knew better. It seemed to fix the problem, but then I got something from the World guns website, and everything seemed to hit at once. I have run Malwarebytes, AVG, Spybot search and destroy, and Avira. They have all found and removed malware, but the problems persist.

Currently the fake security is calling itself "Malware Protection" and has a Windows shield on my desktop.

My wife tried the Windows backup. I've tried the Seagate Dashboard (E drive) backup. We also can only run in safe mode or as the owner. We cannot get into our names at startup.

I have the DDS logs. I apologise, but I don't have a way to zip them. GMER has failed to finish twice. It gets so far and then I get the encountered a problem, program has to close, do you want to send the information.... I've also run defogger.

I would like to add that I am concerned that my external hard drive might be infected as well. I care more about the information on that than I do on the main hard drive.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 11:04:40 on 2011-05-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.85 [GMT -4:00]
.
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [eBook Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [Memeo Send] c:\program files\memeo\memeo send\MemeoLauncher.exe --silent
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoDesktop =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} - hxxps://registration.rr.com/RegHelper.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-7-1 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-28 38224]
.
=============== Created Last 30 ================
.
2011-05-28 17:33:03 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-05-28 17:32:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-28 16:34:13 -------- d-----w- c:\documents and settings\owner\local settings\application data\Apple Computer
2011-05-28 05:51:44 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2011-05-28 03:30:57 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-05-28 03:26:39 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2011-05-28 03:25:50 -------- d-----w- c:\documents and settings\owner\local settings\application data\kinoma
2011-05-28 03:25:45 -------- d-----w- c:\documents and settings\owner\application data\Memeo
2011-05-28 03:25:43 -------- d-----w- c:\documents and settings\owner\application data\Seagate
2011-05-23 19:51:31 -------- d-sha-r- C:\cmdcons
2011-05-18 18:32:16 -------- d--h--w- c:\documents and settings\all users\application data\AVAST Software
2011-05-18 18:32:16 -------- d-----w- c:\program files\AVAST Software
2011-05-18 18:13:02 -------- d--h--w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
2011-05-18 18:08:52 -------- dc-h--w- c:\documents and settings\all users\application data\{91EC863D-D912-4466-91CC-9489A4A2ADD3}
2011-05-18 17:29:21 -------- d-----w- c:\windows\system32\MpEngineStore
2011-05-15 15:20:56 -------- d--h--w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-05-15 15:20:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-13 13:11:54 523842 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-05-12 18:48:35 98816 ----a-w- c:\windows\sed.exe
2011-05-12 18:48:35 89088 ----a-w- c:\windows\MBR.exe
2011-05-12 18:48:35 256512 ----a-w- c:\windows\PEV.exe
2011-05-12 18:48:35 161792 ----a-w- c:\windows\SWREG.exe
2011-05-12 18:20:32 -------- d--h--w- c:\documents and settings\all users\application data\AVG Security Toolbar
2011-05-12 04:59:42 -------- d-----w- C:\$AVG
2011-05-12 04:11:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-05-12 04:07:04 -------- d--h--w- c:\documents and settings\all users\application data\AVG10
2011-05-12 04:04:24 -------- d--h--w- c:\documents and settings\all users\application data\MFAData
2011-05-12 03:51:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-12 03:51:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-12 03:45:09 -------- d--h--w- c:\program files\common files\xing shared
2011-05-12 01:37:19 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes(2)
.
==================== Find3M ====================
.
2011-05-13 17:09:13 0 -c--a-w- c:\windows\Jcudifasocukexug.bin
2011-03-07 05:33:50 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ---ha-w- c:\windows\system32\win32k.sys
2010-03-02 16:31:53 363008 ---ha-w- c:\program files\rkill.com
2010-03-02 16:28:45 290816 ---ha-w- c:\program files\exeHelper.com
.
============= FINISH: 11:05:59.32 ===============

I also need to add that I can only get into the owner logon, windows resize themselves at random, searches take me to sites with advertisements when I click on the results, my sound works for a few minutes to a few hours then quits, and my desktop (when I could still logon as me) and contents of folders were not viewable even after I went to control panel/tools dropdown/folder options/view/show desktop items.

Basically I'm at the point where if you guys can't help, I'm probably going to have to throw this computer out. I think I've been hit with multiple attacks, and I haven't been able to figure anything out.

EDIT: Posts merged ~Budapest

This post has been edited by Budapest: 29 May 2011 - 05:03 PM
Reason for edit: Moved from XP to Malware Removal Logs.

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

• Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  
  
• Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  
  
• If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  
  
• In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  
  
• If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  
  
• Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  
  
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  
  
• I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
  Because of this, you must reply within three days failure to reply will result in the topic being closed!
  
  
• Please do not PM me directly for help. If you have any questions, post them in this topic.
  
  
• Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
  Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Running Flash Disinfector
Download Flash_Disinfector.exe by sUBs from HERE and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  
• Wait until it has finished scanning and then exit the program.
  
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


NEXT:



Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

• Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• Click the Report tab, then click Scan.
  
• Check Drivers, Stealth Code, and uncheck the rest.
  
• Click OK.
  
• Wait until it's finished and then go to File > Save Report.
  
• Save the report to your Desktop.
  
• Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report

• Please download OTL from here:
  
  • Main Mirror
    
  • Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Change the "Extra Registry" option to "SafeList"
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  
  • OTL.txt <-- Will be opened
    
  • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.