Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with spyware/malware/virus?

  • Please log in to reply
1 reply to this topic

#1 Muscles00GT


  • Members
  • 1 posts
  • Local time:08:48 AM

Posted 08 January 2009 - 02:18 PM

About a week or so ago I noticed my computer was infected with what I presumed was spyware. Ads were popping up like crazy and it just got progressively worse. My computer would freeze and run extremely slow. I have Verizon FIOS and the connection is usually very quick. I use Mozilla Firefox as my explorer and sometimes when I would go to Google to search for anything, 20+ Firefox windows would just pop up immediately. Now, my computer freezes routinely and often takes a good 6-10 times to restart in order for me to just get onto the internet :thumbsup: . My wallpaper displayes a flashing "WARNING Dangerous Spyware" message that says, "Many viruses were found on your computer such as: Trojan horse, Pass Capture, etc. Your personal information can fall into third hands." I assume this is just another part of the whole spyware/malware/virus thing. In addition, when I am online, the links that are usually highlighted in blue are now in red and at the top of my explorer window are messages such as, "Warning your computer is in Danger please perform quick scan," or "You have 18 trojans that need scanning immediately," and so forth. I really have no clue what I'm infected with, but I hope someone can point me in the right direction. I'd appreciate any help greatly!!!

DDS (Ver_09-01-07.01) - NTFSx86
Run by Bob at 14:06:09.10 on Thu 01/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.145 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1125535077\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125535077\ee\AOLServiceHost.exe
c:\program files\common files\aol\1125535077\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1125535077\ee\AOLServiceHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bob.HOMECOMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWindow Title = Microsoft Internet Explorer presented by Comcast
uURLSearchHooks: H - No File
mWinlogon: Shell=Explorer.exe,
mWinlogon: Userinit=c:\windows\system32\userinit.exe,vlieodx.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [quvpe] c:\windows\system32\uhkwdx.exe reg_run
uRun: [09cb02e8.exe] c:\documents and settings\bob.homecomputer\local settings\application data\09cb02e8.exe
uRun: [f641b882.exe] c:\documents and settings\bob.homecomputer\local settings\application data\f641b882.exe
uRun: [Download] "c:\program files\support.com\bin\DDGet.exe" 120 "http://media2.comcast.net/anon.comcastonline2/support/comcastsupport/DesktopDoctor1.5.1.exe" "DesktopDoctor1.5.1.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WinSpywareProtect] "c:\documents and settings\all users.windows\application data\adsl software ltd\winspywareprotect\Winspywareprotect.exe" /autorun
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [win320804-8051985] c:\windows\win320804-8051985.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Ixoquvasaxogapog] rundll32.exe "c:\windows\Ncejidelujo.dll",e
mRun: [Fdoqopiran] rundll32.exe "c:\windows\omohalafun.dll",e
mRun: [Framework Windows] frmwrk32.exe
dRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
StartupFolder: c:\docume~1\bob~1.hom\startm~1\programs\startup\realve~1.lnk - c:\program files\real vegas online\casino.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\temp\ntdll64.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: Controls Folder - c:\windows\system32\m864lijq18oe.dll
AppInit_DLLs: xpydgr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {eb9f614b-ea44-40d0-8829-542e4f254739} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\iiffFuVp

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bob~1.hom\applic~1\mozilla\firefox\profiles\v5csrm3m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npskilljamloader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npssp32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {20F898EC-C873-487D-B24D-0D237C24A1A6} - c:\documents and settings\julie.homecomputer\local settings\application data\{20F898EC-C873-487D-B24D-0D237C24A1A6}
FF - HiddenExtension: XUL Cache: {49E81F35-8305-4245-A0DE-ECB1C2C27DAA} - c:\documents and settings\bob.homecomputer\local settings\application data\{49E81F35-8305-4245-A0DE-ECB1C2C27DAA}
FF - HiddenExtension: XUL Cache: {4991B397-E993-47FA-AB1A-C14FD8F808E2} - c:\windows\system32\config\systemprofile\local settings\application data\{4991b397-e993-47fa-ab1a-c14fd8f808e2}\

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2006-5-22 30656]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2006-5-22 51456]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-30 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-30 40488]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-30 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-30 144704]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-18 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-30 33832]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [2002-9-3 5120]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-08 13:56 4,785 a------- c:\windows\system32\warning.gif
2009-01-08 13:44 3,530 a------- c:\windows\system32\tmp.reg
2009-01-07 16:44 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-07 12:39 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-06 17:36 111,616 a------- c:\windows\system32\NTDLL64.EXE
2009-01-06 15:52 137,728 a------- c:\windows\system32\xpydgr.dll
2009-01-06 15:52 137,728 a------- c:\windows\system32\cxjxxnmc.dll
2009-01-06 12:31 <DIR> --d----- c:\docume~1\bob~1.hom\applic~1\SUPERAntiSpyware.com
2009-01-06 11:09 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-01-06 11:08 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 03:00 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 02:40 111,616 ac------ c:\windows\system32\dllcache\userinit.exe
2009-01-06 01:05 1 a------- c:\windows\system32\uniq.tll
2009-01-06 01:05 24,576 a------- c:\windows\system32\frmwrk32.exe
2009-01-06 01:05 24,576 a------- c:\windows\system32\pcload.exe
2009-01-05 18:29 133,120 a------- c:\windows\uduhoneniqe.dll
2009-01-05 11:49 128,000 a------- c:\windows\system32\rsqqrl.dll
2009-01-05 11:49 128,000 a------- c:\windows\system32\kfwfdikd.dll
2009-01-05 11:43 91,648 a------- c:\windows\system32\cxqlxbvu.dll
2009-01-05 11:43 1,307,382 ---sh--- c:\windows\system32\uvbxlqxc.ini
2009-01-05 00:28 1,307,356 ---sh--- c:\windows\system32\oyxfbufl.ini
2009-01-05 00:25 128,000 a------- c:\windows\system32\nujyrb.dll
2009-01-05 00:25 128,000 a------- c:\windows\system32\woxtthoe.dll
2009-01-04 00:26 1,307,356 ---sh--- c:\windows\system32\yqammjvs.ini
2009-01-04 00:23 134,144 a------- c:\windows\system32\pzquup.dll
2009-01-04 00:23 134,144 a------- c:\windows\system32\slmtxdol.dll
2009-01-02 19:26 134,144 a------- c:\windows\system32\tlnmrm.dll
2009-01-02 19:26 134,144 a------- c:\windows\system32\nyeeymma.dll
2009-01-01 22:57 132,608 a------- c:\windows\system32\viswmn.dll
2009-01-01 22:57 132,608 a------- c:\windows\system32\lsbaxhgp.dll
2009-01-01 22:54 1,307,356 ---sh--- c:\windows\system32\cmrsoojf.ini
2009-01-01 10:22 0 a------- c:\windows\system32\mcrh.tmp
2008-12-31 22:56 130,560 a------- c:\windows\system32\bfwshi.dll
2008-12-31 22:56 130,560 a------- c:\windows\system32\bejqugmx.dll
2008-12-31 22:53 1,307,356 ---sh--- c:\windows\system32\ojebfbiv.ini
2008-12-31 22:53 89,600 a------- c:\windows\system32\vibfbejo.dll
2008-12-30 23:01 1,307,356 ---sh--- c:\windows\system32\wqmpopxy.ini
2008-12-30 22:58 126,976 a------- c:\windows\system32\pnlqnx.dll
2008-12-30 22:58 126,976 a------- c:\windows\system32\tbapctqa.dll
2008-12-29 23:03 131,584 a------- c:\windows\system32\ayhfei.dll
2008-12-29 23:03 131,584 a------- c:\windows\system32\csmvngdg.dll
2008-12-29 22:54 87,552 a------- c:\windows\system32\fqkhungm.dll
2008-12-29 22:54 1,308,204 ---sh--- c:\windows\system32\mgnuhkqf.ini
2008-12-28 22:54 1,306,974 ---sh--- c:\windows\system32\qdjjectc.ini
2008-12-27 23:23 133,120 a------- c:\windows\omohalafun.dll
2008-12-27 23:11 40,448 a------- c:\windows\Ncejidelujo.dll
2008-12-27 23:11 40,448 a------- c:\windows\system32\k9261108.exe
2008-12-27 22:49 1,306,974 ---sh--- c:\windows\system32\qugwpcmj.ini
2008-12-27 22:46 705,779 a--sh--- c:\windows\system32\pVuFffii.ini2
2008-12-27 22:46 705,779 a--sh--- c:\windows\system32\pVuFffii.ini
2008-12-27 22:40 35,328 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2009-01-06 02:39 111,616 a------- c:\windows\system32\userinit.exe
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 05:37 659,456 a------- c:\windows\system32\wininet.dll
2008-10-15 13:48 262,144 a------- C:\ntuser.dat
2006-05-19 19:09 1,961 a------- c:\documents and settings\bob.homecomputer\ordertempopt.bin

============= FINISH: 14:08:20.06 ===============

Attached Files

Edited by Muscles00GT, 08 January 2009 - 02:20 PM.

BC AdBot (Login to Remove)


#2 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:48 PM

Posted 09 January 2009 - 06:29 PM

Hello Muscles00GT and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Download LSPFix and extract it to your desktop.
Don't use it yet.
A tutorial on the use of thsi tool can be found here : http://www.bleepingcomputer.com/tutorials/using-lsp-fix-to-remove-spyware/

3. Please download ComboFix from one of the locations below, and save it to your Desktop.


Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

4. Run LSPFix.
Close all windows on your computer.
Double click on Lspfix to run it.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "ntdll64.dll" into the remove box using the >> button.
Press the Finish button.

Whatever happens, make believe it was intended to ...
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted --> Posted Image <-- And make a difference

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users