Search results redirected

2 replies to this topic

#1 PJ the Barbarian

  • Members
  • 6 posts

Posted 10 February 2009 - 03:41 PM

EDIT: LOOK BELOW FOR POSSIBLE SOLUTION

First, here are my DDS logs:

DDS.txt:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Paul at 14:24:24.90 on 2009-02-10
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1344 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Paul\Desktop\Firefox Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
BHO: {d19a8757-f51b-4154-988d-1ee2c6733c0c} - c:\windows\system32\fccCSlIb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn311\wlancfg5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg121 configuration utility\wlancfg8.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\bthg04mb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-9-14 77312]
S3 krdpdre;krdpdre;\??\c:\docume~1\paul\locals~1\temp\krdpdre.sys --> c:\docume~1\paul\locals~1\temp\krdpdre.sys [?]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [2007-11-8 337184]

=============== Created Last 30 ================

2009-02-10 12:42 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 12:42 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 12:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 12:28 388,608 a------- c:\windows\system32\CF12908.exe
2009-02-10 12:28 <DIR> --d----- C:\ComboFix
2009-02-10 12:22 <DIR> --d----- C:\VundoFix Backups
2009-02-10 12:01 4 a------- c:\windows\paoqwrrf
2009-02-06 23:48 <DIR> --d----- c:\docume~1\paul\applic~1\Malwarebytes
2009-02-06 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-06 23:44 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-06 23:21 302,080 -------- c:\windows\system32\ssqPgHbb.dll
2009-02-06 23:04 161,792 a------- c:\windows\SWREG.exe
2009-02-06 23:04 98,816 a------- c:\windows\sed.exe
2009-02-06 14:54 2,412 a------- c:\windows\orgcxsyi
2009-02-04 23:25 <DIR> --d----- c:\docume~1\paul\applic~1\GetRightToGo
2009-02-04 10:18 <DIR> --d----- c:\program files\Black Isle

==================== Find3M ====================

2006-01-25 11:30 456,768 a------- c:\windows\inf\wpn311\WPN311.sys
2005-01-27 10:59 35,232 a------- c:\windows\inf\wpn311\ME_INST.EXE
2005-01-27 10:59 26,112 a------- c:\windows\inf\wpn311\install.exe
2003-12-18 09:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 05:46 10,960 a------- c:\program files\EULA.txt

============= FINISH: 14:24:33.79 ===============



and attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2007-04-19 20:24:43
System Uptime: 2009-02-10 12:33:04 (2 hours ago)

Motherboard: Shuttle Inc | | FX22V10
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket M2 | 2199/200mhz
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket M2 | 2199/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 74.359 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Rhine II Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021019&REV_78\3&2411E6FE&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Rhine II Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021019&REV_78\3&2411E6FE&0&90
Service: FET5X86V

==== System Restore Points ===================

RP141: 2009-02-06 23:22:19 - System Checkpoint
RP142: 2009-02-06 23:22:21 - System Checkpoint
RP143: 2009-02-06 23:22:22 - System Checkpoint
RP144: 2009-02-06 23:22:23 - System Checkpoint
RP145: 2009-02-06 23:22:24 - System Checkpoint
RP146: 2009-02-06 23:22:25 - System Checkpoint
RP147: 2009-02-06 23:22:26 - System Checkpoint
RP148: 2009-02-06 23:22:28 - System Checkpoint
RP149: 2009-02-06 23:22:29 - System Checkpoint
RP150: 2009-02-06 23:22:30 - System Checkpoint
RP151: 2009-02-06 23:22:32 - System Checkpoint
RP152: 2009-02-06 23:22:32 - System Checkpoint
RP153: 2009-02-06 23:22:33 - System Checkpoint
RP154: 2009-02-06 23:22:37 - System Checkpoint
RP155: 2009-02-06 23:22:38 - System Checkpoint
RP156: 2009-02-06 23:22:39 - System Checkpoint
RP157: 2009-02-06 23:22:39 - System Checkpoint
RP158: 2009-02-06 23:22:39 - System Checkpoint
RP159: 2009-02-06 23:22:40 - System Checkpoint
RP160: 2009-02-06 23:22:40 - System Checkpoint
RP161: 2009-02-06 23:22:42 - System Checkpoint
RP162: 2009-02-06 23:22:43 - System Checkpoint
RP163: 2009-02-06 23:22:43 - System Checkpoint
RP164: 2009-02-06 23:22:43 - System Checkpoint
RP165: 2009-02-06 23:22:43 - Configured SAS10
RP166: 2009-02-06 23:22:43 - System Checkpoint
RP167: 2009-02-06 23:22:44 - System Checkpoint
RP168: 2009-02-06 23:22:45 - System Checkpoint
RP169: 2009-02-06 23:22:46 - Removed Ventrilo Client
RP170: 2009-02-06 23:22:46 - Installed Ventrilo Client
RP171: 2009-02-06 23:22:47 - System Checkpoint
RP172: 2009-02-06 23:22:48 - System Checkpoint
RP173: 2009-02-06 23:22:49 - System Checkpoint
RP174: 2009-02-06 23:22:50 - System Checkpoint
RP175: 2009-02-06 23:22:50 - System Checkpoint
RP176: 2009-02-06 23:22:51 - System Checkpoint
RP177: 2009-02-06 23:22:52 - System Checkpoint
RP178: 2009-02-06 23:22:53 - System Checkpoint
RP179: 2009-02-06 23:22:53 - System Checkpoint
RP180: 2009-02-06 23:22:55 - System Checkpoint
RP181: 2009-02-06 23:22:55 - System Checkpoint
RP182: 2009-02-06 23:22:56 - System Checkpoint
RP183: 2009-02-06 23:22:57 - System Checkpoint
RP184: 2009-02-06 23:22:58 - System Checkpoint
RP185: 2009-02-06 23:22:59 - System Checkpoint
RP186: 2009-02-06 23:23:00 - System Checkpoint
RP187: 2009-02-06 23:23:00 - System Checkpoint
RP188: 2009-02-06 23:23:00 - System Checkpoint
RP189: 2009-02-06 23:23:01 - System Checkpoint
RP190: 2009-02-06 23:23:01 - System Checkpoint
RP191: 2009-02-06 23:23:02 - System Checkpoint
RP192: 2009-02-06 23:23:02 - System Checkpoint
RP193: 2009-02-06 23:23:03 - System Checkpoint
RP194: 2009-02-10 12:41:30 - Removed DAEMON Tools
RP195: 2009-02-06 23:23:04 - System Checkpoint
RP196: 2009-02-06 23:23:04 - System Checkpoint
RP197: 2009-02-06 23:23:05 - System Checkpoint
RP198: 2009-02-06 23:23:05 - System Checkpoint
RP199: 2009-02-06 23:23:05 - System Checkpoint
RP200: 2009-02-06 23:23:05 - System Checkpoint
RP201: 2009-02-06 23:23:06 - System Checkpoint
RP202: 2009-02-06 23:23:06 - System Checkpoint
RP203: 2009-02-06 23:23:06 - System Checkpoint
RP204: 2009-02-06 23:23:08 - System Checkpoint
RP205: 2009-02-06 23:23:09 - System Checkpoint
RP206: 2009-02-06 23:23:10 - System Checkpoint
RP207: 2009-02-06 23:23:10 - System Checkpoint
RP208: 2009-02-06 23:23:10 - System Checkpoint
RP209: 2009-02-06 23:23:10 - System Checkpoint
RP210: 2009-02-06 23:23:10 - System Checkpoint
RP211: 2009-02-06 23:23:11 - System Checkpoint
RP212: 2009-02-06 23:23:11 - System Checkpoint
RP213: 2009-02-06 23:23:11 - System Checkpoint
RP214: 2009-02-06 23:23:13 - System Checkpoint
RP215: 2009-02-06 23:23:14 - System Checkpoint
RP216: 2009-02-06 23:23:14 - System Checkpoint
RP217: 2009-02-06 23:23:15 - System Checkpoint
RP218: 2009-02-06 23:23:15 - System Checkpoint
RP219: 2009-02-06 23:23:16 - System Checkpoint
RP220: 2009-02-06 23:23:16 - System Checkpoint
RP221: 2009-02-06 23:23:18 - Installed Icewind Dale II
RP222: 2009-02-06 23:23:18 - Removed Icewind Dale II
RP223: 2009-02-06 23:23:19 - Installed Neverwinter Nights 2
RP224: 2009-02-06 23:23:19 - Installed Windows Installer KB893803v2.
RP225: 2009-02-06 23:23:20 - Installed DirectX
RP226: 2009-02-06 23:23:20 - Installed Storm of Zehir
RP227: 2009-02-06 23:23:21 - Installed Mask of the Betrayer
RP228: 2009-02-06 23:23:22 - Installed Storm of Zehir
RP229: 2009-02-06 23:23:24 - System Checkpoint
RP230: 2009-02-06 23:23:25 - Last known good configuration
RP231: 2009-02-06 23:23:27 - ComboFix created restore point
RP232: 2009-02-06 23:24:22 - Last known good configuration
RP233: 2009-02-08 00:05:21 - System Checkpoint
RP234: 2009-02-09 01:34:44 - System Checkpoint
RP235: 2009-02-10 02:22:43 - System Checkpoint
RP236: 2009-02-10 12:41:32 - Removed Ad-Aware
RP237: 2009-02-10 14:23:15 - Removed DAEMON Tools

==== Installed Programs ======================

7-Zip 4.42
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
AGEIA PhysX v2.3.3
AGEIA PhysX v7.07.24
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center
ATI Multimedia Center 9.09
ATI Parental Control
ATI Problem Report Wizard
ATI Remote Wonder
ATI Remote Wonder 3.02
AuthorScript Engine 1.0
AutoUpdate
Baldur's Gate™ II - Throne of Bhaal ™
Bonjour
CDDRV_Installer
DAO
DDS Converter 2.1
DivX Codec
DivX Converter
DivX Web Player
Dual-Core Optimizer
e-PDF To Word Converter v2.5
FontCreator 5.6
GTK+ 2.10.6-1 runtime environment
GUIDE PLUS+™ for Windows® System - ATI
HijackThis 2.0.2
iTunes
Java™ 6 Update 2
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
KhalSetup
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office XP Professional
Microsoft Press Readiness Review Suite 70-270
Microsoft Press Readiness Review Suite 70-271
Microsoft Silverlight
Microsoft SQL Server Native Client
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.0.6)
Mozilla Thunderbird (2.0.0.19)
NETGEAR WPN311 Wireless Adapter
Neverwinter Nights 2
NTFS Undelete v0.93
NVIDIA Drivers
Platform
PopCap Browser Plugin
QuickTime
Real Alternative 1.60
Realtek AC'97 Audio
RiffTrax DVD Player
SAS10
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Sid Meier's Civilization 4
SiSoftware Sandra Lite XII.SP1
The GIMP 2.2.14
Trillian
Unity Web Player
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Ventrilo Client
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
WebFldrs XP
WG121 Smart Wizard
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver

==== Event Viewer Messages From Past Week ========

2009-02-04 09:06:38, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00146CBFA8CC. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2009-02-04 07:28:11, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: stwlfbus
2009-02-04 10:30:25, error: viasraid [9] - The device, \Device\Scsi\viasraid1, did not respond within the timeout period.
2009-02-06 14:48:38, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
2009-02-06 16:43:33, error: nv [14] - Unknown error on CMDre 00000001 00000080 00000000 00000005 00000006
2009-02-06 18:58:52, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2009-02-06 18:58:52, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
2009-02-06 19:03:46, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: orgcxsyi stwlfbus
2009-02-06 23:22:05, error: Service Control Manager [7000] - The paoqwrrf service failed to start due to the following error: The system cannot find message text for message number 0x%1 in the message file for %2.
2009-02-07 00:01:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: orgcxsyi paoqwrrf stwlfbus
2009-02-10 12:27:03, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2009-02-10 12:27:06, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2009-02-10 12:27:19, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2009-02-10 12:27:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2009-02-10 12:28:21, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2009-02-10 12:28:21, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-02-10 12:28:21, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2009-02-10 12:28:21, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-02-10 12:28:21, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-02-10 12:28:21, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-02-10 12:28:21, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss stwlfbus Tcpip

==== End Of File ===========================


Some details:

I first had a search result redirect problem about a month ago. I thought I had fixed it, but the problem recurred. I do not know if I got the same or a similar virus again, or if I failed to completely remove it the first time.

This week it has recurred. As of this morning MBAM detected several infections and attempted to clean them. According to the MBAM logs:

When I ran the scan the first time, it detected 7 registry keys, 7 memory modules, 5 registry values, 1 registry data item, and 9 files infected. All of these were listed as type trojan.vundo.h. It reported that it had successfully cleaned all of this except for the memory modules and the 7 files associated with them, which would be deleted on reboot. I restarted.

After the restart, I ran it again and it detected 14 registry keys, 3 registry values, and 5 files that were infected and needed to be removed. One of the files would have to be removed on restart. It labelled the infections as either trojan.vundo, trojan.agent, or rootkit.agent. One of the rootkit agent files (C:\WINDOWS\system32\Drivers\njxppiiz.sys) was listed as "delete on reboot."

When I rebooted and ran the scan a third time, njxppiiz.sys was the only infection it found, and again it said it would delete on reboot.

After this reboot, and ever since, MBAM detects nothing. However, my search results are still redirected occasionally. It seems that they are almost always redirected if I choose to open them in a new tab (about 90%), and sometimes redirected if I simply click to open them in my current tab (about 25%).

The first time I had the virus, a month ago, it disabled teatimer and prevented me from using housecall at trend.com. This time I am able to use housecall but it detects nothing. Any help would be appreciated.

I have also tried vundofix, with no success.

A few more details if they help:

The most common thing I see when I click a google search result is "waiting for clickfraudmanager" followed by a site from monstermarketplace or couponmountain or some other nonsense like that.

Another edit with some details that may help:

15-20 minutes of experimentation seems to indicate that only Firefox is affected, IE may not be.

Edited by PJ the Barbarian, 11 February 2009 - 06:26 AM.




#2 PJ the Barbarian
  • Topic Starter

  • Members
  • 6 posts

Posted 11 February 2009 - 06:25 AM

I have solved this problem through research and trial and error, and I would like to share my findings.

Here is what's happening, as best I understand it: my malware scans were coming up clean because my registry, system32 folder, etc. ARE CLEAN. The virus left me a present in my Firefox installation.

IF you are getting Google searches redirected through www.clickfraudmanager.com in FIREFOX 3.0 specifically, do the following:

Go to C:\Program Files\Mozilla Firefox\extensions (assuming that's your installation directory)

Drag one of the folders to the desktop, or otherwise remove it from the extensions folder without deleting it.

Try a Google search for some random terms and open 5-10 links (I believe I searched for terms as varied as "problematic," "boats," and "training." What you search for doesn't matter). If you're still getting redirected you have removed the wrong extension. Keep trying, one at a time, until you find the one that's the problem.

EDIT: forgot a step. When you think you've found it, verify that you've found it by putting it back and seeing if you get redirected again. If so, KILL IT WITH FIRE!

For me the problem folder was named {970E142F-23AE-4968-BBA0-BEE1B16DEBE2}.

I have zipped up this folder and would like to know where to submit it, to maybe have our favorite malware scanners recognize it. Please let me know where to send it.

From other sources I have been told that two addons can prevent this problem in the future: one is called Web of Trust (WOT), and the other is called NoScript.

Again it's important to note that this information will only help you in the following situation:

1) You use Firefox 3.0

2) You had Vundo or some other virus whose primary symptom was pop-ups and/or redirected search results

3) You have removed the virus (I believe that MBAM killed the virus itself for me)

4) but search results, specifically in Firefox, are still redirecting. (Test this by trying some searches in another browser, like IE.)


I see a lot, lot, lot of threads that seem to have this problem in the past week or so. I hope this helps someone.

Edited by PJ the Barbarian, 11 February 2009 - 06:28 AM.
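Added example (not code from the thread or from Mozilla): an inventory of a Firefox 3.x extensions directory that covers the inspection side of the move-one-folder-out bisection above without moving anything. It parses each folder's install.rdf and flags folders whose manifest is missing, does not parse, lacks a name or creator, or declares an em:id that differs from the folder name. The sample extensions it builds in a temp folder are constructed, with placeholder GUIDs rather than the one from the post.

```python
"""Inventory Firefox 3.x extension folders and flag the ones worth a closer look.

Added example, not from the thread or from Mozilla. Firefox 3.0 kept each
extension in its own folder (named after the extension id, often a GUID)
holding an install.rdf manifest. Nothing here is modified or deleted.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
FIELDS = ("id", "name", "version", "creator")


def parse_install_rdf(path):
    """Return the em:* fields of the install-manifest Description as a dict."""
    root = ET.parse(path).getroot()
    info = {}
    for desc in root.iter(RDF + "Description"):
        # 'about' may be written bare or as RDF:about depending on the manifest
        about = desc.get("about") or desc.get(RDF + "about")
        if about != "urn:mozilla:install-manifest":
            continue
        for key in FIELDS:
            el = desc.find(EM + key)
            if el is not None and el.text and el.text.strip():
                info[key] = el.text.strip()
            elif desc.get(EM + key):          # attribute form: em:id="..."
                info[key] = desc.get(EM + key)
        break
    return info


def inventory(ext_dir):
    """Return one finding per entry in ext_dir; 'flags' lists anything odd."""
    findings = []
    for entry in sorted(os.listdir(ext_dir)):
        full = os.path.join(ext_dir, entry)
        finding = {"folder": entry, "flags": []}
        findings.append(finding)
        if not os.path.isdir(full):
            # A plain file here is a "pointer" install whose content is another path
            finding["flags"].append("pointer file, not a folder")
            continue
        manifest = os.path.join(full, "install.rdf")
        if not os.path.isfile(manifest):
            finding["flags"].append("no install.rdf")
            continue
        try:
            finding.update(parse_install_rdf(manifest))
        except ET.ParseError:
            finding["flags"].append("install.rdf does not parse")
            continue
        if finding.get("id") != entry:
            finding["flags"].append("folder name differs from em:id")
        for key in ("name", "creator"):
            if not finding.get(key):
                finding["flags"].append("manifest has no em:" + key)
    return findings


def suspicious(findings):
    """Folder names of every entry that raised at least one flag."""
    return [f["folder"] for f in findings if f["flags"]]


MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>{extra}
    <em:version>1.0</em:version>
  </Description>
</RDF>
"""


def build_sample_tree(base):
    """Write a constructed extensions directory: one normal add-on, two odd ones."""
    good = "{11111111-2222-3333-4444-555555555555}"   # placeholder ids, constructed
    odd = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
    os.makedirs(os.path.join(base, good))
    with open(os.path.join(base, good, "install.rdf"), "w") as fh:
        fh.write(MANIFEST.format(id=good, extra="\n    <em:name>Sample Add-on</em:name>\n"
                                 "    <em:creator>Sample Author</em:creator>"))
    os.makedirs(os.path.join(base, odd))
    with open(os.path.join(base, odd, "install.rdf"), "w") as fh:
        # id inside the manifest does not match the folder; no name, no creator
        fh.write(MANIFEST.format(id="{00000000-0000-0000-0000-000000000000}", extra=""))
    os.makedirs(os.path.join(base, "bare@example.invalid"))  # folder without a manifest


def demo():
    """Build the constructed tree in a temp dir and return (findings, flagged folders)."""
    base = tempfile.mkdtemp()
    build_sample_tree(base)
    findings = inventory(base)
    return findings, suspicious(findings)
```

Point `inventory()` at a real directory such as C:\Program Files\Mozilla Firefox\extensions (or the profile's extensions folder) to list what is installed and which entries deserve the bisection test; `demo()` runs the same logic over the constructed tree.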


#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,221 posts

Posted 11 February 2009 - 11:03 AM

Thanks for that explanation. Two things:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Now if all is clean then...
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.