Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


IE & Firefox Not loading Webpages (due to Malware)

  • This topic is locked This topic is locked
2 replies to this topic

#1 robogeek78


  • Members
  • 1 posts
  • Local time:01:41 PM

Posted 11 February 2009 - 11:04 PM

A friend Brought me a computer that will not load webpages in IE or Firefox, It doesn't even say page cannot be loaded. After a while the page thinks it is done but all it is a blank white screen. This apparently happended at or just after lots of malware, trojans got on the system. I have Tried Restoring a few DLLS using regsvr32. Deleted a few known malware registry keys, and then downloading and running Malwarebytes' Anti-Malware. I also Have Reset the HOSTS file back to default.

I am Pasting a DDS.txt Log That was run after a Scan from MalwareBytes'. I am also Attaching the Attach.txt log and the Log file from the Malwarebytes' scan.

I have run accross lots of different infections and been able to remove them cleanly but this one that disables all web browsing is new to me. Oh and Malwarebytes' was not able to connect to get new updates either. I assume because of the same issue.

Let me Know if you need anything else.

Thanks in advance for your assitance.

============== START DDS.TXT ==========================================

DDS (Ver_09-02-01.01) - NTFSx86
Run by Magee at 22:39:21.17 on Wed 02/11/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.588 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=localhost:7070
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\magee\gsiywi.exe \s,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_07\bin\jusched.exe
dRun: [brastk] c:\windows\system32\brastk.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [dbujzqxb.exe] c:\windows\dbujzqxb.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/html - {4a651e5e-d154-40e7-bf84-c53884967a8d} - c:\windows\system32\mst122.dll
Notify: cbXPjIyV - cbXPjIyV.dll
AppInit_DLLs: atbngv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
STS: {D5BF4552-94F1-42BD-F434-3604812C807D} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyYSli

============= SERVICES / DRIVERS ===============

R0 wcbsrfee;wcbsrfee;c:\windows\system32\drivers\wcbsrfee.sys [2009-2-10 33920]
R1 nfr.sys;nfr.sys;c:\windows\system32\drivers\nfr.sys [2009-2-10 9216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 Logical Disk Manager (NDIS);Logical Disk Manager (NDIS);c:\program files\system\smss.exe [2009-2-10 30292]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-18 99376]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2008-7-8 59328]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090205.048\NAVENG.SYS [2009-2-5 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090205.048\NAVEX15.SYS [2009-2-5 876112]
S1 ethkvrdm;ethkvrdm;c:\windows\system32\drivers\ethkvrdm.sys [2009-2-10 138336]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
S4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-10 45132]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-02-11 22:05 <DIR> --d----- c:\docume~1\magee\applic~1\Malwarebytes
2009-02-11 22:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-11 22:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 22:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-11 22:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 22:03 0 a------- C:\SDFix.exe
2009-02-11 00:46 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-11 00:36 <DIR> --d----- c:\windows\pss
2009-02-10 14:44 33,920 a------- c:\windows\system32\drivers\wcbsrfee.sys
2009-02-10 14:43 15,000 a------- c:\windows\system32\_rah3b8ffdnd.dll
2009-02-10 14:43 138,336 a------- c:\windows\system32\drivers\ethkvrdm.sys
2009-02-10 14:43 616 a------- c:\windows\system32\33.tmp
2009-02-10 14:43 32,256 a---h--- c:\documents and settings\magee\gsiywi.exe
2009-02-10 14:43 25,601 a------- c:\windows\system32\32.tmp
2009-02-10 14:43 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-10 14:42 3,584 a------- c:\windows\dbujzqxb.exe
2009-02-10 14:40 41,984 a------- c:\windows\Ryimevurij.dll
2009-02-10 14:39 164,708 a------- c:\windows\system32\10.tmp
2009-02-10 14:39 <DIR> --d----- c:\program files\system
2009-02-10 14:39 9,216 a------- c:\windows\system32\drivers\nfr.sys
2009-02-10 14:39 2 a------- C:\819832500
2009-02-10 14:39 15,000 a------- c:\windows\system32\_hsfd83jfdg.dll
2009-02-10 14:38 72,704 a------- c:\windows\system32\fpijnwvv.dll
2009-02-10 14:38 129,024 a------- c:\windows\system32\cpwrljat.dll
2009-02-10 14:38 129,024 a------- c:\windows\system32\atbngv.dll
2009-02-10 14:37 129,024 a------- c:\windows\system32\qldtji.dll
2009-02-10 14:37 129,024 a------- c:\windows\system32\tflyspcq.dll
2009-02-07 22:52 1,569,650 a--sh--- c:\windows\system32\bqvyojmq.ini
2009-02-07 22:52 129,024 a------- c:\windows\system32\coqxlk.dll
2009-02-07 22:52 129,024 a------- c:\windows\system32\bxgiaxri.dll
2009-02-07 17:41 9,216 a------- c:\windows\system32\iehelper.dll
2009-02-06 22:51 129,024 a------- c:\windows\system32\yxjlhb.dll
2009-02-06 22:51 129,024 a------- c:\windows\system32\swwsshdv.dll
2009-02-06 22:51 85,637 a------- c:\windows\system32\ab57b6f9-09d1-20e0-cfe5-157a480f236a.exe
2009-02-06 22:49 1,569,650 a--sh--- c:\windows\system32\uoehcyqj.ini
2009-02-05 20:28 48,640 a------- c:\windows\system32\jkkJcCvt.dll
2009-02-05 20:20 48,640 a------- c:\windows\system32\pmnoOGWo.dll
2009-02-05 16:19 673,792 a------- c:\windows\system32\nseB.dll
2009-02-05 14:10 129,024 a------- c:\windows\system32\rsnali.dll
2009-02-05 14:10 129,024 a------- c:\windows\system32\smxffjxo.dll
2009-02-05 14:06 1,558,506 a--sh--- c:\windows\system32\yabyefbr.ini
2009-02-04 21:14 <DIR> --d----- c:\program files\common files\Download Manager
2009-02-04 13:55 129,024 a------- c:\windows\system32\cqmrpd.dll
2009-02-04 13:55 129,024 a------- c:\windows\system32\orhywlfp.dll
2009-02-03 22:17 <DIR> --d----- c:\program files\common files\rkff
2009-02-03 22:17 <DIR> --d----- c:\windows\rkff
2009-02-03 22:10 1,523,296 a--sh--- c:\windows\system32\jsscaxfk.ini
2009-02-03 22:05 129,024 a------- c:\windows\system32\gvovok.dll
2009-02-03 22:05 129,024 a------- c:\windows\system32\xothvele.dll
2009-02-02 22:05 85,301 a------- c:\windows\system32\cont_worldadmarketplace-remove.exe
2009-02-02 22:04 129,024 a------- c:\windows\system32\iggjyx.dll
2009-02-02 22:04 129,024 a------- c:\windows\system32\nouqwqxn.dll
2009-02-02 22:04 48,266 a------- c:\windows\system32\vemxnjxfar.exe
2009-02-02 21:50 <DIR> --dsh--- c:\windows\TWVnYW4
2009-02-02 21:35 <DIR> --d----- c:\docume~1\magee\applic~1\Twain
2009-02-02 21:30 <DIR> --d----- c:\program files\WebShow
2009-02-02 21:26 129,024 a------- c:\windows\system32\alfoef.dll
2009-02-02 21:26 129,024 a------- c:\windows\system32\lrjkdldm.dll
2009-02-01 21:24 1,508,456 a--sh--- c:\windows\system32\utqjdqvy.ini
2009-02-01 21:24 129,024 a------- c:\windows\system32\xgegvm.dll
2009-02-01 21:24 129,024 a------- c:\windows\system32\eywwsmde.dll
2009-02-01 21:23 457,569 a--sh--- c:\windows\system32\ilSYyyay.ini2
2009-02-01 21:23 32,372 a--sh--- c:\windows\system32\ilSYyyay.ini
2009-02-01 21:23 315,904 a------- c:\windows\system32\yayyYSli.dll.vir
2009-02-01 21:18 <DIR> --d----- c:\docume~1\magee\applic~1\cogad
2009-02-01 21:17 41,472 a------- c:\documents and settings\magee\s.exe
2009-02-01 21:03 <DIR> --d----- c:\program files\Common
2009-01-23 20:39 304,640 a------- c:\windows\system32\_brkfzabigly.dll
2009-01-20 21:57 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-01-20 21:57 <DIR> --d----- c:\program files\AIM Toolbar
2009-01-20 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2009-01-20 21:57 <DIR> --d----- c:\program files\AIM Search
2009-01-20 21:56 <DIR> --d----- c:\program files\AIM6

==================== Find3M ====================

2009-02-11 22:36 11,289 a------- c:\windows\system32\nvModes.dat
2009-01-12 22:14 3,266 a--sh--- c:\windows\system32\uFfilUvw.ini2
2009-01-03 22:40 41,495 a------- c:\documents and settings\magee\n.exe
2005-08-02 16:58 313,856 a--shr-- c:\windows\twvnyw4\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\twvnyw4\nqpBsqb.vbs

============= FINISH: 22:39:46.39 ===============

Attached Files

BC AdBot (Login to Remove)


#2 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:41 PM

Posted 12 February 2009 - 01:53 AM


I have run accross lots of different infections and been able to remove them cleanly but this one that disables all web browsing is new to me.

From your log, I see this computer is still crippled with malware.
Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Anyway, to get the webpages to work again, you have to delete the proxysetting being set by malware.
To do this:

In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:


Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:41 PM

Posted 21 February 2009 - 06:33 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users