vundo.gen.y and vundo.gen.ab on my pc


This topic is locked
64 replies to this topic

#1 dan2424 (Members, 32 posts)

Posted 22 February 2009 - 01:22 PM

I recently somehow ended up with Vundo on my PC. Symptoms are tons of popups in Internet Explorer and Firefox, a Windows Security Alert saying Automatic Updates are turned off and can't be turned back on, and an inability to do a System Restore. I also get a message at startup that some disc cannot be found... clicking Cancel allows me to continue with startup.

Thanks in advance...all help is appreciated.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Daniel Dunnavant at 13:10:22.65 on Sun 02/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.136 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Daniel Dunnavant\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=proxy.rhodes.edu:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.yahoo.com
mSearchAssistant = hxxp://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {24c26f6c-0eb8-41c2-a500-e6b4d33c6fc4} - c:\windows\system32\awtqpMEx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {C38C2701-1F5A-4A80-BAB2-877CC92C9A9F} - No File
BHO: {d2ca0d8f-c21e-4220-90c4-752dcbec753f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2000\office10\OSA.EXE
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
IE: Coupons - file://c:\program files\couponsandoffers\system\temp\couponsandoffers_script0.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} - hxxp://205.159.125.199/central/02030105/cccabs/CleverContent.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {11113111-1411-1611-8111-111111111413} - mhtml:file://c:\nul.mht!http://www.capital-systems.net//browser.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4AD7DA15-AB2F-4C91-BEF5-3876DA4A2CCC} - hxxp://www.cambridgesoft.com/plugins/activex/install/NetInstall.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126805225593
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {9B8D3E79-A732-4EC0-AEEE-8AF8CDF10D8A} - hxxp://installer.palmsource.com/PSIWebStub.dll
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - hxxp://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: efcARlmJ - efcARlmJ.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cpqbks.dll vvmfmr.dll wwphlr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\hsiext2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-5-8 59904]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26 29184]
R3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-5-8 117024]
S0 inzqkzzr;inzqkzzr;c:\windows\system32\drivers\unmgggtf.sys []
S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe --> c:\program files\navnt\rtvscan.exe [?]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-4-3 14032]

=============== Created Last 30 ================

2009-02-22 13:06 125,440 a------- c:\windows\system32\vwiebirf.dll
2009-02-21 09:12 1,607,788 ---sh--- c:\windows\system32\hytegtof.ini
2009-02-21 09:12 72,704 a------- c:\windows\system32\fotgetyh.dll
2009-02-21 05:34 122,356 a------- c:\windows\system32\blumylvo.dll
2009-02-20 17:36 123,904 a------- c:\windows\system32\mouhqljj.dll
2009-02-20 05:36 123,904 a------- c:\windows\system32\nohyar.dll
2009-02-20 05:36 123,904 a------- c:\windows\system32\duygxlra.dll
2009-02-19 22:23 <DIR> --d----- c:\windows\pss
2009-02-19 17:38 115,056 -------- c:\windows\system32\elyctuda.dll
2009-02-19 15:27 <DIR> --d----- c:\program files\Cobian Backup 8
2009-02-19 05:38 120,896 -------- c:\windows\system32\iblvihwk.dll
2009-02-18 17:38 120,896 -------- c:\windows\system32\waudjmuv.dll
2009-02-18 05:39 124,928 -------- c:\windows\system32\ygszxe.dll
2009-02-18 05:38 124,928 -------- c:\windows\system32\cbbxxibg.dll
2009-02-17 22:53 0 -------- c:\windows\webica.ini
2009-02-17 22:45 <DIR> --d----- c:\program files\Juniper Networks
2009-02-17 22:45 18 -------- C:\pending.un
2009-02-17 22:45 <DIR> --d----- c:\docume~1\daniel~1\applic~1\Juniper Networks
2009-02-17 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Juniper Networks
2009-02-17 22:42 <DIR> --d----- c:\docume~1\daniel~1\applic~1\ICAClient
2009-02-17 22:42 <DIR> --d----- c:\windows\system32\Resource
2009-02-17 22:42 <DIR> --d----- c:\program files\Citrix
2009-02-17 18:03 <DIR> --d----- c:\program files\3ivx
2009-02-17 18:02 <DIR> --d----- c:\program files\muvee Technologies
2009-02-17 18:02 <DIR> --d----- c:\program files\common files\muvee Technologies
2009-02-17 17:36 124,416 -------- c:\windows\system32\fgdiht.dll
2009-02-17 17:36 124,416 -------- c:\windows\system32\dpuomubt.dll
2009-02-17 05:39 124,416 -------- c:\windows\system32\blsiht.dll
2009-02-17 05:39 124,416 -------- c:\windows\system32\xgutwyyq.dll
2009-02-16 17:39 120,896 -------- c:\windows\system32\wxglyxaq.dll
2009-02-16 17:36 50,816 -------- c:\windows\system32\cirrfjuc.dll
2009-02-16 05:25 <DIR> --d----- C:\VundoFix Backups
2009-02-15 17:32 2,600 a--sh--- c:\windows\system32\xEMpqtwa.ini2
2009-02-15 17:32 2,204 a------- c:\windows\inzqkzzr
2009-02-15 17:32 2,600 a--sh--- c:\windows\system32\xEMpqtwa.ini
2009-01-31 18:04 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-31 18:03 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-31 18:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-31 18:03 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-31 18:03 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-31 18:03 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-31 18:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-31 18:03 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll

==================== Find3M ====================

2009-02-04 13:52 68,632 -------- c:\docume~1\daniel~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-08 07:50 410,984 -------- c:\windows\system32\deploytk.dll
2009-01-08 01:24 0 -------- c:\windows\system32\drivers\senekarodiqxdn.sys
2009-01-08 01:24 0 -------- c:\windows\system32\drivers\seneka.sys
2009-01-08 01:21 1,932 -------- c:\windows\system32\senekalog.dat
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-02 16:22 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 13:12:58.93 ===============
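The log above carries the file and load-point pattern that identifies Vundo without needing a signature: a hidden .ini/.ini2 (xEMpqtwa.ini) whose name is the BHO DLL (awtqpMEx.dll) spelled backwards, a stream of random-lettered DLLs dropped into system32 roughly every twelve hours at 115-125 KB each, a Winlogon Notify entry (efcARlmJ) and AppInit_DLLs given as bare filenames, an S0 driver (inzqkzzr, unmgggtf.sys) that DDS could not stat, and a zero-byte seneka.sys. The script below is an added example for this thread, not part of the original post, of DDS, or of BleepingComputer's tooling; it runs those checks over a constructed excerpt of the log. The dllcache rule (a random-looking name that also has a Windows File Protection copy under system32\dllcache is treated as legitimate, which keeps the XPS update's xpsshhdr.dll out of the hits) and the 6-8 lowercase-letter name pattern are heuristics of this example, not DDS features.

```python
"""Triage a DDS log for the artefacts Vundo leaves behind.
Added example for this thread; not part of DDS. Assumptions marked inline."""
import re

# Constructed excerpt: lines copied in shape from the 22 Feb DDS log above.
SAMPLE_LOG = r"""
BHO: {24c26f6c-0eb8-41c2-a500-e6b4d33c6fc4} - c:\windows\system32\awtqpMEx.dll
Notify: efcARlmJ - efcARlmJ.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cpqbks.dll vvmfmr.dll wwphlr.dll
S0 inzqkzzr;inzqkzzr;c:\windows\system32\drivers\unmgggtf.sys []
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-5-8 59904]
2009-02-22 13:06 125,440 a------- c:\windows\system32\vwiebirf.dll
2009-02-20 05:36 123,904 a------- c:\windows\system32\nohyar.dll
2009-02-15 17:32 2,600 a--sh--- c:\windows\system32\xEMpqtwa.ini
2009-02-15 17:32 2,600 a--sh--- c:\windows\system32\xEMpqtwa.ini2
2009-01-31 18:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-31 18:03 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-08 01:24 0 -------- c:\windows\system32\drivers\seneka.sys
"""

# DDS line shapes as they appear in the log above.
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$')
NOTIFY_RE = re.compile(r'^Notify: (\S+) - (.+)$')
APPINIT_RE = re.compile(r'^AppInit_DLLs: (.+)$')
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]+);(.+?) \[(.*)\]$')
# Assumption of this example: Vundo's dropped names are 6-8 lowercase letters.
RANDOM_STEM = re.compile(r'^[a-z]{6,8}$')


def parse_files(text):
    """(date, size, attrs, lowercased path) per file entry; size None for <DIR>."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            date, _time, size, attrs, path = m.groups()
            size = None if size == '<DIR>' else int(size.replace(',', ''))
            out.append((date, size, attrs, path.lower()))
    return out


def basename(path):
    return path.rsplit('\\', 1)[-1]


def dirname(path):
    return path.rsplit('\\', 1)[0] if '\\' in path else ''


def reversed_ini_pairs(text):
    """Hidden .ini/.ini2 whose stem, reversed, is a DLL named anywhere in the log
    (Vundo's config file: xEMpqtwa.ini <-> awtqpMEx.dll)."""
    dll_stems = {m.group(1).lower() for m in re.finditer(r'([A-Za-z0-9]+)\.dll\b', text)}
    pairs = []
    for _date, _size, attrs, path in parse_files(text):
        name = basename(path)
        if 'h' in attrs and re.search(r'\.ini2?$', name):
            stem = name.split('.', 1)[0]
            if stem[::-1] in dll_stems:
                pairs.append((name, stem[::-1] + '.dll'))
    return pairs


def random_named_dlls(text):
    """Random-looking DLL names dropped directly into system32. A name that also
    has a WFP copy under system32\\dllcache is treated as legitimate (heuristic)."""
    files = parse_files(text)
    cached = {basename(p) for _, _, _, p in files if dirname(p).endswith('\\dllcache')}
    hits = []
    for _date, size, _attrs, path in files:
        name = basename(path)
        if dirname(path).endswith('\\system32') and name.endswith('.dll'):
            if RANDOM_STEM.match(name[:-4]) and name not in cached:
                hits.append((name, size))
    return hits


def suspicious_loaders(text):
    """Load points without a full path (resolved via the DLL search path and
    loaded into every process), drivers DDS could not stat, zero-length .sys."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = NOTIFY_RE.match(line)
        if m and '\\' not in m.group(2):
            findings.append(('notify-bare-path', m.group(1), m.group(2)))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.extend(('appinit', dll, dll) for dll in m.group(1).split())
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(5).strip() in ('', '?'):
            findings.append(('service-unstattable', m.group(2), m.group(4)))
    for _date, size, _attrs, path in parse_files(text):
        if size == 0 and path.endswith('.sys'):
            findings.append(('zero-length-driver', basename(path), path))
    return findings


if __name__ == '__main__':
    for check in (reversed_ini_pairs, random_named_dlls, suspicious_loaders):
        print(check.__name__, check(SAMPLE_LOG))
```

On the full log the reversed-name check pairs only xEMpqtwa.ini/.ini2 with awtqpMEx.dll; the daily DLL names (fotgetyh, blumylvo, mouhqljj, ...) have no .ini twin, so the random-name and loader checks are what surface them. Paste the whole DDS output in place of SAMPLE_LOG to run it over a real log.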

#2 SifuMike (malware expert; Members, 15,385 posts; Vancouver (not BC) WA (Not DC) USA)

Posted 28 February 2009 - 04:06 PM

Hello dan2424,

Sorry for the delay. We have many logs backed up.

Since it has been a few days, please post a fresh DDS log and we will go from there.

#3 dan2424 (Topic Starter; Members, 32 posts)

Posted 01 March 2009 - 12:02 AM

Since my initial post, my symptoms have morphed:
1. My desktop wallpaper has been changed to a warning statement: "Warning Dangerous Spyware: Many viruses were found on your computer such as: Trojan horse, PassCapture, etc. Your personal information can fall into in the "third hands". Please check up the computer with a special software"
2. A red X in the bottom right corner with a popup bubble stating "Warning! Security report Your computer is infected! It recommended to start spyware cleaner tool."
3. Occasionally, and it seems randomly, the computer will go to a blue screen with a lot of text, after which point I have to restart the system... I haven't written down all of what it says yet.
4. Google and Yahoo searches on IE and Firefox now bring up pages with apparently fake search results... clicking on any of these sends me to ad popups... and it is very frustrating to no longer be able to do searches.
5. Certain websites (including bleepingcomputer!) are inaccessible for some reason on IE and on Firefox... I am typing this on a second computer and have transferred the DDS and Attach files via a flash drive.

Once again, thanks in advance.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Daniel Dunnavant at 23:43:19.03 on Sat 02/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.13 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel Dunnavant\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=proxy.rhodes.edu:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.yahoo.com
mSearchAssistant = hxxp://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {C38C2701-1F5A-4A80-BAB2-877CC92C9A9F} - No File
BHO: {d2ca0d8f-c21e-4220-90c4-752dcbec753f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2000\office10\OSA.EXE
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Coupons - file://c:\program files\couponsandoffers\system\temp\couponsandoffers_script0.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} - hxxp://205.159.125.199/central/02030105/cccabs/CleverContent.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {11113111-1411-1611-8111-111111111413} - mhtml:file://c:\nul.mht!http://www.capital-systems.net//browser.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4AD7DA15-AB2F-4C91-BEF5-3876DA4A2CCC} - hxxp://www.cambridgesoft.com/plugins/activex/install/NetInstall.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126805225593
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {9B8D3E79-A732-4EC0-AEEE-8AF8CDF10D8A} - hxxp://installer.palmsource.com/PSIWebStub.dll
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - hxxp://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: efcARlmJ - efcARlmJ.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cpqbks.dll vvmfmr.dll wwphlr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\hsiext2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-5-8 59904]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26 29184]
R3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-5-8 117024]
S0 inzqkzzr;inzqkzzr;c:\windows\system32\drivers\unmgggtf.sys []
S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe --> c:\program files\navnt\rtvscan.exe [?]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-4-3 14032]

=============== Created Last 30 ================

2009-02-26 23:47 439 a------- c:\windows\system32\win32hlp.cnf
2009-02-26 14:36 1,394 a------- c:\windows\system32\ahtn.htm
2009-02-26 14:36 4,785 a------- c:\windows\system32\warning.gif
2009-02-26 14:35 106,946 a------- c:\windows\system32\drivers\531396d.sys
2009-02-26 14:35 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-26 14:35 1 a------- c:\windows\system32\uniq.tll
2009-02-26 14:35 2 a------- C:\16462536
2009-02-26 14:35 8,704 a------- C:\uagxble.exe
2009-02-26 14:35 30,720 a------- c:\windows\system32\frmwrk32.exe
2009-02-26 14:35 30,720 a------- C:\tjaq.exe
2009-02-26 14:34 78,848 a------- c:\windows\system32\pdjvrodn.dll
2009-02-26 01:57 113,596 a------- c:\windows\system32\hwbbrdqa.dll
2009-02-25 13:58 120,896 a------- c:\windows\system32\gvivuebr.dll
2009-02-25 01:53 122,356 a------- c:\windows\system32\snsmtumt.dll
2009-02-24 13:52 120,896 a------- c:\windows\system32\airtdijw.dll
2009-02-24 01:10 122,356 a------- c:\windows\system32\kpcsjjff.dll
2009-02-23 13:14 123,816 a------- c:\windows\system32\omcvxpqd.dll
2009-02-23 01:11 116,516 a------- c:\windows\system32\nxktgtie.dll
2009-02-21 05:34 122,356 a------- c:\windows\system32\blumylvo.dll
2009-02-19 22:23 <DIR> --d----- c:\windows\pss
2009-02-19 17:38 115,056 -------- c:\windows\system32\elyctuda.dll
2009-02-19 15:27 <DIR> --d----- c:\program files\Cobian Backup 8
2009-02-19 05:38 120,896 -------- c:\windows\system32\iblvihwk.dll
2009-02-18 17:38 120,896 -------- c:\windows\system32\waudjmuv.dll
2009-02-17 22:53 0 -------- c:\windows\webica.ini
2009-02-17 22:45 <DIR> --d----- c:\program files\Juniper Networks
2009-02-17 22:45 18 -------- C:\pending.un
2009-02-17 22:45 <DIR> --d----- c:\docume~1\daniel~1\applic~1\Juniper Networks
2009-02-17 22:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Juniper Networks
2009-02-17 22:42 <DIR> --d----- c:\docume~1\daniel~1\applic~1\ICAClient
2009-02-17 22:42 <DIR> --d----- c:\windows\system32\Resource
2009-02-17 22:42 <DIR> --d----- c:\program files\Citrix
2009-02-17 18:03 <DIR> --d----- c:\program files\3ivx
2009-02-17 18:02 <DIR> --d----- c:\program files\muvee Technologies
2009-02-17 18:02 <DIR> --d----- c:\program files\common files\muvee Technologies
2009-02-16 17:39 120,896 -------- c:\windows\system32\wxglyxaq.dll
2009-02-16 17:36 50,816 -------- c:\windows\system32\cirrfjuc.dll
2009-02-16 05:25 <DIR> --d----- C:\VundoFix Backups
2009-02-15 17:32 14,900 a--sh--- c:\windows\system32\xEMpqtwa.ini2
2009-02-15 17:32 2,204 a------- c:\windows\inzqkzzr
2009-02-15 17:32 5,807 a--sh--- c:\windows\system32\xEMpqtwa.ini
2009-01-31 18:04 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-31 18:03 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-31 18:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-31 18:03 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-31 18:03 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-31 18:03 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-31 18:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-31 18:03 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll

==================== Find3M ====================

2009-02-04 13:52 68,632 -------- c:\docume~1\daniel~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-08 07:50 410,984 -------- c:\windows\system32\deploytk.dll
2009-01-08 01:24 0 -------- c:\windows\system32\drivers\senekarodiqxdn.sys
2009-01-08 01:24 0 -------- c:\windows\system32\drivers\seneka.sys
2009-01-08 01:21 1,932 -------- c:\windows\system32\senekalog.dat
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-02 16:22 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 23:45:10.21 ===============

Edited by dan2424, 01 March 2009 - 12:06 AM.
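A small triage helper, added here as an example and not part of the thread or of DDS itself: it parses a few lines copied from the log above and flags what an analyst looks for in a log like this one: eight-letter random names sitting directly in system32 with no same-sized Windows File Protection twin in dllcache, executables dropped in the drive root, and a driver service whose binary DDS could not find on disk (the empty brackets on the S0 line). The sample lines are constructed from the log above; the heuristics are mine and produce candidates for review, not verdicts.

```python
import re

# Constructed sample: lines copied from the DDS log above (a services/drivers
# entry and several "Created Last 30" entries), enough to exercise each check.
SAMPLE_LOG = r"""
S0 inzqkzzr;inzqkzzr;c:\windows\system32\drivers\unmgggtf.sys []
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
2009-02-26 14:34 78,848 a------- c:\windows\system32\pdjvrodn.dll
2009-02-26 01:57 113,596 a------- c:\windows\system32\hwbbrdqa.dll
2009-02-26 14:35 30,720 a------- C:\tjaq.exe
2009-02-19 15:27 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-31 18:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-31 18:03 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe|sys)$")  # eight random letters


def parse(log):
    """Split DDS output into file entries and service/driver entries."""
    files, services = [], []
    for line in log.strip().splitlines():
        if m := FILE_RE.match(line):
            date, _, size, attrs, path = m.groups()
            files.append({"date": date, "size": size, "attrs": attrs, "path": path.lower()})
        elif m := SVC_RE.match(line):
            state, name, _, path, stamp = m.groups()
            services.append({"state": state, "name": name, "path": path.lower(), "stamp": stamp})
    return files, services


def triage(log):
    """Return (reason, item) pairs that deserve a human look; heuristic, not a verdict."""
    files, services = parse(log)
    # Windows File Protection keeps a same-sized twin of protected system files in
    # system32\dllcache; a matching twin is a cheap "real system file" signal.
    cached = {(f["path"].rsplit("\\", 1)[-1], f["size"])
              for f in files if "\\dllcache\\" in f["path"]}
    findings = []
    for f in files:
        folder, name = f["path"].rsplit("\\", 1)
        if folder.endswith("\\dllcache"):
            continue
        in_sys32 = folder.endswith(("\\system32", "\\system32\\drivers"))
        if in_sys32 and RANDOM_NAME_RE.match(name) and (name, f["size"]) not in cached:
            findings.append(("random-name-system32", f["path"]))
        if re.fullmatch(r"[a-z]:", folder) and name.endswith((".exe", ".dll", ".sys")):
            findings.append(("executable-in-drive-root", f["path"]))
    for s in services:
        if s["stamp"] == "":  # DDS prints [] when it cannot find the service binary
            findings.append(("service-binary-missing", f"{s['name']} -> {s['path']}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the four hits; the legitimate xpsshhdr.dll is an eight-letter name too, and only its dllcache twin keeps it off the list.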


#4 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:33 AM
Posted 01 March 2009 - 12:39 AM

Hi dan2424,

Is this a business, corporate, work computer or server?


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

Edited by SifuMike, 01 March 2009 - 12:50 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 dan2424

Posted 01 March 2009 - 01:04 AM

SifuMike,

I downloaded the file on my 2nd computer and transferred it to my infected computer's desktop, but when I double-clicked, nothing happened. Restarted the computer, but still nothing... for some reason the file won't open.

Also, another symptom I just remembered: I can no longer use task manager. States it has been disabled by the administrator.


Thanks.

#6 SifuMike

Posted 01 March 2009 - 01:05 AM

Is this a business, corporate, work computer or server?

#7 dan2424

Posted 01 March 2009 - 01:09 AM

This is my personal home computer.

And for a while (like >1 yr) I get an error when I start up the computer stating that windows defender cannot start. Where can I go to disable the real time protection?

#8 SifuMike

Posted 01 March 2009 - 01:12 AM

Hi dan2424,


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee VirusScan Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

To disable your Windows Defender Real-time Protection
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

If that does not work, then uninstall Windows Defender. We can reinstall it later.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 01 March 2009 - 01:13 AM.


#9 dan2424

Posted 01 March 2009 - 01:18 AM

I'm sorry, this may be dumb, but I honestly have no clue where or how to open Windows Defender. I don't think it is running on my computer secondary to some error I've had for quite a while.

#10 SifuMike

Posted 01 March 2009 - 01:20 AM

It is running on your computer. I see it in your log. :thumbup2:

Did you read my previous post?

If that does not work, then uninstall Windows Defender. We can reinstall it later.


Edited by SifuMike, 01 March 2009 - 01:21 AM.


#11 dan2424

Posted 01 March 2009 - 01:41 AM

So I downloaded ComboFix and transferred it to the desktop of my infected system (cannot access any of the download sites from that system). Just like with the MBAM file, when I click on the ComboFix file nothing happens at all. Tried restarting, still nothing. Windows Defender is now uninstalled and my McAfee and firewall were disabled. After trying to start ComboFix, my desktop remains active as if I never clicked anything.
Thanks

#12 SifuMike

Posted 01 March 2009 - 02:13 AM

Dan,

We will use another program.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
If the file is too big to post, then you can upload it to me here. Let me know when you upload it.

Edited by SifuMike, 01 March 2009 - 02:39 AM.
updated OTscanit2


#13 dan2424

Posted 01 March 2009 - 02:28 AM

404 - Not Found when I try to download the OTScanIt file.

#14 SifuMike

Posted 01 March 2009 - 02:30 AM

Try it again.

#15 dan2424

Posted 01 March 2009 - 02:39 AM

thanks for the prompt replies...

Non-Microsoft is not a choice under drivers; the choices are none, safe list, and all.
Also, Reg - BotCheck is not an option under additional scans.



