

Mad-crazy Infection has taken over my Desktop, Taskbar messages, and IE

7 replies to this topic

#1 DangerMom


  • Members
  • 21 posts
  • Gender:Female
  • Location:Duncanville, Texas
  • Local time:12:16 PM

Posted 10 May 2009 - 04:43 AM

I am already having to start this over again because my prior page was commandeered by this mess...

I am using AdAware Premium version. AAW has detected and cleaned something I did not write down, but it has reasserted itself. AAW says it has blocked a couple of processes: "ntdll64.exe", process identified as "TR/Crypt.XPACK.Gen"; "lmn_setup.exe", process identified as "DR/Small.cgi". I don't know how well it has worked though, as whatever this is has changed my desktop to a black background with a flashing Malware Warning message in the center. I also keep getting a Security Warning message in my taskbar. Within IE, I am getting some random advertising popups, occasionally my page will change to another one without warning, and on IMDB (only site so far) any link I clicked didn't work but only brought up a new advertising page. Even now, I am typing a few lines, then copying to another version of this same page so I won't lose all my typing if it gets changed again.

As per instruction on your Malware Removal instruction page, I have run DDS.scr and am including the resulting information with this post. I hope you can help, I don't know what effect this will have when my son gets home Monday and needs to continue his online college courses!!

Thank you ever so much for your help!!

DDS.txt file...

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeri Bolin at 4:14:08.53 on Sun 05/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.158 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Jeri Bolin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - e:\program files\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {daf7a908-7ba4-4b04-98ef-eb91c81cde9d} - c:\windows\system32\BASSMO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON WorkForce 500 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieqa.exe /fu "c:\windows\temp\E_SB4.tmp" /EF "HKCU"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [autochk] rundll32.exe c:\docume~1\jeribo~1\protect.dll,_IWMPEvents@16
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Framework Windows] frmwrk32.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\jeribo~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - d:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~2.lnk - d:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\jeri bolin\start menu\programs\imvu\Run IMVU.lnk
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\my documents\buddy\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: real.com\account
Trusted Zone: realarcade.com\www
Trusted Zone: torrentzilla.org
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {2ADE19BB-1E79-4EC4-976E-AC74339ADD76} - hxxp://ghimireinc.serveftp.com/ActiveViewGUI.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E90FFF5-1347-45B9-91F6-DA47926E9697} - hxxp://www.newhomebasedccr.com/test/PlaNetSysInfo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210135733452
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://ghimireinc.serveftp.com/ActiveView.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer =,
TCP: {8443D8E5-3AEE-4B23-B4AD-5EAD9BFEB22B} =,
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli msexavc.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-31 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]

=============== Created Last 30 ================

2009-05-09 23:39 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-09 20:20 1,400 a------- c:\windows\system32\ahtn.htm
2009-05-09 20:20 4,785 a------- c:\windows\system32\warning.gif
2009-05-09 20:20 104,960 a------- c:\windows\system32\ntdll64.exe
2009-05-09 20:20 1 a------- c:\windows\system32\uniq.tll
2009-05-09 20:18 19,456 a------- c:\windows\system32\frmwrk32.exe
2009-05-09 20:17 19,456 a------- c:\windows\system32\loader49.exe
2009-05-09 19:54 <DIR> --d----- c:\docume~1\jeribo~1\applic~1\AVS4YOU
2009-05-09 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-05-09 19:48 <DIR> --d----- c:\program files\AVS4YOU
2009-05-09 19:47 <DIR> --d----- c:\program files\common files\AVSMedia
2009-05-09 19:47 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-05-09 19:47 24,576 a------- c:\windows\system32\msxml3a.dll
2009-05-01 09:15 <DIR> --d----- c:\documents and settings\jeri bolin\tmp
2009-04-26 06:17 <DIR> --d----- c:\docume~1\jeribo~1\applic~1\Ludia
2009-04-26 06:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ludia
2009-04-16 14:21 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-04-25 03:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-25 03:03 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-24 20:04 304,144 a------- c:\windows\sysguard.exe
2009-04-01 06:43 5,501 a------- c:\windows\system32\uacinit.dll
2009-04-01 06:43 66,048 a------- c:\windows\system32\UACpmnhydbe.dll
2009-04-01 06:43 18,944 a------- c:\windows\system32\UACmtdilwyq.dll
2009-04-01 06:43 17,408 a------- c:\windows\system32\UAChnlqkqla.dll
2009-04-01 06:43 19,968 a------- c:\windows\system32\UACixtppuxn.dll
2009-04-01 06:43 50,688 a------- c:\windows\system32\drivers\UACenepkhqv.sys
2009-04-01 06:43 23,552 a------- c:\windows\system32\UACcwalhabi.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-02-18 16:37 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-05-17 06:07 47,360 ac------ c:\docume~1\jeribo~1\applic~1\pcouffin.sys
2008-05-07 16:30 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 4:16:04.04 ===============

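As an added triage example that is not part of this post, of the thread, or of the DDS tool itself: the Python below takes a handful of lines copied from the Pseudo HJT Report above (embedded as a constructed sample) and flags the persistence and lockdown entries a malware responder reads first: a second executable appended to the Winlogon Userinit value, Run entries whose payload is a bare file name or a DLL that rundll32 loads from a user profile folder, the DisableTaskMgr and Active Desktop policy restrictions, Trusted Zone additions, and a non-default LSA notification package. The heuristics are deliberately location-based, so the mRun autochk entry that loads autochk.dll from system32 is not flagged; that one needs a file-level check (hash or signature against a known-good copy) rather than a log-level one.

```python
"""Added triage helper (not from the thread or from DDS): scans Pseudo HJT Report
lines for persistence and lockdown entries that deserve a responder's attention."""
import re

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\jeribo~1\protect.dll,_IWMPEvents@16
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Framework Windows] frmwrk32.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Trusted Zone: real.com\account
Trusted Zone: torrentzilla.org
LSA: Notification Packages = scecli msexavc.dll
"""

# DDS prefixes: u = current user hive, m = machine hive, d = default user hive.
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-(?P<hive>\w+): (?P<key>\w+) = (?P<val>\d+)")

# Folders a legitimate Run-key payload rarely lives in.
USER_PROFILE_HINTS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")

BARE_NAME_REASON = "bare file name, resolved through the search path instead of a full path"
PROFILE_DLL_REASON = "rundll32 loads a DLL from a user profile or temp folder"
TRUSTED_ZONE_REASON = "site in IE Trusted zone gets relaxed security; confirm it was added on purpose"

# Policies that stop the user from undoing what malware changed.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled; the user cannot inspect or end processes",
    "NoSetActiveDesktop": "Active Desktop settings locked; a planted wallpaper cannot be changed",
    "NoActiveDesktopChanges": "Active Desktop changes blocked",
}


def check_userinit(value):
    """Winlogon Userinit should be exactly one entry, userinit.exe; return any extras."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def split_command(cmd):
    """Split a Run value into (program, arguments), honouring a quoted program path."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r'^(\S+)\s*(.*)$', cmd)
    return (m.group(1), m.group(2)) if m else (cmd, "")


def check_run(cmd):
    """Location-based heuristics for one Run-key command; returns a list of reasons."""
    reasons = []
    program, args = split_command(cmd)
    target = program.lower()
    if target.endswith("rundll32.exe"):
        # rundll32 is only a host; the DLL named before the comma is the real payload.
        target = args.split(",", 1)[0].strip().strip('"').lower()
        if any(hint in target for hint in USER_PROFILE_HINTS):
            reasons.append(PROFILE_DLL_REASON)
    if "\\" not in target:
        reasons.append(BARE_NAME_REASON)
    return reasons


def check_lsa(value):
    """scecli is the stock LSA notification package; anything else is worth a look."""
    return [pkg for pkg in value.split() if pkg.lower() != "scecli"]


def triage(report):
    """Return (line, reason) pairs for every entry that trips a heuristic."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("mWinlogon: Userinit="):
            for extra in check_userinit(line.split("=", 1)[1]):
                findings.append((line, f"extra Userinit entry: {extra}"))
        elif (m := RUN_RE.match(line)):
            for reason in check_run(m.group("cmd")):
                findings.append((line, reason))
        elif (m := POLICY_RE.match(line)):
            key = m.group("key")
            if key in LOCKDOWN_POLICIES and m.group("val") != "0":
                findings.append((line, LOCKDOWN_POLICIES[key]))
        elif line.startswith("LSA: Notification Packages ="):
            for pkg in check_lsa(line.split("=", 1)[1]):
                findings.append((line, f"non-default LSA notification package: {pkg}"))
        elif line.startswith("Trusted Zone:"):
            findings.append((line, TRUSTED_ZONE_REASON))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_DDS):
        print(f"[!] {reason}\n    {line}")
```

Run against the sample it reports nine findings, including the sdra64.exe entry riding on Userinit (which runs at every logon before the shell) and the three rundll32/protect.dll and frmwrk32.exe Run entries; the point of the heuristics is to shorten the list a responder has to read, not to replace checking the flagged files themselves.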


#2 shelf life


  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:16 PM

Posted 20 May 2009 - 06:03 PM


Log is several days old. If you still need help, reply back with an update on your malware situation.

How Can I Reduce My Risk to Malware?

#3 DangerMom

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Female
  • Location:Duncanville, Texas
  • Local time:12:16 PM

Posted 22 May 2009 - 01:00 PM

It has been a few days since I could even get on the internet. Since my last post, my pc went into serious decline and got to where I couldn't even boot Windows. I bit the bullet and tried to restore with my recovery disks, but the recovery process failed. After that I was REALLY screwed, and ended up borrowing Windows software from a friend to get things fixed back. Well...

Windows is now starting up ok, and the only thing affected was my C drive. I don't think I have any more virus issues, but now a handful of my drivers are missing - including my ethernet controller, USB controller, audio controller, and PCI modem controller. So now, I have no internet, and have only just today been able to get somewhere that I could use another computer. I'm having a little bit of trouble finding somewhere to download the drivers - every site I go to wants to scan my system and update them for me, which obviously will not work from a different computer. But I've just started looking here at BC, and I am persistent. I am also confident, but if all else fails I will get back to this computer and post a new ticket.

Thanks for your help, sorry it didn't come sooner or things may not have gone so far!

#4 shelf life


  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:16 PM

Posted 22 May 2009 - 07:03 PM

So it sounds like you reinstalled Windows? What exactly did you do? Most hardware like ethernet controllers/USB should work with native Windows drivers included on the installation media.

You can get loads of information, like how to restore your computer using recovery disks, from your computer vendor's website.
I would think the needed drivers would be included on the recovery disks. Most vendors' websites have loads of information on everything from reinstalling Windows to adding a hard drive. A lot also have forums. Visit their website and check the FAQ or try the search function.

If it's a laptop then there is even more reason to use the included recovery disks or get drivers from the vendor's website. Laptops can use proprietary hardware drivers found only on the recovery disks or vendor's website.

How Can I Reduce My Risk to Malware?

#5 DangerMom

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Female
  • Location:Duncanville, Texas
  • Local time:12:16 PM

Posted 22 May 2009 - 10:38 PM

Yes, I actually ended up going to the Sony website and got everything I needed to get things fixed - JUST ABOUT! I think the Windows software I borrowed from a friend did not have some of the Sony specific drivers that had been on my corrupted recovery disks. I got all my driver issues resolved and have no more errors within my Device Manager.

Now I am having a problem within "My Computer". When I try to double-click any of my hard disk drives, I get a message: "Windows cannot find 'RECYCLER\S-7-3-43-100011054-100014810-100019203-3214.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search." Then I brought up the right-click menu, and it shows the default action as "AutoPlay" with "Open" being the second option on the list. OK, I click on Open, and I get an "Access Denied" message. I can get into any of the drives from within other folders from the drop-down box, or from within programs and such. I only wiped out my C drive when I reloaded Windows, and still have considerable data on the largest part of my internal drive, plus a large external drive. I am able to reload some of my software, but I'm having problems with some of it too. Specifically, when I tried to reinstall Power ISO, it won't install my virtual drives properly and is telling me to reinstall again. I think this may have something to do with the "My Computer" issue also. (?)

Anyway, I think if I can get this issue resolved everything will be back to normal and virus-free again. NOTE: I haven't yet tried to reinstall my anti-virus software, so I don't know how that will work yet. I haven't been bumming around on the internet yet either, just came here to try to resolve the Windows issue.

Thanks MUCH for your help!
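
The drive error described in the post above is usually the leftover of an autorun.inf sitting in each drive root whose launch entries point at a worm file under the hidden RECYCLER folder: once the payload has been removed but the autorun.inf stays behind, double-clicking the drive tries to run the now-missing file and Windows reports that it cannot find it. As an added example that is not part of this thread, the Python below parses such a file (a constructed sample that reuses the RECYCLER file name quoted in the post) and flags the launch entries that resolve into RECYCLER; any other executable target is reported at a lower severity because legitimate install media also uses `open=setup.exe`. Cleanup consists of deleting the autorun.inf and the RECYCLER payload from every drive root, including external drives, with hidden and system files made visible first, and disabling AutoRun through the NoDriveTypeAutoRun policy so inserted media cannot trigger it again.

```python
"""Added example (not from the thread): parse an autorun.inf and flag launch
entries whose target lives under RECYCLER, the pattern behind the
"Windows cannot find 'RECYCLER\\...'" message when double-clicking a drive."""
from pathlib import PureWindowsPath

# Constructed sample autorun.inf; the RECYCLER file name is the one quoted in the post.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=RECYCLER\S-7-3-43-100011054-100014810-100019203-3214.com
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=&Open
shell\open\Command=RECYCLER\S-7-3-43-100011054-100014810-100019203-3214.com
shell\explore\Command=RECYCLER\S-7-3-43-100011054-100014810-100019203-3214.com
shellexecute=RECYCLER\S-7-3-43-100011054-100014810-100019203-3214.com
"""

EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
RECYCLER_REASON = "launch target lives under RECYCLER, which should only hold the Recycle Bin's deleted files"
EXEC_REASON = "launch target is an executable on the drive; confirm it belongs to legitimate media"


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section of an autorun.inf."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key):
    """open, shellexecute and shell\\<verb>\\command all name something to execute;
    shell\\<verb> alone is just the menu label and icon= only names an icon."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def launch_target(value):
    """First token of a command value with surrounding quotes removed; arguments dropped."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def audit_autorun(text):
    """Return (severity, key, target, reason) for each launch entry worth attention."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not is_launch_key(key):
            continue
        target = launch_target(value)
        path = PureWindowsPath(target)
        if "recycler" in [part.lower() for part in path.parts]:
            findings.append(("high", key, target, RECYCLER_REASON))
        elif path.suffix.lower() in EXEC_EXT:
            findings.append(("review", key, target, EXEC_REASON))
    return findings


if __name__ == "__main__":
    for severity, key, target, reason in audit_autorun(SAMPLE_AUTORUN_INF):
        print(f"[{severity}] {key} -> {target}: {reason}")
```

Because the shell\open\Command and shell\explore\Command verbs replace the drive's own Open and Explore actions, the "Access Denied" seen when choosing Open from the right-click menu and the "cannot find" error on double-click both trace back to the same file; removing it restores the normal drive actions without touching the data on the drive.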

#6 shelf life


  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:16 PM

Posted 23 May 2009 - 02:41 PM

You can try this: line 412:


How Can I Reduce My Risk to Malware?

#7 DangerMom

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Female
  • Location:Duncanville, Texas
  • Local time:12:16 PM

Posted 25 May 2009 - 09:45 PM

I didn't pick up on "line 412" in your post the first time I read it, and didn't find the fix at first. But in the interim I found another post here at BC that fixed the problem for me...

Need Help Fixing C:\ Icon In My Computer

I really appreciate your help. I think we can close out this thread now. I am still ironing out some issues due to reinstalling Windows, but nothing I can't handle, and nothing keeping me from using the PC now...


#8 shelf life


  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:01:16 PM

Posted 26 May 2009 - 03:47 PM


You're welcome. Looks like you're all set. Here's some info for reducing your risk to malware:

Reducing Your Risk To Malware:

The Short Version:

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is now also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop-ups or offers from websites saying that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.
Happy Safe Surfing.

How Can I Reduce My Risk to Malware?
