
blocked websites and IE starting by itself


  • This topic is locked
2 replies to this topic

#1 rustyshark

rustyshark

  • Members
  • 1 posts
  • OFFLINE
  • Local time:11:51 PM

Posted 13 May 2009 - 04:54 AM

Lots of websites are being blocked, including malwarebytes.org, virustotal.com, and virusscan.jotti.org.

Multiple instances of iexplore.exe show up in Task Manager even though I never opened IE and no IE windows are visible. One instance is usually using massive amounts of CPU power while the others sit at 0%. Killing the one that's using the most CPU sometimes causes another random process like svchost.exe to start using an equal amount of CPU time. Killing them all just results in them coming back a couple of minutes later. Sometimes IE shows a random pop-up, but usually there's nothing visible.


Tried running Spybot and Malwarebytes, but running them again a couple of hours later found that the stuff they deleted just wound up coming right back again. Also, the domain problem stops Malwarebytes from updating. WinPatrol is frequently reporting attempts to add programs to the auto-startup list, including c:\windows\system32\userinit.exe, c:\windows\system32\reader_s.exe, and lots of randomly named programs running from temp directories.


DDS (Ver_09-03-16.01) - NTFSx86
Run by 1 at 4:36:38.64 on Wed 05/13/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1284 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\1\LOCALS~1\Temp\mozOpenDownload\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\sdrgfcvbf.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\sdrgfcvbf.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
dRun: [uidenhiufgsduiazghs] c:\windows\temp\foyetpcws.exe
dRun: [Diagnostic Manager] c:\windows\temp\4188530454.exe
dRun: [<NO NAME>] c:\windows\temp\foyetpcws.exe
dRun: [reader_s] c:\documents and settings\1\reader_s.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\sdrgfcvbf.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\sdrgfcvbf.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\1\applic~1\mozilla\firefox\profiles\sdo88zzc.default\
FF - component: c:\documents and settings\1\application data\mozilla\firefox\profiles\sdo88zzc.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\1\application data\mozilla\firefox\profiles\sdo88zzc.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\opera\program\plugins\npjava11.dll
FF - plugin: c:\program files\opera\program\plugins\npjava12.dll
FF - plugin: c:\program files\opera\program\plugins\npjava13.dll
FF - plugin: c:\program files\opera\program\plugins\npjava14.dll
FF - plugin: c:\program files\opera\program\plugins\npjava32.dll
FF - plugin: c:\program files\opera\program\plugins\npjpi160_02.dll
FF - plugin: c:\program files\opera\program\plugins\npoji610.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys --> c:\windows\system32\drivers\protect.sys [?]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2009-5-9 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2009-5-9 9600]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-5-9 69692]
S3 pcm1394;pcm1394;c:\windows\system32\pcm1394.sys [2009-5-9 2304]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-05-13 03:54 61,440 a------- c:\windows\system32\5.tmp
2009-05-13 03:54 60,417 a------- c:\windows\system32\reader_s.exe
2009-05-13 03:54 60,417 a------- c:\documents and settings\1\reader_s.exe
2009-05-13 03:53 84 a------- c:\windows\system32\3.tmp
2009-05-13 03:47 0 a------- C:\27.tmp
2009-05-13 03:47 0 a------- C:\26.tmp
2009-05-13 03:47 0 a------- C:\25.tmp
2009-05-13 03:47 0 a------- C:\24.tmp
2009-05-13 03:47 0 a------- C:\23.tmp
2009-05-13 03:47 0 a------- C:\22.tmp
2009-05-13 03:47 0 a------- C:\21.tmp
2009-05-13 03:47 0 a------- C:\20.tmp
2009-05-13 03:47 0 a------- C:\1C.tmp
2009-05-13 03:47 0 a------- C:\1B.tmp
2009-05-13 03:47 0 a------- C:\1A.tmp
2009-05-13 03:46 0 a------- C:\F.tmp
2009-05-13 03:46 0 a------- C:\E.tmp
2009-05-13 03:46 0 a------- C:\D.tmp
2009-05-13 03:46 0 a------- C:\C.tmp
2009-05-13 03:46 0 a------- C:\A.tmp
2009-05-13 03:46 51,712 a------- C:\9.tmp
2009-05-13 03:46 23,552 a------- c:\windows\system32\wmimgr32.dll
2009-05-13 03:46 15,000 a------- c:\windows\system32\sdrgfcvbf.dll
2009-05-13 02:59 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-05-13 01:45 <DIR> --d----- c:\docume~1\1\applic~1\WinPatrol
2009-05-13 01:45 <DIR> --d----- c:\program files\WinPatrol
2009-05-13 01:25 <DIR> --d----- c:\program files\Unlocker
2009-05-12 23:31 0 a------- C:\1F.tmp
2009-05-12 23:31 0 a------- C:\1E.tmp
2009-05-12 23:31 0 a------- C:\1D.tmp
2009-05-12 23:31 0 a------- C:\19.tmp
2009-05-12 22:47 <DIR> --dsh--- C:\found.000
2009-05-12 21:41 155 a------- c:\windows\wininit.ini
2009-05-12 18:47 <DIR> --d----- c:\docume~1\1\applic~1\Malwarebytes
2009-05-12 18:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-12 18:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-12 18:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-12 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-12 18:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 18:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 18:14 <DIR> --d----- c:\windows\system32\3361
2009-05-12 18:14 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-12 18:14 <DIR> --d----- c:\windows\dhcp
2009-05-12 18:14 61,440 a------- c:\windows\system32\24.tmp
2009-05-12 18:14 <DIR> --dshr-- c:\program files\ThunMail
2009-05-12 18:14 120 a------- c:\windows\system32\20.tmp
2009-05-12 16:30 61,440 a------- c:\windows\system32\2B.tmp
2009-05-12 16:30 120 a------- c:\windows\system32\28.tmp
2009-05-12 16:30 55,808 a------- c:\docume~1\1\applic~1\unobi.dll
2009-05-12 04:51 61,440 a------- c:\windows\system32\21.tmp
2009-05-12 04:51 84 a------- c:\windows\system32\1D.tmp
2009-05-12 04:15 359,040 ac------ c:\windows\system32\dllcache\TCPIP.SYS
2009-05-12 04:15 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-05-12 03:39 <DIR> --ds---- c:\documents and settings\1\UserData
2009-05-12 03:08 <DIR> --ds---- c:\windows\%SystemDrive%
2009-05-12 03:08 <DIR> --ds---- c:\windows\system32\%SystemDrive%
2009-05-11 19:34 61,440 a------- c:\windows\system32\1F.tmp
2009-05-11 19:34 84 a------- c:\windows\system32\19.tmp
2009-05-11 18:01 61,440 a------- c:\windows\system32\1C.tmp
2009-05-11 18:01 84 a------- c:\windows\system32\15.tmp
2009-05-11 17:52 61,440 a------- c:\windows\system32\18.tmp
2009-05-11 17:52 84 a------- c:\windows\system32\11.tmp
2009-05-11 00:24 61,440 a------- c:\windows\system32\1E.tmp
2009-05-11 00:24 120 a------- c:\windows\system32\1B.tmp
2009-05-10 23:06 61,440 a------- c:\windows\system32\16.tmp
2009-05-10 19:32 61,440 a------- c:\windows\system32\13.tmp
2009-05-10 19:29 61,440 a------- c:\windows\system32\1A.tmp
2009-05-10 19:29 120 a------- c:\windows\system32\17.tmp
2009-05-10 15:35 61,440 a------- c:\windows\system32\14.tmp
2009-05-10 15:35 120 a------- c:\windows\system32\10.tmp
2009-05-10 00:33 61,440 a------- c:\windows\system32\12.tmp
2009-05-09 21:16 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-09 21:14 <DIR> --d----- c:\windows\Downloaded Installations
2009-05-09 18:16 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-09 18:10 61,440 a------- c:\windows\system32\D2.tmp
2009-05-09 18:10 120 a------- c:\windows\system32\CF.tmp
2009-05-09 16:21 1,197,294 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-09 16:21 764,868 -c------ c:\windows\system32\dllcache\apph_sp.sdb
2009-05-09 16:21 217,118 -c------ c:\windows\system32\dllcache\apphelp.sdb
2009-05-09 16:21 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-05-09 16:20 <DIR> --d----- c:\windows\system32\LogFiles
2009-05-09 15:54 <DIR> --d----- c:\docume~1\1\applic~1\RapidCRC
2009-05-09 14:14 <DIR> --d----- c:\program files\FolderSize
2009-05-09 14:10 <DIR> --d----- c:\documents and settings\1\WINDOWS
2009-05-09 14:10 <DIR> --d----- c:\documents and settings\1
2009-05-09 14:10 <DIR> --d----- c:\docume~1\1\applic~1\Intel
2009-05-09 14:05 8,192 a------- c:\windows\REGLOCS.OLD
2009-05-09 13:57 333 a------- c:\windows\system32\$ncsp$.inf
2009-05-09 13:53 <DIR> --d----- c:\windows\tiinst
2009-05-09 13:49 <DIR> --d----- c:\program files\SigmaTel
2009-05-09 13:49 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-09 13:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Prism Deploy
2009-05-09 13:47 <DIR> --d----- c:\program files\common files\New Boundary
2009-05-09 13:47 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-05-09 13:47 69,722 a------- c:\windows\system32\SynTPFcs.dll
2009-05-09 13:47 185,824 a------- c:\windows\system32\drivers\SynTP.sys
2009-05-09 13:47 90,202 a------- c:\windows\system32\SynTPAPI.dll
2009-05-09 13:47 81,920 a------- c:\windows\system32\SynTPCo2.dll
2009-05-09 13:47 114,688 a------- c:\windows\system32\SynCtrl.dll
2009-05-09 13:47 77,917 a------- c:\windows\system32\SynCOM.dll
2009-05-09 13:47 <DIR> --d----- c:\program files\Synaptics
2009-05-09 13:45 2 ---shr-- C:\USER
2009-05-09 13:45 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-09 13:44 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-05-09 13:33 359,936 a------- c:\windows\system32\wzcsvc.dll
2009-05-09 13:33 51,712 a------- c:\windows\system32\wzcsapi.dll
2009-05-09 13:33 13,824 a------- c:\windows\system32\wowfaxui.dll
2009-05-09 13:33 3,200 a------- c:\windows\system32\wowfax.dll
2009-05-09 13:33 23,552 ac------ c:\windows\system32\dllcache\wdmaud.drv
2009-05-09 13:33 23,552 a------- c:\windows\system32\wdmaud.drv
2009-05-09 13:33 49,211 a------- c:\windows\system32\usrvpa.dll
2009-05-09 13:33 45,116 a------- c:\windows\system32\usrvoica.dll
2009-05-09 13:33 49,209 a------- c:\windows\system32\usrv80a.dll
2009-05-09 13:33 102,457 a------- c:\windows\system32\usrv42a.dll
2009-05-09 13:31 157,696 a------- c:\windows\system32\paqsp.dll
2009-05-09 13:30 63,744 a------- c:\windows\system32\drivers\mf.sys
2009-05-09 13:29 707 a------- c:\windows\_default.pif
2009-05-09 13:28 867,840 a------- c:\windows\system32\wbdbase.ita
2009-05-09 13:27 130,048 a------- c:\windows\system32\progman.exe
2009-05-09 13:26 290,816 a------- c:\windows\system32\msnsspc.dll
2009-05-09 13:25 290,816 a------- c:\windows\system32\l3codeca.acm
2009-05-09 13:23 20,192 ac------ c:\windows\system32\dllcache\dpti2o.sys
2009-05-09 13:22 26,496 ac------ c:\windows\system32\dllcache\asc.sys
2009-05-09 13:09 64 a------- C:\MOVE_RECOVERY
2009-05-09 13:08 <DIR> --d----- C:\My Backup -- 09-05-09 1008AM
2009-05-09 11:43 <DIR> --d----- c:\program files\common files\ATI Technologies
2009-05-09 11:41 <DIR> --d----- c:\program files\ATI Technologies
2009-05-03 11:52 <DIR> --d----- c:\program files\Bochs-2.4

==================== Find3M ====================

2009-05-12 04:15 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-05-09 18:16 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-09 11:19 94,291 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 4:37:16.59 ===============
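The "Pseudo HJT Report" section of the DDS log above is where the persistence the poster describes shows up: the Winlogon Userinit value has a second executable (ntos.exe) chained after the real userinit.exe, several Run entries point into c:\windows\temp and the profile root, a randomly named DLL is registered as a BHO, a DLL is loaded into every process via AppInit_DLLs, and Registry Editor is disabled by policy. The following Python script is an added example (not part of the original post or of the DDS tool) that applies those triage rules to sample report lines modelled on the log above. The rule names, the "no vowels means generated name" heuristic, and the regular expressions are assumptions of this example, not anything DDS itself defines.

```python
import re
from typing import List, Tuple

# Constructed sample: lines in the shape DDS prints in its "Pseudo HJT Report"
# section, modelled on the log in this thread (an assumption of this example).
SAMPLE_REPORT = r"""
uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\sdrgfcvbf.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\sdrgfcvbf.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
dRun: [Diagnostic Manager] c:\windows\temp\4188530454.exe
dRun: [<NO NAME>] c:\windows\temp\foyetpcws.exe
dRun: [reader_s] c:\documents and settings\1\reader_s.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
"""

Finding = Tuple[str, str]  # (rule name, offending report line)

# Line shapes DDS uses for the entries we care about (assumed patterns).
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat|dll))"?(?:\s|$)', re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)")
BHO_RE = re.compile(r"^(?:BHO|STS): .*\{[0-9a-f-]+\} - (?P<dll>.+)$", re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
# An .exe sitting directly in a profile root (c:\documents and settings\<user>\x.exe)
PROFILE_ROOT_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.(?:exe|scr|com)$", re.I)
# Policies that lock the user out of the tools needed to inspect the machine.
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}


def looks_random(path: str) -> bool:
    """Heuristic: a module name of six or more letters with no vowels at all
    is typical of generated names (sdrgfcvbf.dll) and rare for real products."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= 6 and not re.search(r"[aeiouy]", stem, re.I)


def _check_userinit(line: str) -> List[Finding]:
    """Userinit should be exactly one entry: the real userinit.exe."""
    value = line.split("=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    legit = [e for e in entries if e.lower().endswith("\\userinit.exe")]
    if len(entries) != 1 or len(legit) != 1:
        return [("userinit-chain", line)]
    return []


def triage_line(line: str) -> List[Finding]:
    """Apply every rule to a single report line and return what fired."""
    line = line.strip()
    findings: List[Finding] = []
    if line.startswith("mWinlogon: Userinit="):
        findings += _check_userinit(line)
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        exe_match = EXE_RE.match(cmd)
        exe = exe_match.group("path") if exe_match else cmd
        if not name or name == "<NO NAME>":
            findings.append(("run-unnamed", line))
        if TEMP_DIR_RE.search(exe) or PROFILE_ROOT_RE.match(exe):
            findings.append(("run-from-temp-or-profile", line))
    m = POLICY_RE.match(line)
    if m and m.group("key") in LOCKOUT_POLICIES and m.group("val") != "0":
        findings.append(("policy-lockout", line))
    # Any AppInit_DLLs value is worth a look: it is injected into every GUI process.
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        findings.append(("appinit-dll", line))
    m = BHO_RE.match(line)
    if m and looks_random(m.group("dll")):
        findings.append(("bho-random-name", line))
    return findings


def triage_report(text: str) -> List[Finding]:
    """Run triage_line over a whole Pseudo HJT Report section."""
    out: List[Finding] = []
    for raw in text.splitlines():
        out += triage_line(raw)
    return out


if __name__ == "__main__":
    for rule, hit in triage_report(SAMPLE_REPORT):
        print(f"[{rule}] {hit}")
```

Run as-is it prints eight findings for the sample; feed it the text of a saved DDS log instead of SAMPLE_REPORT to use it on a real report. The rules deliberately err on the side of noise: a flagged entry is something to look up, not proof of infection, and the advice in the reply below (Virut is a file infector, so cleaning autostart entries does not restore the machine) still applies.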


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:51 AM

Posted 13 May 2009 - 06:30 AM

Hi,

I have bad news for you.

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read here why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:51 AM

Posted 16 May 2009 - 05:16 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.