Infected with multiple malware.


  • This topic is locked
2 replies to this topic

#1 shongshong

shongshong

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:06 PM

Posted 17 May 2009 - 07:10 AM

I have been infected with what seems to be multiple malware -- Coreguard virus, XP System Security Virus center, inability to access the websites of major antivirus/malware software (Malwarebytes, Norton) and online virus scanners (bitdefender, etc.).

These malware also block my ability to install Norton and other malware removal software.

I do have Malwarebytes software installed and have run it with what appears to be success. However, at this point, I am still unable to access antivirus websites or install antivirus software.

Unfortunately, this is my father's computer that I have infected, and I feel great urgency in trying to fix these problems, as I forgot to mention that occasionally I will get re-directed to a porn site, so I am extremely frustrated.

Your help is appreciated.

Posted below is from DDS:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 7:59:13.48 on 05/17/2009 Sun
Internet Explorer: 7.0.5730.11

============== Running Processes ===============


============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\windows\CouponBarIE.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ymetray] "c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -preload
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\westfi~1.lnk - c:\program files\permissiontv\bin\dmtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music engine\ymetray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Surfulater: Add &new Article - c:\program files\saig\surfulater\Surfulater.exe/SENDTOSURFULATER.HTML
IE: Surfulater: Add Article pl&us Page - c:\program files\saig\surfulater\Surfulater.exe/SENDANDATTACHTOSURFULATER.HTML
IE: Surfulater: Attac&h Page to Article - c:\program files\saig\surfulater\Surfulater.exe/ATTACHTOSURFULATER.HTML
IE: Surfulater: Book&mark this Page - c:\program files\saig\surfulater\Surfulater.exe/BOOKMARKINSURFULATER.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: SpSubLSP.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com\login
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: MIW Deployment - hxxps://129.49.168.199/downloads/MIWDeploy.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3D3BE28B-462C-45E1-AFC2-A7ACD060310B} - hxxp://216.57.8.34/FacilityLink/XMLDI2FS.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://notes2.cc.sunysb.edu/dwa8W.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://notes2.cc.sunysb.edu/dwa7W.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
TCP: {E1199BB8-0E34-4CFD-9EB8-742F785E95C4} = 127.0.0.1,192.168.1.1,192.168.1.1
TCP: {F1C4971A-8169-41F8-B974-E40ECEE55731} = 127.0.0.1
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kion9lw1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kion9lw1.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-17 07:48 1 a------- c:\windows\system32\5.tmp
2009-05-17 07:48 84 a------- c:\windows\system32\4.tmp
2009-05-17 02:12 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-17 00:11 1 a------- c:\windows\system32\12.tmp
2009-05-17 00:11 84 a------- c:\windows\system32\11.tmp
2009-05-17 00:05 1 a------- c:\windows\system32\10.tmp
2009-05-16 22:31 <DIR> --d----- C:\RootkitNO
2009-05-16 20:06 2,114 a------- c:\windows\system32\tmp.reg
2009-05-16 19:35 <DIR> --d----- c:\windows\RestoreSafeDeleted
2009-05-16 19:11 373 a------- c:\windows\system32\Installer.exe
2009-05-16 19:11 244,224 a------- c:\windows\system32\wscsvc32.exe
2009-05-16 19:11 82,432 a------- c:\windows\system32\resdll.dll
2009-05-16 18:49 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-05-16 18:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-16 18:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 18:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-16 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-16 18:10 2 a--shrot c:\windows\winstart.bat
2009-05-16 18:10 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-05-16 18:10 <DIR> --d----- c:\program files\UnHackMe
2009-05-16 17:55 1 a------- c:\windows\system32\6B.tmp
2009-05-16 17:55 84 a------- c:\windows\system32\6A.tmp
2009-05-16 16:24 55 a------- C:\xcrashdump.dat
2009-05-16 16:24 57,856 a------- C:\ijvr.exe
2009-05-16 16:23 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-16 16:23 42,496 a------- C:\jfknkkkh.exe
2009-05-16 16:23 2 a------- C:\1151824953
2009-05-16 16:23 0 a------- C:\yemeua.exe
2009-05-16 16:23 57,856 a------- C:\twsgm.exe
2009-05-16 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\91840616
2009-05-16 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11830624
2009-05-08 14:56 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-05-08 14:55 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-05-08 14:52 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-05-08 14:49 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-05-16 16:23 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-30 01:36 99,840 a------- c:\windows\system32\WS2Fix.exe
2009-03-20 14:50 3,379,200 a------- c:\windows\system32\GPhotos.scr
2009-03-19 03:06 96,384 a------- c:\windows\system32\drivers\sptd5853.sys
2009-03-18 06:59 80,795 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 66,048 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2006-03-18 12:59 409,600 ac------ c:\documents and settings\owner\remote.exe
2004-06-11 20:53 4,185,744 ac------ c:\program files\Install_AIM.exe
2004-08-29 23:18 0 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 7:59:53.76 ===============
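An added triage helper, not part of the original post or of the DDS tool, that parses lines from the "Created Last 30" section of the log above and lists the entries a malware responder would look at first. The sample lines are copied from that log, and the heuristics (root-level executables, tiny executables, all-digit directory names, several binaries landing in system32 within one minute) are my own assumed triage rules, not verdicts.

```python
import re
from collections import Counter
# Lines copied from the "Created Last 30" section of the DDS log above.
DDS_LINES = r"""
2009-05-16 19:11 373 a------- c:\windows\system32\Installer.exe
2009-05-16 19:11 244,224 a------- c:\windows\system32\wscsvc32.exe
2009-05-16 19:11 82,432 a------- c:\windows\system32\resdll.dll
2009-05-16 18:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-16 16:24 57,856 a------- C:\ijvr.exe
2009-05-16 16:23 42,496 a------- C:\jfknkkkh.exe
2009-05-16 16:23 0 a------- C:\yemeua.exe
2009-05-16 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\91840616
2009-05-08 14:49 <DIR> -cd-h--- c:\windows\ie8
"""
# Fields: "date time", size or <DIR>, 8-character attribute string, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")
SYS32 = "c:\\windows\\system32\\"

def parse_dds(text):
    """Turn DDS 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            entries.append({"stamp": stamp, "is_dir": size == "<DIR>", "attrs": attrs,
                            "size": None if size == "<DIR>" else int(size.replace(",", "")),
                            "path": path.lower()})
    return entries

def in_sys32_root(e):  # file directly under system32, not in drivers\ or deeper
    return e["path"].startswith(SYS32) and e["path"].count("\\") == 3

def triage(entries):
    """Return (path, reason) pairs worth a closer look. Assumed heuristics, not verdicts."""
    bursts = Counter(e["stamp"] for e in entries
                     if not e["is_dir"] and in_sys32_root(e) and e["path"].endswith(BINARY_EXT))
    flagged = []
    for e in entries:
        p, name = e["path"], e["path"].rsplit("\\", 1)[-1]
        if e["is_dir"]:
            if name.isdigit():
                flagged.append((p, "directory with an all-digit name"))
        elif p.count("\\") == 1 and name.endswith(BINARY_EXT):
            flagged.append((p, "executable placed directly in the drive root"))
        elif name.endswith(".exe") and e["size"] < 1024:
            flagged.append((p, "executable smaller than 1 KiB (empty or stub file)"))
        elif in_sys32_root(e) and name.endswith(BINARY_EXT) and bursts[e["stamp"]] >= 2:
            flagged.append((p, "one of several new binaries written to system32 in one minute"))
    return flagged
```

Known-good entries in the same window (mbam.sys under drivers\, the hidden ie8 folder) pass through unflagged, which is the point of keeping the rules narrow.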

#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:06 AM

Posted 23 May 2009 - 09:46 AM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:06 AM

Posted 30 May 2009 - 06:14 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





