
Zlob will not go away.. HELP, I have this stupid trojan that will not go away


  • This topic is locked
19 replies to this topic

#1 falkon

falkon

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 20 June 2009 - 10:34 AM

I have no idea what I need to do.. I keep getting this Zlob thing on my Firefox. It keeps shutting it down.. Firefox people don't help at all.. they don't even respond to any queries..

Can someone help?

I was told i needed to run hijackthis and post a log here..

Just a note. I hardly ever have a need for IE. If it has been used in the last 6 months, then it was someone using my computer.. I hate IE.. However, I am considering that Firefox is just as bad with this one bug that won't go away.

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:21 AM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Netviews Wireless Monitor\WLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Netviews Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\My Backup -- 08-12-12 1148PM\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W3118
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3118
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3118
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W3118
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9188f700-d63c-4c11-ac8a-d73924e8ec5c} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231691800234
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: qoMcdEts - qoMcdEts.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Wireless 802.11g PCI Adapter (Netviews Wireless Service) - Unknown owner - C:\Program Files\Netviews Wireless Monitor\WLService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10328 bytes

Edited by falkon, 20 June 2009 - 10:36 AM.
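The HijackThis log above is a format that can be triaged mechanically before a helper reads it line by line. The following Python script is an added example for this thread; it is not part of the original post and is not a HijackThis, Trend Micro or BleepingComputer tool. It parses HJT 2.x entry lines (`R0`/`R1`, `O2`, `O8`, `O20`, `O23` and so on) and flags the kinds of entries a log reader looks at first: a BHO whose DLL is gone, a Winlogon Notify DLL that is missing or listed without a path, a context-menu item whose target is not a resource or URL, and a service with no publisher. The embedded sample log is a constructed excerpt modelled on the log above, and the flagging rules are heuristics chosen for this example, not HijackThis's own logic; a flag means "verify", not "malicious".

```python
"""Triage a HijackThis 2.x log for entries that deserve a second look."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    reason: str    # why the entry deserves attention
    entry: str     # the original log line


# Constructed sample modelled on the HJT log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9188f700-d63c-4c11-ac8a-d73924e8ec5c} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: qoMcdEts - qoMcdEts.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry line starts with a section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_entries(log_text):
    """Yield (section, body, line) for each entry; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def classify(section, body, line):
    """Return a Finding for an entry that warrants attention, else None (heuristics for this example)."""
    # The last " - "-separated field of an O2/O8/O20 entry is the file or target.
    target = body.split(" - ", 1)[-1]
    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "BHO CLSID registered but its DLL is gone (orphan entry)", line)
    if section == "O20":
        # Winlogon Notify is a legacy autostart point that adware of this era often abused.
        if "(file missing)" in target:
            return Finding(section, "Winlogon Notify DLL missing: leftover of a removed component", line)
        if not FULL_PATH_RE.match(target):
            return Finding(section, "Winlogon Notify DLL listed without a full path", line)
    if section == "O8" and not re.match(r"^(res://|https?://|[A-Za-z]:\\)", target):
        return Finding(section, "context-menu item with an unresolvable target", line)
    if section == "O23" and "Unknown owner" in body:
        return Finding(section, "service with no publisher: verify the binary by hand", line)
    if section.startswith("R") and "=" in body:
        url = body.split("=", 1)[1].strip()
        if url and not url.startswith(("http://", "https://", "about:")):
            return Finding(section, "browser start/search setting with a non-URL value", line)
    return None


def triage(log_text):
    """Return the findings for a whole HJT log, in log order."""
    return [f for f in (classify(s, b, l) for s, b, l in parse_entries(log_text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.entry}")
```

Run against the sample, the script flags exactly the orphan BHO, the `&Search - ?p=ZKfox000` context-menu item, the missing `qoMcdEts.dll` Winlogon Notify entry and the publisher-less `PnkBstrA` service, and leaves the Adobe, AVG, NVIDIA and Excel entries alone. The path-or-resource tests are deliberately strict so that a reviewer sees every entry HijackThis could not resolve to a file; whether a flagged entry is malicious is still a judgement call.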



#2 falkon

falkon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 20 June 2009 - 05:02 PM

Additional problem... my "Ulead VideoStudio 8 SE Basic" program crashes upon startup. This is getting stupid!! All this crap is upsetting me! I NEED this program to work!!! It worked fine until I started running spy scanners.. Obviously this stupid $#!T is starting to affect the rest of my computer... People who write viruses and malware should be charged with vandalism and tossed in jail after being strung up by the Nads!!!!

I do work in the Film industry and although I am not a Film Editor.. I do edit some video from the behind the scenes stuff and from my own home videos. I also use this program to work with RAW sound files as my camera has an excellent mic on it. If this program doesn't work.. I'm SCREWED!

What it does is begin to startup.. then it pops up a this program has to shut down.. would you like to send Microsoft an error report... Like these boobs are gonna fix anything!!! I know what the main problem is.. Microsoft sucks!!!! Windows has been the biggest bug in computers since version 3.1!!!!

Anyway.. Can someone help me here? Please??

--

I know I am not supposed to make changes on my system until someone looks over my hijackthis log.. but I have no choice while I am waiting.. I need to try and uninstall my program and reinstall...

I will upload another log if I need to.. but this is getting really problematic.. I HATE HACKERS, VIRUS WRITERS, and other Losers who make this crap!! Why are they NOT looking for the morons who write this stuff and arresting them??????

#3 falkon

falkon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 20 June 2009 - 05:28 PM

Ok.. so I uninstalled my Video Editor and reinstalled.. It still won't run!!! Need Help ASAP...

Thanks

Hello falkon,

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 20 June 2009 - 05:41 PM.


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:11 AM

Posted 25 June 2009 - 03:19 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 falkon

falkon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 27 June 2009 - 12:20 AM

Ok. So I have installed Avast free edition and it found a couple of problems. Nothing that involved Zlob. I tried something called SmitfraudFix in Safe Mode. It did appear to do something and the zlob doesn't seem to be showing up. However, I think the Global ad solutions Contextual Ads thing is still in there attached to my Firefox browser. I put a plugin on FF called NoScript. It seems to allow me to control what I see on the internet a little better. The problem is now that this NoScript is blocking the contextual ads that it keeps crashing my FF Browser and wants to send a message to FF about the cause of the crash. It does this A LOT! I'm a little worried about this sending of an error report when I block a spyware or Trojan..

Now, My other serious issue is my Ulead Video Studio 8 SE Basic. I have uninstalled it and reinstalled it and it still will not open. It gets to the start screen right before the program should open, then crashes and gives me one of those useless error messages that the program had to shut down and would I like to send this log to Microsoft so they can work on the problem.. I already know the chances of Microsoft working on my problem.. For that matter I know how likely Mozilla will help me with Firefox.. Hence I am Here.

Anyway, I have no clue what is happening to my Video Studio.. I NEED this program badly. All I get from Tech support from what used to be Ulead, and now seems to be Corel, is that they phased out support for my product and they would surely help me get an upgrade.. Yet again something I don't need. If my program didn't do everything I wanted it to I would upgrade. As it is, this program does MORE than I need, so I'd like to get it back up and running. Without spending more than I paid for this one to ... "Upgrade"... I just don't need their new program... That and this thing was working fine before and now it isn't. Maybe something is missing.

So.. I have no idea what is still in there as far as spyware or trojans.. Somehow I think either getting a bug or getting rid of a bug or what an anti malware thought was a bug, may have done away with something my program needs.. It worked fine when I had AVG antivirus telling me I had Zlob every 5 mins...



Can You Please, please help me here? This thing is giving me a headache..

Thanks

Sam

:thumbup2:

Attached Files

  • Attached File  DDS.txt   12.13KB   4 downloads


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:11 AM

Posted 27 June 2009 - 08:33 AM

Hello falkon,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.



#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:11 AM

Posted 27 June 2009 - 12:45 PM

Hello falkon,


Please follow all instructions in the order given. If you don't understand an instruction or can't complete an instruction, please Stop there and post your problem so we can find a solution.

1.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or AVAST.

Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Either AVG or AVAST

Additional instructions can be found here if needed.

2.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while it's running because it may cause it to stall.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Gmer log
DDS txt
How is your computer running now?



#8 falkon

falkon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 28 June 2009 - 02:59 PM

Ok.. I did those scans. The system still seems to be slow and I still can't access my Ulead VideoStudio 8 SE Basic. Same error message. Also, my FireFox still crashes .. Firefox seems to have this Yoog Search trying to take over too. I keep removing it but it comes back.

I realize that the AVG antivirus program is still on here. I have disabled AVG and it doesn't monitor. Avast is the main anti virus and is monitoring. The thing is, sometimes AVG finds things when I run a scan that Avast doesn't .. That is why I have both. I would like to keep AVG as a manual scanner. As I said, I have it disabled..

Anyway, Here are my logs.

Attached Files



#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:11 AM

Posted 29 June 2009 - 07:14 PM

Hello falkon,


1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
2.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows ( especially FireFox ) are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom,copy and paste in the following

    :OTL
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www1.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www2.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www3.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www5.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www6.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www7.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www8.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www9.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www10.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www11.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www13.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www14.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www15.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www26.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www27.yoog.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www28.yoog.com/
    IE: &Search - ?p=ZKfox000

    FF - prefs.js..browser.search.defaulturl: "http://www28.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www28.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www28.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www28.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaultenginename: "Yoog Search"
    FF - prefs.js..browser.search.defaulturl: "http://www14.yoog.com/search.php?q="
    FF - prefs.js..browser.search.selectedEngine: "Yoog Search"
    FF - prefs.js..keyword.URL: "http://www14.yoog.com/search.php?q="
    FF - user.js..browser.search.defaultenginename: "Yoog Search"
    FF - user.js..browser.search.defaulturl: "http://www14.yoog.com/search.php?q="
    FF - user.js..browser.search.selectedEngine: "Yoog Search"
    FF - user.js..keyword.URL: "http://www14.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www8.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www8.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www8.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www8.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www15.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www15.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www5.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www7.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www7.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www7.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www7.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www13.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www13.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www13.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www13.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www3.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www3.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www3.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www3.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www10.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www10.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www10.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www10.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www11.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www11.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www11.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www11.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www2.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www2.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www2.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www2.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www26.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www26.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www26.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www26.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www5.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www5.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www5.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www5.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www1.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www1.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www1.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www1.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www9.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www9.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www9.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www9.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www6.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www6.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www6.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www6.yoog.com/search.php?q="
    FF - prefs.js..browser.search.defaulturl: "http://www27.yoog.com/search.php?q="
    FF - prefs.js..keyword.URL: "http://www27.yoog.com/search.php?q="
    FF - user.js..browser.search.defaulturl: "http://www27.yoog.com/search.php?q="
    FF - user.js..keyword.URL: "http://www27.yoog.com/search.php?q="
    FF - user.js..keyword.enabled: true

    :Services
    kxnxqjuh
    hufeyynv
    aylnlfdx

    :Files
    %ProgramFiles%\IEToolbar
    %ProgramFiles%\Mozilla Firefox\components\nsadzgalore.dll
    %ProgramFiles%\Mozilla Firefox\components\nsadsoftinc.dll
    %ProgramFiles%\Mozilla Firefox\components\nsBrowserOpt.dll
    %ProgramFiles%\Mozilla Firefox\searchplugins\Yoog.xml
    %ProgramFiles%\Mozilla Firefox\components\nsBrowserDc.dll
    %ProgramFiles%\Mozilla Firefox\components\nsdcads.dll
    %APPDATA%\Mozilla\Firefox\Profiles\Yoog Search.xml /s
    %PROGRAMFILES%\Mozilla Firefox\components\mexmgzdhgnvqilpib.dll
    %SystemRoot%\system32\mexmgzdhgnvqilpib.dll
    %PROGRAMFILES%\mozilla firefox\components\zvakwomxas.dll
    %SystemRoot%\system32\zawcukanoit.exe
    %SystemRoot%\System32\lkvwtxiako.dll
    %SystemRoot%\system32\zvakwomxas.dll
    %SystemRoot%\system32\dgbzetddjouspgzqz.dll
    %SystemRoot%\System32\nsn*.dll
    %SystemRoot%\nmwi*.exe
    %SystemRoot%\system32\nsx*.dll
    %SystemRoot%\system32\nsj*.dll
    %SystemRoot%\system32\nsv*.dll
    %systemroot%\system32\nsf*.dll
    %systemroot%\mutfp*.exe
    %systemroot%\obwu*.exe
    %systemroot%\ntaj*.exe
    %systemroot%\nwuhr*.exe
    %systemroot%\System32\nss*.dll
    %SystemRoot%\system32\*-uninst.exe
    %SystemRoot%\system32\*-remove.exe
    %systemroot%\system32\nsr*.dll
    %systemroot%\reax*.exe
    %systemroot%\giptf*.exe
    %systemroot%\tkoo*.exe
    %systemroot%\axjth*.exe
    %systemroot%\ertbg*.exe
    %systemroot%\jnnmp*.exe
    %systemroot%\bprxe*.exe
    %systemroot%\xwisg*.exe
    %systemroot%\jpng*.exe
    %systemroot%\fhsv*.exe
    %systemroot%\dfmqc*.exe
    %systemroot%\wgfp*.exe
    %systemroot%\gweq*.exe
    %systemroot%\pxwis*.exe
    %systemroot%\fcvmq*.exe
    %systemroot%\System32\hfkxlchuhv.dll
    %systemroot%\System32\nst*.dll
    %systemroot%\dmkv*.exe
    %systemroot%\system32\nseE*.dll
    %systemroot%\System32\nsk*.dll
    %systemroot%\system32\mexmgzdhgnvqilpib.dll
    %systemroot%\system32\ibgyxrpdcrlay.dll
    %systemroot%\system32\ympweffizcodl.exe
    %systemroot%\kdiue732.txt
    %systemroot%\system32\jmcvcflmiugsrfia.exe
    %PROGRAMFILES%\VnrBlock
    %PROGRAMFILES%\iCheck
    %systemroot%\tvilp*.exe
    %systemroot%\itqot*.exe
    %systemroot%\system32\wskuofzpxkxdb.exe
    %systemroot%\tutvo*.exe
    %systemroot%\hsep*.exe
    %systemroot%\system32\pihtwcdtsghokinvg.dll
    %systemroot%\system32\juluypfvhofv.dll
    %systemroot%\system32\nsi*.dll
    %systemroot%\system32\nsl*.dll
    %systemroot%\system32\gchnamepziopknko.dll
    %systemroot%\system32\pihtwcdtsghokinvg.dll
    %systemroot%\system32\yprhhrqubcbujp.exe
    %systemroot%\system32\ucicolizrhssr.dll
    %systemroot%\system32\hiwdrlnk.exe
    %USERPROFILE%\Start Menu\Programs\Startup\runit_32.lnk
    %PROGRAMFILES%\runit
    %systemroot%\System32\dsygtypzdloyoxivg.exe
    %systemroot%\System32\nsg*.dll
    %systemroot%\System32\jifgoojjyhmkthcfk.dll
    %systemroot%\System32\qdfggdhhofhhylbfx.exe
    %ProgramFiles%\mozilla firefox\components\????????-????-????-????-????????????.dll
    %systemroot%\System32\????????-????-????-????-????????????.exe
    c:\windows\system32\drivers\phqghume.sys
    c:\windows\system32\drivers\ezxwqjso.sys
    c:\windows\system32\drivers\ahhmdmqq.sys

    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0d2e786-354b-fea1-8de7-883e7524e6d2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2fe5f61-3eb4-4e22-7c84-f52993635f52}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f20e8516-7d08-c1e3-e689-96d39bb42220}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ad7781e6-d262-25f8-389d-967a6d974748}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{314506e6-db9d-d679-08b6-c16f288ad5c9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC4A7813-6844-2FF3-D929-DCB471E346AB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77cab7d9-e377-ddfc-7d69-cd9cab0e10ff}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8620A38-0404-12B1-FA60-5A0C1FB1C6A5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B188763A-902C-98E9-780E-DAA0BF25BBFD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4c18a538-eb55-9029-1fdb-37769fbefee2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{314506e6-db9d-d679-08b6-c16f288ad5c9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC4A7813-6844-2FF3-D929-DCB471E346AB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58b39041-fe10-d989-5b61-50d6fe664b48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{994b5fb4-0103-44a6-b6b3-c73572b362bc}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8217294-fa91-dd4d-ba56-4561001b63c8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{670b520c-3f08-4d72-94a5-047740c07766}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78f9a905-789c-d4b1-d5d6-336920981691}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78ff6579-e7fe-8225-43c1-3fe7864edc62}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8217e11-e93b-fc21-7455-fea561f86263}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlhbxrcsmhodrzf]

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • The fix should only take a few minutes to run. If it appears to freeze then try it again.
Things to include in your next reply:
OTL log
DDS logs
Yoog still taking over your Firefox?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 falkon
  • Topic Starter
  • Members
  • 31 posts

Posted 29 June 2009 - 10:56 PM

Ok. So I tried to run that program with the fix pasted. It locked up and stopped responding. I followed the directions to the T.. Even copied, pasted in a txt, and printed.

The program stops responding within a few seconds. I let it sit there for over an hour as it did nothing. It looked as if it stopped the fix while looking at something to do with IE.

So what do I do now?

Yoog is still there.. No idea what else is still with me..



#11 falkon
  • Topic Starter
  • Members
  • 31 posts

Posted 30 June 2009 - 04:20 PM

Ok.. I took out the first line of that fix you posted.. Then I ran it.. it rebooted..

Everything is still as it was... My Ulead Video Studio still will not open.. Yoog is still there.. As for any other issues.. I don't know if the FF Browser will still crash.. I just opened it back up... I still don't know if the Contextual ad by Global ad solutions is there or not.. What a mess.....


So here is my log..

Attached Files



#12 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 July 2009 - 08:13 PM

Hello falkon,

1.
We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    
    FF - prefs.js..keyword.URL: "http://www10.yoog.com/search.php?q="
    FF - prefs.js..browser.search.selectedEngine: "Yoog Search"
    C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\r6odbuqw.default\searchplugins\Yoog Search.xml
    
    :Commands
    [emptytemp]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
2.
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Things to include in your next reply:
OTL report
MBAM report
How is your computer running now? Is "YOOG" still redirecting?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
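As an added example (not code from this thread, from OTL or from Mozilla), the Python below audits a Firefox profile's prefs.js and user.js for the kind of search-preference hijack both OTL fixes above remove; the trusted host and engine names and the sample pref lines are constructed for this example.

```python
"""Audit a Firefox profile's prefs.js / user.js for search hijacks of the kind
the OTL fixes in this thread remove: keyword.URL and browser.search.* pointing
at yoog.com. Example code for this page, not OTL's or BleepingComputer's."""
import re
from urllib.parse import urlparse

# Prefs the hijack rewrote: keyword.URL decides where address-bar keyword
# searches go, the browser.search.* prefs pick the default search engine.
SEARCH_PREFS = {
    "browser.search.defaulturl",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
}
# Assumption for this example: the hosts and engine names the owner expects.
TRUSTED_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
TRUSTED_ENGINES = {"Google", "Yahoo", "Bing"}
# One line of prefs.js/user.js syntax:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {pref_name: value}; string values unquoted, others kept raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs

def check_pref(name, value):
    """Return a reason string if a search pref looks hijacked, else None."""
    if name not in SEARCH_PREFS:
        return None
    if value.startswith(("http://", "https://")):
        host = urlparse(value).hostname or ""
        return None if host in TRUSTED_HOSTS else f"untrusted search host {host}"
    return None if value in TRUSTED_ENGINES else f"unknown engine name {value!r}"

def audit_profile(prefs_js, user_js=None):
    """Return sorted (file, pref, reason) findings; user_js=None if absent.

    Firefox never writes user.js itself and re-applies every pref in it on
    each start, so a hijack living there survives a fix that only edits
    prefs.js. That is why the OTL fix lists both files.
    """
    findings = []
    for fname, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        if text is None:
            continue
        prefs = parse_prefs(text)
        if fname == "user.js" and prefs:
            findings.append((fname, "*", "user.js present: overrides prefs.js on every start"))
        for name, value in prefs.items():
            reason = check_pref(name, value)
            if reason:
                findings.append((fname, name, reason))
    return sorted(findings)

# Constructed sample input, modelled on the FF lines in the OTL fix above.
SAMPLE_PREFS_JS = """\
user_pref("browser.search.defaulturl", "http://www14.yoog.com/search.php?q=");
user_pref("browser.search.selectedEngine", "Yoog Search");
user_pref("browser.startup.homepage", "http://www.mozilla.com/firefox");
user_pref("keyword.URL", "http://www14.yoog.com/search.php?q=");
user_pref("network.cookie.cookieBehavior", 0);
"""
SAMPLE_USER_JS = """\
user_pref("browser.search.defaulturl", "http://www8.yoog.com/search.php?q=");
user_pref("keyword.enabled", true);
"""

if __name__ == "__main__":
    for fname, pref, reason in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"{fname}: {pref}: {reason}")
```

Run against a real profile by reading the two files from the profile directory and passing their contents; a non-empty result for user.js is worth a look even when prefs.js is clean.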


#13 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 July 2009 - 09:19 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 falkon
  • Topic Starter
  • Members
  • 31 posts

Posted 04 July 2009 - 11:45 PM

Ok.. I have done that.. I already have MWB 1.38.

Nothing has changed. Yoog is still on my FFox, SO is the contextual ad global ad solutions. My FFox still crashes whenever it feels like it. Now when I try to watch a video online, the browser hangs up while trying to open Adobe Flash in another window. By the way, I wouldn't think this is funny except the video is running in another program entirely so the idea that Flash would open makes no sense. Then of course when that opens.. Everything freezes and the sound just goes on by itself. I still can't use my Video Studio 8... This is what I get:
Ulead VideoStudio has encountered a problem and needs to close. We are sorry for the inconvenience.

I use that Ulead program every day.. I have no idea what has gone wrong with it. I have uninstalled several times and reinstalled. Something is conflicting with it or blocking me from opening it. It has always worked without a problem. I don't even remember that program ever crashing.. ever.... I need this video studio software working more than I need security on my computer.. I am at a loss and have filled up all my tapes with nowhere to dump the video.. I'm stuck...

This whole situation has completely bummed me out and even a long weekend won't cure it.. even with fireworks, beer and hot dogs cooked on the grill next to the steak and the tuna..

Sorry it took me so long to reply. I wasn't able to get online for a day as the Internet connection was out and we had to get a new cable modem.

Thank you for the help so far.. I hope I am giving enough info to work with..




----

----

Malwarebytes' Anti-Malware 1.38
Database version: 2366
Windows 5.1.2600 Service Pack 3

7/3/2009 9:00:47 AM
mbam-log-2009-07-03 (09-00-47).txt

Scan type: Quick Scan
Objects scanned: 92166
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files
  • OTL3.Txt (100.8KB)


#15 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 July 2009 - 09:52 PM

Hello falkon,

We need to reinstall Firefox.

1.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Mozilla Firefox 3.0.11

Additional instructions can be found here if needed.

2.
Revealing hidden files

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

3.
Use Windows Explorer to find and delete these folders:

C:\Documents and Settings\Owner\Application Data\Mozilla
C:\My Backup (delete anything you find in this folder, but don't delete the folder itself)
C:\Program Files\Mozilla Firefox


As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop, or press the Windows key + E.
Double click on Local Disk (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then, from the menu that appears, click on Delete




4. Hiding hidden files

Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

5.
Please download Firefox 3.5 from here.

6.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Things to include in your next reply:
Nod32 log
A new DDS log
Is "Yoog" still redirecting?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif




