
Malwarebytes is not running, desktop doesn't show, browser redirects, please help.

  • This topic is locked
6 replies to this topic

#1 bojadada


  • Members
  • 9 posts
  • Local time:09:14 AM

Posted 07 November 2009 - 10:41 AM

Ok, here's how this all started. I foolishly downloaded a "ms point generator" called Titan generator. I started the exe, and then nothing happened, so I deleted the file. I was worried a virus was on my computer, so I ran a scan with malwarebytes. 3 seconds into the scan, malwarebytes just shut down. And if I try to run it again, it says I don't have appropriate permissions or something like that, I don't remember because well, my desktop doesn't show. I thought something was up with the registry, so I did a registry scan with ccleaner. I fixed the selected issues with it, but after that, the desktop just disappeared. I thought that maybe the explorer.exe file was missing, but when I looked at the location it normally is, it was still there, I did that by going to new task on task manager, then browse. The only way I can run programs now is through task manager, which is how I am on internet explorer right now. Whenever I'm in google, if I click a link after I search, I get redirected, so I have to open a cached version of the page. How do I get my desktop back? How do I remove this virus? Help is really appreciated, I sure as hell can't fix this on my own. Thanks.



#2 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:14 PM

Posted 07 November 2009 - 01:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 bojadada

  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:14 AM

Posted 07 November 2009 - 05:04 PM

Ok, I just noticed that you said to disconnect from the internet when you do this. Well, the problem is, that since my desktop doesn't show, I don't know how to disable/enable my internet connection. How would I go upon doing this through task manager?

Edited by bojadada, 07 November 2009 - 11:24 PM.

#4 bojadada

  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:14 AM

Posted 08 November 2009 - 05:33 PM

I got it to work, and I got my desktop back by copying an explorer.exe from a clean computer over to my infected one, but after I right click an empty portion of my desktop, it disappears again, and I can't run explorer.exe unless I copy the clean one over again, otherwise it'll just say the file is missing. I also seem to not get browser redirects anymore, I'm still trying to see if I can scan with malwarebytes though, and I'm worried that the redirects might happen again, so I'm not gonna say my system is clean yet.

DDS (Ver_09-10-26.01) - NTFSx86
Run by frank at 16:26:37.26 on Sun 11/08/2009
Internet Explorer: 7.0.5730.13
AV: avast! antivirus 4.8.0 [VPS 091023-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\program files\fireshot for ie\FSAddin-0.76.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Livestream Procaster] "c:\program files\livestream procaster\Procaster.exe" -autorun
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [inixs] c:\windows\system32\minix32.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: download.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\frank\applic~1\mozilla\firefox\profiles\5ba8cl8l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=101676&l=null
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
FF - component: c:\documents and settings\frank\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\frank\application data\mozilla\firefox\profiles\5ba8cl8l.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

pref(dom.disable_open_during_load, true);
============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-11-08 20:44:56 0 d-----w- C:\a12fa40b0633fd42d7f7
2009-11-08 20:41:50 56320 ------w- c:\windows\system32\eventlog.dll
2009-11-08 20:41:00 19569 ----a-w- c:\windows\000001_.tmp
2009-11-08 20:33:46 0 d-----w- c:\windows\system32\CatRoot_bak
2009-11-08 19:07:04 0 d-----w- c:\program files\Malwarebytes
2009-11-07 16:05:26 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-11-07 15:06:29 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-03 23:56:40 0 d-----w- c:\program files\music
2009-11-01 19:17:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 19:17:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 19:17:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 18:34:27 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-01 18:34:11 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-01 18:34:11 0 d-----w- c:\docume~1\frank\applic~1\SUPERAntiSpyware.com
2009-11-01 17:00:47 150016 ----a-w- c:\windows\msa.exe
2009-11-01 17:00:15 0 ----a-w- c:\windows\win32k.sys
2009-10-28 03:01:59 0 d-----w- c:\program files\DVDVideoSoft
2009-10-28 03:01:59 0 d-----w- c:\program files\common files\DVDVideoSoft
2009-10-27 01:31:59 0 d-----w- c:\docume~1\frank\applic~1\DiskAid
2009-10-27 01:31:47 0 d-----w- c:\program files\DigiDNA
2009-10-26 21:25:55 0 d-----w- c:\program files\iPod
2009-10-26 21:25:43 0 d-----w- c:\program files\iTunes
2009-10-26 21:25:43 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-26 21:17:58 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-11-01 22:58:43 4588 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-22 21:16:40 389120 ----a-w- c:\windows\system32\CF13114.exe
2009-09-22 21:16:17 389120 ----a-w- c:\windows\system32\CF17296.exe
2009-09-21 20:42:53 288768 ----a-w- C:\dmhzymf1.exe
2009-09-21 11:59:19 34816 ----a-w- c:\windows\system32\drivers\rootrepeal_2.sys
2009-09-20 11:44:56 2198 ----a-w- C:\Z3gR5.bat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 02:16:07 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-09-09 02:16:02 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-14 02:08:29 36868 ----a-w- c:\program files\uninst-Particular.exe
2008-09-22 23:13:00 3676 ----a-w- c:\program files\libb.txt

============= FINISH: 16:27:31.39 ===============


Edited by bojadada, 08 November 2009 - 06:03 PM.
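The DDS log above is what the helper reads by hand; the following is an added example (not part of the thread, not a DDS or BleepingComputer tool) of the same first-pass triage done in code. It parses the autorun (uRun/mRun/dRun) and "Created Last 30"/Find3M lines and flags the patterns a responder would look at first: Default User hive autoruns, executables dropped straight into the drive root or the Windows directory, core Windows binary names showing up as newly created, and zero-byte executables. The sample lines are a constructed subset modelled on the posted log.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the DDS log above (a subset of its lines, not the full log).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [inixs] c:\windows\system32\minix32.exe
2009-11-08 20:41:50 56320 ------w- c:\windows\system32\eventlog.dll
2009-11-01 17:00:47 150016 ----a-w- c:\windows\msa.exe
2009-11-01 17:00:15 0 ----a-w- c:\windows\win32k.sys
2009-09-21 20:42:53 288768 ----a-w- C:\dmhzymf1.exe
2009-09-20 11:44:56 2198 ----a-w- C:\Z3gR5.bat
2009-10-26 21:17:58 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
"""

# "<timestamp> <size> <8 attribute flags> <path>" as DDS prints file entries
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
# "uRun/mRun/dRun: [value name] command line"
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s+(.+?)\s*$")
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".scr", ".com"}
# Genuine Windows binaries that belong in system32. Seeing one newly created, or a
# same-named file elsewhere, is what prompted the eventlog.dll/win32k.sys checks here.
CORE_BINARIES = {"win32k.sys", "eventlog.dll"}

def _parent(path):
    return str(PureWindowsPath(path).parent).lower().rstrip("\\")

def _unusual_dir(path):
    # Drive root (c:) or the Windows directory itself (c:\windows): legitimate
    # installers almost never drop executables there.
    return re.fullmatch(r"[a-z]:(\\windows)?", _parent(path)) is not None

def _cmd_path(cmd):
    # First token of the command line, honouring a quoted path with spaces.
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)

def triage_dds(text):
    """Return (path, reason) findings for autorun and file entries of a DDS log."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, _name, cmd = m.groups()
            path = _cmd_path(cmd)
            if hive == "d":
                findings.append((path, "dRun: autorun under the Default User hive, rarely legitimate"))
            if _unusual_dir(path):
                findings.append((path, "autorun points at an executable in the drive root or Windows dir"))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        _ts, size, _attrs, path = m.groups()
        p = PureWindowsPath(path)
        suffix, name = p.suffix.lower(), p.name.lower()
        if suffix in EXEC_EXT and _unusual_dir(path):
            findings.append((path, "executable created directly in the drive root or Windows dir"))
        if name in CORE_BINARIES:
            findings.append((path, "core Windows binary newly created; compare with the ServicePackFiles copy"))
        if suffix in EXEC_EXT and int(size) == 0:
            findings.append((path, "zero-byte executable, typically a placeholder or a failed replacement"))
    return findings

if __name__ == "__main__":
    for path, reason in triage_dds(SAMPLE_DDS):
        print(f"{path}: {reason}")
```

The heuristics only narrow the list for a human; anything flagged still needs the hash or date comparison against a known-good copy that the helper asks for in the next post.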

#5 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:14 PM

Posted 10 November 2009 - 11:33 AM

Hi bojadada,

We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.

1. We need to settle some issues before we go to the cleaning process:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please follow the next instructions if you decided that we do the cleaning process:

2. Please save this FILE to your desktop. Click on Start > Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

3. Please do the following:

1. Click on the Start button, then click on Run...
2. In the empty "Open:" box provided, type cmd and press Enter

This will launch a Command Prompt window (looks like DOS).

3. Copy the entire Bold text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
5. Press Enter.

When successful, you should get this message within the Command Prompt: "1 file(s) copied"
NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #4) won't work if the file copy was not successful.

6. Exit the Command Prompt window.

4. Download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Logs that I need to see when you reply are:
  • Win32kDiag.txt
  • Avenger.txt




#6 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:14 PM

Posted 15 November 2009 - 01:04 AM


Are you still with us?



#7 Farbar


    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:14 PM

Posted 17 November 2009 - 10:09 AM

The topic is closed due to lack of activity.

If you need the topic to be reopened send a PM to us within a couple of days.
