Malware, Virus?


This topic is locked
11 replies to this topic

#1 cowgirlup914

Posted 26 December 2009 - 09:42 AM

I booted up my computer this a.m. and got a message:

c:\windows\system32\kifekeye.dll not found.

I ran a virus program, tried to run MalwareBytes but got a message stating it couldn't be found and I used it yesterday. I uninstalled it and when I tried to reinstall, I got an error message. I also use CleanUp.

I am attaching my HiJack This log for help:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:35 AM, on 12/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\lib.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nutekilek] Rundll32.exe "c:\windows\system32\kifekeye.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Lost%20Treasures%20of%20El%20Dorado/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://members.driverguide.com/director/di...de=toolkit_lite
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/html - {2918cf51-ccfc-41a7-a3f3-7371e6cfa9c5} - C:\WINDOWS\default32.dll
O20 - AppInit_DLLs: royegize.dll c:\windows\system32\kifekeye.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: borejozuf - {b719bce2-caf8-4f55-b063-72a7590692b0} - c:\windows\system32\kifekeye.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {b719bce2-caf8-4f55-b063-72a7590692b0} - c:\windows\system32\kifekeye.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0138861222259621) (0138861222259621mcinstcleanup) - Unknown owner - C:\DOCUME~1\Suzanne\LOCALS~1\Temp\013886~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7887 bytes


Thanks for your help! :(
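The log above shows the same DLL (kifekeye.dll) wired into several autostart locations at once (O4 Run, O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler), which is the pattern a responder looks for. As an added example, not code from the thread or from HijackThis, here is a small Python parser that cross-references HijackThis entries by the binary they load and reports such clusters; the log excerpt inside it is constructed from the lines posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the HijackThis log posted above (only the lines that matter here).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\lib.dll (file missing)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [nutekilek] Rundll32.exe "c:\windows\system32\kifekeye.dll",a
O18 - Filter hijack: text/html - {2918cf51-ccfc-41a7-a3f3-7371e6cfa9c5} - C:\WINDOWS\default32.dll
O20 - AppInit_DLLs: royegize.dll c:\windows\system32\kifekeye.dll
O21 - SSODL: borejozuf - {b719bce2-caf8-4f55-b063-72a7590692b0} - c:\windows\system32\kifekeye.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {b719bce2-caf8-4f55-b063-72a7590692b0} - c:\windows\system32\kifekeye.dll (file missing)
"""

# A drive-letter path up to a binary extension, or a bare module name (AppInit_DLLs lists bare names).
PATH_RE = re.compile(r"(?i)([a-z]:\\.*?\.(?:dll|exe|ocx|scr|cpl)\b|\b[\w~-]+\.(?:dll|exe|ocx|scr|cpl)\b)")
ENTRY_RE = re.compile(r"^([ROF]\d+) - (.*)$")
# Sections whose entries load code automatically at boot, logon or browser start.
AUTOSTART = {"O2", "O3", "O4", "O18", "O20", "O21", "O22", "O23"}


def parse_entries(text):
    """Yield (section, line, [lower-cased binary paths]) for each HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        yield m.group(1), line, [p.lower() for p in PATH_RE.findall(m.group(2))]


def find_suspects(text):
    """Report binaries that (a) are loaded from more than one autostart location,
    (b) are already missing from disk in an autostart entry (orphaned remnant), or
    (c) sit in AppInit_DLLs or an HTML filter hijack, which are rarely legitimate."""
    sections, reasons = defaultdict(set), defaultdict(set)
    for section, line, paths in parse_entries(text):
        for p in paths:
            if p.rsplit("\\", 1)[-1] == "rundll32.exe":  # the loader, not the payload
                continue
            sections[p].add(section)
            if "(file missing)" in line.lower() and section in AUTOSTART:
                reasons[p].add("file missing")
            if "AppInit_DLLs" in line or "Filter hijack" in line:
                reasons[p].add("unusual load point")
    for p, secs in sections.items():
        if len(secs & AUTOSTART) > 1:
            reasons[p].add("multiple autostart locations")
    return {p: {"sections": sorted(sections[p]), "reasons": sorted(r)}
            for p, r in reasons.items()}


if __name__ == "__main__":
    for path, info in find_suspects(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(info['reasons'])} [{' '.join(info['sections'])}]")
```

Run against the full log, the AVG, Apple and Office entries drop out and only the kifekeye.dll cluster, the default32.dll filter hijack and the orphaned lib.dll BHO remain.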


#2 miekiemoes

Malware Response Team

Posted 27 December 2009 - 03:13 AM

Hi,

To run malwarebytes when you get the error code 2 during install, or mbam.exe gets deleted, please see here:

http://www.malwarebytes.org/forums/index.php?showtopic=29028
Once malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.
Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.
After reboot, post the malwarebytes log together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cowgirlup914


Posted 27 December 2009 - 07:51 PM

Thanks, I tried that link and I got an error code. I did download Avira and it worked pretty well.

#4 miekiemoes


Posted 28 December 2009 - 12:49 AM

Hi,

I'm confused now...

Normally the instructions I posted should allow mbam to run again, unless you're doing something different from what was instructed.

Did you place the renamed exe file in your C:\Program Files\Malwarebytes antimalware folder and launch it from there?

#5 cowgirlup914


Posted 29 December 2009 - 10:58 AM

I'm confused too. I tried again and when I select Run, I get an error code 707.

I've also started getting a lot of popups, even though I have the pop-up blocker on.

I've run CleanUp, Avira and IObit Security 360. What's going on with my computer??!! I can scan again and send another HijackThis log if needed.

Thank you so much for your help!

#6 miekiemoes


Posted 29 December 2009 - 11:05 AM

Hi,

The error code 707 means that it can't load the languages file and that's only because you probably ran the renamed mbam.exe from outside the malwarebytes Antimalware folder.

Ok, let me explain the instructions again:

Download a randomized renamed mbam.exe version from here.
Save the file on your desktop

Now navigate to the Program Files\Malwarebytes' Anti-Malware folder on the infected PC and place the renamed file in there (the one you downloaded and saved on your desktop)
Double-click that renamed file (inside the Program Files\Malwarebytes' Anti-Malware folder) in order to run it. Then malwarebytes should run.

#7 cowgirlup914


Posted 29 December 2009 - 03:04 PM

Thanks again for your help, but your suggestion won't work.

#8 miekiemoes


Posted 29 December 2009 - 03:06 PM

Ok, can you explain what you did and if you got any errors or whatever? Because "won't work" is a bit of a general explanation, so I cannot figure out what exactly didn't work :(
The more info you give me, the better I can help you :(

#9 cowgirlup914


Posted 29 December 2009 - 05:45 PM

I contacted Malwarebytes directly and they gave me a link to download and it worked! I had a Trojan Vundo virus, but I'm pretty sure it's gone now. Everything is running a lot smoother - thanks for your patience!
:(

#10 miekiemoes


Posted 30 December 2009 - 02:34 AM

Hi,

"I contacted Malwarebytes directly and they gave me a link to download and it worked!"

Can you tell me what link? Because I'm really confused here. I am the Assistant Director of Research of Malwarebytes (http://www.malwarebytes.org/forums/index.php?showuser=102), so it's important for me that I know what is going on here. I know you had Vundo and Vundo deletes the mbam.exe, that's why I already gave you another link for a workaround. That's why I want to know what link someone else gave you to make it work; this is to make sure no other copies of it are hosted anywhere else without permission.
Thanks

#11 cowgirlup914


Posted 30 December 2009 - 07:01 AM

This is the email I received from Tom Mercado:

Hello and welcome to the Malwarebytes consumer helpdesk. Thank you for choosing Malwarebytes' Anti-Malware as your malware security solution, my name is Tom Mercado and I'll be assisting you today.

Part 1: If Malwarebytes' Anti-Malware will not run please download the following file and save it to the desktop and double-click it. See if it runs. Be sure the default 'Quick' scan is selected.
http://mbam.malwarebytes.org/program/random-installer.php.

This special version will need to be uninstalled once the system is cleaned.

Part 2: If it still does not run, giving you messages about not being able to find the file or you do not have permissions or if you're blocked from accessing any of our websites, this may indicate a rootkit which specifically blocks Malwarebytes' Anti-Malware. We need to check and see if this is the case.

Please do as instructed below, read slowly and carefully. This is a default operation of Windows and when done correctly, works every time. It has been built into every single version of Windows since its inception, over 20 years ago.

Open My Computer, and double-click the C drive folder icon, then double-click the Windows folder icon and look for the following file: ntbtlog <<<< this file (it may actually be an icon and not have any file extension). If it's present, delete it. Then reboot as instructed below. If it's not present then reboot as instructed below.

Part 3: Reboot, this way:
Click the 'Start' button, select 'Turn Off Computer', then choose 'Restart'.
Immediately begin tapping the <F8> key to enter the Advanced Boot Menu. (This may take several tries, it's all about the timing.)
A menu will appear, the 'Advanced Boot Menu', with several choices to choose from.
From the advanced boot menu choose "enable boot logging" then hit enter. This should reboot the system, if it does not, reboot manually.
Once the system boots to normal mode, look for that file:
C:\windows\ntbtlog.txt <<<--this one

Open it up and it will open in default Notepad format. Save the file to your desktop for easy recall. Then reply to me and attach that file for my review.

If you cannot find the file, please repeat the procedure and it ought to appear.

Reference link:
http://www.watchingthenet.com/how-to-enabl...in-windows.html

We'll proceed based on the output of that file. This WILL NOT fix anything or make any changes to your system. We're simply looking for some specific files.

Please save using the default Notepad format,
DO NOT USE WORD or any other office type of software.
DO NOT COPY & PASTE the log, send it as an attachment.
Reply to THIS ticket, DO NOT create a new one.


I didn't have to delete the ntbtlog as he suggested. Now he wants me to run ComboFix, but I'm kind of concerned about running that program.
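The boot-logging step in the email is about reading ntbtlog.txt for drivers that loaded from somewhere other than the system directory. As an added example, not from the email or from Malwarebytes, here is a Python triage script for that file; it assumes the XP format of one "Loaded driver" or "Did not load driver" line per driver, and the sample log inside it is constructed (the temp-directory driver path is a placeholder, not a real indicator).

```python
import re

# Constructed sample in the shape of a Windows XP ntbtlog.txt: a two-line header, then one
# "Loaded driver" or "Did not load driver" line per driver (that format is an assumption here).
SAMPLE_NTBTLOG = r"""
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
12 30 2009 07:01:12.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \??\C:\DOCUME~1\user\LOCALS~1\Temp\placeholder.sys
Loaded driver \SystemRoot\system32\drivers\avgtdix.sys
Did not load driver \SystemRoot\system32\DRIVERS\i2omgmt.SYS
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver) (.+?)\s*$")
SYSTEM_DIR = "\\windows\\system32\\"


def normalize(path):
    """Fold the device-prefixed, SystemRoot-relative and bare spellings of a
    driver path into one form so they compare alike."""
    p = path.lower()
    p = re.sub(r"^\\\?\?\\[a-z]:", "", p)          # drop the \??\C: device prefix
    p = p.replace("\\systemroot\\", "\\windows\\")  # assumes %SystemRoot% is C:\WINDOWS
    if not p.startswith("\\"):                      # bare names are boot drivers under drivers\
        p = SYSTEM_DIR + "drivers\\" + p
    return p


def triage(text):
    """Split the log into loaded / not-loaded drivers and pull out any driver
    that loaded from outside the system directory, the first thing to look at."""
    result = {"loaded": [], "not_loaded": [], "off_path": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = normalize(m.group(2))
        if m.group(1) == "Loaded driver":
            result["loaded"].append(path)
            if not path.startswith(SYSTEM_DIR):
                result["off_path"].append(path)
        else:
            result["not_loaded"].append(path)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_NTBTLOG)
    print(f"{len(r['loaded'])} loaded, {len(r['not_loaded'])} not loaded")
    for p in r["off_path"]:
        print("loaded from outside system32:", p)
```

A driver loading from a user profile or temp directory is the kind of line the helpdesk would want to see; the "Did not load" list is usually benign noise but is kept for completeness.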

#12 miekiemoes


Posted 30 December 2009 - 07:09 AM

Hi,


Since Tom Mercado is already assisting you, I'll close this thread; otherwise it's too confusing if multiple persons are helping.
Thanks for understanding.



