IE Browser Redirect - "thewebsitesurvey.com"


This topic is locked
12 replies to this topic

#1 GCM

  • Members
  • 7 posts

Posted 08 January 2010 - 10:23 AM

Hello,

I'm having an issue with browser re-directs. Specifically, when I click on Google search result links, I'm redirected to various unrelated sites - most commonly "thewebsitesurvey.com". Pop-up browser sessions are occasionally occurring as well but not as often. Links that are embedded in web pages don't seem to be impacted, nor do my IE Toolbar Links or Favorites. Cutting & pasting URLs into the address bar also appears to be unaffected.

I have run Spy Sweeper, AVG and Kaspersky Online and nothing has been detected. Kaspersky online scan didn't create a Report.... I also run CCleaner and Cleanup regularly.

I Restored Windows to a Backup point I knew was good but that didn't fix the problem.

Following the instructions on this site, I downloaded and ran both DDS and RootRepeal. The DDS log is pasted below and Attach.txt and Ark.txt are attached.

DDS.txt Log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Glenn at 9:22:44.12 on Fri 01/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.103 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Glenn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRunOnce: [CleanUp!] "c:\program files\cleanup!\Cleanup.exe" /WindowsRestart
mRun: [AVG9_TRAY] "c:\progra~1\avg\avg9\avgtray.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156189075574
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238548414842
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2009-2-19 40496]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-26 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-25 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-20 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-17 285392]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-4-11 1181040]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2006-8-27 15104]
S2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\drivers\Ca50xav.sys [2009-9-4 508304]
S3 iscFlash;iscFlash;\??\c:\windows\system32\drivers\iscflash.sys --> c:\windows\system32\drivers\iscflash.sys [?]
S4 KODAK Picture Transfer Agent;Kodak picture transfer agent;c:\program files\kodak\kodak utilities\pts\Kodak Picture Transfer Service.exe [2007-3-13 163840]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-15 24652]

=============== Created Last 30 ================

2010-01-07 22:35:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-07 16:57:36 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-11-18 02:11:08 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-18 02:11:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-18 02:10:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-23 16:54:00 245760 ------w- c:\windows\Setup1.exe
2009-10-23 16:53:38 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2001-06-20 21:19:18 40960 ------w- c:\program files\ACMonitor_X83.exe

============= FINISH: 9:25:38.79 ===============


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 January 2010 - 08:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 GCM
  • Topic Starter

  • Members
  • 7 posts

Posted 16 January 2010 - 10:32 AM

Hi M0le,

Thank you for responding to my post. My problem has gone from bad to VERY bad....After posting my plea for help, I shut down the computer. When I tried to start it up the next day, it would not boot in any mode (normal, Safe, Safe with Networking, etc). I was eventually able to boot to the Windows Recovery Console and tried a few things, like BOOTFIX but that didn't help. I ended up executing a Windows Repair from my original pre-SP2 XP disk.

From here, I was able to boot but Internet Explorer didn't work. I uninstalled IE8, did another Windows Repair and now have limited IE function using IE7.

I tried to install SP2 but it stalled half way through the process. That rendered the system lifeless again and I had to do yet another Windows Repair.

As it stands, I'm not being impacted by browser redirects/hijacks but very few things are working correctly:
1) can't get the Firewall running
2) IE crashing very often
3) Outlook is not working

My biggest concern right now is getting SP2 and SP3 loaded so the system is more secure.

Not sure where you want to go with this?


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 January 2010 - 05:51 PM

Updating to SP2 and 3 is important but you have to have a stable system first.

I would like to try and run a few scans to see how clean the PC is but I'm not sure if your browser is up to the task.

I am posting instructions for download but you may find it easier to transfer them from another PC via a flash drive.


Try and get a scan from Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

I need to rule out malware before I hand you over to another forum to try and sort out the system issues you have.



m0le is a proud member of UNITE

#5 GCM
  • Topic Starter

  • Members
  • 7 posts

Posted 17 January 2010 - 06:50 PM

OK, I ran gmer and it died a few minutes into execution. A dialogue box came up saying gmer couldn't continue. When I clicked OK, it closed gmer so I couldn't capture anything it did.

I tried it again. After a few minutes of execution I got a BSOD.

I re-booted in Safe mode and tried running it again. It ran for a long time but when it ended there was nothing to save or copy, nor was there even a save button...

I re-booted again in normal mode and tried one more time. It ran a long time but ended and I was able to save the log and the txt.

Below is the txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 18:10:28
Windows 5.1.2600
Running: w2iteh5o.exe; Driver: C:\DOCUME~1\Glenn\LOCALS~1\Temp\kfrcrkog.sys


---- System - GMER 1.0.15 ----

SSDT 82384578 ZwAllocateVirtualMemory
SSDT 823B1560 ZwCreateKey
SSDT 8235F520 ZwCreateProcess
SSDT 8235F4A8 ZwCreateProcessEx
SSDT 82384848 ZwCreateThread
SSDT 82397188 ZwDeleteKey
SSDT 8235F598 ZwDeleteValueKey
SSDT 823845F0 ZwQueueApcThread
SSDT 82384488 ZwReadVirtualMemory
SSDT 8235F700 ZwRenameKey
SSDT 823846E0 ZwSetContextThread
SSDT 8235F688 ZwSetInformationKey
SSDT 82384020 ZwSetInformationProcess
SSDT 82384758 ZwSetInformationThread
SSDT 8235F610 ZwSetValueKey
SSDT 823848C0 ZwSuspendProcess
SSDT 82384668 ZwSuspendThread
SSDT 8235F430 ZwTerminateProcess
SSDT 823847D0 ZwTerminateThread
SSDT 82384500 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 150 804FC668 4 Bytes [78, 45, 38, 82]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 804FC6C8 4 Bytes [60, 15, 3B, 82]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C8 804FC6E0 8 Bytes [20, F5, 35, 82, A8, F4, 35, ...]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 804FC6F8 4 Bytes [48, 48, 38, 82]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 804FC720 4 Bytes [88, 71, 39, 82]
.text ...
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF821B340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF000300, 0x234A20, 0xF8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 821F7190
Device \Driver\Tcpip \Device\Ip 822D2C98

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp 821F7190
Device \Driver\Tcpip \Device\Tcp 822D2C98

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp 821F7190
Device \Driver\Tcpip \Device\Udp 822D2C98

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp 821F7190
Device \Driver\Tcpip \Device\RawIp 822D2C98

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST 821F7190
Device \Driver\Tcpip \Device\IPMULTICAST 822D2C98

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

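As an added example (not part of this thread and not GMER's own code), here is a small Python triage script that parses the text format of a GMER log like the one above into its SSDT, IAT and AttachedDevice records and summarises what a responder checks first: which syscalls are hooked, whether every IAT hook on a given import resolves to a single address (one hooking driver rather than several), and which attached devices carry no vendor description. The embedded log is a constructed excerpt modelled on the posted one with one invented, unattributed line (example00.sys); treating "no vendor in parentheses" as worth a closer look is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the GMER 1.0.15 text format, modelled on the log posted in
# this thread. The last AttachedDevice line (example00.sys, no vendor description)
# is invented so the unattributed-attachment check has something to report.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 18:10:28
Windows 5.1.2600

---- System - GMER 1.0.15 ----

SSDT 82384578 ZwAllocateVirtualMemory
SSDT 823B1560 ZwCreateKey
SSDT 8235F430 ZwTerminateProcess

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 82384330
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 823843A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp example00.sys

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\S+)")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\S+?)\]\s+([0-9A-Fa-f]{8})")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")


def parse_gmer_log(text):
    """Split a GMER text log into the hook and device records an analyst reviews."""
    report = {"sections": [], "ssdt": [], "iat": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            report["sections"].append(m.group(1))
        elif m := SSDT_RE.match(line):
            report["ssdt"].append({"address": m.group(1), "function": m.group(2)})
        elif m := IAT_RE.match(line):
            # keep only the file name of the module whose import table is patched
            report["iat"].append({"module": m.group(1).rsplit("\\", 1)[-1],
                                  "import": m.group(2), "address": m.group(3)})
        elif m := DEVICE_RE.match(line):
            desc = m.group(4) or ""
            # GMER prints "description/vendor" in parentheses when it identifies the driver
            vendor = desc.split("/", 1)[1] if "/" in desc else None
            report["devices"].append({"device": m.group(2), "driver": m.group(3),
                                      "vendor": vendor})
    return report


def triage(report):
    """Summarise the parsed log the way a responder reads it: which syscalls are
    hooked, whether all IAT hooks on an import point at one address (one hooking
    driver rather than several), and which attached devices lack a vendor
    description (assumption: unidentified drivers deserve a closer look)."""
    iat_targets = defaultdict(set)
    for hook in report["iat"]:
        iat_targets[hook["import"]].add(hook["address"])
    return {
        "ssdt_hooked": sorted(h["function"] for h in report["ssdt"]),
        "iat_targets": {imp: sorted(addrs) for imp, addrs in iat_targets.items()},
        "single_iat_hooker": all(len(a) == 1 for a in iat_targets.values()),
        "attributed_vendors": sorted({d["vendor"] for d in report["devices"] if d["vendor"]}),
        "unattributed_devices": [d["driver"] for d in report["devices"] if not d["vendor"]],
    }


if __name__ == "__main__":
    summary = triage(parse_gmer_log(SAMPLE_GMER_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```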

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 January 2010 - 07:02 PM

...and it's clean

Your system looks really unstable so I want to continue with this carefully. Let me know if you think your PC can handle more.

Let's run MBAM and see if it finds anything

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks
m0le is a proud member of UNITE

#7 GCM
  • Topic Starter

  • Members
  • 7 posts

Posted 18 January 2010 - 07:04 PM

Malwarebytes executed successfully the first time.

Below is the log. I find it hard to believe that this was my original problem only because I run CCleaner and Cleanup after almost every time I'm on the Internet and both of these programs clean up Cookies...

Malwarebytes' Anti-Malware 1.44
Database version: 3595
Windows 5.1.2600
Internet Explorer 6.0.2600.0000

1/18/2010 6:51:36 PM
mbam-log-2010-01-18 (18-51-36).txt

Scan type: Full Scan (C:\|D:\|I:\|J:\|)
Objects scanned: 233899
Time elapsed: 1 hour(s), 23 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Glenn\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Glenn\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully.


#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 January 2010 - 07:21 PM

I think the problem does appear to be what damage the (probable) rootkit has done to your system. The cookies are trojan cookies so not quite as easy to remove with something like CCleaner.

Let's attempt some repair to the browser and see if that helps or hinders.

Download Fix IE Utility
  • Unzip the file to your desktop.
  • Close all open windows, especially Internet Explorer
  • Double click on Fix IE Utility to run it.
  • Click on the Run Utility button
  • Wait until the box saying "All Files Re-registered" appears
  • Then click on OK
  • Restart your machine to see if your Internet Explorer is now working properly again

m0le is a proud member of UNITE

#9 GCM
  • Topic Starter

  • Members
  • 7 posts

Posted 19 January 2010 - 07:54 AM

I executed Fix IE Utility.
I need to do more surfing to determine if things are more stable; however, IE still blows up if I use the "ADDREPLY" button on this site. The only way I've been able to send replies to this thread is to use the "FASTREPLY" button.

If I use the "ADDREPLY" button, I get a dialog box indicating IE needs to close. Below is some info.

AppName: iexplore.exe AppVer: 6.0.2600.0 ModName: mshtml.dll
ModVer: 6.0.2600.0 Offset: 0010471a

I will continue to surf to see if other problems occur.

P.S. thanks for your continued support!

#10 GCM
  • Topic Starter

  • Members
  • 7 posts

Posted 19 January 2010 - 02:17 PM

Quick update:

Like I said above, "ADDREPLY" caused IE to blow up. I've done some random surfing since my earlier post this morning. IE has been fairly stable. Only one problem - I think it was a link off of Google News that caused IE to close.

I also tried to get Outlook working but no luck - still get a "CreateInfoWindow" error with MSOERT2 DLL. I uninstalled Outlook then re-installed it but still no luck.

Still can't get the Firewall running (problem with ICS service). I've tried starting ICS manually but it stops immediately.

And finally, I tried to install SP2. Again it stalled and hung in the middle. I was left with an incomplete installation that I needed to uninstall.

...all just FYI...

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 January 2010 - 07:23 PM

There seem to be a lot of problems on the PC and none of them are malware related.

I would recommend that you attempt a repair installation to try and repair the system files; this would mean that your data/personal files are not wiped but the XP operating system is repaired.

Click here for instructions on how to perform a repair installation.


I would also recommend that you try a forum such as this one on Bleeping Computer. This is no longer a malware fix and now moves into the XP forum. You should link to this topic and explain that you have a clean PC.

I will keep this topic open for five days in case you want to reply or get back to me. After that, feel free to PM me.
m0le is a proud member of UNITE

#12 GCM
  • Topic Starter

  • Members
  • 7 posts

Posted 20 January 2010 - 09:32 AM

M0le,

I understand this is no longer a Malware issue and will move over to the XP Forum.

Thank you for all your help!

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 January 2010 - 08:04 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
