Search engine redirect, spyware, virus software issues

#1 WBoy


  
  • 3 posts
  • Local time:02:35 AM

Posted 11 January 2010 - 03:50 PM

Good afternoon.

I am working on a problem on an older Dell. So it's a Dell, Dimension 8200 Windows XP Version 5.1 Service Pack 3, if that makes sense. We use it as a second computer, and used it infrequently. We had no virus software on it. Our primary computer died, so we began using the Dell (without an anti-virus), and then one day it was invaded and began to have multiple issues.

1. Runs insanely slow.
2. Google searches are redirected if I use the toolbar or search automatically in the main web address box.
3. Spybot would not run, or would fail to update.
4. Malwarebytes would get stuck updating.
5. Bitdefender (not installed when problems began) will not install. It freezes about 3/4 of the way through. Or, twice in the past month, the stars aligned, and my fingers were crossed at the same time and it did install, but the firewall would not work. I did run a deep system scan on both those occasions. But shortly after the system scan would complete, I would have the system crash - blue screen. I would then have to uninstall Bitdefender in safe mode.

Over the past month, I have been able to run spybot, Malwarebytes, and bitdefender at various times. But they will not work consistently. At present, malwarebytes and bitdefender are both uninstalled.

In addition, after trying to run spybot, or malwarebytes, I could no longer access the internet through a web browser or email. To get around that, and regain internet access, I would create a new user account and use WinsockFix (or something named like that) to reset the settings and the internet would work again.

I have been back and forth with the bitdefender folks with no progress.

Finally, today, in preparation for this post, I ran the DDS file without trouble.

When I click on RootRepeal, it says "Initializing, please wait" and freezes up. Then I get a message that Windows is too low on virtual memory. Then an error: "The instruction at 0x77c472e3 referenced memory at 0x00000000. The memory could not be "written". Click on Ok to Terminate Program." I clicked on Ok. Then, I get a Blue Screen:

A problem has been detected and windows has been shut down to prevent damage to your computer.

A process or thread crucial to system operation has unexpectedly exited or been terminated.

Technical information:
***STOP: 0x000000F4 (0x00000003, 0x830E5550, 0x830E56c4, 0x805fb066)

I'm attaching the DDS files, and waiting for instructions on RootRepeal.

Thanks in advance for your help.


Log from DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Wesley Boyette at 14:02:02.54 on Mon 01/11/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.162 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Wesley Boyette\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php?
uDefault_Page_URL = hxxp://www.dellnet.com
uWindow Title = Microsoft Internet Explorer
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
uPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com\free
Trusted Zone: vladzone.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www.snapfish.com/SnapfishOutlookImport.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37579.5238657407
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_6_0_15_Silent.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_9.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - hxxp://download.redswoosh.net/Installer/104/rsinstaller.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wesley~1\applic~1\mozilla\firefox\profiles\qj3izq3s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - component: c:\documents and settings\wesley boyette\application data\mozilla\firefox\profiles\qj3izq3s.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\wesley boyette\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\wesley boyette\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\wesley boyette\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\wesley boyette\application data\mozilla\firefox\profiles\qj3izq3s.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\wesley~1\locals~1\temp\cdiskdun.sys --> c:\docume~1\wesley~1\locals~1\temp\cdiskdun.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]

=============== Created Last 30 ================

2009-12-20 05:06:08 0 d-----w- c:\program files\common files\BitDefender
2009-12-18 15:15:40 38 -c--a-w- C:\BdUninstallTool2009.12.18-10.15.40.reg
2009-12-18 15:08:07 38 -c--a-w- C:\BdUninstallTool2009.12.18-10.08.06.reg
2009-12-16 19:42:46 189994 -c--a-w- C:\BdUninstallTool2009.12.16-02.42.46.reg
2009-12-16 19:07:38 3373917 ----a-w- c:\windows\{00000002-00000000-00000009-00001102-00000002-80221102}.BAK
2009-12-16 14:15:14 261934 -c--a-w- C:\BdUninstallTool2009.12.16-09.15.14.reg
2009-12-16 03:34:47 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-12-16 03:34:47 16 ----a-w- c:\windows\system32\asdict.dat
2009-12-15 18:36:06 185090 -c--a-w- C:\BdUninstallTool2009.12.15-01.36.06.reg
2009-12-15 13:59:52 573 -c--a-w- C:\BdUninstallTool2009.12.15-08.59.52.reg
2009-12-14 19:31:02 1121 ----a-w- c:\windows\Mpcwty01.ini
2009-12-14 19:13:21 266361 -c--a-w- C:\BdUninstallTool2009.12.14-02.13.20.reg
2009-12-14 12:44:10 0 ----a-w- c:\windows\system32\ab_bl.sig
2009-12-14 12:19:15 0 ----a-w- c:\windows\system32\wsbl.dat
2009-12-14 12:19:15 0 ----a-w- c:\windows\system32\ph_summ.dat
2009-12-14 12:19:15 0 ----a-w- c:\windows\system32\ph_spoof.sig
2009-12-14 12:19:15 0 ----a-w- c:\windows\system32\ph_sign.slf
2009-12-14 12:19:15 0 ----a-w- c:\windows\system32\ph_fuzzy.sig
2009-12-14 12:19:14 0 ----a-w- c:\windows\system32\ph_white.dat
2009-12-14 12:19:14 0 ----a-w- c:\windows\system32\ph_black.dat
2009-12-14 12:19:14 0 ----a-w- c:\windows\system32\pcwords2.dat
2009-12-14 12:19:14 0 ----a-w- c:\windows\system32\pcwords.dat
2009-12-14 12:19:14 0 ----a-w- c:\windows\system32\pc_sign.slf
2009-12-14 12:19:14 0 ----a-w- c:\windows\system32\ab_sbl.sig
2009-12-13 21:17:48 185090 -c--a-w- C:\BdUninstallTool2009.12.13-04.17.47.reg
2009-12-13 19:06:25 7770 -c--a-w- C:\BdUninstallTool2009.12.13-02.06.25.reg
2009-12-13 01:40:32 192880 -c--a-w- C:\BdUninstallTool2009.12.12-08.40.32.reg
2009-12-12 23:35:40 0 d-----w- c:\program files\RegCleaner
2009-12-12 23:30:25 0 d-----w- c:\program files\CCleaner
2009-12-12 22:45:59 132 ----a-w- c:\windows\system32\rezumatenoi.dat

==================== Find3M ====================

2009-12-12 02:15:32 185505 -c--a-w- C:\BdUninstallTool2009.12.11-08.58.00.reg
2009-12-12 01:12:55 620 -c--a-w- C:\BdUninstallTool2009.12.11-08.08.47.reg
2009-12-12 00:55:25 261176 -c--a-w- C:\BdUninstallTool2009.12.11-07.51.44.reg
2009-12-12 00:22:27 38 -c--a-w- C:\BdUninstallTool2009.12.11-07.21.17.reg
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2008-11-19 01:16:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111820081119\index.dat

============= FINISH: 14:03:32.92 ===============
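The DDS log above is the kind of report a helper reads by hand, looking for a handful of recurring indicators: hosts-file overrides and Trusted Zone additions (both common in search-redirect cases), autoruns or drivers that load from user-writable or temp directories, orphaned toolbar/BHO registry entries ("No File"), and services whose file DDS could not stat (the trailing "[?]"). The script below is an added example, not part of the original post or of the DDS tool, that parses that text format and lists those triage hints. It assumes the section-banner and entry layouts shown in the log; the "[?]" interpretation and the "Updater" autorun line in the sample are constructed for illustration and marked as such. Every finding is a hint to verify, not a verdict: the Spybot hosts entry and the temp-directory driver in this log may well be benign.

```python
"""Triage helper for a DDS.scr text log (example code, not the DDS tool's own)."""
import re
from collections import defaultdict

# Section banners look like "============== Pseudo HJT Report ==============="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# HJT-style entries: "KEY: rest", e.g. "TB: {clsid} - No File"
HJT_RE = re.compile(r"^(BHO|TB|EB|uRun|mRun|dRun|DPF|Hosts|Trusted Zone):\s*(.*)$")
# Service/driver lines: "R3 name;display name;path [date size]"
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
USER_DIR_RE = re.compile(r"^c:\\(documents and settings|docume~1)\\", re.IGNORECASE)

# Sample input: lines taken from the log above, plus one constructed
# autorun line ("Updater") that is NOT from the log, added to exercise the rule.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Updater] c:\docume~1\user\locals~1\temp\updater.exe
Trusted Zone: vladzone.com
Hosts: www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\wesley~1\locals~1\temp\cdiskdun.sys --> c:\docume~1\wesley~1\locals~1\temp\cdiskdun.sys [?]
"""


def split_sections(text):
    """Group non-empty lines under the banner that precedes them."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def _run_target(rest):
    """'[Name] "c:\\path\\x.exe" args' -> 'c:\\path\\x.exe" args' (enough to test the prefix)."""
    return rest.split("]", 1)[-1].strip().lstrip('"')


def triage(text):
    """Return (severity, reason, line) tuples; severities: review, cleanup, info."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        m = HJT_RE.match(line)
        if not m:
            continue
        key, rest = m.groups()
        if key == "Hosts":
            findings.append(("review", "hosts-file override (can redirect lookups)", line))
        elif key == "Trusted Zone":
            findings.append(("review", "site added to IE Trusted Zone", line))
        elif rest.endswith("No File"):
            findings.append(("cleanup", f"orphaned {key} registry entry (no file on disk)", line))
        elif key in ("uRun", "mRun", "dRun"):
            target = _run_target(rest)
            if USER_DIR_RE.search(target) or TEMP_RE.search(target):
                findings.append(("review", "autorun from a user-writable location", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SVC_RE.match(line)
        if not m:
            continue
        _state, _name, _display, path = m.groups()
        if TEMP_RE.search(path):
            findings.append(("review", "driver/service loads from a temp directory", line))
        if path.endswith("[?]"):
            # Assumption: "[?]" means DDS could not read the file's date/size.
            findings.append(("info", "file date/size not reported; confirm the file exists", line))
    return findings


def count_by_severity(findings):
    counts = defaultdict(int)
    for severity, _reason, _line in findings:
        counts[severity] += 1
    return dict(counts)


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for severity, reason, line in run_sample():
        print(f"[{severity:7}] {reason}\n          {line}")
```

Run it against a full DDS log saved as text and read the output top to bottom: "cleanup" lines are leftover registry entries a helper would typically remove with a fix script, while "review" lines are the ones to confirm against a known-good system or a file lookup before acting on them.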

#2 m0le


    

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:35 AM

Posted 16 January 2010 - 08:43 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.


Let's try Gmer instead of RootRepeal

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



#3 WBoy

  Topic Starter

  • Members
  • 3 posts
  • Local time:02:35 AM

Posted 19 January 2010 - 08:13 AM


Thanks for your help. My computer bit the dust the day after you responded. Sounds like it's turning on, and then just turns off. Sorry to waste your time.


#4 m0le


    

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:35 AM

Posted 19 January 2010 - 02:32 PM

Don't worry about "wasting my time."

Have you tried to get help from another forum?



#5 WBoy

  Topic Starter

  • Members
  • 3 posts
  • Local time:02:35 AM

Posted 19 January 2010 - 08:28 PM


I haven't posted to another forum here. Just today I tried a rescue CD, or recovery CD. Anyway, one of those CDs that boots Linux and lets you take a look around. That worked, at least. So, I think the next step is to try the installation CD and see if I can fix something. I'll definitely look around the forums once I decide what to do next and post if I have questions.

I was hoping to fix this without reinstalling, but the age of the computer, combined with the virus, combined with my attempts to fix it must have finally made something go berserk. Thanks so much.


#6 m0le


    

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:35 AM

Posted 19 January 2010 - 08:43 PM

Good luck getting it back to speed.




#7 m0le


    

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:35 AM

Posted 25 January 2010 - 08:03 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



