Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


hijacker, security and random ad virus

  • This topic is locked This topic is locked
10 replies to this topic

#1 pbnichols


  • Members
  • 5 posts
  • Local time:02:48 PM

Posted 01 June 2010 - 09:57 PM

Hi, I have been having the same problem for the last couple of days. Basically I have an infection that is downloading and running other malware and virus programs.

First sign is when using search features in either IE8 or Mozilla Firefox. When clicking on the search results it takes me to some random page.

Second sign is random IE windows opening, even when I have not launched IE. These are not pop up windows but full out websites.

Third sign is random advertisements being played through the sound system without opening an IE window.

Fourth, is one of the fake antivirus virus' except this one blocks all applications and keeps them from launching and pops up a message that reads "The program WHATEVER.exe has been stopped because it is infected with a virus. Click here to remove."

I had the security program virus a couple of weeks ago and was able to remove it but have not been able to repeat that removal. I can get around the program by logging into my account letting everything load, logging off my account and then logging back in and hitting Control-Alt-Delete while the window is loading. This will pull up the taskmanager and allow me to kill the processes so that I can recover screen access.

I ran DDS and see the voguecash entry and potential entries that resemble what I removed a few weeks ago to get rid of the fake antispyware.

Please help?!? I am at a loss right now. I run avira and it doesn't find anything then I run superantispyware and it will find a host of issues and I will follow the removal steps but they all keep coming back.

Any help would be tremendously appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Br at 22:14:17.57 on 06/01/10
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2841 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Br\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: adShotHlpr Object: {21fc3c61-d4a2-422e-9cbf-145275a3236f} - c:\windows\system32\kftcmmks.dll
BHO: moigh Object: {294c1a05-4115-4f38-8820-eedd963f1a86} - c:\windows\system32\mfnsewqc.dll
BHO: voguecash browser enhancer: {6ce0a47f-4dc6-2b98-9e8e-58db49348808} - c:\windows\system32\iudceemvwkncewl.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {A057A204-BACC-4D26-DFC4-79A09BF76BC9} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [M5T8QL3YW3] c:\docume~1\br\locals~1\temp\Aw2.exe
uRun: [gdqutkyw] c:\documents and settings\br\local settings\application data\ywcfmsbhu\ndacqcdtssd.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [qevarwel] c:\documents and settings\br\local settings\application data\whfrwahvp\hyibdrftssd.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [skb] rundll32 "kftcmmks.dll",,Run
mRun: [irhggxaygmnhpc] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\iudceemvwkncewl.dll"
mRun: [MChk] c:\windows\system32\zbdkcamv.exe
mRun: [gdqutkyw] c:\documents and settings\br\local settings\application data\ywcfmsbhu\ndacqcdtssd.exe
mRun: [qevarwel] c:\documents and settings\br\local settings\application data\whfrwahvp\hyibdrftssd.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - hxxp://labs.jaduka.com/VaxSIPUserAgentCAB.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photogize.com/bponet/ImageUploader5.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/CallAssistant/MyAccount/UnProtected/Voice%20Mail/VCAVMUtil.CAB
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://iwave.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer =,
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\br\applic~1\mozilla\firefox\profiles\9bfx841l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\br\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\br\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\br\local settings\application data\huludesktop\instances\\nphdplg.dll
FF - plugin: c:\documents and settings\tanya\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tanya\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-13 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-8-4 138752]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-13 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-13 267432]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-13 60936]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-8-22 45848]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-7-7 104000]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S1 ixwvgqup;ixwvgqup;\??\c:\windows\system32\drivers\ixwvgqup.sys --> c:\windows\system32\drivers\ixwvgqup.sys [?]
S1 MpKsl9d0d7200;MpKsl9d0d7200;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{86a8b056-b607-495a-8a51-401ff3e66ec0}\mpksl9d0d7200.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{86a8b056-b607-495a-8a51-401ff3e66ec0}\MpKsl9d0d7200.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\flyusb.sys [2010-1-1 18560]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [2009-4-17 50392]
S3 MSSQL$NR2005;MSSQL$NR2005;c:\program files\microsoft sql server\mssql$nr2005\binn\sqlservr.exe -snr2005 --> c:\program files\microsoft sql server\mssql$nr2005\binn\sqlservr.exe -sNR2005 [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-1-13 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-1-13 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-1-13 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-1-13 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-1-13 113680]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\drivers\qcmdmxp.sys [2008-7-24 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\drivers\qcserxp.sys [2008-7-24 92800]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 SQLAgent$NR2005;SQLAgent$NR2005;c:\program files\microsoft sql server\mssql$nr2005\binn\sqlagent.exe -i nr2005 --> c:\program files\microsoft sql server\mssql$nr2005\binn\sqlagent.EXE -i NR2005 [?]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2008-7-19 25856]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-30 23:43:50 0 d-----w- c:\program files\Yahoo!
2010-05-29 03:43:56 171008 ----a-w- c:\windows\Apunec.exe
2010-05-28 21:15:16 0 d-----w- c:\docume~1\br\applic~1\Street-Ads
2010-05-28 21:14:50 0 d-----w- c:\docume~1\br\applic~1\Sky-Banners
2010-05-28 21:14:48 50981 ----a-w- c:\windows\system32\tblaqwrpyuceicv.exe
2010-05-28 21:14:07 69120 ----a-w- c:\windows\system32\ernel32.dll
2010-05-28 21:14:05 69120 ----a-w- c:\docume~1\br\applic~1\f1ae1fec.exe
2010-05-28 04:15:15 14738 ----a-w- C:\Backup_of_states.cdr
2010-05-28 03:54:25 14776 ----a-w- C:\states.cdr
2010-05-27 21:03:20 12 ----a-w- c:\windows\system32\crt.dat
2010-05-27 21:01:19 123904 ----a-w- c:\windows\Apuneb.exe
2010-05-27 21:01:14 296844 ----a-w- c:\windows\system32\shimg.dll
2010-05-27 21:01:11 123904 ----a-w- c:\windows\Apunea.exe
2010-05-27 11:57:10 169472 ----a-w- c:\windows\system32\iudceemvwkncewl.dll
2010-05-25 05:38:04 309248 ----a-w- c:\windows\system32\mfnsewqc.dll
2010-05-25 05:37:48 327680 ----a-w- c:\windows\system32\kftcmmks.dll
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\zbdkcamv.exe
2010-05-17 23:06:40 0 d-----w- c:\program files\NaturalSoft
2010-05-16 20:37:06 0 d-----w- c:\docume~1\br\applic~1\Windows Search
2010-05-16 18:10:07 0 d-sh--w- c:\documents and settings\br\IECompatCache
2010-05-16 01:34:55 0 d-----w- c:\docume~1\br\applic~1\Office Genuine Advantage
2010-05-16 00:13:11 0 d-sh--w- c:\documents and settings\br\PrivacIE
2010-05-16 00:09:45 0 d-sh--w- c:\documents and settings\br\IETldCache
2010-05-15 23:57:23 0 d-----w- c:\program files\common files\Windows Live
2010-05-15 23:53:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-15 23:53:21 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-05-15 23:53:16 0 d-----w- c:\windows\ie8updates
2010-05-15 23:53:14 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-05-15 23:51:24 0 dc-h--w- c:\windows\ie8
2010-05-15 23:46:23 0 d-----w- c:\program files\Microsoft
2010-05-15 23:44:05 0 d-----w- c:\docume~1\br\applic~1\Windows Desktop Search
2010-05-15 23:43:24 0 d-----w- c:\windows\system32\GroupPolicy
2010-05-15 23:43:24 0 d-----w- c:\program files\Windows Desktop Search
2010-05-15 23:42:03 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-05-15 23:42:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-05-15 23:42:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-05-14 02:59:59 0 d-sha-r- C:\cmdcons
2010-05-14 02:44:08 98816 ----a-w- c:\windows\sed.exe
2010-05-14 02:44:08 77312 ----a-w- c:\windows\MBR.exe
2010-05-14 02:44:08 256512 ----a-w- c:\windows\PEV.exe
2010-05-14 02:44:08 161792 ----a-w- c:\windows\SWREG.exe
2010-05-14 00:33:11 0 d-----w- c:\docume~1\br\applic~1\Avira
2010-05-14 00:27:08 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-14 00:27:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-05-14 00:27:03 0 d-----w- c:\program files\Avira
2010-05-13 20:21:14 0 d-----w- c:\windows\pss
2010-05-13 20:20:15 94720 ----a-w- c:\windows\system32\dllcache\certmap.ocx
2010-05-13 17:34:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-13 17:34:04 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-13 17:34:04 0 d-----w- c:\docume~1\br\applic~1\SUPERAntiSpyware.com
2010-05-13 17:16:47 0 d-----w- c:\program files\Trend Micro
2010-05-13 15:23:11 140784 ----a-w- c:\windows\system32\drivers\jaszemen.sys
2010-05-13 14:24:08 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-13 14:24:08 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-13 14:23:27 20480 ----a-w- c:\windows\system32\drivers\OLDF5.tmp
2010-05-13 14:23:21 20480 ----a-w- c:\windows\system32\drivers\OLDF2.tmp
2010-05-13 14:23:19 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
2010-05-13 14:22:28 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-13 14:22:28 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-13 14:22:25 17024 ----a-w- c:\windows\system32\drivers\OLDE6.tmp
2010-05-13 14:22:24 17024 ----a-w- c:\windows\system32\drivers\ccdecode.sys
2010-05-13 14:22:08 160256 ----a-w- c:\windows\system32\drivers\OLDE2.tmp
2010-05-13 14:21:55 160256 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2010-05-13 14:20:18 43524 ----a-w- c:\windows\system32\backlogon.bak.exe

==================== Find3M ====================

2010-05-13 23:09:13 140784 ----a-w- c:\windows\system32\drivers\HookSys.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 17:05:06 256 ----a-w- c:\documents and settings\br\pool.bin
2010-04-05 02:59:28 101712 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-24 16:57:31 48328 ----a-w- c:\windows\fonts\TrashHand.TTF
2010-03-11 12:38:51 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2009-04-18 03:56:05 1242 ----a-w- c:\program files\mnotbusj.txt
2009-04-10 02:45:25 20520 ----a-w- c:\program files\init.dat
2009-10-19 14:19:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101220091019\index.dat
2009-10-26 13:47:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101920091026\index.dat
2009-10-26 13:47:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102620091027\index.dat
2009-10-27 19:21:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102720091028\index.dat
2009-10-28 12:53:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102820091029\index.dat
2009-10-29 21:05:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102920091030\index.dat
2009-10-30 04:04:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009103020091031\index.dat
2009-10-31 11:43:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009103120091101\index.dat
2009-11-01 04:03:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110120091102\index.dat

============= FINISH: 22:16:32.45 ===============

Attached Files

BC AdBot (Login to Remove)


#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:48 PM

Posted 02 June 2010 - 03:21 PM

Hello. smile.gif

My name is Extremeboy (or EB for short), and I will be helping you with your log.

You appear to be infected with a DNS.Changer infection. Let's start off with a Malwarebytes scan.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Any problems let me know
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 pbnichols

  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:48 PM

Posted 02 June 2010 - 09:25 PM

Hi EB, thanks for the help! Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46

Database version: 4165

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/02/10 10:23:46 PM
mbam-log-2010-06-02 (22-23-46).txt

Scan type: Quick scan
Objects scanned: 174661
Time elapsed: 11 minute(s), 54 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 20
Registry Values Infected: 9
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\Documents and Settings\Br\Local Settings\Application Data\whfrwahvp\hyibdrftssd.exe (Rogue.AntispywareSoft) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kftcmmks.dll (Adware.EZlife) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{21fc3c61-d4a2-422e-9cbf-145275a3236f} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{21fc3c61-d4a2-422e-9cbf-145275a3236f} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{21fc3c61-d4a2-422e-9cbf-145275a3236f} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21fc3c61-d4a2-422e-9cbf-145275a3236f} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qevarwel (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qevarwel (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gdqutkyw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jjquqosu (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gdqutkyw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jjquqosu (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\irhggxaygmnhpc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data:, -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a74a3c50-ddb0-4be7-9c3f-b993fbc08a4e}\NameServer (Trojan.DNSChanger) -> Data:, -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f3808918-b6bf-4d7d-86f6-84b23ecaccc2}\DhcpNameServer (Trojan.DNSChanger) -> Data:, -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f3808918-b6bf-4d7d-86f6-84b23ecaccc2}\NameServer (Trojan.DNSChanger) -> Data:, -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Br\Local Settings\Application Data\whfrwahvp\hyibdrftssd.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kftcmmks.dll (Adware.EZlife) -> Delete on reboot.
C:\WINDOWS\Apunea.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Apuneb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Apunec.exe (Trojan.Fraudpack) -> Delete on reboot.
C:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shimg.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iudceemvwkncewl.dll (Trojan.Agent) -> Delete on reboot.

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:48 PM

Posted 03 June 2010 - 02:52 PM

Hello. smile.gif

Malwarebytes removed quite a bit, should of been removed successfully.

Now, please run Combofix...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 pbnichols

  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:48 PM

Posted 03 June 2010 - 06:16 PM

Hey EB, I will run combofix tonight. However, after running MBAM my system has started locking up. It will work fine for a random amount of time and then just freeze up and a loud countinous beep tone will play. The only way to stop it is to hold down the power button until the system shuts off.

#6 pbnichols

  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:48 PM

Posted 05 June 2010 - 12:47 AM

Well, the nasty "hang" kept getting worse and worse after running MBAM. I was finally able to run Combofix and it found rootkit activity, restarted my machine and then finished running. After it finished running it rebooted again and started creating the logfile. At that point combofix locked up and finally after about 30 minutes I got a blue screen. Now it won't even boot up...

#7 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:48 PM

Posted 05 June 2010 - 09:15 PM


That doesn't sound good at all.

Your computer doesn't boot up, meaning it doesn't load into Windows or can not even start up at all? Can it at least get pass the BIOS? If so, then we have something to work with here. If not, we may have a lot of issues going around.

Let me know. If possible, do you have any spare blank CDs and flash-drives as we may need that after I hear what you have to say and continue with this.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 pbnichols

  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:48 PM

Posted 06 June 2010 - 07:41 AM

Hey EB,
Yeah it gets past the Bios with no problems, the blue screen occurs when it starts to load windows.
I can swap the hard drive and everthing works just fine. No issues on bootup, no "hanging" nothing. So at least I know that the bios and the rest of the computer is functioning properly.

Should we even attempt to continue and try to fix the issues on the other drive? Although, there are about 3 files on that one that I would ideally like to recover. A word file, the itunes backup file and my outlook pst file.

Anythoughts, I'm open to trying anything at this point?

Any suggestions on what AV and antimaleware I should be running (currently Avira and SAS).

Thanks again for all the help.

#9 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:48 PM

Posted 06 June 2010 - 02:23 PM


Regarding Security programs, that is easy, we can always talk about that at the end and I'll give you a few thoughts and list on that.

For now, let's deal with this unbootable situation. We can probably recover this, as well as back up your data as needed.

First... we will require a blank writable CD and a USB to help recover your files and deal with the unbootable situation.

Please read here and download ImgBurn and install it as we will use that to burn a file onto your CD.
  • Download OTLPE Network from either location and save it to your desktop:


  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first. Unable to do this? Please read here.

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.exe /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

You can use your USB and copy and paste the files you need from your computer onto the USB and then copy it to the working computer as well.

Let me know how it goes.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:48 PM

Posted 15 June 2010 - 03:08 PM

Are you still there?
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:48 PM

Posted 27 June 2010 - 03:02 PM


Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users