serious prob acessing web

positivenote · 10-12-2008 12:13am #1

:mad:

hi guys,
ive been infected with something and i cant access the inmternet through traditional means. Im currently posting here using a path through msn. For a few months now ive been getting constant popups about ringtones/american green cards etc. Ive tried ad bl;ockers and blocking the pop p urls but they kept on coming. Only 30ins ago i couldn't log on. I use firefox and IE but neither would work, then up pops a pop up... i use the adress bar in the pop up and get online. Imeadiately i log on here and go through the sticky on getting rid of maalware and virus's, but when i get to step 2 the Malwarebytes' Anti-Malware application pauses after about 28sec having found at least 20 infections and crashes/stalls. As a result i go back to my registery point (as advised to set) but now the Malwarebytes' Anti-Malware application isnt there anymore... and i cant get online AND the pop ups seem to have stopped !!!
Please advise help or guide me in getting rid of whatever is causing this....
thanks a million in advance....

admin, im sorry about the long post

ntlbell · 10-12-2008 12:19am

boot into safe mode

run spyware blaster

spy bot search and destroy

ad-aware and get rid of as many as you can

use firefox in future install adblock plus and no-script

and stay off the porn sites etc

setup a normal user account no admin priv's and use this for day to day useage dont be browsing as administrator

numbnuts · 10-12-2008 12:30am

Please download ATF Cleaner by Atribune from http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25 . Save it to your Desktop.

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Shutdown/restart the computer.

Now boot into safe mode and run Malwarebytes.

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

numbnuts..

positivenote · 10-12-2008 1:31am

hi numbnuts,
i carried out what you said and i have posted the reults below...it seems a lot of info but maybe im just ignorant:

Thanks for your time so far (i'll hang around 10mins but i may have to wait till tomorrow to carry out any further instructions as im shattered and might do something wrong).... still getting the annoying popups but can access the net through firefox and IE at the moment..

Malwarebytes' Anti-Malware 1.31
Database version: 1479
Windows 5.1.2600 Service Pack 3

10/12/2008 01:18:44
mbam-log-2008-12-10 (01-18-44).txt

Scan type: Quick Scan
Objects scanned: 54571
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 10
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f3487350-ee58-4eba-9eab-db13f04120a6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3487350-ee58-4eba-9eab-db13f04120a6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3wPlayer_is1 (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jojagunije (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm239faa44 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3wplayer service (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\netsearchsoft.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.netsearchsoft.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\skins (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\glenn\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\3wPlayer\wakeservice.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bayunivu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hutikovu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kagavuva.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\~.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\settings.ini (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\settings.stp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\SkinCrafterDll.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\test.gif (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\unins000.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\unins000.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\3wPlayer\skins\PlayerSkin.skf (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\3wPlayer.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\Uninstall 3wPlayer.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\glenn\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\csrcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32:kb11.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\INF\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\INF\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\glenn\Desktop\3wPlayer-1.9.0.0-setup-0593.exe (Trojan.Adware) -> Quarantined and deleted successfully.

ActorSeeksJob · 10-12-2008 2:01am

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

positivenote · 10-12-2008 11:33pm

just finished carrying out that scan with Combofix. Heres is the log it provided at the end... it seems quite long. Imstill getting the annoying pop ups, but for the moment i dont have to access the web through msn....

Any advice would be great as its all gibberish to me unfortunately.....
thanks again

ComboFix 08-12-09.03 - glenn 2008-12-10 23:09:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495 [GMT 0:00]
Running from: c:\documents and settings\glenn\Desktop\ComboFix.exe
* Resident AV is active

.
ADS - system32: deleted 113 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\~.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\bekehutu.dll
c:\windows\system32\borababu.dll
c:\windows\system32\dufizige.dll
c:\windows\system32\ewekobem.ini
c:\windows\system32\fibideja.dll
c:\windows\system32\fosepoyo.dll
c:\windows\system32\mebokewe.dll
c:\windows\system32\nasiliyu.dll
c:\windows\system32\reperizu.dll
c:\windows\system32\vuwilamu.dll
c:\windows\system32\wekenopo.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 01:14 . 2008-12-10 01:14 <DIR> d

c:\documents and settings\glenn\Application Data\Malwarebytes
2008-12-10 01:10 . 2008-12-10 01:11 <DIR> d

c:\documents and settings\Administrator\Application Data\MSN6
2008-12-10 00:53 . 2008-12-10 00:53 <DIR> d

c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-10 00:53 . 2008-12-03 19:52 38,496 --a

c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-10 00:53 . 2008-12-03 19:52 15,504 --a

c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-10 00:02 . 2008-12-10 00:04 <DIR> d

c:\documents and settings\glenn\Application Data\MSN6
2008-12-10 00:02 . 2008-12-10 00:02 <DIR> d

c:\documents and settings\All Users\Application Data\MSN6
2008-12-09 23:22 . 2008-12-10 00:53 <DIR> d

c:\program files\Malwarebytes' Anti-Malware
2008-12-09 23:22 . 2008-12-09 23:22 <DIR> d

c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-09 23:15 . 2008-12-09 23:15 <DIR> d

c:\program files\09-12-2008
2008-12-09 23:14 . 2005-10-20 12:00 157,696 --a

c:\program files\ERUNT.EXE
2008-12-09 23:14 . 2005-10-20 12:03 140,288 --a

c:\program files\NTREGOPT.EXE
2008-12-09 23:14 . 2005-10-20 12:04 38,912 --a

c:\program files\AUTOBACK.EXE
2008-12-09 23:14 . 2002-09-25 03:11 5,417 --a

c:\program files\LOC_GER.ZIP
2008-12-02 23:53 . 2008-12-02 23:53 0 -rahs---- C:\khr
2008-11-12 22:31 . 2008-09-04 17:15 1,106,944

c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-12 22:31 . 2008-10-24 11:21 455,296

c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 22:49

d

w c:\program files\Java
2008-12-04 20:47

d

w c:\documents and settings\glenn\Application Data\uTorrent
2008-11-18 18:50

d

w c:\program files\McAfee
2008-11-01 23:47

d

w c:\program files\livetvbar
2008-11-01 23:47

d

w c:\program files\Conduit
2008-10-26 14:50

d

w c:\documents and settings\glenn\Application Data\Media Player Classic
2008-10-26 00:29

d

w c:\program files\SopCast
2008-10-25 17:32

d

w c:\program files\K-Lite Codec Pack
2008-10-25 17:11

d

w c:\documents and settings\glenn\Application Data\vlc
2008-10-25 17:02

d

w c:\program files\VideoLAN
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 15:39

d

w c:\documents and settings\All Users\Application Data\McAfee
2008-03-10 13:34 3,199,933 ----a-w c:\program files\Setup-SopCast-3.0.0-2008-3-10.exe
2006-12-03 02:27 2,581 ----a-w c:\program files\bjg.html
2006-12-03 02:26 2,581 ----a-w c:\program files\bjg.txt
2006-10-11 09:19 94,208 ----a-w c:\program files\max9keygen.exe
2005-10-20 12:05 31,952 ----a-w c:\program files\README.TXT
2005-10-20 12:04 38,994 ----a-w c:\program files\LIESMICH.TXT
2005-10-20 12:02 163,328 ----a-w c:\program files\ERDNT.E_E
2002-09-25 03:11 2,815 ----a-w c:\program files\ERDNTDOS.LOC
2002-09-25 03:09 3,275 ----a-w c:\program files\ERDNTWIN.LOC
2002-09-25 02:57 1,960 ----a-w c:\program files\NTREGOPT.LOC
2001-11-24 04:01 4,090 ----a-w c:\program files\ERUNT.LOC
2001-08-22 12:15 245,760 ----a-w c:\windows\INF\i386\viceo.dll
2001-08-22 12:13 61,440 ----a-w c:\windows\INF\i386\gl.dll
2001-08-22 12:13 32,768 ----a-w c:\windows\INF\i386\Pmicro.dll
2001-08-03 17:29 13,824 ----a-w c:\windows\INF\i386\Usbscan.sys
1999-07-18 19:05 15,716 ----a-w c:\windows\INF\i386\Pmxscan.sys
2007-05-31 14:05 1,667,072 ----a-w c:\program files\mozilla firefox\plugins\fluxcore.dll
2006-07-28 11:29 36,864 ----a-w c:\program files\mozilla firefox\plugins\fluxcryp.dll
2007-05-31 14:06 307,200 ----a-w c:\program files\mozilla firefox\plugins\fluxdx8.dll
2007-05-31 14:06 61,440 ----a-w c:\program files\mozilla firefox\plugins\HawkNL.dll
2008-03-02 23:37 80 --sh--r c:\windows\SYSTEM32\D72A3A57A3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-08-11 4112384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"MPSExe"="c:\program files\McAfee.com\MPS\mscifapp.exe" [2003-07-02 225280]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9XE.EXE" [2004-12-16 98304]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-01-20 200704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Love default global mess"="c:\documents and settings\All Users\Application Data\great coal love default\dart burn.exe" [2008-12-10 5071360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-16 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\glenn\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-10-04 24576]
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2008-07-09 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\WINDOWS\\SYSTEM32\\cscript.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

S3 MA8630C;MA8630C;c:\windows\system32\DRIVERS\MA8630C.sys [2007-03-03 22992]
S3 MA8630M;MA8630M;c:\windows\system32\DRIVERS\MA8630M.sys [2007-03-03 24148]
S3 MA8630U;MA8630U;c:\windows\system32\DRIVERS\MA8630U.sys [2007-03-03 55634]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dff2909e-af29-11dd-a21f-0011113e5144}]
\Shell\AutoRun\command - H:\djlvgy.exe
\Shell\explore\Command - H:\djlvgy.exe
\Shell\open\Command - H:\djlvgy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E9163A-80DB-FA8A-8D41-1998E47B9051}]
c:\windows\system32:kb11.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\B4924E7298E9C46E.job
- c:\docume~1\glenn\applic~1\savedr~1\forkmealsurf.exe [2008-07-24 07:57]

2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f3487350-ee58-4eba-9eab-db13f04120a6} - c:\windows\system32\dufizige.dll
HKCU-Run-Body Camp - c:\docume~1\glenn\APPLIC~1\SAVEDR~1\city debug internet.exe
HKLM-Run-VirusScan - c:\progra~1\mcafee.com\vso\mcvsshld.exe

.

Supplementary Scan

.
uStart Page = hxxp://www.euro.dell.com/countries/ie/enu/gen/default.htm
uInternet Connection Wizard,ShellNext = hxxp://uk.mcafee.com/apps/vso/en-gb/vso8/setexp.asp?regwiz=file://c:\program%20files\mcafee.com\agent\mcregwiz.exe&systempopup=true&affid=105-24&dtag=4XY791J
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\System32\mclsp.dll

c:\windows\SYSTEM32\unicows.dll - c:\windows\Downloaded Program Files\CONFLICT.1\ImageUploader4.ocx
O16 -: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731}
hxxp://static.photobox.co.uk/sg/common/ImageUploader4.cab
c:\windows\Downloaded Program Files\CONFLICT.1\ImageUploader4.inf
FireFox -: Profile - c:\documents and settings\glenn\Application Data\Mozilla\Firefox\Profiles\dn7i5poo.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 23:14:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

DLLs Loaded Under Running Processes

- - - - - - - > 'lsass.exe'(784)
c:\windows\System32\mclsp.dll
c:\windows\system32\SPORDER.dll
c:\windows\System32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll
.

Other Running Processes

.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\Tablet.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\SoftwareDistribution\Download\cfbc39150cce12d1357ba324d4d0c40c\update\update.exe
.
**************************************************************************
.
Completion time: 2008-12-10 23:25:08 - machine was rebooted [glenn]
ComboFix-quarantined-files.txt 2008-12-10 23:24:56

Pre-Run: 111,822,462,976 bytes free
Post-Run: 111,602,536,448 bytes free

218 --- E O F --- 2008-12-09 23:13:57

ActorSeeksJob · 11-12-2008 12:33am

Do this

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

positivenote · 11-12-2008 1:17am

thanks for the advice. I carried through as you posted but on the reboot following the scan the SDFix window opened and has not progressed for over 20mins...

Finishing Malware Check
Please be patient...

^C^C^CtERMINATE BATCH JOB Y/N?

Is all its saying in the window. I have just pressed N key and Enter but it is still the same???

im gonna have to go to bed as im up for wrk in 5hrs. I will check back in the morning please post any further advice. Thanks again

ActorSeeksJob · 11-12-2008 12:59pm

Plug your H: drive in for this

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\khr
c:\program files\bjg.html
c:\program files\bjg.txt
c:\program files\max9keygen.exe
H:\djlvgy.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dff2909e-af29-11dd-a21f-0011113e5144}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E9163A-80DB-FA8A-8D41-1998E47B9051}]
[-HKEY_CLASSES_ROOT\CLSID\{27E9163A-80DB-FA8A-8D41-1998E47B9051}]

ADS::
c:\windows\system32

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ntlbell · 11-12-2008 1:10pm

if you did a reinstall it'd of been fixed yesterday

positivenote · 11-12-2008 5:47pm

Hi Actor,
just completed what you asked and here is the text from the log. Any ideas what the problem is ?

ComboFix 08-12-09.03 - glenn 2008-12-11 17:27:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.616 [GMT 0:00]
Running from: c:\documents and settings\glenn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\glenn\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

FILE ::
C:\khr
c:\program files\bjg.html
c:\program files\bjg.txt
c:\program files\max9keygen.exe
H:\djlvgy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\khr
c:\program files\bjg.html
c:\program files\bjg.txt
c:\program files\max9keygen.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-11 00:53 . 2008-12-11 00:53 578,560 --a

c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-11 00:50 . 2008-12-11 00:50 <DIR> d

c:\windows\ERUNT
2008-12-11 00:43 . 2008-12-11 01:06 <DIR> d

C:\SDFix
2008-12-11 00:29 . 2008-12-11 00:29 <DIR> d

c:\program files\Common Files\Wise Installation Wizard
2008-12-11 00:06 . 2008-12-11 17:24 <DIR> d

c:\program files\Spybot - Search & Destroy
2008-12-11 00:06 . 2008-12-11 17:24 <DIR> d

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 00:00 . 2008-12-11 00:02 <DIR> d

c:\program files\SpywareBlaster
2008-12-11 00:00 . 2008-12-11 00:30 <DIR> d-a

c:\documents and settings\All Users\Application Data\TEMP
2008-12-10 23:38 . 2008-12-10 23:39 <DIR> d

c:\documents and settings\home pc
2008-12-10 23:22 . 2008-12-10 23:24 1,393 --a

c:\windows\imsins.BAK
2008-12-10 01:14 . 2008-12-10 01:14 <DIR> d