
I cannot start or update Malwarebytes (HijackThis file included)



I was infected yesterday with WinPC Anti-virus.

I already had the free Malwarebytes' Anti-Malware software, but when I double-clicked it, it wouldn't start.

I tried downloading again with the same results.

Today I found instructions to manually remove WinPC Anti-virus.

Then I noticed I was also infected with Spyware Protect 2009.

I got the instructions to manually remove that also.

I would like to run a Malwarebytes scan, but it still will not run.

(*side note: similar issue with my System Restore - I can click the date I want to restore to, but the Next button won't work, so it never restores)

I couldn't get the MBAM log, since Malwarebytes won't run, but I did install HijackThis today. Here is the log: (thank you)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:00:48 PM, on 5/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\PdaNet 4.11\PdaNet.exe

C:\Program Files\PdaNet 4.11\PdaNetUm.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\PROGRA~1\COMMON~1\JFTech\PALMON~1.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O1 - Hosts: ::1 localhost

O1 - Hosts: 209.44.111.57 browser-security.microsoft.com

O1 - Hosts: 209.44.111.57 antivguardian.com

O1 - Hosts: 209.44.111.57 www.antivguardian.com

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: MySpace Toolbar - {28AED1AF-B164-44CD-B435-CF04AA955015} - C:\Program Files\MySpace\Toolbar\1.0.32.0\MySpaceToolbar.dll

O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll

O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll

O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: FreecycleMemberBHO - {C3E5E149-27B7-49D1-8420-B02AC52AF663} - C:\Program Files\Freecycle\FreecycleMember.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: MySpace Toolbar - {28AED1AF-B164-44CD-B435-CF04AA955015} - C:\Program Files\MySpace\Toolbar\1.0.32.0\MySpaceToolbar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers

O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet 4.11\PdaNet.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: VersionTrackerPro.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://vpn.libtax.info/XTSAC.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133632329247

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Filter hijack: text/html - {ac9d6e44-6f90-4d3a-a3b5-bb0b9ad260a0} - (no file)

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 10037 bytes


  • Root Admin

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only", then place a check mark on the following items:

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
  • O1 - Hosts: ::1 localhost
  • O1 - Hosts: 209.44.111.57 browser-security.microsoft.com
  • O1 - Hosts: 209.44.111.57 antivguardian.com
  • O1 - Hosts: 209.44.111.57 www.antivguardian.com
  • O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
  • O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
  • O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
  • O18 - Filter hijack: text/html - {ac9d6e44-6f90-4d3a-a3b5-bb0b9ad260a0} - (no file)

Then quit ALL browsers, including the one you're reading this in now.
Then click on Fix checked and then quit HJT.

Then please try the following.

From within Internet Explorer go to Tools/Internet Options/Advanced and click on the RESET button.

Then restart IE and again go to the Tools/Internet Options/Connections tab and, in the LAN and Dial-up settings, remove ALL PROXY settings unless you specifically set them yourself. Also remove any DNS Server entries unless YOU specifically set them.

Then click on START - RUN and copy / paste this into the RUN line and hit the OK button.

CMD /C ATTRIB -R -S -H C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

Then click on START - RUN and copy / paste this into the RUN line and hit the OK button.

CMD /C DEL C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

Now see if you can install, update and run MBAM.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.

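The checklist above (hosts-file redirections, a localhost proxy, a Run entry and a BHO DLL dropped straight into C:\WINDOWS, orphaned "(no file)" entries) and the hosts-file reset that follows it can both be turned into something a responder can run over a pasted log. The script below is an added example, not code from this thread, from Malwarebytes or from HijackThis; the sample log and hosts lines are constructed from entries quoted earlier in the thread, and the indicator rules are the editor's own reading of what the Root Admin flagged. clean_hosts() is a narrower alternative to deleting the hosts file outright: it keeps comments and loopback mappings and drops everything else.

```python
"""Triage helper for HijackThis-style log lines (added example; not from the
thread, from Malwarebytes or from HijackThis).

Indicators encoded, taken from the Root Admin's checklist:
  * O1 hosts entries that send a name anywhere other than loopback,
  * an R1 ProxyServer that routes the browser through a local listener,
  * O2/O3/O18 entries whose target file is missing ("(no file)"),
  * O2/O3/O4/O20 entries whose DLL/EXE sits directly in C:\\WINDOWS rather
    than in a product folder (sysguard.exe and ieocx.dll in the thread).
"""
import re
from typing import List, Optional, Tuple

# A hosts mapping to one of these is the normal "localhost" line, not a redirect
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
# First Windows path on the line that ends in .exe or .dll (quoted or not)
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll))", re.IGNORECASE)


def triage_line(line: str) -> Optional[str]:
    """Return a short reason if the line matches an indicator, else None."""
    line = line.strip()
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        return None if ip in LOOPBACK else f"hosts file redirects {host} to {ip}"
    if line.startswith("R1") and "ProxyServer" in line:
        m = PROXY_RE.search(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group(1)):
            return f"browser traffic routed through a local proxy ({m.group(1)})"
        return None
    if line.startswith(("O2", "O3", "O18")) and "(no file)" in line:
        return "entry points at a file that no longer exists"
    if line.startswith(("O2", "O3", "O4", "O20")):
        m = PATH_RE.search(line)
        # rsplit on the last backslash gives the directory the binary lives in
        if m and m.group(1).rsplit("\\", 1)[0].lower() == r"c:\windows":
            return f"binary dropped directly in C:\\WINDOWS: {m.group(1)}"
    return None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole pasted log; returns (line, reason) pairs."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


def clean_hosts(text: str) -> str:
    """Keep comments, blank lines and loopback mappings; drop every other mapping."""
    kept = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#") or s.split()[0] in LOOPBACK:
            kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample: a subset of the entries quoted in the thread's first log
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 browser-security.microsoft.com
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O18 - Filter hijack: text/html - {ac9d6e44-6f90-4d3a-a3b5-bb0b9ad260a0} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Constructed sample hosts file with the redirections from the thread
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
209.44.111.57 browser-security.microsoft.com
209.44.111.57 antivguardian.com
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:<55} <- {line[:70]}")
    print("cleaned hosts file:\n" + clean_hosts(SAMPLE_HOSTS))
```

Run it as-is to see the six flagged entries from the constructed sample; to use it on a real log, paste the log text in place of SAMPLE_LOG. The directory check deliberately compares the whole directory, so a legitimate C:\WINDOWS\system32\ctfmon.exe is not reported while C:\WINDOWS\sysguard.exe is.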

Thank you for the instructions but I was still not able to open Malwarebytes Anti-Malware.

When I tried to reset Internet Explorer, it kept saying it couldn't do it until all windows were closed (and they all were).

I went on to the Run code instructions, and then after completing that, I tried to reset Internet Explorer again, and it worked the 2nd time.

*I tried opening Malwarebytes from the Desktop shortcut, Start Menu and Explorer (same results with all - computer thinks for a second, then nothing).

Below is my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:01:58 PM, on 5/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\PdaNet 4.11\PdaNet.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\PdaNet 4.11\PdaNetUm.exe

C:\PROGRA~1\COMMON~1\JFTech\PALMON~1.EXE

C:\Program Files\Yahoo!\Companion\Installs\cpn2\ytbb.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: MySpace Toolbar - {28AED1AF-B164-44CD-B435-CF04AA955015} - C:\Program Files\MySpace\Toolbar\1.0.32.0\MySpaceToolbar.dll

O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll

O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: FreecycleMemberBHO - {C3E5E149-27B7-49D1-8420-B02AC52AF663} - C:\Program Files\Freecycle\FreecycleMember.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: MySpace Toolbar - {28AED1AF-B164-44CD-B435-CF04AA955015} - C:\Program Files\MySpace\Toolbar\1.0.32.0\MySpaceToolbar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers

O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet 4.11\PdaNet.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://vpn.libtax.info/XTSAC.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133632329247

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Filter hijack: text/html - {ac9d6e44-6f90-4d3a-a3b5-bb0b9ad260a0} - (no file)

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--

End of file - 8414 bytes


  • Root Admin

Please try the following and let me know if you still cannot get MBAM working to scan with.

You can run it a few times to see if it works, you can also try booting to Safe Mode and see if it works.

It will make a randomly named file of mbam.exe and a shortcut to run it on your desktop, so watch the name it creates and try it.

Small util to randomize the name of MBAM.EXE

randmbam.exe


Unfortunately, the malware has gotten worse & I cannot use any programs now. I now have Security System 2009 malware, which puts up a big black screen saying I'm infected & need to buy their software to fix. I can't open any programs: HJT, Notepad or Internet Explorer. I'm sending this reply from my Palm Centro cell phone. I tried to boot in Safe Mode, standard & with Networking, but I wasn't getting an internet connection in either. I'm not sure how I could fix this, even if you did provide instructions right now. :P I'm a blogger, with a contest starting tomorrow. It's kind of important that I have a working computer. Please help & thank you for your support so far.


  • Root Admin

Okay, well if you absolutely cannot run ANY software on the system then please download and burn this CD and run it on your system.

Use a friend or work computer if you have to.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner.
  • Click on Start scanner at the bottom of the screen.
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported (see: Command Line not working). English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Ok (wanting to cry)

- I burned the cd at work & followed the instructions.

- I couldn't see the entire antivir screen, so I went to the 1st & 2nd troubleshoot link u provided.

- since all text was in german, I couldn't find "miscellaneous > commandline", so I Ctrl + Alt + Backspace and typed "antivir --allfiles -z -ren /mnt/" (which was a little funky to do cuz of the german keyboard)

- it ran a scan, but only for like 2 seconds, then returned these results:

directories - 1

scanned files - 0

alerts - 0

suspicious - 0

scan time 00:00:01

- after that I didn't know what to do...so I did a hard reboot in regular mode with the hard drive & not D drive.

- once windows loaded, I still had the System Security malware & can't open any programs

I'm almost positive I did something wrong at the end. The scan was way too fast to have scanned my PC. Plus I did a hard reboot after it returned the results because I wasn't sure if it was done & what I needed to do next. Please advise.


  • Root Admin

If you press CTRL-ALT-DEL (all three keyboard keys at the same time), can you bring up the TASK MANAGER?

If you can't run ANYTHING then it's going to be difficult to fix. What about in SAFE MODE with no networking, can you run stuff like Notepad and Regedit?

Please see if you can burn a copy of ComboFix to CD at work and bring it back and try to run it in Safe Mode if you have to.

Also print out the CF instructions if you don't have them already.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Please see post #5, where I mentioned that I cannot open any programs, including HJT, Notepad or Internet Explorer. This is why I was asked to burn the 1st CD in post #7. When I double-click an icon on the Desktop, I get the hourglass for about 5 seconds, but nothing else ever happens. When I go to the Start Menu, it takes longer, but same results - computer thinks for a while, then nothing.

I cannot bring up Task Manager. And I believe it's the same issue in Safe Mode, but I will confirm that after I run home during lunch to see.

I will try to install ComboFix and Recovery Console and update tonight (from my phone if I can't get my PC to work).


Ok, in Safe Mode with Networking I was able to enable registry editing and manually remove the registry keys for System Security 2009 (though the desktop icon remained and it may still be on my PC).

Malwarebytes still will not run and I was not able to connect to the Internet, though I booted in Safe Mode with Networking.

What steps are required to connect to the internet in Safe Mode with Networking?

- When I get home tonight I will try the instructions in post #4, which is to install Malwarebytes under a different name.

- I will also burn ComboFix & Windows Recovery just in case the installation still will not work.

*As a side note, I also still cannot use System Restore. After I select the date I want to Restore, the Next button will not work.

IN SUMMARY:

- How can I connect to the internet in Safe Mode with Networking?

- If I can finally connect and install Malwarebytes under a different name, can I clean malware in Safe Mode?

Thank you guys for all your help so far. We're almost done...I can feel it! :)


  • Root Admin

Yes I know you posted you could not run stuff, but double checking as sometimes people are frustrated and don't explore further.

Well, for now just try to run ComboFix.exe; if needed, try renaming it. It may be able to fix some or most of it on its own.

Then we'll take it from there.

You can also burn this program to CD and see if it will run in Safe Mode if ComboFix still won't run.

You can print this out for home.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab; I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives.
  • The more files and folders you have, the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.



When you say "rename", you simply mean:

- right-clicking the desktop icon

- selecting Rename, and

- entering a different name, right?

I did this for both Malwarebytes & ComboFix, but neither would work with the original or changed name.

Dr.Web Scanner is working (thank god & Malwarebytes support crew) & is currently running now in Safe Mode. Once it's done I will try to run HJT again (has not been working since other programs stopped) & will post logs shortly.


I'm attaching the Dr.Web log.

HJT was removed at some point (not sure if Dr.Web removed it or the virus did, but I no longer have it and couldn't connect online with Safe Mode to install it again).

Malwarebytes will not work in Safe or Regular mode with original or changed name.

In regular mode the malware is still popping up, though it is no longer putting up the black screen that covers the desktop saying I'm infected. I disconnected the Internet, so it couldn't download more malware, but certain programs and Run commands still won't work (i.e. task manager).

14760314.exe;c:\documents and settings\all users\application data\14760314;Win32.Virut.56;Cured.;

94770306.exe;c:\documents and settings\all users\application data\94770306;Win32.Virut.56;Cured.;

94770306.exe;c:\documents and settings\all users\application data\94770306;Trojan.Fakealert.4301;Deleted.;

combofix.exe/data002\32788R22FWJFW\FIND3M.bat;c:\documents and settings\megan boone\desktop\combofix.exe/data002;Probably BATCH.Virus;;

data002;c:\documents and settings\megan boone\desktop;Archive contains infected objects;;

combofix.exe;c:\documents and settings\megan boone\desktop;Container contains infected objects;Moved.;

reader_s.exe;c:\documents and settings\megan boone;Win32.Virut.56;Cured.;

reader_s.exe;c:\documents and settings\megan boone;Trojan.DownLoad.29459;Deleted.;

msmsgs.exe;c:\program files\messenger;Win32.Virut.56;Cured.;

svchost.exe;c:\program files\microsoft common;Trojan.Packed.393;Deleted.;

sqlservr.exe;c:\program files\microsoft sql server\mssql\binn;Win32.Virut.56;Cured.;

myspaceim.exe;c:\program files\myspace\im;Win32.Virut.56;Cured.;

hotsync.exe;c:\program files\palm;Win32.Virut.56;Cured.;

qttask.exe;c:\program files\quicktime;Win32.Virut.56;Cured.;

testabd.exe;c:\program files\thunmail;Win32.Virut.56;Cured.;

testabd.exe;c:\program files\thunmail;Trojan.PWS.Wow.origin;Incurable.Moved.;

av.exe;c:\windows;Win32.Virut.56;Cured.;

svchost.exe;c:\windows\dhcp;Win32.Virut.56;Cured.;

svchost.exe;c:\windows\dhcp;BackDoor.BlackHole.3354;Deleted.;

explorer.exe;c:\windows;Win32.Virut.56;Cured.;

unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;

ld08.exe;c:\windows;Win32.Virut.56;Cured.;

ld08.exe;c:\windows;Win32.HLLW.Facebook.67;Deleted.;

xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;

pp07.exe;c:\windows;Win32.Virut.56;Cured.;

pp07.exe;c:\windows;Win32.HLLW.Facebook.68;Deleted.;

svchost.exe;c:\windows\system32\3361;Win32.Virut.56;Cured.;

svchost.exe;c:\windows\system32\3361;Trojan.Click.25852;Deleted.;

__c00cc16b.dat;c:\windows\system32;Trojan.DownLoad.29357;Deleted.;

ctfmon.exe;c:\windows\system32;Win32.Virut.56;Cured.;

dumprep.exe;c:\windows\system32;Win32.Virut.56;Cured.;

fxssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;

ie4uinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;

igfxsrvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;

imapi.exe;c:\windows\system32;Win32.Virut.56;Cured.;

logonui.exe;c:\windows\system32;Win32.Virut.56;Cured.;

msfeedssync.exe;c:\windows\system32;Win32.Virut.56;Cured.;

msiexec.exe;c:\windows\system32;Win32.Virut.56;Cured.;

pcm1394.sys;c:\windows\system32;Trojan.NtRootKit.2927;Deleted.;

reader_s.exe;c:\windows\system32;Win32.Virut.56;Cured.;

reader_s.exe;c:\windows\system32;Trojan.DownLoad.29459;Deleted.;

regsvr32.exe;c:\windows\system32;Win32.Virut.56;Cured.;

rundll32.exe;c:\windows\system32;Win32.Virut.56;Cured.;

searchindexer.exe;c:\windows\system32;Win32.Virut.56;Cured.;

sopidkc.exe;c:\windows\system32;Win32.Virut.56;Cured.;

sopidkc.exe;c:\windows\system32;Trojan.DownLoad.35111;Deleted.;

spoolsv.exe;c:\windows\system32;Win32.Virut.56;Cured.;

sys32dll.exe;c:\windows\system32;Win32.Virut.56;Cured.;

sys32dll.exe;c:\windows\system32;Trojan.DownLoad.37297;Deleted.;

userinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;

svchost.exe;c:\windows\system;Win32.Virut.56;Cured.;

svchost.exe;c:\windows\system;BackDoor.Siggen.184;Deleted.;

525907172.exe;c:\windows\temp;Win32.Virut.56;Cured.;

dkqol.exe;C:\;Trojan.DownLoad.37295;Deleted.;

ijvr.exe;C:\;Trojan.DownLoad.33658;Deleted.;

jfknkkkh.exe;C:\;Win32.Virut.56;Cured.;

prylxoqb.exe;C:\;Win32.Virut.56;Cured.;

prylxoqb.exe;C:\;Trojan.DownLoad.37295;Deleted.;

twsgm.exe;C:\;Trojan.DownLoad.33658;Deleted.;

vfmf.exe;C:\;Win32.Virut.56;Cured.;

vfmf.exe;C:\;Win32.Virut.56;Cured.;

tl.exe;C:\Documents and Settings\All Users\eBay\Turbo Lister2\Update;Win32.Virut.56;Cured.;

tlmail.exe;C:\Documents and Settings\All Users\eBay\Turbo Lister2\Update;Win32.Virut.56;Cured.;

3 Months Free NetZero.exe;C:\Documents and Settings\Megan Boone\Desktop\Unused Desktop Shortcuts;Win32.Virut.56;Cured.;

3 Months Free NetZero.exe;C:\Documents and Settings\Megan Boone\Desktop\Unused Desktop Shortcuts;Trojan.Click.1487;Deleted.;

418.exe;C:\Documents and Settings\Megan Boone\Local Settings\Temp;Win32.Virut.56;Cured.;

418.exe;C:\Documents and Settings\Megan Boone\Local Settings\Temp;Win32.HLLW.Recycler.5;Deleted.;

_A00FFE3C88.exe;C:\Documents and Settings\Megan Boone\Local Settings\Temp;Trojan.DownLoad.33658;Deleted.;

lvreefo[1].htm;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\5M27GHWT;Trojan.DownLoad.33658;Deleted.;

p[1].exe;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\5M27GHWT;Trojan.Packed.365;Incurable.Moved.;

wspcpq[1].htm;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\5M27GHWT;Trojan.DownLoad.37295;Deleted.;

ggcqqdde[1].htm;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\6IPHHJA5;Trojan.MulDrop.30417;Deleted.;

install[1].exe;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\6IPHHJA5;Trojan.Packed.393;Deleted.;

loaderadv563[1].exe;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\6IPHHJA5;Trojan.Packed.2450;Deleted.;

aasuper1[1].htm;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\LX793E99;Win32.Virut.56;Cured.;

yhrrrrsfob[1].txt;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\LX793E99;Trojan.Packed.2450;Deleted.;

aasuper3[1].htm;C:\Documents and Settings\Megan Boone\Local Settings\Temporary Internet Files\Content.IE5\R3VITQKI;Win32.HLLW.Facebook.67;Deleted.;

Adobe Media Player.exe;C:\Program Files\Adobe Media Player;Win32.Virut.56;Cured.;

BJEZPRN.EXE;C:\Program Files\Canon\Easy-PhotoPrint;Win32.Virut.56;Cured.;

uninst.exe;C:\Program Files\Canon\Easy-PhotoPrint;Win32.Virut.56;Cured.;

uninstall.exe;C:\Program Files\Canon\IJ Manual\IP1600;Win32.Virut.56;Cured.;

IDriver.exe;C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32;Win32.Virut.56;Cured.;

ISUSPM.exe;C:\Program Files\Common Files\InstallShield\UpdateService;Win32.Virut.56;Cured.;

PalmOneLiveConnect.exe;C:\Program Files\Common Files\JFTech;Win32.Virut.56;Cured.;

msinfo32.exe;C:\Program Files\Common Files\Microsoft Shared\MSInfo;Win32.Virut.56;Cured.;

rnuninst.exe;C:\Program Files\Common Files\Real\Update;Win32.Virut.56;Cured.;

Mediahub.exe;C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main;Win32.Virut.56;Cured.;

UNWISE.EXE;C:\Program Files\Cosmopolitan\Cosmo Fashion Makeover Deluxe;Win32.Virut.56;Cured.;

DSAgnt.exe;C:\Program Files\Dell Support;Win32.Virut.56;Cured.;

DSBrws.exe;C:\Program Files\Dell Support;Win32.Virut.56;Cured.;

DSSet.exe;C:\Program Files\Dell Support;Win32.Virut.56;Cured.;

NetClose.dll;C:\Program Files\Dell Support\GTCoach\dlls\main;Trojan.PWS.Wsgame.origin;Incurable.Moved.;

TS2BodyShop.exe;C:\Program Files\EA GAMES\The Sims 2\CSBin;Win32.Virut.56;Cured.;

EasyInfo.exe;C:\Program Files\EA GAMES\The Sims 2\Support;Win32.Virut.56;Cured.;

EReg.exe;C:\Program Files\EA GAMES\The Sims 2\Support;Win32.Virut.56;Cured.;

Tl.exe;C:\Program Files\eBay\Turbo Lister2;Win32.Virut.56;Cured.;

filezilla.exe;C:\Program Files\FileZilla FTP Client;Win32.Virut.56;Cured.;

Yahtzee.exe;C:\Program Files\Hasbro\Yahtzee;Win32.Virut.56;Cured.;

Setup.exe;C:\Program Files\InstallShield Installation Information\{5C0BFEB4-4A1B-439C-91AC-9AED106DA213};Win32.Virut.56;Cured.;

PRONoMgr.exe;C:\Program Files\Intel\PROSetWired\NCS\PROSet;Win32.Virut.56;Cured.;

PROSet.exe;C:\Program Files\Intel\PROSetWired\NCS\PROSet;Win32.Virut.56;Cured.;

ExtExport.exe;C:\Program Files\Internet Explorer;Win32.Virut.56;Cured.;

iedw.exe;C:\Program Files\Internet Explorer;Win32.Virut.56;Cured.;

icwconn1.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;

icwconn2.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;

icwrmind.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;

icwtutor.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;

inetwiz.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;

isignup.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut.56;Cured.;

STRunner.exe;C:\Program Files\Learn2.com\StRunner;Win32.Virut.56;Cured.;

LimeWire.exe;C:\Program Files\LimeWire;Win32.Virut.56;Cured.;

mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Win32.Virut.56;Cured.;

PS2Trial.exe;C:\Program Files\Microsoft Plus! Photo Story 2 LE;Win32.Virut.56;Cured.;

moviemk.exe;C:\Program Files\Movie Maker;Win32.Virut.56;Cured.;

bckgzm.exe;C:\Program Files\MSN Gaming Zone\Windows;Win32.Virut.56;Cured.;

chkrzm.exe;C:\Program Files\MSN Gaming Zone\Windows;Win32.Virut.56;Cured.;

hrtzzm.exe;C:\Program Files\MSN Gaming Zone\Windows;Win32.Virut.56;Cured.;

Rvsezm.exe;C:\Program Files\MSN Gaming Zone\Windows;Win32.Virut.56;Cured.;

shvlzm.exe;C:\Program Files\MSN Gaming Zone\Windows;Win32.Virut.56;Cured.;

napster.exe;C:\Program Files\Napster;Win32.Virut.56;Cured.;

conf.exe;C:\Program Files\NetMeeting;Win32.Virut.56;Cured.;

OLYMPUS Master.exe;C:\Program Files\OLYMPUS\OLYMPUS Master;Win32.Virut.56;Cured.;

msimn.exe;C:\Program Files\Outlook Express;Win32.Virut.56;Cured.;

wab.exe;C:\Program Files\Outlook Express;Win32.Virut.56;Cured.;

Instapp.exe;C:\Program Files\Palm;Win32.Virut.56;Cured.;

Palm.exe;C:\Program Files\Palm;Win32.Virut.56;Cured.;

IMxDVD2CM.exe;C:\Program Files\PIXELA\ImageMixer;Win32.Virut.56;Cured.;

QuickTimeUpdater.exe;C:\Program Files\QuickTime;Win32.Virut.56;Cured.;

realplay.exe;C:\Program Files\Real\RealPlayer;Win32.Virut.56;Cured.;

setup.exe;C:\Program Files\Real\RealPlayer\Setup;Win32.Virut.56;Cured.;

RecordedfileImportUtility.exe;C:\Program Files\Samsung\YH-925\Utility;Win32.Virut.56;Cured.;

RecoveryUtility.exe;C:\Program Files\Samsung\YH-925\Utility;Win32.Virut.56;Cured.;

natspeak.exe;C:\Program Files\ScanSoft\NaturallySpeaking\Program;Win32.Virut.56;Cured.;

BootSafe.exe;C:\Program Files\SUPERAntiSpyware;Win32.Virut.56;Cured.;

SUPERAntiSpyware.exe;C:\Program Files\SUPERAntiSpyware;Win32.Virut.56;Cured.;

HijackThis.exe;C:\Program Files\Trend Micro\HijackThis;Win32.Virut.56;Cured.;

MtsAxInstaller.exe;C:\Program Files\Viewpoint\Viewpoint Experience Technology;Win32.Virut.56;Cured.;

SystemInfo.exe;C:\Program Files\Watchtower\Watchtower Library 2006;Win32.Virut.56;Cured.;

wtlib.exe;C:\Program Files\Watchtower\Watchtower Library 2006\e;Win32.Virut.56;Cured.;

popupwasher.exe;C:\Program Files\Webroot\Pop-Up Washer;Win32.Virut.56;Cured.;

UNWISE.EXE;C:\Program Files\Webroot\Pop-Up Washer;Win32.Virut.56;Cured.;

wwDisp.exe;C:\Program Files\Webroot\Washer;Win32.Virut.56;Cured.;

wmplayer.exe;C:\Program Files\Windows Media Player;Win32.Virut.56;Cured.;

hypertrm.exe;C:\Program Files\Windows NT;Win32.Virut.56;Cured.;

wordpad.exe;C:\Program Files\Windows NT\Accessories;Win32.Virut.56;Cured.;

pinball.exe;C:\Program Files\Windows NT\Pinball;Win32.Virut.56;Cured.;

QPW.exe;C:\Program Files\WordPerfect Office 12\Programs;Win32.Virut.56;Cured.;

pqlmq.exe;C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556;Win32.Virut.56;Cured.;

pqlmq.exe;C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556;Win32.HLLW.Recycler.5;Deleted.;

service.exe;C:\RECYCLER\S-1-5-21-9290646963-1989897948-526030661-2783;Win32.Virut.56;Cured.;

service.exe;C:\RECYCLER\S-1-5-21-9290646963-1989897948-526030661-2783;Trojan.Packed.142;Deleted.;

ddcya.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

fpqpkcaa.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

qaeetdmp.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

qnlevhcw.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

yncjoyvc.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

explorer.exe.tmp;C:\WINDOWS;Win32.Virut.56;Cured.;

hh.exe;C:\WINDOWS;Win32.Virut.56;Cured.;

notepad.exe;C:\WINDOWS;Win32.Virut.56;Cured.;

regedit.exe;C:\WINDOWS;Win32.Virut.56;Cured.;

regedit.exe.tmp;C:\WINDOWS;Win32.Virut.56;Cured.;

sysguard.exe;C:\WINDOWS;Trojan.Fakealert.4277;Deleted.;

uninst.exe;C:\WINDOWS;Win32.Virut.56;Cured.;

Unwash6.exe;C:\WINDOWS;Win32.Virut.56;Cured.;

orun32.exe;C:\WINDOWS\Help\SBSI\Training;Win32.Virut.56;Cured.;

f74a.msi/stream001/engine.cai\dlls\main\NetClose.dll;C:\WINDOWS\Installer\f74a.msi/stream001/engine.cai;Trojan.PWS.Wsgame.origin;;

engine.cai;C:\WINDOWS\Installer;Archive contains infected objects;;

stream001;C:\WINDOWS\Installer;Archive contains infected objects;;

f74a.msi;C:\WINDOWS\Installer;Archive contains infected objects;Moved.;

PS2Trial.Exe;C:\WINDOWS\Installer\{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B};Win32.Virut.56;Cured.;

NewShortcut1.56285FC4_11A9_11D6_8473_00902745D287.exe;C:\WINDOWS\Installer\{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7};Win32.Virut.56;Cured.;

NewShortcut4_4CBB1976C0944FA38ACF3C143BEB09D5.exe;C:\WINDOWS\Installer\{548EEA8E-8299-497F-8057-811D2D7097DC};Win32.Virut.56;Cured.;

NewShortcut6_5FF0011DF81244E5B74356CDA2D3FA3D_1.exe;C:\WINDOWS\Installer\{548EEA8E-8299-497F-8057-811D2D7097DC};Win32.Virut.56;Cured.;

ARPPRODUCTICON.exe;C:\WINDOWS\Installer\{5905F42D-3F5F-4916-ADA6-94A3646AEE76};Win32.Virut.56;Cured.;

NewShortcut1.exe;C:\WINDOWS\Installer\{5905F42D-3F5F-4916-ADA6-94A3646AEE76};Win32.Virut.56;Cured.;

misc.exe;C:\WINDOWS\Installer\{90530409-6000-11D3-8CFE-0150048383C9};Win32.Virut.56;Cured.;

visicon.exe;C:\WINDOWS\Installer\{90530409-6000-11D3-8CFE-0150048383C9};Win32.Virut.56;Cured.;

CARMOrganizer.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

ClipBkShortcut.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

PRShortcut.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

QPWShortcut.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

RegisterShortcutHomeEdition.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

UAShortcut.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

WPShortcut.exe;C:\WINDOWS\Installer\{AF19F291-F22F-4798-9662-525305AE9E48};Win32.Virut.56;Cured.;

IconCDDCBBF15.exe;C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA};Win32.Virut.56;Cured.;

NewShortcut1_45BA714564B04B5DBDC240E20FCDC6DC.exe;C:\WINDOWS\Installer\{FD6034A3-655C-49F0-B496-D4CBFD74D7A7};Win32.Virut.56;Cured.;

NewShortcut2.041BC1C4_61CF_4566_B322_09A7A1F3FCD3.exe;C:\WINDOWS\Installer\{FD6034A3-655C-49F0-B496-D4CBFD74D7A7};Win32.Virut.56;Cured.;

NewShortcut2_CEE9A021A79C462F7256725618452FF1.exe;C:\WINDOWS\Installer\{FD6034A3-655C-49F0-B496-D4CBFD74D7A7};Win32.Virut.56;Cured.;

NewShortcut6_45BA714564B04B5DBDC240E20FCDC6DC.exe;C:\WINDOWS\Installer\{FD6034A3-655C-49F0-B496-D4CBFD74D7A7};Win32.Virut.56;Cured.;

ConfigWizards.exe;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322;Win32.Virut.56;Cured.;

helpsvc.exe;C:\WINDOWS\pchealth\helpctr\binaries;Win32.Virut.56;Cured.;

accwiz.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

ahui.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

calc.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

charmap.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

cleanmgr.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

cmd.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

control.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

ctfmon.exe.tmp;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

dwwin.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

freecell.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

fxscover.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

fxssend.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

magnify.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

mobsync.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

mshearts.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

mspaint.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

mstsc.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

narrator.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

notepad.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

ntvdm.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

odbcad32.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

osk.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

rcimlby.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

reg.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

searchfilterhost.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

searchprotocolhost.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

sndrec32.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

sndvol32.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

sol.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

spider.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

taskmgr.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

taskmgr.exe.tmp;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

tourstart.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

UACaplbdkdysxtplsn.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;

UACbtwgkxxhucujnaw.dll;C:\WINDOWS\system32;Trojan.Packed.365;Incurable.Moved.;

UACqayiejgdmajknoc.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;

UACrktwlahnnnkoqle.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;

UACxerlhnpfuideuol.dll;C:\WINDOWS\system32;Trojan.Packed.365;;

utilman.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

verclsid.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

w.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

wiaacmgr.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

winmine.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

wtukd32.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

wupdmgr.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;

__c00CC16B.dat;C:\WINDOWS\system32;Trojan.DownLoad.29357;Deleted.;

__c00FEC59.dat;C:\WINDOWS\system32;Trojan.DownLoad.29357;Deleted.;

796525.dll;C:\WINDOWS\system32\796525;Trojan.DownLoad.36180;Deleted.;

reader_s.exe;C:\WINDOWS\system32\config\systemprofile;Win32.Virut.56;Cured.;

reader_s.exe;C:\WINDOWS\system32\config\systemprofile;Trojan.DownLoad.29459;Deleted.;

codec[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6FNIA0ZO;Trojan.Siggen.2144;Deleted.;

166[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DXB6F6RM;Trojan.Packed.2450;Deleted.;

rstrui.exe;C:\WINDOWS\system32\Restore;Win32.Virut.56;Cured.;

migwiz.exe;C:\WINDOWS\system32\usmt;Win32.Virut.56;Cured.;

BN2D.tmp;C:\WINDOWS\Temp;Trojan.Packed.142;Deleted.;

BN35.tmp;C:\WINDOWS\Temp;Trojan.Packed.142;Deleted.;

cawadpoisudrfgw44.exe\sopidkc.exe;C:\WINDOWS\Temp\cawadpoisudrfgw44.exe;Trojan.DownLoad.35111;;

cawadpoisudrfgw44.exe;C:\WINDOWS\Temp;Archive contains infected objects;Moved.;

cawadpoisudrfgw47.exe;C:\WINDOWS\Temp;Win32.Virut.56;Cured.;

cawadpoisudrfgw47.exe;C:\WINDOWS\Temp;Trojan.MulDrop.31599;Deleted.;

rdl18.tmp;C:\WINDOWS\Temp;Trojan.Siggen.2144;Deleted.;

VRT13.tmp;C:\WINDOWS\Temp;Trojan.Packed.255;Deleted.;

VRT22.tmp;C:\WINDOWS\Temp;Trojan.DownLoad.37264;Deleted.;

_A00FFCAD9B.exe;C:\WINDOWS\Temp;Win32.Virut.56;Cured.;

_A00FFCAD9B.exe;C:\WINDOWS\Temp;Trojan.DownLoad.33658;Deleted.;

aasuper3[1].htm;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8YOSLEUN;Win32.HLLW.Facebook.67;Deleted.;

yhrrrrsfob[1].txt;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8YOSLEUN;Trojan.Packed.2450;Deleted.;

aasuper2[1].htm;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NU03K2N8;Trojan.DownLoad.29459;Deleted.;

bot[1].exe;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NU03K2N8;BackDoor.Siggen.184;Deleted.;

lvreefo[1].htm;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NU03K2N8;Trojan.DownLoad.33658;Deleted.;

nfr[1].exe;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NU03K2N8;Trojan.DownLoad.37297;Deleted.;

6244[1].exe;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R2JR4W1Y;Trojan.DownLoad.36180;Deleted.;

aasuper1[1].htm;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R2JR4W1Y;Win32.Virut.56;Cured.;

wspcpq[1].htm;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R2JR4W1Y;Trojan.DownLoad.37295;Deleted.;

ggcqqdde[1].htm;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RDVFH7OV;Trojan.MulDrop.30417;Deleted.;

pp.07[1].exe;C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RDVFH7OV;Win32.HLLW.Facebook.68;Deleted.;

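The report above is long enough that reading it by eye hides the pattern. The script below is an added example, not part of the original thread and not Dr.Web code: it parses a CureIt report of the shape pasted above (assumed from the log itself: one detection per line, fields `name;directory;threat;action;`, with an empty action when the scanner only reported) and answers the questions a responder asks first: what was found, what was done about it, which files carried the file infector, and whether any of the clean-up tools were themselves hit. The sample lines embedded in the script are constructed from the same format, not the full log.

```python
"""Triage a Dr.Web CureIt report of the kind pasted above.

Added example; not part of the original thread and not Dr.Web code.
Assumption (taken from the pasted log): one detection per line, fields
separated by ';' in the order  name;directory;threat;action;  and an empty
action when the scanner only reported ("Probably ..." heuristics, archive members).
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same shape as the report above (not the full log).
SAMPLE_LOG = """\
explorer.exe;c:\\windows;Win32.Virut.56;Cured.;
sysguard.exe;c:\\windows;Trojan.Fakealert.4277;Deleted.;
pcm1394.sys;c:\\windows\\system32;Trojan.NtRootKit.2927;Deleted.;
UACaplbdkdysxtplsn.dll;c:\\windows\\system32;Probably Trojan.Packed.365;;
testabd.exe;c:\\program files\\thunmail;Trojan.PWS.Wow.origin;Incurable.Moved.;
combofix.exe;c:\\documents and settings\\user\\desktop;Container contains infected objects;Moved.;
mbam.exe;c:\\program files\\malwarebytes' anti-malware;Win32.Virut.56;Cured.;
"""

# Clean-up tools used in this thread; a file-infector hit on one of them is
# worth knowing about when those tools refuse to start.
TOOL_NAMES = {"mbam.exe", "hijackthis.exe", "combofix.exe", "superantispyware.exe"}


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str  # "" when Dr.Web only reported and took no action


def parse_cureit_log(text: str) -> list:
    """Parse the semicolon-separated report into Detection records."""
    detections = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0].strip():
            continue  # blank line or something that is not a detection row
        name, directory, threat, action = (p.strip() for p in parts[:4])
        detections.append(Detection(name, directory, threat, action.rstrip(".")))
    return detections


def summarize(detections) -> tuple:
    """Counts per threat name and per action ("Reported" when no action was taken)."""
    by_threat = Counter(d.threat for d in detections)
    by_action = Counter(d.action or "Reported" for d in detections)
    return by_threat, by_action


def is_file_infector(threat: str) -> bool:
    # Dr.Web labels the Virut family "Win32.Virut.<variant>".
    return threat.startswith("Win32.Virut")


def full_path(d: Detection) -> str:
    return (d.directory.rstrip("\\") + "\\" + d.name).lower()


def infector_hosts(detections) -> list:
    """Every file that carried the file infector, whatever Dr.Web did with it.

    A "Cured." host is a disinfected copy, not the original; the thread notes
    that Virut misinfects some hosts beyond repair, so treat these as files to
    replace from install media rather than as clean.
    """
    return sorted({full_path(d) for d in detections if is_file_infector(d.threat)})


def tools_hit(detections) -> list:
    """Clean-up tools that were themselves infected by the file infector."""
    return sorted({d.name.lower() for d in detections
                   if is_file_infector(d.threat) and d.name.lower() in TOOL_NAMES})


if __name__ == "__main__":
    dets = parse_cureit_log(SAMPLE_LOG)
    by_threat, by_action = summarize(dets)
    print("threats:", dict(by_threat))
    print("actions:", dict(by_action))
    print("infector hosts:", infector_hosts(dets))
    print("tools hit:", tools_hit(dets))
```

Run it against the real DrWeb.csv by reading the file into `parse_cureit_log` instead of `SAMPLE_LOG`. On the report above, `tools_hit` would list mbam.exe and HijackThis.exe, which were both among the "Cured." Virut hosts.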

  • Root Admin

Hello, I'm sorry to tell you this but you have the VIRUT virus.

The Virut virus is a file infector infection. Most experts suggest a format/reinstall.

Virut File Infector Warning

Your system is infected with the Win32.Virut virus.
Virus:Win32 VIRUT

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Disconnect it from any Network and do not share external USB drives or similar devices with any other computer as it can easily infect them as well if they're not protected from this Virus.
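The backup advice above is easy to get wrong by hand on a drive with thousands of files. The script below is an added example, not part of the original thread: it walks a folder, copies only files that are not of the types the warning names (.exe, .scr, .htm, .html), and refuses any zip archive that contains one of those types. Assumptions: only .zip archives are inspected, because the Python standard library has no .cab or .rar reader, so those two are skipped outright rather than guessed at; the sample folder built by `build_demo_tree()` is constructed for the demo and the file names in it are invented.

```python
"""Document-only backup that skips what Virut infects.

Added example; not from the original thread. It applies the advice above:
copy personal data only, skip .exe/.scr/.htm/.html files, and skip archives
that hold such files. Assumptions: only .zip archives are inspected (no
.cab/.rar reader in the standard library, so those are skipped outright);
the tree built by build_demo_tree() is constructed for the demo.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path

INFECTABLE = {".exe", ".scr", ".htm", ".html"}   # types named in the warning above
INSPECTABLE_ARCHIVES = {".zip"}
UNINSPECTABLE_ARCHIVES = {".cab", ".rar"}        # assumption: skip rather than guess


def archive_has_infectable(path: Path) -> bool:
    """True if any member of a zip has an infectable extension, or the zip is unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(n).suffix.lower() in INFECTABLE for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return True  # fail closed: an unreadable archive is not copied


def classify(path) -> str:
    """'copy' or a 'skip:<reason>' string for one file (str or Path)."""
    path = Path(path)
    suffix = path.suffix.lower()   # case-insensitive, as Windows file names are
    if suffix in INFECTABLE:
        return "skip:infectable"
    if suffix in UNINSPECTABLE_ARCHIVES:
        return "skip:uninspectable-archive"
    if suffix in INSPECTABLE_ARCHIVES and archive_has_infectable(path):
        return "skip:archive-with-executables"
    return "copy"


def plan_backup(src: Path) -> dict:
    """Walk src and decide per file; returns {'copy': [Path], 'skipped': [(Path, reason)]}."""
    plan = {"copy": [], "skipped": []}
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        verdict = classify(p)
        if verdict == "copy":
            plan["copy"].append(p)
        else:
            plan["skipped"].append((p, verdict))
    return plan


def run_backup(src: Path, dst: Path) -> dict:
    """Copy the planned files into dst, keeping the relative folder layout."""
    plan = plan_backup(src)
    for p in plan["copy"]:
        target = dst / p.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
    return plan


def build_demo_tree(root: Path) -> None:
    """Constructed sample: documents, a photo, infectable files, and two zips."""
    (root / "docs").mkdir(parents=True)
    (root / "photos").mkdir()
    (root / "docs" / "letter.doc").write_bytes(b"letter")
    (root / "photos" / "pic.jpg").write_bytes(b"\xff\xd8 jpeg")
    (root / "setup.exe").write_bytes(b"MZ")
    (root / "saver.scr").write_bytes(b"MZ")
    (root / "page.html").write_text("<html></html>")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:   # holds an .exe: skip
        zf.writestr("readme.txt", "x")
        zf.writestr("bin/tool.exe", "MZ")
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:   # documents only: copy
        zf.writestr("notes.txt", "y")


def demo() -> dict:
    """Build the sample tree in a temp dir, back it up, and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "src", Path(d) / "backup"
        build_demo_tree(src)
        plan = run_backup(src, dst)
        return {
            "copied": [p.name for p in plan["copy"]],
            "skipped": [(p.name, why) for p, why in plan["skipped"]],
            "on_backup": sorted(q.name for q in dst.rglob("*") if q.is_file()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For a real run, call `run_backup(Path(r"C:\Documents and Settings\<user>\My Documents"), Path(r"E:\backup"))` from a clean machine that mounts the infected disk read-only; review the `skipped` list before deciding anything in it is worth keeping.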

Well that sucks. :)

All this started when I was adding new friends on my myspace page.

For clarification:

- I burned & installed all the above programs to CDs, but I saved the Dr.Web CureIt log on my USB drive (which already had a lot of personal files on it). Is that drive now infected? I really hope not!

- Could you also provide instructions on how to reformat? I've never had to do it before.


  • Root Admin

You will need the Windows XP installation CD for this and the COA (Certificate Of Authenticity) key number, normally found on the side of the machine somewhere.

Then review the site link here: http://michaelstevenstech.com/cleanxpinstall.html

http://web.mit.edu/ist/products/winxp/adva...all-format.html

Almost guaranteed that you got infected by either having NO Anti-Virus running, or very old definitions. Make sure you get Anti-Virus as soon as possible installed on new build and keep it up to date daily.

Is the USB drive infected? Probably, but we won't be able to tell until you have a good working and fully protected system to take a look at the files on it.

DO NOT use it until a good up to date AV is installed and running.


  • Root Admin

If you need further help please open a new ticket in the PC Help forum or send me a Private Message to open this again.

Good luck.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
