Safe Mode Blue Screen | Unable to Load Malwarebytes

[vlane01]

Hey guys. First of all, thanks for the continual support these forums provide. I've referred several friends to Malwarebytes, and have always run it in addition to my antivirus software. This is the first time I've had trouble that I couldn't fix by searching through the cases here on your forum. Here are my symptoms:

My AVG Anti-Virus notified me of a trojan horse downloader upon loading my internet homepage on 10/25/2009. It read Trojan Horse Downloader.Small.GLM (C:\Windows\batmeter16.dll).

Spybot, AVG Anti-Virus, and Ad-Aware will since load, but will indicate errors upon checking for updates. All three indicate my system is free of problems. Malwarebytes Anti-Malware will not load, even when the root file is renamed.

When windows is restarted in safe mode, it aborts to a blue screen with the following text:

A problem has been detected and windows has been shutdown to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical Information:

*** STOP: 0x0000007B (0xF78FC524, 0xc0000034, 0x00000000, 0x00000000)

Here are the results of the hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:29:47 PM, on 10/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061017

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.charter.net/google/index.php?q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061017

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Powered by Charter Communications

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: Shell=Explorer.exe logon.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [gehizujur] Rundll32.exe "c:\windows\system32\wuhihadi.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165345278507

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Filter hijack: text/html - {1c860cc2-1895-4cdc-a768-728a58fdd10d} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: riziyd.dll bimimuho.dll c:\windows\system32\wuhihadi.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: mlJYstsP - mlJYstsP.dll (file missing)

O21 - SSODL: yenujijay - {32d6f95f-db17-4f6c-96b1-0fff5ebe6201} - c:\windows\system32\wuhihadi.dll

O22 - SharedTaskScheduler: mujuzedij - {32d6f95f-db17-4f6c-96b1-0fff5ebe6201} - c:\windows\system32\wuhihadi.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 8183 bytes

[miekiemoes]

Hi,

First of all, I need a file from your system...

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\Windows\System32\logon.exe

Select it and click ok:

Then click the Send File button below.

Then....

I see you are running Teatimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Then, To run malwarebytes when you get the error code 2 during install, or mbam.exe gets deleted, please see here:

http://www.malwarebytes.org/forums/index.php?showtopic=29028

Once malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.

Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.

After reboot, post the malwarebytes log together with a new HijackThislog.

[vlane01]

Hey Mieke. Thanks for your help. The bug got me, and it continues to get me after the Malwarebytes scan. Here's what's happened after I messaged you last.

I submitted the file you requested from BleepingComputer. After that I disabled and reset TeaTimer per your instructions. Then I copied an updated and renamed mbam.exe to my desktop. Malwarebytes then loaded up, scanned, and found several threats. Two required restarting. So I fixed all the threats it found, saved the log file, and restarted the computer. Upon restarting I got an error message for a file not found (a DLL). I closed that warning, and was about to upload the HiJackThis and Malwarebytes log files when I got another warning message from AVG Anti-virus. It detected a Trojan, so I hit heal. Just a moment after that, I got a message saying windows explorer had shut down, followed quickly by a blue screen with the following message:

STOP: c000021a {Fatal System Error}

The Windows Logon Process System terminated unexpectedly with a status of 0xc0000005 (0x000000000 0x00000000)

The system has been shutdown.

I will try restarting my computer to retrieve those log files, and will upload them shortly to this post.

[vlane01]

Computer rebooted. Here is the name of the trojan that AVG identified and that caused the earlier crash:

Trojan Horse Generic15.ACRF (C:\Windows\system32\bimimuho.dll)

Here are the two log files from Malwarebytes' and Hijackthis' scans.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:05:49 PM, on 10/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061017

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.charter.net/google/index.php?q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061017

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Powered by Charter Communications

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe" /runcleanupscript

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165345278507

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Filter hijack: text/html - {1c860cc2-1895-4cdc-a768-728a58fdd10d} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: riziyd.dll bimimuho.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: mlJYstsP - mlJYstsP.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 7314 bytes

Malwarebytes' Anti-Malware 1.41

Database version: 3033

Windows 5.1.2600 Service Pack 3

10/27/2009 5:02:30 PM

mbam-log-2009-10-27 (17-02-30).txt

Scan type: Quick Scan

Objects scanned: 119641

Time elapsed: 13 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\wuhihadi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{32d6f95f-db17-4f6c-96b1-0fff5ebe6201} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gehizujur (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{32d6f95f-db17-4f6c-96b1-0fff5ebe6201} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\yenujijay (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wuhihadi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wuhihadi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\wuhihadi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Delete on reboot.

[miekiemoes]

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O18 - Filter hijack: text/html - {1c860cc2-1895-4cdc-a768-728a58fdd10d} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: riziyd.dll bimimuho.dll

O20 - Winlogon Notify: mlJYstsP - mlJYstsP.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[vlane01]

Heya. Fixed the options you listed within Hijackthis. Ran ComboFix. I uploaded the log to this post.

ComboFixlog.txt

[miekiemoes]

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Folder::

c:\windows\system32\bak

c:\program files\QuickTime\bak

c:\program files\Messenger\bak

c:\program files\iTunes\bak

c:\program files\Grisoft\AVG Free\bak

AWF::

c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

c:\program files\Dell\Media Experience\bak\DMXLauncher.exe

c:\program files\Dell Support\bak\DSAgnt.exe

c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

c:\program files\McAfee\SpamKiller\bak\MSKDetct.exe

c:\program files\Microsoft Works\bak\wkfud.exe

c:\program files\Microsoft Works\bak\WksSb.exe

c:\windows\ehome\bak\ehtray.exe

c:\windows\system32\DLA\bak\DLACTRLW.EXE

NetSvc::

osautslj

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[vlane01]

Combofix log attached. Got a number of windows file protection warnings during that last scan.

log.txt

[miekiemoes]

Hi,

This looks OK again.

We also took care of leftovers from an older infection you were dealing with.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[vlane01]

Combofix is uninstalled. I have attached a HiJackThis logfile from a scan I conducted after the ComboFix uninstall. But everything seems to be running smoothly again. The computer isn't making the intermittent processing noises while idling like it was previously. The types of background processing that makes you suspicious. So that's a big change for the better. I'm going to restart, and will check back here afterwards in case you see anything in the HiJackThis logfile.

[vlane01]

Oops. Here's the log file.

log.txt

[vlane01]

Bah, too many of em. Here's the Hijackthis log I meant to upload.

[miekiemoes]

Bah, too many of em. Here's the Hijackthis log I meant to upload.

I guess all these different logs confuse you since you didn't include the log in your post either

Anyway, a new HijackThislog is not really needed anymore since Combofix shows the same (and more) than HijackThis does.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[vlane01]

Hmm. Upload failed. I think the forums're trying to tell me something.

[miekiemoes]

It's because you already uploaded too many logs (everyone has an upload limit). Normally we ask the users to copy and paste the contents of the log - no need to upload then

[vlane01]

Hey, thanks for the epicly fast responses and easy to follow instructions. You're the best, Miekie.

[miekiemoes]

You're most welcome

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.