
feedwater.com virus? This thing must be in the electrons...


XP Home ed., protected somehow, or so I thought, for the last 4 years... only my wife and I use the PC, and about 1pm on a Saturday 2 weeks ago she was on Amazon, or checking some Facebook site, when this "thing" took over the IE browser. The computer ran as slow as 90W gear oil on a cold day; you couldn't do anything with IE open and not have a new window popping up every 3 seconds, only killable through Task Manager. Then anything you tried to click on took me to (or through?) the feedwater.com site.

I got a quick lesson in that the Norton AV program or PC Tools program could not eradicate it without booting in Safe Mode. Never done that before. But trying to do a Safe Boot only ended up getting me a bunch of script with a blue screen. So then I went into normal boot, but changed boot.ini to the Safe Mode checkbox. That did it in for sure. Trying to restart normally or by Safe Mode or anything gave the blue screen with a stop error...

I went away for a week and my wife went nuts not having a connection to the outside world and 2 kids under 4 yrs to contend with, not to mention #3 is in the oven. I talked to a retired IT guy she knew and it sounded like he knew exactly what was up. He said that even in Safe Mode it's not the most effective; you have to take the HD out of the machine and run the virus checker over it while it is REALLY asleep, as a slave drive! I told him I screwed up the boot file and he mentioned that is really an easy fix.

That was 2 days ago. My wife says he said there were over 60 instances of viruses actually, but we have an operating system that will load! Who knows where her picture of the Pope for the wallpaper went, and the IT guy said there were still 3 errors after it loads XP... and the registry is locked??

I asked my wife, 'And he couldn't fix it? So what makes you think I can do it?' I don't have any password on the PC whatsoever to block this. So I booted it up. There were 3 error windows, but running Malwarebytes eliminated one. The 2 remaining are "Specified module could not be found": ntuser.dll and calc.dll. What I almost couldn't believe is that the Malwarebytes software found 15 more objects and removed them all, and this was right after the "superdude" cleaned it.

Some other tidbits I noticed: the Recovery Console would not install, it only got to 77% and just hung forever... the error code 732 (0,0) after Malwarebytes tried to look for updates still appeared even after I checked that "Auto Detect connection settings" was in use... I do still have many of the folders hidden from me in the Documents and Settings folder that I believe are still MIA on account of the virus.

Please help. I know it is late but I will keep checking on this...

Here are the log files:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 2

11/21/2009 1:29:48 AM

mbam-log-2009-11-21 (01-29-48).txt

Scan type: Quick Scan

Objects scanned: 83336

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 5

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0068c1b (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gehevoyoh (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f577037.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29503524 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\29503524 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\Shared\_lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.

C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00D8C40.exe (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:36:42 AM, on 11/21/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:











C:\Program Files\NavNT\vptray.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe





C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS





C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;UT=companion

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll

O1 - Hosts: ::1 localhost

O2 - BHO: C:\WINDOWS\system32\yem6cuk88.dll - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\yem6cuk88.dll (file missing)

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [stacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe

O4 - HKLM\..\Run: [fluinkbu] C:\Documents and Settings\JIM\Local Settings\Application Data\ltpbqd\qjtfsysguard.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [backUp Windows 2009] C:\DOCUME~1\JIM\LOCALS~1\Temp\bx09dik.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\JIM\LOCALS~1\Temp\avp.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

O4 - HKCU\..\Run: [p2pxmld8] rundll32.exe "C:\Documents and Settings\JIM\Local Settings\Application Data\p2pxmld8\p2pxmld8.dll", DllInit

O4 - Startup: scandisk.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228

O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2067C5C7-A016-42CD-9C07-7AF2DF7CCB16}: NameServer =

O18 - Filter hijack: text/html - {f1065e88-117c-4a34-9a33-4147b10dc713} - C:\WINDOWS\batmeter16.dll

O21 - SSODL: libupisoh - {b5a3290c-c933-4cf5-b6f8-cb7bfa23eadd} - c:\windows\system32\holuyibi.dll (file missing)

O22 - SharedTaskScheduler: kjaf83hfriunf3sf9sfinoi\sufh\87sefhuhdd - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\yem6cuk88.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {b5a3290c-c933-4cf5-b6f8-cb7bfa23eadd} - c:\windows\system32\holuyibi.dll (file missing)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS


End of file - 7700 bytes
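The O4 (autostart) lines in the HijackThis log above are where a reviewer looks first, and they line up with the two "Specified module could not be found" popups the poster describes: the [calc] Run value under HKLM loads C:\WINDOWS\system32\calc.dll through rundll32.exe, and the [calc] value under HKCU loads C:\DOCUME~1\LOCALS~1\ntuser.dll the same way, which fits DLLs that were removed while the Run values that reference them stayed behind. The Python below is an added example written for this edit; it is not code from the thread, from Malwarebytes or from HijackThis. It parses O4 lines copied from the log and applies three triage heuristics that are the editor's own (a target that runs from a temp or per-user folder, the same value name in more than one hive pointing at different files, and a random-looking value name). It is a sorting aid for a human reviewer, not a verdict on any entry.

```python
"""Triage HijackThis O4 (autostart) entries from a pasted log.

The heuristics are the editor's own, not Malwarebytes' or HijackThis'
detection logic: they only sort entries into "look at this first" versus
"probably fine" for a human reviewer.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: O4 lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [fluinkbu] C:\Documents and Settings\JIM\Local Settings\Application Data\ltpbqd\qjtfsysguard.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [backUp Windows 2009] C:\DOCUME~1\JIM\LOCALS~1\Temp\bx09dik.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\JIM\LOCALS~1\Temp\avp.exe
O4 - HKCU\..\Run: [p2pxmld8] rundll32.exe "C:\Documents and Settings\JIM\Local Settings\Application Data\p2pxmld8\p2pxmld8.dll", DllInit
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token that ends in an executable/library extension.
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|sys|scr|bat|cmd))(?:\b|$)", re.IGNORECASE)
# rundll32.exe is only a loader; the DLL it loads is the real target.
LOADER_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+', re.IGNORECASE)
# Per-user and temp locations writable without admin rights, in the long and
# 8.3 short forms that HijackThis prints (editor's list, not exhaustive).
USER_WRITABLE = ("\\temp\\", "\\local settings\\application data\\",
                 "\\documents and settings\\", "\\docume~1\\")
# One alphanumeric token of 8+ characters mixing letters and digits.
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}")


def target_path(cmd: str) -> str:
    """Return the file an autostart command actually executes or loads."""
    rest = LOADER_RE.sub("", cmd.strip(), count=1)
    if rest.startswith('"'):                 # quoted path, possibly with arguments after it
        return rest[1:rest.index('"', 1)]
    m = EXT_RE.match(rest)                   # unquoted path, cut at the extension
    return m.group(1) if m else rest.split(",")[0].strip()


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Extract hive, value name, command and resolved target from O4 lines."""
    entries = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({"hive": m["hive"], "name": m["name"],
                            "cmd": m["cmd"], "path": target_path(m["cmd"])})
    return entries


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the entries that deserve a closer look, each with its reasons."""
    entries = parse_o4(log_text)
    targets_by_name = defaultdict(set)
    for e in entries:
        targets_by_name[e["name"].lower()].add(e["path"].lower())

    flagged = []
    for e in entries:
        reasons = []
        low = e["path"].lower()
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable or temp location")
        if len(targets_by_name[e["name"].lower()]) > 1:
            reasons.append("same value name in more than one hive, different target files")
        if RANDOM_NAME_RE.fullmatch(e["name"]):
            reasons.append("random-looking value name")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['hive']:<5} [{entry['name']}] -> {entry['path']}")
        for reason in entry["reasons"]:
            print(f"       - {reason}")
```

Run against the sample, the script leaves vptray.exe and ctfmon.exe alone and flags the other six values: both [calc] entries (same name, different DLLs), the three Temp and Local Settings targets, and the two random-looking names. Since the Malwarebytes quick scan only removed the file side of several of these, keeping the Run values in view explains why error popups and hidden-folder symptoms persist after a scan reports "nothing found".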


  • 4 weeks later...
  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


  • 2 weeks later...

OK, just for the community, an update on why we reopened this.

A friend of the family, an uncle basically, with very, very good PC knowledge took the laptop home with him and went over the machine entirely. When he was here at the house at Christmas and observed the connectivity issue I was still suffering, he said there was definitely still a virus in it. He took it home and did a complete clean-up on it. And I believe him to be heads above the first guy. He lives 2 hrs away, which is why I couldn't get to him first. I picked it up at his house about a week later though. Some of what he did that I observed while at his house:

1. Rid out all the unused programs; service pack updates, Adobe 9 install, IE8 install, etc.

2. System Restore running in the background (?) was turned off because it used a lot of memory. He said this was greyed out and found a line in the registry that was blocking it from being changed.

3. AVG was taken out, and all other antivirus programs from the past that were in there, all out.

4. He said MS Essentials is the best thing going for free, not a memory hog; he put it in, and it found like 16 infections yet, some other trojan still in the blasted thing.

5. Put a maintenance folder on my desktop to run, with icons all in order, for me to keep the PC in the clear.

6. Put icons for me to click that will make backups of all my work files on our ext. HD, calling it out as a Z drive.

7. While on the wireless connection in his house, I moved around for a few moments in IE and the computer was zipping around without issues!

8. We did some speed tests and it was like 18 or 20 Mbps I think. He said he pays for some fast connection type.

I have the PC home and guess what. It is still about as slow as Moses on the internet. I have my computer from work here, a Dell laptop, and it has NO PROBLEMS with the internet, using the same cables, lines, etc. I am using it now to type this message. I don't know if the Gateway has a bug in it still or I am having a hardware problem. The Device Manager does not say anything is wrong with the Agere modem or Intel Pro/1000 network connection. I wouldn't expect there to be either, since the computer worked fine at my uncle's house. The speed test we did through Speakeasy would not even load. I called him and he said he did use it with the ethernet wire to the PC too, and the thing just flew then also. That was before I showed up, the day before. I ran the MS Essentials program just now and it says nothing is wrong.

I don't know if updating the drivers will help me since it worked fine at his house. I would have to use my work PC, download the drivers to a memory stick and put it in the Gateway. Not a big deal; I just am wondering if there is some switch or setting that was flipped at this point in the registry, or if there is some corrupted DLL or setup file that the virus had its way with... or if there is a legitimate hardware issue... or something else. I remember when this all started, I read somewhere how powering down and turning it back on is when the viruses reinvigorate themselves. I don't see windows popping up all over the place at all. I can barely get on the internet though, so the symptoms seem the same even though the machine is supposed to be clean.

New Update:

Since the GW laptop has wireless capability and worked like a charm at the uncle's, we decided we should get a wireless router so we can be more portable with it. We only have a direct connection from the cable modem to the PC currently. That was 2 days ago, and while talking to my sister-in-law, who is 15 miles away, she suggested I bring the PC over and connect using their wireless router as a trial. Great idea!

Crazy stuff. After turning the network adapter on in Device Manager for the wireless, and entering a code, it connected and IE was running incredibly smoothly no matter where I went. The download speed was about 15000 mbps! So I told them OK, now let's do the cable. I turned the wireless adapter off, my brother handed me the cable, we reset the box, and nothing... the PC was dead as a doornail on IE. It would only get to whatever it had cached in memory for the sites I tried. But then I noticed he gave me the cable that came STRAIGHT out of his cable modem, the one that would have gone to his wireless router.... So he put that back into the wireless router and gave me the line that was going into his desktop to try, and voila!, my GW was flying around again.

He said this didn't make sense. So he tried it. We took the line that went from his cable modem to the wireless router out, and put it straight into his computer. Did the reset first, of course, on the modem. His computer would not access the internet either! But he said for X years, before they had the wireless router, they always just ran the connection straight from the modem into the desktop and never had an issue.

I then confirmed he has the same internet service provider as us, Roadrunner. I called them up that night, told them my computer can connect via wire or wireless at two other people's homes but here it is no good. So they sent a technician out today while I was at work.

My wife was here and said he first checked the signal outside the house; it was good. Then he sat down inside with a PC he brought. He connected just fine and did the speed test. He said we are only supposed to be at 1.5 MB/s but we are actually at about 2. That was on the Speakeasy site. And he is right on our connection; with the laptop I have here now (again, my work-provided Dell machine) I get the same. He said they have a number we can call for more support on this. He did notice that one of the lights where the ethernet plugs in is not lighting up. There are two lights. But I don't know WHY THIS PC WORKED AT 2 OTHER PEOPLE'S HOUSES YET NOT HERE, NO MATTER WHAT THAT LIGHT IS DOING. So I will try to call them tomorrow for more answers.

I cannot even get to the website fully to run the CA PC Security and Performance Scanner. I put the exe on my memory stick to install, but it comes up with a window saying it must have a connection to the site to run.

I did a little reading about modems and pinging them and firmware upgrades, yada yada. This is driving me up a wall at this point. My uncle said he has not even heard of such an oddity. The Event Viewer says the network card establishes contact at full duplex when I turn the PC on. Albeit, it is only 10 Mbps versus my Dell that says 100. But even still, the GW was WORKING AT TWO OTHER PEOPLE'S HOUSES JUST FINE. My question now is, are the cable companies trying to soften their voltage or something on those of us who are not paying for the premium "pipe" to the internet, so we have to upgrade our service to connect? Wondering if my Dell that is about 2 years old has something different in it that allows it to work here that the GW is missing.


  • Staff


My apologies for the delay.

How odd.

Anything useful from this?

He said they have a number we can call for more support on this.

Seems like if you got a router at home, everything would work fine, but at the moment (without seeing any diagnostics), I cannot say for sure what is going on here, and if you cannot connect to the Internet, you won't be able to download any of the diagnostic tools that I would like to see results from...


More major progress on this end! I will try to be brief.

So even after Time Warner sent a tech to the house, several calls to their support which escalated to their 'national helpdesk' that took a good 90 minutes of my life away, repeated looks they made sitting at some switchboard back at the mothership... It was not until I went back to my brother's place and borrowed his cable modem and wireless router that I found out OUR CABLE MODEM was part of the issue!! I was pretty jacked at this point.

Went to the store for a "box swap" as they call it, turned in the Webstar for the same Motorola SB5101 that my brother had, and that solved a big part of it. The tech on the phone one time said they didn't like that my machine would not boot in Safe Mode though, so any suggestions on that are appreciated here.

But there was still the occasional entry in the Event Viewer where the NIC was dropping out. I grabbed an updated driver for the NIC card off the support.gateway site for my machine and I believe this helped greatly too. Why? Both lights where the ethernet line plugs in are lit up! I think it has to do with its speed being set to Auto now (or other), but now it's going for the gusto and hooking up at 100 Mbps full-duplex all the time.

Then I called RR tech support on Saturday with a question about what our service is supposed to be for our zip code, what we pay, and why my brother is on Basic RR getting speeds 5x faster than us. A short while into it, the CS rep said they were running a promotion for RR 7.0, which is about 4-5x faster than what we subscribe to now and, it is $15 less per month! Not just for a few months, but the whole year! It was like Christmas in January.

So in 24 hours I went from weak or no connection to repeatable solid performance with super fast speed.

My uncle advised getting a modem (something about extra protection). He recommended Linksys, so I did a little homework on what they have before we left today, then I took the wife and kids to dinner and picked up a WRT160N today. I have not opened it yet.

I just did the test you recommended and here are the results. I think we are looking good. Wish I could print it out nicely. http://www.pcpitstop.com/betapit/sec.asp?conid=23194718

I am still getting a DCOM error in my Event Viewer that is related to the MDM device. I plan to work on that one this week.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.