Can't launch Malwarebytes, or browse to malwarebytes.com

Hi All.

First, thanks for your help!


I can't launch any anti virus software that I can find, I can't browse to any anti virus site, I can't search for any string that has an anti virus product name in it, the word virus, trojan, backdoor...

I've created rescue discs for Bitdefender and Kaspersky, and ran each. Bitdefender found nothing; Kaspersky did and deleted it, but the behavior is still the same.

As a result, I can't run MWB and generate a log, or view these forums...

I am definitely not a computer tech!

After I ran GMER, the computer locked up. It did that twice (each scan produced the same results).

Below are attached logs... (I hope I got the logs as needed)

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 13:11:50.37 on Sat 03/06/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.663 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs





C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe




C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe


C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin


C:\Program Files\iPod\bin\iPodService.exe



C:\Documents and Settings\Owner\Desktop\mwbRescue\Defogger.exe

C:\Documents and Settings\Owner\Desktop\mwbRescue\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Smart-Shopper: {4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: SmartShopper: {8bcb5337-ec01-4e38-840c-a964f174255b} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [cdoosoft] c:\docume~1\owner\locals~1\temp\herss.exe

uRun: [nzqwkrbvfkw] zroauhxxnyqacnvoe.exe

uRun: [irfitxev] c:\docume~1\owner\locals~1\temp\vrsigxrvpeaoujvsmxebh.exe

uRunOnce: [kxpwltezkqdi] vrsigxrvpeaoujvsmxebh.exe .

uRunOnce: [zjycotbtb] c:\docume~1\owner\locals~1\temp\ibzmhvmneqjuxjsmdl.exe .

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [irfitxev] ibzmhvmneqjuxjsmdl.exe

mRun: [kztctdqnaixedl] c:\docume~1\owner\locals~1\temp\tnmawldfxkequhrmens.exe

mRunOnce: [zjycotbtb] ibzmhvmneqjuxjsmdl.exe .

mRunOnce: [jxqyoxjfrymsq] c:\docume~1\owner\locals~1\temp\zroauhxxnyqacnvoe.exe .

mExplorerRun: [sdtylratcg] sjfqjvkjyizijtas.exe

mExplorerRun: [tboqadj] c:\docume~1\owner\locals~1\temp\ibzmhvmneqjuxjsmdl.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comman~1.lnk - c:\program files\fiery\command workstation 4\CWS 4.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

mPolicies-system: EnableInstallerDetection = 0 (0x0)

mPolicies-system: EnableSecureUIAPaths = 0 (0x0)

mPolicies-system: EnableVirtualization = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {6FAC4823-815E-4361-836E-46D65ED2550B} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll

IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264885175953

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TCP: {7DF0FEF6-C4E2-4FA9-B3F9-E8C3F22767D2} =,

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t86x9z5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.theupsstore.com/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\


FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2009-2-12 21664]

=============== Created Last 30 ================

2010-03-06 17:27:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-03-04 14:28:11 0 d--h--w- c:\windows\PIF

2010-03-04 14:26:59 0 d-----w- c:\docume~1\owner\applic~1\Smart-Shopper

2010-03-04 14:26:58 0 d-----w- c:\program files\Smart-Shopper

2010-03-04 14:26:39 0 d-----w- c:\program files\jZip

2010-03-04 11:26:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2010-03-03 19:15:29 114688 --sh--r- C:\fk.exe

2010-03-02 18:12:27 73 ---h--w- c:\windows\zroauhxxnyqacnvoelohjnnnwiaxjdqggwhzjlw.xnu

2010-03-02 18:12:27 73 ---h--w- c:\windows\system32\zroauhxxnyqacnvoelohjnnnwiaxjdqggwhzjlw.xnu

2010-03-02 18:12:27 316 ---h--w- c:\windows\system32\sjfqjvkjyizijtashnphilkjrctpatfutisjst.kcr

2010-03-02 18:12:27 316 ---h--w- c:\windows\sjfqjvkjyizijtashnphilkjrctpatfutisjst.kcr

2010-03-02 18:12:27 2390 ---h--w- c:\windows\system32\jxqyoxjfrymsqxbqcfetrrnjowkdlbkwsel.fdk

2010-03-02 18:12:27 2390 ---h--w- c:\windows\jxqyoxjfrymsqxbqcfetrrnjowkdlbkwsel.fdk

2010-03-02 18:12:13 4248 ---h--w- c:\windows\system32\kztctdqnaixedlqgtxxnmnkhnwlfofpczmuj.pxc

2010-03-02 18:12:13 4248 ---h--w- c:\windows\kztctdqnaixedlqgtxxnmnkhnwlfofpczmuj.pxc

2010-03-02 18:12:13 280 ---h--w- c:\windows\system32\fjsqwvxjlimiwtnsunchvlxje.gpn

2010-03-02 18:12:13 280 ---h--w- c:\windows\fjsqwvxjlimiwtnsunchvlxje.gpn

2010-02-24 19:57:48 96256 --sh--r- C:\s1.exe

2010-02-19 20:27:45 51 --sh--r- C:\autorun.inf

2010-02-11 08:03:41 206 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2010-03-06 18:05:29 280 ---h--w- c:\program files\fjsqwvxjlimiwtnsunchvlxje.gpn

2010-03-06 18:05:29 2390 ---h--w- c:\program files\jxqyoxjfrymsqxbqcfetrrnjowkdlbkwsel.fdk

2010-03-06 17:49:59 638976 --sh--r- c:\windows\system32\sjfqjvkjyizijtas.exe

2010-03-06 00:12:48 316 ---h--w- c:\program files\sjfqjvkjyizijtashnphilkjrctpatfutisjst.kcr

2010-03-02 18:12:27 73 ---h--w- c:\program files\zroauhxxnyqacnvoelohjnnnwiaxjdqggwhzjlw.xnu

2010-03-02 18:12:13 4248 ---h--w- c:\program files\kztctdqnaixedlqgtxxnmnkhnwlfofpczmuj.pxc

2010-02-19 16:53:34 159188 ----a-w- c:\windows\fonts\AdobeFnt09.lst

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-07 19:21:06 23040 ----a-w- c:\windows\system32\drivers\aksusb.sys

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 13:12:06.68 ===============

Thanks again.




Hi and welcome!

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download rkill.com:


1. Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.

2. Please be patient while the program looks for various malware programs and ends them.

3. When it has finished, the black window will automatically close and you can continue with the next step. Please post back the rkill log that is generated.

Disable the active protection component of your antivirus by following the directions that apply here:


I want you to run a Gmer Quick scan and you should easily be able to give me that report, as outlined below:

  • Double-click the Gmer randomly named EXE to launch the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the Quick scan report to the windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from: HERE

In the Combofix Guide at Bleeping Computer aka A guide and tutorial on using ComboFix


Using ComboFix ->

I want you to rename Combofix.exe as you download it to rayman.exe


  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

VERY IMPORTANT: Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:


Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:


Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Launch Combofix (rayman.exe) from the Run Line, as follows:

Navigate to Start --> Run, and copy/paste this command exactly as shown, then hit Enter:

"%userprofile%\desktop\rayman.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of C:\Combofix.txt in your next reply with rkill.txt and ARKQ.txt.

Note: Do NOT mouseclick combofix's window while it is running. That may cause your system to stall/hang.
