Jump to content

spyware keeps returning after removal and reboot


Recommended Posts

Hi i am having serious issues with my PC i have rum numerous spyware removal tools and antivirus scans but each time my PC is restarted the same issues return, each time they have a differnt name in the registry like nolmjdrv - rundll32.exe "fcyyww.dll". I have also attached the latest mbam full scan log too. also mbam will not run unless i rename the exe to firefox or mbam.com, many thanks

DDS log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Mike Heywood at 12:07:57.96 on 19/07/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2494.1786 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

SP: Spy Emergency *enabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.com

C:\Documents and Settings\Mike Heywood\Desktop\Defogger.exe

C:\Documents and Settings\Mike Heywood\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [nnolmjdrv] rundll32.exe "fcyyww.dll",s

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Motive SmartBridge] c:\progra~1\bthome~1\help\smartb~1\BTHelpNotifier.exe

mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [ssqpoosys] rundll32.exe "fcbbxv.dll",DllRegisterServer

mRun: [ljihgddrv] rundll32.exe "fcyyww.dll",s

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [yaxvsssys] rundll32.exe "fcbbxv.dll",DllRegisterServer

dRun: [ssrolkdrv] rundll32.exe "fcyyww.dll",s

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt home hub\help\bin\matcli.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244654203531

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 fcbbxv.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-7-15 28552]

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-19 165456]

R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-19 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-19 40384]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-11-12 220128]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-19 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-19 40384]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-18 20952]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-18 38224]

S1 SASDIFSV;SASDIFSV;k:\repair\repair\virus removal\superantispyware\sasdifsv.sys [2010-7-14 8944]

S1 SASKUTIL;SASKUTIL;k:\repair\repair\virus removal\superantispyware\SASKUTIL.SYS [2010-7-14 55024]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-18 304464]

S2 MSWU-2214daa4;MSWU-2214daa4;c:\windows\system32\2214daa4.exe --> c:\windows\system32\2214daa4.exe [?]

S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2009-11-12 32736]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 SASENUM;SASENUM;k:\repair\repair\virus removal\superantispyware\SASENUM.SYS [2010-7-14 7408]

=============== Created Last 30 ================

2010-07-19 09:53:15 0 ----a-w- c:\documents and settings\mike heywood\defogger_reenable

2010-07-19 06:50:52 38848 ----a-w- c:\windows\avastSS.scr

2010-07-19 06:50:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-07-18 22:00:03 0 d-----w- c:\docume~1\mikehe~1\applic~1\ESET

2010-07-18 21:52:38 116 ----a-w- c:\windows\system32\SpywareCease.lie

2010-07-18 21:52:00 42 ----a-w- c:\windows\system32\scud.udf

2010-07-18 21:38:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-18 21:38:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-18 21:14:10 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation

2010-07-18 21:13:57 0 d-----w- c:\program files\NVIDIA Corporation

2010-07-18 21:04:35 0 d--h--w- c:\windows\$hf_mig$

2010-07-18 18:59:30 0 d-----w- c:\program files\ESET

2010-07-18 17:47:14 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-18 17:47:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-07-18 16:23:43 0 d-----w- C:\Linksys Driver

2010-07-15 10:34:17 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-07-15 10:34:08 0 d-----w- c:\program files\Panda Security

2010-07-15 09:45:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-15 09:18:55 25600 ----a-w- c:\windows\system32\WS2Fix.exe

2010-07-15 09:18:54 79360 ----a-w- c:\windows\system32\swxcacls.exe

2010-07-15 09:18:54 289144 ----a-w- c:\windows\system32\VCCLSID.exe

2010-07-15 09:18:53 51200 ----a-w- c:\windows\system32\dumphive.exe

2010-07-15 09:18:53 288417 ----a-w- c:\windows\system32\SrchSTS.exe

2010-07-15 09:18:52 135168 ----a-w- c:\windows\system32\swreg.exe

2010-07-15 09:18:51 53248 ----a-w- c:\windows\system32\Process.exe

2010-07-15 08:50:46 0 d-----w- c:\docume~1\mikehe~1\applic~1\SUPERAntiSpyware.com

2010-07-15 08:50:46 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-30 18:33:08 94208 ---ha-w- c:\windows\system32\fcyyww.dll

2010-06-30 18:28:05 87552 ---ha-w- c:\windows\system32\fcbbxv.dll

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 12:09:51.96 ===============

Latest mbam log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4325

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

19/07/2010 12:34:01

mbam-log-2010-07-19 (12-34-01).txt

Scan type: Full scan (C:\|)

Objects scanned: 150430

Time elapsed: 28 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 7

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnolmjdrv (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssqpoosys (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljihgddrv (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvsssys (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssrolkdrv (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvsssys (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssrolkdrv (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip

Link to post
Share on other sites

Hi martian71 And Welcome to Malwarebytes Forum!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 6 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

Please post the log in your next reply.

Once you've gotten one of them to run then try to immediately run the following:

IF.... you continue having problems running rkill.com, you can download:

iExplore.exe or eXplorer.exe

which are renamed copies of rkill.com, and try them instead.

=========================

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.