IE popups and links redirect among other things

fadingaurora · Nov 25, 2009

I am using Windows XP and upon startup i have a few errors:

hkcmd.exe bad image
system321juhalobo.dll
worm.win32.netsky

dpcmdcom.sys page_fault_in_nonpaged_area

when i use internet explorer i keep getting my links redirected and random windows popup. I have tried to see what programs are running but the task manager is disabled and i cant figure out how to get to it? When i try ctrl+alt+delete i get a blue screen = fatal system error and have to manually turn off and restart the computer. I also cannot get to safe mode as i get the blue error screen everytime i try! I know i probably have conflicting virus programs and internet security programs on here that may be part of the problem but when i try to uninstall the ones i dont use i get an error or access denied

i hope this makes some sense sorry to ramble on! any help would be greatly appreciated!

I am going through the 8 step removal instructions and cannot get malwarebytes to run... when i click the application on my desktop nothing happens..

AnonymousSurfer · Nov 25, 2009

Hi fadingaurora,

Please read 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and download the Programs requested in the thread, then post the logs after you have the run scans.

If you use your computer to do Online Banking/Business purposes/Store personal Information/Input Credit Card Information, please read Is your system infected? Read this before Cleaning or Formatting

fadingaurora · Nov 25, 2009

shoot! I got as far as running SuperAntiSpyware and then was asked to reboot the computer... Now i am stuck on the windows login screen and cant get on! i put in my password and it says loading settings then it logs off and says 'saving settings' and stays on the login page. i dont know what to do! i cant get in safe mode either.

AnonymousSurfer · Nov 25, 2009

Can you get in Safe Mode with Command Prompt? Also, have you tried with other users?

fadingaurora · Nov 25, 2009

i cannot get it to run in safe mode with command prompt either and i am the only user (main user) i get the blue error message:

A problem has been detected and windows has been shut down to prevent damage to your computer.
STOP: 0x0000007B: (oxF79EDS28, 0xC0000034)

Bobbye · Nov 28, 2009

Here's a reference for the error message: http://support.microsoft.com/kb/324103

Let us know if you still need help.

fadingaurora · Nov 28, 2009

thank you! ok so.... i was stuck in the windows logon logoff loop and could not get out of it, i tried everything and safe mode wouldnt work so i ended up booting from the Windows XP startup disk and basically reinstalled windows through recovery console?

Everything is running much better now and i can log on and all my files are still here suprisingly nothing was lost haha..the only error messages i am getting upon logon are:

c:\windows\system32\lokavige.dll

fusifava.dll

i have also attached the SUPERAntiSpyware log from before i reinstalled windows... i am thinking i might have accidentally deleted something important after i ran the scan and thats why i was stuck in the logon logoff loop?

Bobbye · Nov 28, 2009

You didn't give the error message: I'm guessing it was that the files couldn't be found:

lokavige.dll is a Fraudulent Security Program
* The Process is packed and/or encrypted using a software packing process

This file is a Adware.Vundo/Variant-Pester malware infection.

fusifava.dll. is also a Vundo file.

i am thinking i might have accidentally deleted something important after i ran the scan and thats why i was stuck in the logon logoff loop?

That means the malware is still on the system. Malware frequently gives the 'can't find' or 'file missing' message just like a legitimate file would. The fact that it's 'missing' does not point to it being a 'good file'.

The files you had originally that you called errors:
juhalobo.dll> Adware.Vundo/Variant-EC

worm.win32.netsky> Email-Worm.Win32.NetSky.x

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm is activated when the user launches the attached file by clicking on the attachment. The worm will then install itself and start propagating.

dpcmdcom.sys > I can't ID this.

Please go through the 3 programs now: Malwarebytes, Superantispyware- again and HijackThis. I need to see what entries you still have on your system. the number of Trojans and Worms on the system don't just disappear.

Important: Please attach the logs from Malwarebytes and Superantispyware in next reply.

Paste the HijackThis log in next reply

fadingaurora · Nov 28, 2009

now after restarting my computer i have the Eco Antivirus popping up again! everything seemed to be all cleaned out. I purchased AVG internet security and tried to install that but it kept saying i had to uninstall trend-micropc-cillin in order for it to not conflict and every time i tried to uninstall that it says a fatal error has occured and i cannot finish installing AVG

fadingaurora · Nov 28, 2009

mbam and superantispy log here...

the hijack log is too long to paste in one reply so i will attach it if thats ok!

Bobbye · Nov 29, 2009

I know i probably have conflicting virus programs and internet security programs on here that may be part of the problem but when i try to uninstall the ones i dont use i get an error or access denied

Yes, you do. you have the TrendMicro Security Suite and the AVG Security Suite. One of them has to go. Since they are both paid programs, it will be your choice. I will set up the way to handle that. IT needs to be done now because this actually makes you more vulnerable and slows down the system.

First, download the removal tool for the suite you are NOT going to keep> save it to your desktop> don't run yet:
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
OR
Using the PCCTool to remove Trend Micro.

Then
Boot into Safe Mode

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double click to open either tools you downloaded and run the program as instructed. When through, boot back into Normal Mode:

You have a DNS Changer infection- do the following:
DNS Changer
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.-

[1]. Shut down your computer, and any other computer connected to your router.
[2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
[3]. Unplug the router. Wait sixty seconds.
[4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
[5].With the router unplugged, start your computer. Run MBAM again.
[6].Connect to the router again. The turn the router back on.
[7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
[8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Follow by Please download VundoFix.exe HERE and save to your desktop:

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the ‘Fix Vundo’ button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Rescan with HijackThis and include new log.

Attach reports/logs from all. That will determine what to do next.

fadingaurora · Dec 26, 2009

VundoFix V7.0.6

Scan started at 10:18:14 PM 12/26/2009

Listing files found while scanning....

No infected files were found.

Bobbye · Dec 26, 2009

Okay, you can't just disappear for three weeks after your initial posting, then reappear and expect to take up where you left off! You would need to remove most of the entries in the HJT log it's so badly infected.

Please do the following before we try anything else: You will browse to the place in your ststem where each entry is and select it for the scan.

Make sure to use Internet Explorer for this

Please go to VirSCAN.org FREE on-line scan service

Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

c:\windows\system32\userinit.exe

Click on the Upload button

If a pop-up appears saying the file has been scanned already, please select the ReScan button.

Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.

Paste the contents of the Clipboard in your next reply.

Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

Paste the log in your next reply. I'll know where to go after seeing that.

fadingaurora · Dec 26, 2009

VirSCAN.org Scanned Report :
Scanned time : 2009/12/26 23:39:58 (EST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 24576 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
Online report : http://virscan.org/report/388c420d0fc942ac1d70bd24a77f2a11.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091226040430 2009-12-26 4.07 -
AhnLab V3 2009.12.26.00 2009.12.26 2009-12-26 0.99 -
AntiVir 8.2.1.122 7.10.2.75 2009-12-26 0.11 -
Antiy 2.0.18 20091225.3525327 2009-12-25 0.12 -
Arcavir 2009 200912260830 2009-12-26 0.03 -
Authentium 5.1.1 200912260927 2009-12-26 1.26 -
AVAST! 4.7.4 091226-1 2009-12-26 0.01 -
AVG 8.5.288 270.14.120/2588 2009-12-27 0.36 -
BitDefender 7.81008.4787312 7.29629 2009-12-27 4.15 -
CA (VET) 35.1.0 7197 2009-12-24 4.55 -
ClamAV 0.95.2 10222 2009-12-26 0.01 -
Comodo 3.13 3381 2009-12-27 0.91 -
CP Secure 1.3.0.5 2009.12.27 2009-12-27 0.04 -
Dr.Web 4.44.0.9170 2009.12.27 2009-12-27 8.01 -
F-Prot 4.4.4.56 20091226 2009-12-26 1.30 -
F-Secure 7.02.73807 2009.12.27.01 2009-12-27 0.15 -
Fortinet 11.311- 11.311 2009-12-26 0.17 -
GData 19.9560/19.647 20091227 2009-12-27 6.00 -
ViRobot 20091226 2009.12.26 2009-12-26 0.41 -
Ikarus T3.1.01.79 2009.12.26.74839 2009-12-26 4.18 -
JiangMin 13.0.900 2009.12.26 2009-12-26 4.95 -
Kaspersky 5.5.10 2009.12.27 2009-12-27 0.11 -
KingSoft 2009.2.5.15 2009.12.27.10 2009-12-27 0.54 -
McAfee 5.3.00 5843 2009-12-26 3.29 -
Microsoft 1.5302 2009.12.27 2009-12-27 6.48 -
Norman 6.01.09 6.01.00 2009-12-26 4.01 -
Panda 9.05.01 2009.12.25 2009-12-25 0.63 -
Trend Micro 9.000-1003 6.722.07 2009-12-27 0.03 -
Quick Heal 10.00 2009.12.26 2009-12-26 1.34 -
Rising 20.0 22.27.06.01 2009-12-27 1.01 -
Sophos 3.03.0 4.49 2009-12-27 2.75 -
Sunbelt 3.9.2388.2 5583 2009-12-26 2.01 -
Symantec 1.3.0.24 20091226.017 2009-12-26 0.05 -
nProtect 20091226.01 6714273 2009-12-26 3.88 -
The Hacker 6.5.0.3 v00113 2009-12-26 0.75 -
VBA32 3.12.12.0 20091225.2239 2009-12-25 2.49 -
VirusBuster 4.5.11.10 10.118.10/2003785 2009-12-26 2.33 -

VirSCAN.org Scanned Report :
Scanned time : 2009/12/26 23:44:16 (EST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 1032192 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a0732187050030ae399b241436565e64
SHA1 : 69f33740413da112630be73ebb805a23b69f2f7f
Online report : http://virscan.org/report/8182aa65754aa571046c422ab1fff310.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091226040430 2009-12-26 4.13 -
AhnLab V3 2009.12.26.00 2009.12.26 2009-12-26 1.02 -
AntiVir 8.2.1.122 7.10.2.75 2009-12-26 0.40 -
Antiy 2.0.18 20091225.3525327 2009-12-25 0.12 -
Arcavir 2009 200912260830 2009-12-26 0.08 -
Authentium 5.1.1 200912260927 2009-12-26 2.22 -
AVAST! 4.7.4 091226-1 2009-12-26 0.05 -
AVG 8.5.288 270.14.120/2588 2009-12-27 0.35 -
BitDefender 7.81008.4787312 7.29629 2009-12-27 4.17 -
CA (VET) 35.1.0 7197 2009-12-24 8.04 -
ClamAV 0.95.2 10222 2009-12-26 0.16 -
Comodo 3.13 3381 2009-12-27 0.94 -
CP Secure 1.3.0.5 2009.12.27 2009-12-27 0.11 -
Dr.Web 4.44.0.9170 2009.12.27 2009-12-27 8.32 -
F-Prot 4.4.4.56 20091226 2009-12-26 2.14 -
F-Secure 7.02.73807 2009.12.27.01 2009-12-27 9.46 -
Fortinet 11.311- 11.311 2009-12-26 0.22 -
GData 19.9560/19.647 20091227 2009-12-27 6.21 -
ViRobot 20091226 2009.12.26 2009-12-26 0.41 -
Ikarus T3.1.01.79 2009.12.26.74839 2009-12-26 4.16 -
JiangMin 13.0.900 2009.12.26 2009-12-26 5.62 -
Kaspersky 5.5.10 2009.12.27 2009-12-27 0.07 -
KingSoft 2009.2.5.15 2009.12.27.10 2009-12-27 0.68 -
McAfee 5.3.00 5843 2009-12-26 3.36 -
Microsoft 1.5302 2009.12.27 2009-12-27 6.67 -
Norman 6.01.09 6.01.00 2009-12-26 4.01 -
Panda 9.05.01 2009.12.25 2009-12-25 0.64 -
Trend Micro 9.000-1003 6.722.07 2009-12-27 0.04 -
Quick Heal 10.00 2009.12.26 2009-12-26 1.67 -
Rising 20.0 22.27.06.01 2009-12-27 1.09 -
Sophos 3.03.0 4.49 2009-12-27 2.75 -
Sunbelt 3.9.2388.2 5583 2009-12-26 3.01 -
Symantec 1.3.0.24 20091226.017 2009-12-26 0.08 -
nProtect 20091226.01 6714273 2009-12-26 4.00 -
The Hacker 6.5.0.3 v00113 2009-12-26 0.77 -
VBA32 3.12.12.0 20091225.2239 2009-12-25 2.35 -
VirusBuster 4.5.11.10 10.118.10/2003785 2009-12-26 2.62 -

VirSCAN.org Scanned Report :
Scanned time : 2009/12/26 23:46:36 (EST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
Online report : http://virscan.org/report/4ccf20da647cec50f5252bf72dcad535.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091226040430 2009-12-26 4.22 -
AhnLab V3 2009.12.26.00 2009.12.26 2009-12-26 1.04 -
AntiVir 8.2.1.122 7.10.2.75 2009-12-26 0.28 -
Antiy 2.0.18 20091225.3525327 2009-12-25 0.12 -
Arcavir 2009 200912260830 2009-12-26 0.03 -
Authentium 5.1.1 200912260927 2009-12-26 1.25 -
AVAST! 4.7.4 091226-1 2009-12-26 0.00 -
AVG 8.5.288 270.14.120/2588 2009-12-27 0.32 -
BitDefender 7.81008.4787312 7.29629 2009-12-27 4.17 -
CA (VET) 35.1.0 7197 2009-12-24 8.09 -
ClamAV 0.95.2 10222 2009-12-26 0.01 -
Comodo 3.13 3381 2009-12-27 0.98 -
CP Secure 1.3.0.5 2009.12.27 2009-12-27 0.04 -
Dr.Web 4.44.0.9170 2009.12.27 2009-12-27 8.07 -
F-Prot 4.4.4.56 20091226 2009-12-26 1.25 -
F-Secure 7.02.73807 2009.12.27.01 2009-12-27 9.45 -
Fortinet 11.311- 11.311 2009-12-26 0.18 -
GData 19.9560/19.647 20091227 2009-12-27 6.03 -
ViRobot 20091226 2009.12.26 2009-12-26 0.43 -
Ikarus T3.1.01.79 2009.12.26.74839 2009-12-26 4.18 -
JiangMin 13.0.900 2009.12.26 2009-12-26 4.38 -
Kaspersky 5.5.10 2009.12.27 2009-12-27 0.07 -
KingSoft 2009.2.5.15 2009.12.27.10 2009-12-27 0.52 -
McAfee 5.3.00 5843 2009-12-26 3.28 -
Microsoft 1.5302 2009.12.27 2009-12-27 7.07 -
Norman 6.01.09 6.01.00 2009-12-26 4.01 -
Panda 9.05.01 2009.12.25 2009-12-25 0.78 -
Trend Micro 9.000-1003 6.722.07 2009-12-27 0.03 -
Quick Heal 10.00 2009.12.26 2009-12-26 1.29 -
Rising 20.0 22.27.06.01 2009-12-27 0.96 -
Sophos 3.03.0 4.49 2009-12-27 2.76 -
Sunbelt 3.9.2388.2 5583 2009-12-26 2.13 -
Symantec 1.3.0.24 20091226.017 2009-12-26 0.05 -
nProtect 20091226.01 6714273 2009-12-26 3.90 -
The Hacker 6.5.0.3 v00113 2009-12-26 0.75 -
VBA32 3.12.12.0 20091225.2239 2009-12-25 2.24 -
VirusBuster 4.5.11.10 10.118.10/2003785 2009-12-26 2.34 -

fadingaurora · Dec 26, 2009

I'm so sorry for bumping this up again!

fadingaurora · Dec 27, 2009

VirSCAN.org Scanned Report :
Scanned time : 2009/12/27 00:07:32 (EST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 24576 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
Online report : http://virscan.org/report/ba020596a89c3d198aadefac10b5cae4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091226040430 2009-12-26 4.08 -
AhnLab V3 2009.12.26.00 2009.12.26 2009-12-26 0.99 -
AntiVir 8.2.1.122 7.10.2.75 2009-12-26 0.32 -
Antiy 2.0.18 20091225.3525327 2009-12-25 0.12 -
Arcavir 2009 200912260830 2009-12-26 0.03 -
Authentium 5.1.1 200912260927 2009-12-26 1.28 -
AVAST! 4.7.4 091226-1 2009-12-26 0.01 -
AVG 8.5.288 270.14.120/2588 2009-12-27 0.37 -
BitDefender 7.81008.4787312 7.29629 2009-12-27 4.15 -
CA (VET) 35.1.0 7197 2009-12-24 4.45 -
ClamAV 0.95.2 10222 2009-12-26 0.01 -
Comodo 3.13 3382 2009-12-27 0.90 -
CP Secure 1.3.0.5 2009.12.27 2009-12-27 0.04 -
Dr.Web 4.44.0.9170 2009.12.27 2009-12-27 8.08 -
F-Prot 4.4.4.56 20091226 2009-12-26 1.27 -
F-Secure 7.02.73807 2009.12.27.01 2009-12-27 9.58 -
Fortinet 11.312- 11.312 2009-12-26 0.18 -
GData 19.9563/19.647 20091227 2009-12-27 6.00 -
ViRobot 20091226 2009.12.26 2009-12-26 0.41 -
Ikarus T3.1.01.79 2009.12.26.74839 2009-12-26 4.15 -
JiangMin 13.0.900 2009.12.26 2009-12-26 4.82 -
Kaspersky 5.5.10 2009.12.27 2009-12-27 0.11 -
KingSoft 2009.2.5.15 2009.12.27.10 2009-12-27 0.59 -
McAfee 5.3.00 5843 2009-12-26 3.30 -
Microsoft 1.5302 2009.12.27 2009-12-27 6.83 -
Norman 6.01.09 6.01.00 2009-12-26 4.01 -
Panda 9.05.01 2009.12.25 2009-12-25 0.60 -
Trend Micro 9.000-1003 6.723.00 2009-12-27 0.03 -
Quick Heal 10.00 2009.12.26 2009-12-26 1.30 -
Rising 20.0 22.27.06.01 2009-12-27 0.93 -
Sophos 3.03.0 4.49 2009-12-27 2.74 -
Sunbelt 3.9.2388.2 5583 2009-12-26 2.23 -
Symantec 1.3.0.24 20091226.017 2009-12-26 0.05 -
nProtect 20091226.01 6714273 2009-12-26 6.41 -
The Hacker 6.5.0.3 v00113 2009-12-26 0.80 -
VBA32 3.12.12.0 20091225.2239 2009-12-25 2.37 -
VirusBuster 4.5.11.10 10.118.10/2003785 2009-12-26 2.36 -

VirSCAN.org Scanned Report :
Scanned time : 2009/12/26 23:44:16 (EST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 1032192 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a0732187050030ae399b241436565e64
SHA1 : 69f33740413da112630be73ebb805a23b69f2f7f
Online report : http://virscan.org/report/8182aa65754aa571046c422ab1fff310.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091226040430 2009-12-26 4.13 -
AhnLab V3 2009.12.26.00 2009.12.26 2009-12-26 1.02 -
AntiVir 8.2.1.122 7.10.2.75 2009-12-26 0.40 -
Antiy 2.0.18 20091225.3525327 2009-12-25 0.12 -
Arcavir 2009 200912260830 2009-12-26 0.08 -
Authentium 5.1.1 200912260927 2009-12-26 2.22 -
AVAST! 4.7.4 091226-1 2009-12-26 0.05 -
AVG 8.5.288 270.14.120/2588 2009-12-27 0.35 -
BitDefender 7.81008.4787312 7.29629 2009-12-27 4.17 -
CA (VET) 35.1.0 7197 2009-12-24 8.04 -
ClamAV 0.95.2 10222 2009-12-26 0.16 -
Comodo 3.13 3381 2009-12-27 0.94 -
CP Secure 1.3.0.5 2009.12.27 2009-12-27 0.11 -
Dr.Web 4.44.0.9170 2009.12.27 2009-12-27 8.32 -
F-Prot 4.4.4.56 20091226 2009-12-26 2.14 -
F-Secure 7.02.73807 2009.12.27.01 2009-12-27 9.46 -
Fortinet 11.311- 11.311 2009-12-26 0.22 -
GData 19.9560/19.647 20091227 2009-12-27 6.21 -
ViRobot 20091226 2009.12.26 2009-12-26 0.41 -
Ikarus T3.1.01.79 2009.12.26.74839 2009-12-26 4.16 -
JiangMin 13.0.900 2009.12.26 2009-12-26 5.62 -
Kaspersky 5.5.10 2009.12.27 2009-12-27 0.07 -
KingSoft 2009.2.5.15 2009.12.27.10 2009-12-27 0.68 -
McAfee 5.3.00 5843 2009-12-26 3.36 -
Microsoft 1.5302 2009.12.27 2009-12-27 6.67 -
Norman 6.01.09 6.01.00 2009-12-26 4.01 -
Panda 9.05.01 2009.12.25 2009-12-25 0.64 -
Trend Micro 9.000-1003 6.722.07 2009-12-27 0.04 -
Quick Heal 10.00 2009.12.26 2009-12-26 1.67 -
Rising 20.0 22.27.06.01 2009-12-27 1.09 -
Sophos 3.03.0 4.49 2009-12-27 2.75 -
Sunbelt 3.9.2388.2 5583 2009-12-26 3.01 -
Symantec 1.3.0.24 20091226.017 2009-12-26 0.08 -
nProtect 20091226.01 6714273 2009-12-26 4.00 -
The Hacker 6.5.0.3 v00113 2009-12-26 0.77 -
VBA32 3.12.12.0 20091225.2239 2009-12-25 2.35 -
VirusBuster 4.5.11.10 10.118.10/2003785 2009-12-26 2.62 -

VirSCAN.org Scanned Report :
Scanned time : 2009/12/27 00:10:11 (EST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
Online report : http://virscan.org/report/00bef6600c1a3ed56791be4024f7f1e8.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091226040430 2009-12-26 4.38 -
AhnLab V3 2009.12.26.00 2009.12.26 2009-12-26 1.11 -
AntiVir 8.2.1.122 7.10.2.75 2009-12-26 0.36 -
Antiy 2.0.18 20091225.3525327 2009-12-25 0.12 -
Arcavir 2009 200912260830 2009-12-26 0.03 -
Authentium 5.1.1 200912260927 2009-12-26 1.25 -
AVAST! 4.7.4 091226-1 2009-12-26 0.00 -
AVG 8.5.288 270.14.120/2588 2009-12-27 0.32 -
BitDefender 7.81008.4787312 7.29629 2009-12-27 4.18 -
CA (VET) 35.1.0 7197 2009-12-24 5.93 -
ClamAV 0.95.2 10222 2009-12-26 0.01 -
Comodo 3.13 3382 2009-12-27 0.92 -
CP Secure 1.3.0.5 2009.12.27 2009-12-27 0.04 -
Dr.Web 4.44.0.9170 2009.12.27 2009-12-27 8.06 -
F-Prot 4.4.4.56 20091226 2009-12-26 1.23 -
F-Secure 7.02.73807 2009.12.27.01 2009-12-27 1.44 -
Fortinet 11.312- 11.312 2009-12-26 0.17 -
GData 19.9563/19.647 20091227 2009-12-27 5.74 -
ViRobot 20091226 2009.12.26 2009-12-26 0.41 -
Ikarus T3.1.01.79 2009.12.26.74839 2009-12-26 4.16 -
JiangMin 13.0.900 2009.12.26 2009-12-26 5.81 -
Kaspersky 5.5.10 2009.12.27 2009-12-27 0.07 -
KingSoft 2009.2.5.15 2009.12.27.10 2009-12-27 0.56 -
McAfee 5.3.00 5843 2009-12-26 3.30 -
Microsoft 1.5302 2009.12.27 2009-12-27 7.20 -
Norman 6.01.09 6.01.00 2009-12-26 4.01 -
Panda 9.05.01 2009.12.25 2009-12-25 0.60 -
Trend Micro 9.000-1003 6.723.00 2009-12-27 0.03 -
Quick Heal 10.00 2009.12.26 2009-12-26 1.30 -
Rising 20.0 22.27.06.01 2009-12-27 0.99 -
Sophos 3.03.0 4.49 2009-12-27 2.87 -
Sunbelt 3.9.2388.2 5583 2009-12-26 2.05 -
Symantec 1.3.0.24 20091226.017 2009-12-26 0.05 -
nProtect 20091226.01 6714273 2009-12-26 3.91 -
The Hacker 6.5.0.3 v00113 2009-12-26 0.76 -
VBA32 3.12.12.0 20091225.2239 2009-12-25 2.23 -
VirusBuster 4.5.11.10 10.118.10/2003785 2009-12-26 2.34 -

Bobbye · Dec 27, 2009

No problem. But now I would like you to update and run the 3 programs again> Malwarebytes, Superantispyware and HijackThis. Please leave new logs in next reply.

Will see what's going on now.

fadingaurora · Dec 27, 2009

here we are

Bobbye · Dec 27, 2009

You should never have stopped! The system is badly infected- either you didn't follow through previously or you are infected with the same malware again. I'm going to have you run 2 programs. That will allow some removals, but I suspect either you will need to do a reinstall or I will have to refer you.

Please download ComboFix HERE:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Run Combo-Fix.exe and follow the prompts.
(Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)

Wait for the scan to be completed.

If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the Active X control to install

Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.

Click Start

Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Click Scan

Wait for the scan to finish

Re-enable your Antivirus software.

A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Attach the Combofix report and the Eset log to your next reply.

You will need to follow my instructions and complete what I ask you to do. If you leave before I either tell you the system is clean or refer you, you will have to start a new thread and start all over again.

Keep in mind that in the meantime, this malware is stealing information, checking your passwords and looking at your banking information.

TechSpot

IE popups and links redirect among other things

fadingaurora Newcomer, in training

AnonymousSurfer Newcomer, in training

fadingaurora Newcomer, in training

AnonymousSurfer Newcomer, in training

fadingaurora Newcomer, in training

Bobbye Helper on the Fringe

fadingaurora Newcomer, in training

Bobbye Helper on the Fringe

fadingaurora Newcomer, in training

fadingaurora Newcomer, in training

Bobbye Helper on the Fringe

fadingaurora Newcomer, in training

Bobbye Helper on the Fringe

fadingaurora Newcomer, in training

fadingaurora Newcomer, in training

fadingaurora Newcomer, in training

Bobbye Helper on the Fringe

fadingaurora Newcomer, in training

Bobbye Helper on the Fringe