Popups

Post by Prankmunky » March 8th, 2009, 6:27 am

My parents asked me to fix their computer, they've been experiencing numerous pop ups. I don't really know much about this kind of thing beyond using spybot. Which I did, it seemed to lessen the number of popups, but they're still there. Reading around a bit this site was highly recommended. Hopefully you can help.

Anyway, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:19 AM, on 3/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\yes75x.exe
C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\s8piy2actpa.exe
C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\gl0sfn3ek2.exe
C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\f34picbl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\userinit.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\aNI02\aNI022328.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F3 - REG:win.ini: load=C:\AIM\dtect16.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {418fe03f-e5b0-496c-b1ee-13d1dbce7ebe} - C:\WINDOWS\system32\viwifolo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {f2a625ea-c6dc-d50a-79b4-f71c5d26e9d9} - {9d9e62d5-c17f-4b97-a05d-cd6cae526a2f} - C:\WINDOWS\system32\swlrcw.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: AuthBHO.cBHO - {c658cee0-7f43-4b48-aeb5-36ef433513ac} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: Security Manager Popup Blocker - {D35D808B-16DD-4572-861B-44966B93247B} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Ron Wells\winlogon.exe
O4 - HKLM\..\Run: [giborawuro] Rundll32.exe "C:\WINDOWS\system32\yedibufo.dll",s
O4 - HKLM\..\Run: [Alafuyirogodini] rundll32.exe "C:\WINDOWS\Rvuzuy.dll",e
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Uah95H5X.exe
O4 - HKLM\..\Run: [2ssU3sT] atlpapi.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mbvmklelv] C:\WINDOWS\System32\fhriyqog.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\vnmispoisn_downloader.exe
O4 - HKLM\..\Run: [ncfib] C:\WINDOWS\ncfib.exe
O4 - HKLM\..\Run: [NS5QE] C:\documents and settings\ron wells\local settings\temp\NS5QE.exe
O4 - HKLM\..\Run: [oW3jAxR] C:\documents and settings\ron wells\local settings\temp\oW3jAxR.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
O4 - HKLM\..\Run: [ccb3c5f4] rundll32.exe "C:\WINDOWS\system32\lehevusa.dll",b
O4 - HKLM\..\Run: [CPMcf80f668] Rundll32.exe "c:\windows\system32\napuruya.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [trbzjy73etdfh37chiq2zu618e9iik4g0ubkulfd1] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\ls43n7ys.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ron Wells\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [JB38Rif2i] cateamci.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [nidle] "C:\Documents and Settings\Ron Wells\Application Data\nidle\nidle.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKCU\..\Run: [ug54kxni67mt191ffscva0xek58vd3f] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\p3tlisxl8oh7u.exe
O4 - HKCU\..\Run: [y0pmncnon] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\v22cm76qs.exe
O4 - HKCU\..\Run: [cnpbm9zh0u4dbwh23ftcw] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\lwb5ff.exe
O4 - HKCU\..\Run: [o857mbhg1a3fc07p5zey3awxf2jhubn7n2sd0] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\adaj9naj8.exe
O4 - HKCU\..\Run: [ymwvf2s5qxr2aozdc0aj05bt7u662ftjx8yhwnvkp99s] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\xw6nzg971.exe
O4 - HKCU\..\Run: [jey1al2st4342loyhccfd6ukvf56sq] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\fe5j1uw1.exe
O4 - HKCU\..\Run: [kplfm3pmh87h8i80lbrrva0l9] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\jhot6xge.exe
O4 - HKCU\..\Run: [go1i42nucynqodjyc0dor7qv1hh8xiq12c0b0lq77ll343ta4] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\c46snjt.exe
O4 - HKCU\..\Run: [hgom21xpxwmlqbk6fburx5zso4cr9js0kuqmqw3rcux] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\hj0czz.exe
O4 - HKCU\..\Run: [cyick2n1jhjteitucozhi7fu3] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\s8piy2actpa.exe
O4 - HKCU\..\Run: [wlb6v96hawtj4fki3z6] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\gl0sfn3ek2.exe
O4 - HKCU\..\Run: [s79jxvktc26tlk3lyweuq6hjehc23syy80yhv2x] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\yes75x.exe
O4 - HKCU\..\Run: [r9mmy02p0uo8] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\f34picbl.exe
O4 - HKCU\..\Run: [o7x6nhku730w0ks7ubr35rs2v52pzx] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\hl337pue2w6jk.exe
O4 - HKCU\..\Run: [wqyppvr545] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\sg758chj.exe
O4 - HKCU\..\Run: [r7u1rxv9zatkij06t7cxw3f1bq583ncy6k] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\pnj5ce.exe
O4 - HKCU\..\Run: [fjupwtb212s6ap5lubh5tofz7hcn18hbmlh7pgt] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\sqleqyfnkluah.exe
O4 - HKCU\..\Run: [sk98q401lz3dyzkzr77jbsopmdksrbn] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\l827ofxz.exe
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: IMVU.lnk = C:\Documents and Settings\Ron Wells\Application Data\IMVUClient\IMVUClient.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: hpoddt01.exe.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ron Wells\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\ronwel~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\ronwel~1\locals~1\temp\ntdll64.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS3\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\hudawiwu.dll c:\windows\system32\sihosido.dll adejhk.dll c:\windows\system32\zegofuho.dll vlysuw.dll swlrcw.dll c:\windows\system32\napuruya.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\napuruya.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\napuruya.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Curtains for Windows System Service (curtainssyssvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11476 bytes


The computer is connected to the internet through a router.
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm
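
A triage sketch for a log like the one posted above, added here as an example; it is not part of the original thread and not code from HijackThis. It lists O4 `Run` autostart entries whose command points into a Temp directory and marks those whose target also appears under "Running processes". The function names and the Temp-directory heuristic are assumptions of this example; the sample lines are a handful taken from the log above.

```python
import re

# Sample input: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\yes75x.exe
C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NS5QE] C:\documents and settings\ron wells\local settings\temp\NS5QE.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [s79jxvktc26tlk3lyweuq6hjehc23syy80yhv2x] C:\DOCUME~1\RONWEL~1\LOCALS~1\Temp\yes75x.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ron Wells\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\docume~1\ronwel~1\locals~1\temp\ntdll64.dll
"""

# "O4 - <body>": section code, then the entry text.
SECTION_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# "HKCU\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(?P<hive>[A-Z]+)\\.*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First drive-rooted .exe/.dll path inside a command line (quoted or not).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# Assumed heuristic: any path component literally named "Temp".
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def running_processes(log):
    """Return the lower-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # the block ends at the first blank line
        elif in_block:
            procs.add(line.lower())
    return procs


def temp_autostarts(log):
    """List O4 Run entries that launch something from a Temp directory."""
    running = running_processes(log)
    findings = []
    for line in log.splitlines():
        sec = SECTION_RE.match(line.strip())
        if not sec or sec["code"] != "O4":
            continue
        run = RUN_RE.match(sec["body"])
        if not run or not TEMP_RE.search(run["cmd"]):
            continue
        path = PATH_RE.search(run["cmd"])
        target = path.group(0) if path else run["cmd"]
        findings.append({
            "hive": run["hive"],
            "name": run["name"],
            "target": target,
            # Plain string comparison: 8.3 short names (LOCALS~1) cannot be
            # expanded offline, so a long-name entry will not match here.
            "running": target.lower() in running,
        })
    return findings


if __name__ == "__main__":
    for f in temp_autostarts(SAMPLE_LOG):
        state = "RUNNING" if f["running"] else "not running"
        print(f'{f["hive"]} [{f["name"]}] -> {f["target"]} ({state})')
```
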

Re: Popups

Post by dan12 » March 8th, 2009, 6:35 am

Welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Popups

Post by Prankmunky » March 8th, 2009, 3:41 pm

I got the program list as per your instructions, however when I went to post it I discovered a new symptom. Web pages won't load. Just a blank white screen comes up. Is it safe to save the text file to a usb and post it using a different computer? If not I suppose I could type it out.
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by dan12 » March 8th, 2009, 3:49 pm

Just copy and paste the install list straight into the thread.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Popups

Post by Prankmunky » March 8th, 2009, 6:50 pm

I'm currently posting via a different computer, as I'm unable to post from the infected computer. Every site I go to on the infected computer just comes up as a blank page.
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by Prankmunky » March 8th, 2009, 7:36 pm

I reset my router; now instead of a blank page it gives me an error message, "connection reset". If I spam refresh, the page will load eventually though.

µTorrent
1 Form Proposal Invoice 1.4
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
BCM V.92 56K Modem
CCleaner (remove only)
Comcast High-Speed Internet Install Wizard
Dell AIO Printer A920
Dell ResourceCD
DivX Web Player
eMusic Download Manager 4.1.1
Google Updater
HijackThis 2.0.2
HP Document Viewer 7.0
HP Image Zone Express
HP Imaging Device Functions 7.0
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 6
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveX Control Pad
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Musicnotes Player V1.23.2
OCR Software by I.R.I.S 7.0
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Panda ActiveScan
PMP DV
QuickTime
RealPlayer
Rhapsody Player Engine
Security Manager
Security Update for Windows XP (KB960715)
Shockwave
Smart Defrag 1.10
Sonic DLA
SoundMAX
Spybot - Search & Destroy
Steam
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Windows Live installer
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 2
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by dan12 » March 8th, 2009, 7:46 pm

What is your current antivirus program? You don't appear to be running with any!! Something we need to address later.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Important! Can you find out from your parents if they set these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS3\Services\Tcpip\..\{5D28D5BC-4526-4113-9423-F490067C15D7}: NameServer = 68.87.69.146,68.87.85.98

-----------------------------

You can download this to a pen drive on the good pc and transfer it across to the infected pc.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Popups

Post by Prankmunky » March 8th, 2009, 10:56 pm

I ran combofix. It failed to download Windows Recovery Console.

While it was running several error messages popped up.

ping.exe - Bad Image
The application or DLL C:\DOCUME~1\RONWEL~1\LOCAL~1\Temp\ntdll64.dll is a valid Windows image. Please check this against your installation diskette.

ntdll64.exe - Bad Image
The application or DLL C:\DOCUME~1\RONWEL~1\LOCAL~1\Temp\ntdll64.dll is a valid Windows image. Please check this against your installation diskette.

combofix - Download.cfexe - Bad Image
The application or DLL C:\DOCUME~1\RONWEL~1\LOCAL~1\Temp\ntdll64.dll is a valid Windows image. Please check this against your installation diskette.

Then combofix rebooted the computer, the background loaded, then this error message popped up.

Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP home edition cd now.

Windows won't load beyond this. I asked my parents, they said they must have lost the disc, they don't have it anymore.

What should I do?
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by dan12 » March 9th, 2009, 5:50 am

Did you disable all security programs? AVs, firewalls, antimalware programs.
Are you running ComboFix from the desktop? It has to be on the desktop!
Can you try something for me. I want you to re-name combofix.exe which should be on the desktop to Prankmunky.exe
Right click the combofix.exe on the desktop, in the drop down menu click rename.
Then try running again.

Let me know how it goes.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Popups

Post by Prankmunky » March 9th, 2009, 4:45 pm

Yes, I turned off everything, and ran it from the desktop. The problem is windows won't load.
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by dan12 » March 9th, 2009, 5:00 pm

Have you tried running it as I suggested?
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Popups

Post by Prankmunky » March 9th, 2009, 5:14 pm

No, I can't get into windows.
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by dan12 » March 9th, 2009, 5:24 pm

So the infected machine you're unable to boot into Windows?
It may well be that a reformat is your only option left.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Popups

Post by Prankmunky » March 9th, 2009, 9:49 pm

Alright, I called Dell and ordered a new Windows cd from them, they said it'd be here tomorrow or Wednesday at the latest.
Prankmunky
Active Member
 
Posts: 11
Joined: December 21st, 2005, 11:32 pm

Re: Popups

Post by dan12 » March 10th, 2009, 5:27 am

You want me to close up the thread, let me know if you need some guidance with reformat.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire