I'm having trouble accessing anti-virus sites (and Microsoft pages as well) on the internet with my Asus Eee laptop. I've tried using a range of different browsers, deactivating Windows Firewall, and downloading Malwarebytes' Anti-Malware from a "clean" computer and transferring it to my own.

Still no success, though.

Following the guidelines for posting on the forum, I came across the following two problems:

1. I couldn't run Microsoft® Windows® Malicious Software Removal Tool ("problem loading page" error message)

2. I couldn't run ESET Online Scanner or any of the other suggested scanners ("problem loading page" error message all over)

I'm attaching the Malwarebytes' log and attach.txt. Below is the DDS.txt:

---


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jacob Schmidt Madsen at 15:35:51.95 on Wed 01/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.427 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\AsScrPro.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Jacob Schmidt Madsen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [LiveUpdate] c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\aibelive\voice command\skype4com.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacobs~1\applic~1\mozilla\firefox\profiles\n05tv92q.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-6 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-23 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-6-1 38912]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-6 38224]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-6-1 39040]
S2 yuqfruhv;Time Server;c:\windows\system32\svchost.exe -k netsvcs [2009-5-20 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-23 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-7 533360]

=============== Created Last 30 ================

2010-01-06 11:58:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-06 11:58:35 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-06 11:58:35 0 d-----w- c:\docume~1\jacobs~1\applic~1\SUPERAntiSpyware.com
2010-01-06 11:58:06 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-06 11:06:16 0 d-----w- c:\docume~1\jacobs~1\applic~1\Malwarebytes
2010-01-06 11:06:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 11:06:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 11:06:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 11:06:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-06 10:46:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-06 10:42:34 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-01-06 10:42:33 0 d-----w- c:\program files\McAfee Security Scan
2010-01-06 10:26:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-06 10:24:17 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-06 10:24:06 0 d-----w- c:\program files\Lavasoft
2010-01-06 09:50:05 6144 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
2010-01-03 06:58:02 0 ----a-w- c:\documents and settings\jacob schmidt madsen\temp.dat
2010-01-03 06:57:47 0 d-----w- c:\documents and settings\jacob schmidt madsen\.oces
2009-12-27 18:38:29 0 d-----w- c:\docume~1\jacobs~1\applic~1\OpenOffice.org
2009-12-27 18:37:24 0 d-----w- c:\program files\JRE
2009-12-27 18:37:19 0 d-----w- c:\program files\OpenOffice.org 3
2009-12-27 18:37:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-27 18:37:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-23 06:57:26 0 d-----w- C:\Digital signatur
2009-12-14 07:22:43 0 d-----w- c:\program files\MoRUN.net

==================== Find3M ====================

2009-12-28 19:21:21 30388 ----a-w- c:\docume~1\jacobs~1\applic~1\wklnhst.dat
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-03-21 14:06:58 154406 --sha-r- c:\windows\system32\zwghg.dll
2009-07-02 02:49:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 15:36:15.82 ===============

---

I'd be most grateful for any help received.

Cheers,

Jacob

You can access other websites, just not a few of them?

I can apparently access all sites other than microsoft.com and anti-virus sites, lavasoft.com being a notable exception (though installing and running Ad-Aware didn't yield any results).

It's a virus - it is not detected by many anti-virus programs (or detected, but only after full infection - and only from another PC).

This virus comes in through Skype AND via flash disks (and some other ways I haven't found..) - it hides itself under well-known icons (Winamp, Nero, MSN etc...).

You know you are infected if:
- you no longer have any of the anti-virus software you had (Avira, AVG... had disappeared from the computers I found infected)
- you can no longer access any antivirus/firewall website
- regedit shows it was disabled by the administrator
- all (the ones I have checked) anti-virus installers are shut down - so you can't install new ones

- and don't try to use safe mode - it is corrupt (didn't work at all)

To disable this virus you will need to do the following BEFORE you can download and install antivirus/antimalware to finish the job.

Download TuneUp Utilities (it has its own task manager and registry editor).
Use the TuneUp Utilities task manager (as you may not be able to use the Windows one).

Kill explorer.exe, as the virus is using it to renew itself.
Kill all [random name process *.exe] - make sure you know what you are killing so you do not kill a needed one.

Use cmd commands to delete the hidden exe and bat files in these locations:
- in the root folder of every disk you have (be careful with c: as there are hidden files that do not belong to the virus) - the virus's names are long and random, easy to recognize
- the temp folder
(dir /ah *.exe, *.bat - to find them; attrib -s -h -r [file name] to make it possible to delete; del [file name])

Use msconfig (or the TuneUp Utilities startup manager) to delete the virus from startup.
Before deleting, look at the path in the registry key and then follow the path to the file itself - delete the file, the registry key and then the startup entry.

Reboot the system.
If you found and deleted all these files, no random-name files will appear in task manager.
Now you can access antivirus websites and download any of them, which will finish it.

You need to set the value of DisableRegistryTools to 0, which can be found at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

if you want to use regedit from Windows.

That's about it - I hope it helps - if needed, write and I will put in some more detail.

Also check your hosts file, typically located at c:\windows\system32\drivers\etc\hosts.
I have seen many attacks that redirect anti-virus sites to your loopback adapter, preventing you from installing/updating.

HTHs
sinnerFA

Ignore my previous post - I looked at your logs more carefully - you do not have processes that belong to the virus I described.

When you said you can't load any anti-virus website I at once assumed it was that (as I have had real pain with this virus on several completely different computers).
Sorry.

I'm not quite sure what you mean by checking my hosts file. I've located it and opened it with my notepad, but don't really know what more to do about it.

Can you tell me what I should be on the lookout for?

Cheers,

Purusha

Thanks a lot for taking the time, Vidmaa. Much appreciated.

Cheers,

Purusha

I scanned the USB stick that I suspect to be the culprit with Ad-Aware, and discovered a "high-level security threat" named Win32.Worm.Kido - probably the worm that has eaten its way into my laptop.

I'm attaching the scan log in case it'll be of any help.

The hosts file is located at C:\Windows\System32\drivers\etc
An infected file would have a lot of IP address / URL pairs.
A normal hosts file should look like this:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
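
The check sinnerFA describes, written up as an added example (not code from any poster in this thread): parse a Windows hosts file and flag entries that sinkhole non-local names to loopback, or that point security-vendor sites anywhere at all. The vendor keyword list and both sample files are constructed for the example.

```python
"""Hosts-file hijack check, added example for this thread (not from any poster).
Flags the pattern described above: security/update sites pointed at loopback."""
import ipaddress

# Names a clean Windows hosts file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Keywords from sites the thread says were unreachable; assumption: a real
# check would use a maintained vendor list rather than this short tuple.
SECURITY_KEYWORDS = ("microsoft", "windowsupdate", "malwarebytes", "eset",
                     "lavasoft", "mcafee", "superantispyware", "avira", "avg")

def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split()
            yield lineno, parts[0], parts[1:]

def find_suspicious(text):
    """Return (lineno, address, host, reason) tuples a defender should review."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, " ".join(hosts), "unparseable address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0
        for host in hosts:
            name = host.lower()
            if sinkhole and name not in LOCAL_NAMES:
                findings.append((lineno, ip, host, "non-local name sinkholed to loopback"))
            elif any(k in name for k in SECURITY_KEYWORDS):
                findings.append((lineno, ip, host, "security site redirected elsewhere"))
    return findings

# Constructed samples: the clean file from the post above, and a hijacked one.
CLEAN_HOSTS = """# sample
127.0.0.1 localhost
::1 localhost
"""
HIJACKED_HOSTS = """127.0.0.1 localhost
::1 localhost
127.0.0.1 www.microsoft.com
127.0.0.1 update.microsoft.com
127.0.0.1 www.malwarebytes.org
10.1.2.3 www.eset.com  # constructed: redirected to a bogus host
"""
```

Run `find_suspicious(open(r"C:\Windows\System32\drivers\etc\hosts").read())` on the real file; an empty list means it matches the two-line normal file shown above, and any hit is a line to remove before retrying the scanner downloads.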

Use Notepad to open, view and edit the hosts file. It is safe to delete it all and save it as a blank file if you want, or copy the text from my last post (if yours is infected).

Good Luck!