0

I've tried a lot of things... Here is my log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:20:53 PM, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\hijack\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6345 bytes

0

Just saying you "tried a lot of things" tells us nothing. What EXACTLY have you done? We need logs from programs that you have run. How do you know you have this specific infection?

0

Just saying you "tried a lot of things" tells us nothing. What EXACTLY have you done? We need logs from programs that you have run. How do you know you have this specific infection?

My desktop is completely locked atm with a big huge message on the front of it that says "YOUR SYSTEM IS INFECTED"

I somehow got Internet Protector 2010 malware and it also came with the free bonus of smss32.exe - which reappears on every reboot after I delete the file.

As of right now, every time I reboot my computer my registry is changed and my Ctrl-Alt-Delete function is disabled. I go into the regedit program and delete the entry and can gain access to it, but my desktop is still locked and the virus/malware is obviously still present because everything I "fix" becomes an issue again immediately when I reboot.

0

Try this:
While your system boots, tap F8 continuously, until you get a boot options menu. Select "Safe Mode"
Start -> Run: msconfig
hide all Microsoft services (on services tab)
disable all (on services tab)
click on the startup tab and disable all.
close MS Configuration Utility
Restart PC
when the desktop comes back up, check the box in the dialog box and click OK
Hopefully, you have control of your system now.
Run a good anti-virus:
http://www.microsoft.com/Security_Essentials/
Or whatever you prefer.
Once the virus is removed, go back to msconfig and check the box beside "normal"

Post back here if you have any further issues; otherwise mark this thread as solved.

Good Luck

G

0

An error has prevented the installation process from completing. Please reboot and try again

That's pretty much the message I get whenever I try to install anything atm. It starts, but it won't complete.

Did the other bit with msconfig, and still got the same problems upon reboot

Internet Security 2010 is the name of the Malware. The file for the virus is smss32.exe

Any other ideas?

0

My desktop is completely locked atm with a big huge message on the front of it that says "YOUR SYSTEM IS INFECTED"

I somehow got Internet Protector 2010 malware and it also came with the free bonus of smss32.exe - which reappears on every reboot after I delete the file.

As of right now, every time I reboot my computer my registry is changed and my Ctrl-Alt-Delete function is disabled. I go into the regedit program and delete the entry and can gain access to it, but my desktop is still locked and the virus/malware is obviously still present because everything I "fix" becomes an issue again immediately when I reboot.

Follow these instructions found at bleepingcomputer. This method DEFINITELY DOES work as I used it just a few days ago to rid another computer of this same infection.
Definitely use the rkill.com

Double-click on the rkill.com in order to automatically attempt to stop any processes associated with Internet Security 2010 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Internet Security 2010 when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Internet Security 2010. So, please try running Rkill until malware is no longer running.
Do not reboot your computer after running rkill, as the malware programs will start again.
Now you should download Malwarebytes' Anti-Malware, or MBAM, and save it to your desktop:
# Once downloaded, close all programs and Windows on your computer, including this one.

# Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

# When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.

If you receive a code 2 error while installing Malwarebytes', please press the OK button to close these errors as we will resolve them in future steps.
This infection can and often does delete a core executable of Malwarebytes', so you will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder.
Malwarebytes EXE
When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded. MBAM will now start and you will be at the main program screen. Click on the Update tab and update the program. Next click on the Scanner tab and perform a Full Scan. When the scan is complete you will receive a message that the scan is finished. Click on OK and then Show the Results.
Once you see the results, click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please post back here with that last MBA-M log.
Now, if you want to continue using MBA-M (and it is strongly suggested that you do, as it is an excellent program), it is suggested that you uninstall the one you have on your computer, just in case it is still damaged, and download, install and update a new copy.
Judy

0

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/6/2010 1:06:40 AM
mbam-log-2010-01-06 (01-06-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 191617
Time elapsed: 18 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Desktop Defender 2010 (Rogue.DesktopDefender) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Matthew\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

0

No dice

I'm still infected after following that guide precisely. :(

0

Update:

Manually deleted smss32.exe and the pre-load definition, then ran msconfig and wiped all that for a 3rd time, then ran the above fix from bleepingcomputer and I am FINALLY clean it appears.

Thanks all for the input!

0

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe

You should probably post a DDS log as per the "Read Me" sticky post because it looks like MBAM missed this.....
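
A defender-side way to triage entries like the F2 line quoted above, as an added example that is not code from this thread or from HijackThis: it parses HijackThis-style lines and flags Winlogon values that do not point at their Windows XP defaults, autoruns and services that launch a lookalike of a core system binary (the thread's smss32.exe / winlogon32.exe / wscsvc32.exe pattern), autoruns started from a Temp folder, and services with a missing binary or no publisher string. The Shell F2 line format and the sample log lines are assumptions, constructed from the logs posted in this thread.

```python
"""Triage helper for HijackThis-style logs like the one posted in this thread.

Added example; not code from the thread or from HijackThis itself.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Windows XP defaults for the Winlogon values HijackThis reports as F2 lines.
# The UserInit format appears in the thread; the Shell key is assumed to be
# reported the same way.
F2_DEFAULTS: Dict[str, str] = {"userinit": "userinit.exe", "shell": "explorer.exe"}

# Core Windows process names that rogue software imitates by appending "32".
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "wscsvc", "explorer"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>\w+)=(?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_PREFIX = "O23 - Service: "

Finding = Tuple[str, str, str]  # (severity, HJT section, reason)


def exe_basename(command: str) -> str:
    """Lower-cased file name of the executable a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        target = command[1:].split('"', 1)[0]          # quoted path
    else:
        m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
        target = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(target).lower()


def is_lookalike(basename: str) -> bool:
    """True for names such as smss32.exe: a core process name plus '32'."""
    stem, ext = ntpath.splitext(basename)
    return ext == ".exe" and stem.endswith("32") and stem[:-2] in CORE_PROCESSES


def triage(log: str) -> List[Finding]:
    """Return one finding per HJT line that deserves a closer look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            key, exe = m.group("key").lower(), exe_basename(m.group("value"))
            expected = F2_DEFAULTS.get(key)
            if expected and exe != expected:
                findings.append(("high", "F2", f"{key} runs {exe}, expected {expected}"))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            exe = exe_basename(cmd)
            if is_lookalike(exe):
                findings.append(("high", "O4", f"autorun [{name}] launches lookalike {exe}"))
            elif re.search(r"\\temp\\", cmd, re.IGNORECASE):
                findings.append(("medium", "O4", f"autorun [{name}] starts {exe} from a Temp folder"))
            continue
        if line.startswith(O23_PREFIX):
            # Service names may themselves contain " - ", so split from the right.
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            svc, owner, path = parts
            exe = exe_basename(path)
            if is_lookalike(exe):
                findings.append(("high", "O23", f"service '{svc}' runs lookalike {exe}"))
            elif path.endswith("(file missing)"):
                findings.append(("low", "O23", f"service '{svc}' points at a missing binary (stale or already removed)"))
            elif owner == "Unknown owner":
                findings.append(("info", "O23", f"service '{svc}' has no publisher string; verify {exe}"))
    return findings


# Constructed sample modelled on the HijackThis and MBAM logs in this thread;
# the two Temp-folder autoruns are invented from MBAM's file findings.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wscsvc32] C:\Documents and Settings\Matthew\Local Settings\Temp\wscsvc32.exe
O4 - HKCU\..\Run: [settdebugx] C:\Documents and Settings\Matthew\Local Settings\Temp\settdebugx.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for severity, section, reason in triage(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {section:3} {reason}")
```

The lookalike check deliberately leaves nvsvc32.exe and rundll32.exe alone, since those are not core-process names with "32" appended; it only points a helper at what to verify, it does not declare anything malicious on its own.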

0

Now getting a message for a few websites that is unusual:


Restricted Site!
This web site is restricted based on your security preferences.

Your system is infected. Please activate your antivirus software.


Ideas?

0

Ran another full scan with mbam and it found absolutely nothing... Still getting the error, specifically with Facebook. Adjusting Internet Security Settings doesn't do anything.

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/6/2010 9:28:35 PM
mbam-log-2010-01-06 (21-28-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188131
Time elapsed: 41 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

Please do as PP has requested:

You should probably post a DDS log as per the "Read Me" sticky post because it looks like MBAM missed this.....

Download DDS by sUBs and save it to your Desktop.

Be sure to follow the instructions below carefully!

• If your AV has a script blocker, please disable it
• DoubleClick on dds.scr to run the tool

• A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
• Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

• Copy&Paste the DDS.txt into your post for assistance.
• Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don't know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

0

I believe I have narrowed down the problem to the file c:/windows/system32/helper32.dll

mbam did not pick up the file as a threat, but when I ran another Malware program called SUPERAntiSpyware it detected that file as a web-filter malware file possibly infected by what this post was originally posted about - that IS2010 malware.

When I quarantine that file, however, Firefox and IE completely stop functioning.

Also, the attach file button at the top of the screen isn't working so I'm going to post first the DDS.txt file, and then copy/paste the Attach.txt file after it. Not sure why I can't attach.

DDS (Ver_09-12-01.01) - NTFSx86  
Run by Matthew at 23:14:56.68 on Wed 01/06/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1584 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated)   {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\17eef690-49a1-4b71-a38c-ff9c0910d91c.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matthew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = 
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [PCLEUSBTip] c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
Trusted Zone: facebook.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthew\applic~1\mozilla\firefox\profiles\5ty8lzf1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\matthew\application data\mozilla\firefox\profiles\5ty8lzf1.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - plugin: c:\documents and settings\matthew\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-4-8 347648]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\dragon age\bin_ship\daupdatersvc.service.exe [2010-1-1 25832]

=============== Created Last 30 ================

2010-01-07 04:11:04	17920	----a-w-	c:\windows\system32\HELPER32.DLL
2010-01-07 03:17:33	0	d-----w-	c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-07 03:17:27	0	d-----w-	c:\program files\SUPERAntiSpyware
2010-01-07 03:17:27	0	d-----w-	c:\docume~1\matthew\applic~1\SUPERAntiSpyware.com
2010-01-07 01:42:50	0	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-01-06 07:23:18	195456	------w-	c:\windows\system32\MpSigStub.exe
2010-01-06 07:21:52	0	d-----w-	c:\program files\Microsoft Security Essentials
2010-01-06 06:37:32	1021440	----a-w-	c:\windows\system32\IS15.exe
2010-01-06 05:42:18	0	d-----w-	c:\docume~1\matthew\applic~1\Malwarebytes
2010-01-06 03:35:03	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-01-06 01:56:32	0	d--h--w-	c:\windows\system32\GroupPolicy
2010-01-06 01:26:17	2931	----a-w-	c:\windows\system32\warning.html
2010-01-03 21:33:34	0	d-----w-	c:\program files\common files\L&H
2010-01-03 21:33:27	0	d-----w-	c:\program files\Microsoft ActiveSync
2010-01-03 21:33:05	0	d-----w-	c:\windows\SHELLNEW
2010-01-03 20:58:42	0	---ha-w-	c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-01-03 19:36:52	471552	-c----w-	c:\windows\system32\dllcache\aclayers.dll
2010-01-03 19:11:32	0	dc-h--w-	c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2010-01-03 18:04:04	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 18:04:02	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-01-03 18:04:02	0	d-----w-	c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-01 18:08:09	0	d-----w-	c:\docume~1\alluse~1\applic~1\BioWare
2010-01-01 16:48:07	0	d-----w-	c:\program files\common files\BioWare
2010-01-01 03:43:32	0	d-----w-	c:\program files\common files\DirectX
2009-12-30 16:51:09	274288	----a-w-	c:\windows\system32\mucltui.dll
2009-12-30 16:51:09	215920	----a-w-	c:\windows\system32\muweb.dll
2009-12-30 16:51:09	16736	----a-w-	c:\windows\system32\mucltui.dll.mui

==================== Find3M  ====================

2010-01-01 03:40:09	108144	----a-w-	c:\windows\system32\CmdLineExt.dll
2009-10-29 07:46:59	832512	----a-w-	c:\windows\system32\wininet.dll
2009-10-29 07:46:52	78336	----a-w-	c:\windows\system32\ieencode.dll
2009-10-29 07:46:50	17408	----a-w-	c:\windows\system32\corpol.dll
2009-10-21 05:38:36	75776	----a-w-	c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36	25088	----a-w-	c:\windows\system32\httpapi.dll
2009-10-13 10:30:16	270336	----a-w-	c:\windows\system32\oakley.dll
2009-10-12 13:38:19	149504	----a-w-	c:\windows\system32\rastls.dll
2009-10-12 13:38:18	79872	----a-w-	c:\windows\system32\raschap.dll
2008-09-07 01:42:17	32768	--sha-w-	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 23:15:22.32 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/7/2007 7:59:36 PM
System Uptime: 1/6/2010 11:07:51 PM (0 hours ago)

Motherboard: http://www.abit.com.tw/ |  | IC7/IC7-G(Intel i875P-ICH5)
Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 478 | 2806/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 69 GiB total, 17.763 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: 
Description: Photo AIO Printer 924
Device ID: USB\VID_413C&PID_5112&MI_00\6&3B2D3502&0&0000
Manufacturer: 
Name: Photo AIO Printer 924
PNP Device ID: USB\VID_413C&PID_5112&MI_00\6&3B2D3502&0&0000
Service: 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&1F7DBC9F&0&18F0
Manufacturer: 
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&1F7DBC9F&0&18F0
Service: 

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_1014147B&REV_02\3&13C0B0C5&0&FD
Manufacturer: 
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_1014147B&REV_02\3&13C0B0C5&0&FD
Service: 

==== System Restore Points ===================

RP1: 1/3/2010 4:26:52 PM - Software Distribution Service 3.0
RP2: 1/3/2010 4:32:54 PM - Installed Microsoft Office Professional Edition 2003
RP3: 1/4/2010 1:27:30 PM - Software Distribution Service 3.0
RP4: 1/6/2010 2:23:15 AM - Software Distribution Service 3.0
RP5: 1/6/2010 2:34:06 AM - Microsoft Antimalware Checkpoint
RP6: 1/6/2010 1:08:24 PM - Software Distribution Service 3.0
RP7: 1/6/2010 5:49:05 PM - Software Distribution Service 3.0
RP8: 1/6/2010 10:17:27 PM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

2Wire Wireless Client
ABC (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.6
AiO_Scan
Apple Mobile Device Support
Apple Software Update
CCleaner
CDDRV_Installer
Counter-Strike: Source
Day of Defeat: Source
Dell Photo AIO Printer 924
DivX Web Player
Dragon Age: Origins
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.8.5
EA Download Manager
erLT
Exult Version 1.2
Gothic III
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Lost Coast
Half-Life Deathmatch: Source
Half-Life: Source
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
IGN Download Manager 2.3.3
Intel(R) PRO Network Adapters and Drivers
iTunes
Java 2 Runtime Environment, SE v1.4.2_15
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KhalInstallWrapper
KODAK EASYSHARE Gallery Upload ActiveX Control
KODAK Gallery Upload Software
Laugh, Smile & Learn™
Logitech SetPoint
Magic ISO Maker v5.4 (build 0251)
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
MediaCoder 0.6.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Move Media Player
Mozilla Firefox (3.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
Nero 7 Demo
NVIDIA Drivers
NVIDIA PhysX
Overlord
Pinnacle Instant DVD Recorder
Pirates of the Burning Sea
QFolder
QuickTime
Scan
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Sid Meier's Pirates!
Space Quest Collection(TM)
Steam
Studio 10 Bonus DVD
SUPERAntiSpyware Free Edition
Trillian
Ultima Collection
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Ventrilo Client
Virtual Earth 3D (Beta)
Warcraft III: All Products
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wow Web Stats Client v3.0

==== Event Viewer Messages From Past Week ========

1/6/2010 2:42:59 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/FakeRean&threatid=2147614454 	User: MATT\Matthew 	Name: TrojanDownloader:Win32/FakeRean 	ID: 2147614454 	Severity: High 	Category: Trojan Downloader 	Path:  	Action: Remove 	Error Code: 0x80508023 	Error description: The program could not find the spyware and other potentially unwanted software on this computer.  	Status:  	Signature Version: AV: 1.71.1794.0, AS: 1.71.1794.0 	Engine Version: 1.1.5302.0
1/6/2010 12:13:48 AM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
1/6/2010 1:36:15 AM, error: PlugPlayManager [11]  - The device Root\LEGACY_REQELGW\0000 disappeared from the system without first being prepared for removal.
1/5/2010 8:48:33 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/5/2010 8:48:13 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/5/2010 8:48:08 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/4/2010 1:29:36 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
1/3/2010 3:02:51 PM, information: Windows File Protection [64002]  - File replacement was attempted on the protected system file msihnd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.1.4001.5512.
1/3/2010 3:02:43 PM, information: Windows File Protection [64002]  - File replacement was attempted on the protected system file msi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.1.4001.5512.
1/3/2010 2:36:56 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070641: Office Genuine Advantage Notifications (KB949810).
1/3/2010 2:32:56 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/3/2010 2:02:43 PM, error: DCOM [10005]  - DCOM got error "%2" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/3/2010 1:40:10 PM, information: Windows File Protection [64005]  - The protected system file msiexec.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Matthew. The file version of the bad file is unknown.
1/3/2010 1:38:42 PM, information: Windows File Protection [64002]  - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 7.0.6000.16945.
1/3/2010 1:36:34 PM, information: Windows File Protection [64002]  - File replacement was attempted on the protected system file c:\windows\system32\wbem\wmiprvse.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5755.

==== End Of File ===========================
0

Here is an Explanation of pretty much exactly what I had going on last night. Helper32.dll seems to completely disable my ability to navigate to websites if I quarantine the file, but according to this website it is affiliated with my problem. Possible that it's the reason I'm getting the navigation error on Facebook.com?

0

We are familiar with this infection here. It is a very common one at this time.
I see one problem with your MBA-M...it was never updated. You obviously didn't follow all the instructions given originally concerning the use of MBA-M.

click on the Update tab and update the program.

The instructions also make it very clear that it is likely the infection will damage MBA-M during the cleaning and it should be uninstalled and reinstalled.
Did you do this?

Now if you want to continue using MBA-M, and it is strongly suggested that you do as it is an excellent program, it is suggested that you Uninstall the one you have on your computer, just in case it is still damaged, and download, install and update a new copy.

The original was not updated and the scan done this evening was not done with an updated version as the current database is 3506...several days newer than the one you originally installed. This is one absolute must with MBA-M: update before each and every scan. This program sometimes has updates multiple times a day, so there are times, if a person runs MBA-M more than one time in one day, their program could have more than one update during this period of time.
If you did not uninstall MBA-M after the clean up and download a new copy, not just reinstall using the original install file, then you must uninstall it now, delete the install files and download a brand new copy, install and update it.

Edited by jholland1964: n/a

0

That's because when I try to update it I get this:

An error occurred. Please report the following code to the Malwarebytes' Anti-Malware support team.
Error Code: 732 (12029, 0)


And I get that code on every fresh install. And yes, I'm downloading the replacement exe file

Edited by matt1028: n/a

0

That's because when I try to update it I get this:

An error occurred. Please report the following code to the Malwarebytes' Anti-Malware support team.
Error Code: 732 (12029, 0)


And I get that code on every fresh install. And yes, I'm downloading the replacement exe file

And did you read the original instructions I gave you?

If you receive a code 2 error while installing Malwarebytes's, please press the OK button to close these errors as we will resolve them in future steps.
This infection can and often does delete a core executable of Malwarebytes' you will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder.
Malwarebytes EXE

You must use that file noted in the instructions. It has a random name and helps to "fool" the infection. Bleepingcomputer's instructions are very specific and DO work if followed to the letter from beginning to end. I said earlier, I personally have used these steps cleaning a computer with exactly the same infection and exactly the same symptoms you are experiencing and they do work if followed exactly, without any deviation.

0

here is my error code - notice the random numbers on the top of the window indicating that I did in fact follow your directions to download a replacement .exe file - as I said in my previous post. Yet I am still getting this error when I try to update the definitions...

Help!

0

I found the manual definitions installer on the malwarebytes' website and it's newer than the version I was using.

Scanning again...

0

New definitions, same result... :(

Malwarebytes' Anti-Malware 1.43
Database version: 3490
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/7/2010 1:06:48 AM
mbam-log-2010-01-07 (01-06-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 189015
Time elapsed: 42 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
0

Ok Matt, let's step back here. First of all I DO apologize but I was not previously aware that you were unable to update the program via the normal ways since you had not mentioned that. Also because you were running multiple manual removals I was not certain which steps you had been able to complete and which ones you had done fully or the exact order they were done.
Now you never posted a new HJT log AFTER the original cleaning, the only one you posted was the original.
One of the problems here, I believe anyway, is that you had at least two different infections; one was or is a worm and the other one was that Internet Security 2010. The other thing was at first you had no anti-virus program on the computer but sometime you did install the Microsoft Security Essentials, but failed to inform me that you had done so. No anti-virus program showed in the original HJT log but it does show in the DDS log.
The only mention that you attempted to install "something" was this comment:

An error has prevented the installation process from completing. Please reboot and try again

That's pretty much the message I get whenever I try to install anything atm. It starts, but it won't complete.

Did the other bit with msconfig, and still got the same problems upon reboot

Now while the Microsoft Security Essentials DOES show as running in the DDS log, I have to assume that you did not think it installed.
There is a good chance that it has been damaged and or infected by the infections which is why you keep getting this message:

Restricted Site!
This web site is restricted based on your security preferences.

Your system is infected. Please activate your antivirus software.

Now I would like you to do the following:
Uninstall Microsoft Security Essentials via Add/Remove.

Next totally Uninstall MBA-M first using Add/Remove. Then do the following:
Restart your computer (very important).
Download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).

Then I want you to follow the original steps I gave you, EXACTLY. NO manual removals, just the steps listed HERE. This includes downloading everything in the steps NEW, including the rkill.com file.
By manually removing those two files you were not removing the infection, because those two files are NOT the only ones associated with the infection, so while getting some desired results they only worked long enough for the infection to bring them in again. That is obvious from the DDS log.

If you run into ANY problem please don't begin removing files manually, instead come back here immediately and post the problems you are having. This infection can be removed if steps are followed exactly as given, nothing more just those steps at this time.
Judy
F.Y.I. looking through the DDS log I see your computer is really way out of date, some of which could certainly lead to infections such as this one. Once the computer is clean there ARE some programs which definitely must be updated and I will give you those updates which are needed later.

Edited by jholland1964: n/a

0

The good news is that this time the software actually let me update it...

Scan running now.

I do have currently none of the symptoms I had last night after manually deleting the helper32.dll file and installing a fresh download of Internet Explorer 8 for XP.

But as you said, that doesn't mean I'm completely clean, hence why I came straight to this site today upon getting home from work.

I appreciate that you're taking the time to help me through this, and I will post the results when the scan finishes.

0

The good news is that this time the software actually let me update it...

Scan running now.

I do have currently none of the symptoms I had last night after manually deleting the helper32.dll file and installing a fresh download of Internet Explorer 8 for XP.

But as you said, that doesn't mean I'm completely clean, hence why I came straight to this site today upon getting home from work.

I appreciate that you're taking the time to help me through this, and I will post the results when the scan finishes.

Oh Matt, Matt, Matt...why in the world would you download new software when you don't know if your computer is clean or not? If it is NOT then the IE 8 could possibly be damaged too. The cardinal rule when dealing with an infected computer is to be absolutely certain that it is 100% clean before installing ANYTHING other than the security programs needed to clean it up.
Post your MBA-M log when complete and also a NEW HJT log. By the way you were using a beta version of HiJackThis so I would like to see a log from the current version of HiJackThis which you can get from HERE
You will have to UNINSTALL the other one from Add/Remove before downloading the new one.
Judy

0

m-bam found 7 new threats on the system but the system rebooted afterwards so no log this time.

I will say that currently, the only symptom that I'm getting - not that this means anything - is when I reboot my winlogon.exe file is creating 2 folders

C:\Program Files\microsoft frontpage
and
C:\Program Files\Internet Explorer\connection wizard

both folders are empty, but are locked (as in I have to use Unlocker to delete them - which I didn't do prior to running the m-bam scan) to the winlogon.exe file

Here is new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:51 PM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.facebook.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

--
End of file - 3499 bytes

Edited by matt1028: n/a

0

Re-followed the instructions to get you a log file. Didn't do anything except what you had instructed. Here is the result:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2010 7:04:54 PM
mbam-log-2010-01-07 (19-04-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192215
Time elapsed: 19 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
0

m-bam found 7 new threats on the system but the system rebooted afterwards so no log this time.

There is ALWAYS a log. Open the program, go to the Logs Tab. Go to the one before this latest scan and post it back here.

That HiJackThis log is incomplete.

I will say that currently, the only symptom that I'm getting - not that this means anything - is when I reboot my winlogon.exe file is creating 2 folders

How do you know that is what is creating the folders??? WHY are you looking through folders? Is that in the instructions given? Where are you seeing these folders?

I am going to say here Matt, this is becoming more and more difficult for me to deal with, I have no idea what you are doing, why you are doing it and if you ever complete steps exactly as given. Thus far I have not seen any evidence of that.

Edited by jholland1964: n/a

0

There is ALWAYS a log. Open the program, go to the Logs Tab. Go to the one before this latest scan and post it back here.

That HiJackThis log is incomplete.

Lesson learned now.

I deleted the program though and completely reinstalled everything new per the instructions when I ran it the 2nd time tonight. Sorry.

As far as my HiJackThis log, I am clicking on 'Do a System Scan and save a logfile' and then copy/paste the text window that opens up. Here it is again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:58 PM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.facebook.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

--
End of file - 3558 bytes
