I have lots of popups, and when I click links on Google I am redirected to bogus antivirus/anti-spyware websites. Earlier today I had a worm.win32.netsky virus, which took over my background picture, disabled Task Manager, and kept making popups for me to download their anti-spyware programs. I think I removed most of it using Spyware Doctor. I am still having popups from this NeXplore thing, and I am still redirected from Google when I try clicking a link. When I tried using my Malwarebytes it didn't work. It can't locate mbam.exe. I tried re-installing it; at the last stage, when it finishes installing and goes to open the program, a window pops up and this is what it says:

Unable to execute file:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

CreateProcess failed; code 2.
The system cannot find the file specified.

If anyone could help, that would be great.

thanks,

-Nick

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove Programs in the Control Panel.
2. Restart your computer (very important).
3. Download and run this utility: mbam-clean.exe
4. It will ask to restart your computer (please allow it to).

Download a randomized renamed mbam.exe version from here. Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder on the infected PC and launch the renamed file.
Then malwarebytes should run. Update it and then do a Full Scan with it. When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
Reboot afterwards.

Post back with the MBA-M log.
Judy

K, I got it working. Here are the results. I am not having any more pop-ups, but I am still getting redirected via search engines.

Malwarebytes' Anti-Malware 1.44
Database version: 3646
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/31/2010 1:38:35 PM
mbam-log-2010-01-31 (13-38-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234091
Time elapsed: 1 hour(s), 43 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Your MBA-M was not updated. The database is weeks out of date. Your database version shows 3646 and the current version is 3669. You need to update the program before each and every run; it has daily updates at the very least. Please update the program and run the scan again.
Reboot and then give me a HJT System Scan log.

K, I scanned with MBAM and it found 2 things: one trojan something and the other... I see loads of them all the time, random-letters .exe files, it's weird. Anyway, I had to restart my system for the removal to take effect, so I don't have my MBAM log; here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:27 PM, on 2/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LMabcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O2 - BHO: XBTP05494 - {37138967-CD8A-4b6e-8254-5EED6A50BB69} - C:\PROGRA~1\REDZEE~1\redzee.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {34F459B8-1D37-4FF2-9EFA-192D8E3ABA6F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: BigSeekPro Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\BigSeekPro Toolbar\tbcore3.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [2Wire Wireless Manager] "C:\Program Files\2Wire Wireless Manager\2Wire.exe" -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155136083828
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155147674453
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20C3805F-FCA5-4D9A-AF47-4E98F6E2D66D}: NameServer = 4.2.2.1 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{20C3805F-FCA5-4D9A-AF47-4E98F6E2D66D}: NameServer = 4.2.2.1 192.168.1.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{20C3805F-FCA5-4D9A-AF47-4E98F6E2D66D}: NameServer = 4.2.2.1 192.168.1.254
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll hovogove.dll c:\windows\system32\dayiwiwu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: bevudisil - {20210bc9-0d4d-4eca-97af-bfc0dee784bb} - c:\windows\system32\dayiwiwu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {20210bc9-0d4d-4eca-97af-bfc0dee784bb} - c:\windows\system32\dayiwiwu.dll (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lmab_device - - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10212 bytes
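The HJT log above is what a helper reads by hand: orphaned entries marked "(no file)" or "(file missing)", the O20 AppInit_DLLs value, the O21/O22 shell-load entries, and the O17 DNS servers (relevant to search-engine redirects). As an added example, not code from the thread, DaniWeb or HijackThis, the Python script below parses HJT-style lines and applies those checks automatically, and it cross-references CLSIDs so that one component registered in several load points (here the same GUID in O21 and O22) stands out. The sample log is a constructed subset of the lines posted above; the rules are general triage heuristics for review, not a verdict on any particular file.

```python
"""Triage a HijackThis (HJT) log for common persistence and redirect indicators.

Added example for this thread (not HijackThis' or the forum's own code).
SAMPLE_LOG is a constructed subset of the log posted in the thread.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: ten lines taken from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O2 - BHO: XBTP05494 - {37138967-CD8A-4b6e-8254-5EED6A50BB69} - C:\PROGRA~1\REDZEE~1\redzee.dll (file missing)
O3 - Toolbar: (no name) - {34F459B8-1D37-4FF2-9EFA-192D8E3ABA6F} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{20C3805F-FCA5-4D9A-AF47-4E98F6E2D66D}: NameServer = 4.2.2.1 192.168.1.254
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll hovogove.dll c:\windows\system32\dayiwiwu.dll
O21 - SSODL: bevudisil - {20210bc9-0d4d-4eca-97af-bfc0dee784bb} - c:\windows\system32\dayiwiwu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {20210bc9-0d4d-4eca-97af-bfc0dee784bb} - c:\windows\system32\dayiwiwu.dll (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# An HJT entry is "<section> - <text>", e.g. "O20 - AppInit_DLLs: ...".
LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str
    text: str
    clsids: list[str] = field(default_factory=list)  # upper-cased GUIDs found in the line


@dataclass
class Finding:
    section: str
    reason: str
    text: str


def parse(log: str) -> list[Entry]:
    """Turn HJT lines into Entry objects; header, process list and blank lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, text = m.groups()
            entries.append(Entry(section, text, [c.upper() for c in CLSID_RE.findall(text)]))
    return entries


def _is_public_ip(token: str) -> bool:
    try:
        return not ipaddress.ip_address(token).is_private
    except ValueError:  # not an IP literal at all
        return False


def triage(log: str) -> list[Finding]:
    """Apply the checks a helper does by eye; one entry may yield several findings."""
    findings = []
    for e in parse(log):
        if any(marker in e.text for marker in ORPHAN_MARKERS):
            findings.append(Finding(e.section, "orphaned entry: referenced file is missing", e.text))
        if e.section == "O20" and e.text.startswith("AppInit_DLLs:"):
            # Normally empty on a clean XP box; anything listed is loaded into every GUI process.
            # Whitespace split assumes paths without spaces, as in this log.
            dlls = e.text.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding(e.section, "AppInit_DLLs loads: " + ", ".join(dlls), e.text))
        if e.section in ("O21", "O22"):
            findings.append(Finding(e.section, "rarely used shell-load location (SSODL/SharedTaskScheduler); review", e.text))
        if e.section == "O17" and "NameServer" in e.text:
            public = [s for s in e.text.split("=", 1)[1].split() if _is_public_ip(s)]
            if public:
                findings.append(Finding(e.section, "DNS resolvers outside private ranges: " + ", ".join(public) + "; confirm they are expected", e.text))
    return findings


def clsid_index(log: str) -> dict[str, list[str]]:
    """Map each CLSID to the sections it appears in, so one component in several load points is visible."""
    index: dict[str, list[str]] = {}
    for e in parse(log):
        for c in e.clsids:
            index.setdefault(c, []).append(e.section)
    return index


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.text}")
    for clsid, sections in clsid_index(SAMPLE_LOG).items():
        if len(sections) > 1:
            print(f"{clsid} registered in {', '.join(sections)}")
```

Run against a real log by replacing SAMPLE_LOG with the file contents; the output lists each flagged line with its reason and then any GUID that appears in more than one section.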

The MBA-M log is found IN the program under the Logs tab. Please go there, open the log and copy/paste that log back here.
Judy

The log can be found within the MBA-M program under the Logs Tab. Go there and open the logs until you find the correct one, then copy/paste it back here.
Judy

double post? :O

Haha, here it is.

Malwarebytes' Anti-Malware 1.44
Database version: 3673
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/1/2010 5:11:20 PM
mbam-log-2010-02-01 (17-11-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 235491
Time elapsed: 1 hour(s), 21 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Your PC Protector (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\ygjst.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Yeah, sorry about that double post, didn't notice until now.
Please download ComboFix by sUBs from HERE or HERE
· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

· Double click combofix.exe & follow the prompts.
· When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
· Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Post back here with the combofix log.
Judy

I can't turn AVG off with Task Manager because I can't get it open; something is glitching it. Should I still scan with AVG running?

Open AVG and turn it off from within the program itself. If you must, use msconfig and stop AVG9_TRAY from auto-starting there, and also go into Services there in msconfig and stop these two: AVG Free WatchDog and Symantec Core LC (this is an old remnant of a Norton program; it must be disabled also).
Also, Spybot TeaTimer is running; this interferes with fixes, so turn it off and just leave it off. It is more trouble than it is worth:
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
After you have done ALL of the above then reboot the computer and try the combofix.
Judy

k, I went into msconfig and removed everything with AVG and the Symantec thing... When I tried running the ComboFix it said AVG would interfere or something, and then I clicked x and it kept going, so I rebooted my computer. I tried uninstalling AVG so I could use the ComboFix, but I can't uninstall it from Add/Remove Programs in the Control Panel... How can I stop AVG?

Did you reboot the computer after using msconfig? You have to do that also. All msconfig does is let you stop the auto-booting of the program the NEXT time you reboot; it doesn't turn off the program that is already running.

To disable the Resident Shield, please:

* Open AVG User Interface.
* Double-click on the Resident Shield.
* Un-tick the option Resident Shield active.
* Save the changes.
To disable the Personal E-mail Scanner (if it is installed), please:

* Open AVG User Interface.
* In menu Tools select Advanced settings.
* Go to E-mail Scanner - Servers - POP3, and click on the POP3 server (usually AutoPOP3:10110).
* Un-tick the option Activate this server and use it for receiving e-mails.
* Repeat the same for SMTP server.

Then you have to reboot the computer.
After the reboot, check Task Manager to be sure none are running. IF any are running, highlight them and click End Process.

I told you my Task Manager doesn't work. I rebooted the computer like 5 times... Earlier it said all the components were disabled, but CF said they weren't, so I don't know.

What exactly happens when you try to uninstall AVG via Add/Remove?

Did you try uninstalling using Safe Mode?

I see you are offline; however, I must give this instruction:
Since you attempted to run Combofix and say you "x"-ed out of it but it seemed to continue to run, you really need to uninstall Combofix and download a new copy of it, just to be certain the program itself was not damaged.
To do this, do the following:
* Click START then RUN
* Now type Combofix /u in the run box and click OK. The space between Combofix and /u must be there.
When shown the disclaimer, select "2".

Then using the links above download a new copy of combofix and follow the steps given.

I did that and guess what? It ran ComboFix. Now I have a window open saying warning!!! omfg u got AVG open, and it's freaking out at me again. I don't think I installed it. Here is a detailed explanation of what happened.

k, I clicked on ComboFix, the warning window of AVG pops up, I x it, then another one pops up again saying

antivirus: AVG Anti-Virus Free

The above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk.

See... That window is open right now. I don't think it is running yet, even though it says it "shall CONTINUE to run" at MY OWN RISK. Mmm... I think my ComboFix works. I'll try going into Safe Mode and uninstalling AVG.

Yes, I KNOW combofix will run when an anti-virus program is enabled; that is NOT the point. You do NOT want it to run while an anti-virus program is running, because the anti-virus program can interfere with any fixes it attempts.
Did you read my post concerning uninstalling combofix? Please do so and follow those instructions.
You DO NOT want AVG running when combofix is working, this is why you MUST either stop it or uninstall it.

PLEASE, do one thing at a time. Please read instructions and follow them EXACTLY.

I wasn't trying to teach you that ComboFix can run while AVG is up. What I was trying to say was that AVG says it's disabled, but ComboFix says AVG is running and I have to scan at my own risk. I just tried uninstalling AVG in Safe Mode, no luck. I get an error every time.

FYI: I read ur post, I typed that in run, it opened up combo fix, if you read what I said.

"I did that and guess what? It ran combo fix."

I did what you told me to do and put it in the run box.. it opened up combofix.. I wasn't trying to run it.. Please read my post over again.. :\

What does the error say?

Just delete the combofix from the desktop and totally out of your recycle bin.

what does the error say?
Please don't run combofix, uninstall it as i have instructed twice now.

Don't do caps at me, I told you the thing runs the program, it doesn't uninstall it.

PLEASE go back and read my last 2 posts on page 2.

If you look at my post I changed it.

To remove AVG download and run this AVG Removal Tool.

To remove Combofix try this:
* Click START then RUN
* Now type Combofix/uninstall
