
Ran Malwarebytes, no internet. Here's the logs, please help!



Thanks for your help! I have an issue. Twice I have tried to run GMER Rootkit Scanner, and my computer crashes about 85% of the way through. My screen turns blue and I get a message that says "Windows has encountered a problem, and has been shut down to protect such and such....." The error code is: fglcypow.sys

I am running Windows Vista 32. Any help to overcome this hurdle would be greatly appreciated!


Try once more, this time uncheck everything except "Sections"

If you still can't get GMER to run try this instead:

Please download Rootkit Unhooker and save it on your desktop.

  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


Hello,

P2P - I see you have P2P software (uTorrent & FrostWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Malware authors use P2P filesharing as a major conduit to spread their wares. I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at Malwarebytes are complete.

Download Combofix from either of the links below, and save it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.

Please include the following in your next post:

  • ComboFix log


Hi,

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
Folder::
c:\users\Scott\AppData\Local\ccayhpcjt

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    KasReport.png

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • ComboFix log
  • Kaspersky log
  • How is the computer running now?

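The DDS:: lines in the CFScript above target a per-user Internet Settings proxy that points at 127.0.0.1:5577. The following is an added example, not part of the original post, that scans DDS-style log lines for proxy entries pointing at the local machine. The function names are hypothetical and the sample lines are constructed from the format shown in the post.

```python
import ipaddress
import re

# DDS-style entry as posted: "<one-letter prefix>Internet Settings,ProxyServer = <value>"
LINE_RE = re.compile(r"^(?P<scope>[a-z])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")


def proxy_endpoints(value):
    """Split "host:port" or "http=host:port;https=host:port" into (proto, host, port)."""
    endpoints = []
    for part in value.replace(";", " ").split():
        proto, _, addr = part.rpartition("=")
        addr = addr.split("://", 1)[-1]          # tolerate "http://host:port"
        host, _, port = addr.rpartition(":")
        if not host:                              # no port given
            host, port = addr, ""
        endpoints.append((proto or "all", host.lower(), port))
    return endpoints


def is_local(host):
    """True for "localhost" and any loopback IP literal; other hostnames are not resolved."""
    host = host.strip("[]")
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_local_proxies(log_lines):
    """Return (line_no, scope, proto, host, port) for each proxy entry on this machine."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = LINE_RE.match(line.strip())
        if m:
            for proto, host, port in proxy_endpoints(m["value"]):
                if is_local(host):
                    hits.append((no, m["scope"], proto, host, port))
    return hits


# Constructed sample lines in the format shown in the post (not taken from a real log).
SAMPLE = [
    "uInternet Settings,ProxyOverride = <local>",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    "uInternet Settings,ProxyServer = proxy.corp.example:8080",
    "uInternet Settings,ProxyServer = http=10.0.0.5:3128;https=[::1]:8443",
]
```

Calling `find_local_proxies(SAMPLE)` flags the second and fourth lines; a hit only shows where the proxy points, so whether anything legitimate is listening on that port still has to be checked on the machine.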

Hello,

If you can give me the exact error message you get when you switch users I'd be happy to try to track down the trouble. Please run these now:

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Files
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\FrostWire\something crazy steven curtis (hot new track).au
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\Preview-T-4224012-lift me up racheal lampa HIT TOP50.mp3
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\Preview-T-5248294-casper slide.mp3
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\Preview-T-5280977-something crazy steven curtis (hot new track).au
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\Preview-T-5995321-something crazy steven curtis new single.mp3
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\T-4224012-lift me up racheal lampa HIT TOP50.mp3
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\T-5248294-casper slide.mp3
    C:\Users\Brandi\AppData\Local\VirtualStore\Program Files\Incomplete\T-5995321-something crazy steven curtis new single.mp3
    C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\18364cfd-117c9c45
    C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\18364cfd-117c9c45
    C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\7803273e-2e9d03e3
    C:\Users\Guest\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\7803273e-2e9d03e3
    C:\Users\Scott\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\3921a40b-7eaa4a9a
    C:\Users\Scott\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\3921a40b-7eaa4a9a
    C:\Users\Scott\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\4f1b949b-1d51b9b3
    C:\Users\Scott\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\30554cdc-56ea45a7
    C:\Users\Scott\Incomplete\T-4170999-get what you need jet(Disk 1).mp3
    C:\Users\Scott\Incomplete\T-5306214-steal your fire.mp3
    C:\Users\Scott\Incomplete\T-5745425-The Allman Brothers band - Jessica.mp3
    C:\Users\Scott\Incomplete\T-5868257-get what you need jet new single.mp3

    :Commands
    [EmptyFlash]
    [EmptyTemp]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • OTM log
  • MBAM log
  • The exact dll error you are getting


Files moved on Reboot...

File C:\Users\Brandi\AppData\Local\Temp\ppcrlui_6288_2 not found!

Registry entries deleted on Reboot...

**************************************************

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4311

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18928

7/14/2010 12:47:55 AM

mbam-log-2010-07-14 (00-47-55).txt

Scan type: Quick scan

Objects scanned: 172818

Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

********************************************

Error messages:

When I log onto a user account I get:

mpnotify.exe - Unable to locate Component

This Application failed to start because rfhelper.dll was not found.

Re-installing this application may fix this problem.

And when I log out, I get this error message:

Exception processing message 0xc0000135

Parameters 0x75FA92A0 0x75FA92A0 0x75FA92A0 0x75FA92A0


Hi,

Go to My Computer-> Tools-> Folder Options-> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

click on Browse, and upload the following file for analysis:

C:\Qoobox\Quarantine\C\windows\system32\RFHelper.dll.vir

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results


Hi,

Go to My Computer-> Tools-> Folder Options-> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

click on Browse, and upload the following file for analysis:

C:\Qoobox\Quarantine\C\windows\system32\RFHelper.dll.vir

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results

I don't have a My Computer option on the start menu....


VirSCAN.org Scanned Report :

Scanned time : 2010/03/13 00:14:50 (EST)

Scanner results: Scanners did not find malware!

File Name : RFHelper.dll.vir

File Size : 1499136 byte

File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi

MD5 : 8a477bb3ddb52f930cc0fec899b7576c

SHA1 : bebbe60365ca6f0e5fb2fa218b9527f67a068b87

Online report : http://virscan.org/report/3bf763fea606ccba...c31715596d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 4.5.0.8 20100313080157 2010-03-13 5.04 -

AhnLab V3 2010.03.13.00 2010.03.13 2010-03-13 1.02 -

AntiVir 8.2.1.180 7.10.5.66 2010-03-12 0.06 -

Antiy 2.0.18 20100312.3993126 2010-03-12 0.12 -

Arcavir 2009 201003121551 2010-03-12 0.08 -

Authentium 5.1.1 201003122325 2010-03-12 5.47 -

AVAST! 4.7.4 100313-0 2010-03-13 0.09 -

AVG 8.5.720 271.1.1/2742 2010-03-13 0.29 -

BitDefender 7.81008.5435980 7.30745 2010-03-13 5.56 -

ClamAV 0.95.3 10569 2010-03-13 0.36 -

Comodo 3.13.579 4244 2010-03-13 1.07 -

CP Secure 1.3.0.5 2010.03.12 2010-03-12 0.47 -

Dr.Web 5.0.1.12222 2010.03.13 2010-03-13 5.99 -

F-Prot 4.4.4.56 20100312 2010-03-12 5.20 -

F-Secure 7.02.73807 2010.03.13.02 2010-03-13 10.85 -

Fortinet 4.0.14 11.574 2010-03-12 0.34 -

GData 19.10786/19.815 20100313 2010-03-13 8.11 -

ViRobot 20100313 2010.03.13 2010-03-13 0.47 -

Ikarus T3.1.01.80 2010.03.12.75388 2010-03-12 5.69 -

JiangMin 13.0.900 2010.03.12 2010-03-12 6.11 -

Kaspersky 5.5.10 2010.03.12 2010-03-12 0.21 -

KingSoft 2009.2.5.15 2010.3.12.22 2010-03-12 0.68 -

McAfee 5.3.00 5918 2010-03-12 3.87 -

Microsoft 1.5502 2010.03.13 2010-03-13 7.37 -

Norman 6.01.09 6.01.00 2010-02-10 4.01 -

Panda 9.05.01 2010.03.12 2010-03-12 3.53 -

Trend Micro 9.120-1004 6.916.01 2010-03-12 0.05 -

Quick Heal 10.00 2010.03.13 2010-03-13 2.59 -

Rising 20.0 22.38.04.03 2010-03-12 1.35 -

Sophos 3.05.4 4.51 2010-03-13 3.58 -

Sunbelt 3.9.2410.2 5851 2010-03-12 4.72 -

Symantec 1.3.0.24 20100311.002 2010-03-11 0.00 -

nProtect 20100312.01 7727364 2010-03-12 7.01 -

The Hacker 6.5.0.3 v00125 2010-01-01 1.38 -

VBA32 3.12.12.2 20100311.2253 2010-03-11 3.29 -

VirusBuster 4.5.11.10 10.121.18/2036111 2010-03-12 2.83 -


Hi,

Sorry, I gave you instructions for XP instead of Vista. You got me what I needed though.

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DeQuarantine::

DeQuarantine::
C:\Qoobox\Quarantine\C\windows\system32\RFHelper.dll.vir
Quit::

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of the log in your next reply.

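Before a quarantined file is restored on the strength of a scan report, it is worth confirming that the file on disk is the one the report describes. The following is an added example, not part of the original thread: it reads the MD5 and SHA1 fields from a report in the VirSCAN layout posted above and compares them with a file's digests. The function names are hypothetical, and the sample file and report in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Header fields as they appear in the posted report: "MD5 : <hex>" and "SHA1 : <hex>"
FIELD_RE = re.compile(r"^\s*(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)
EXPECTED_LEN = {"MD5": 32, "SHA1": 40}


def parse_report_hashes(report_text):
    """Return {'MD5': hex, 'SHA1': hex}; reject truncated or missing digests."""
    found = {}
    for name, value in FIELD_RE.findall(report_text):
        if len(value) != EXPECTED_LEN[name]:
            raise ValueError(f"{name} digest has wrong length: {value!r}")
        found[name] = value.lower()
    missing = set(EXPECTED_LEN) - set(found)
    if missing:
        raise ValueError(f"report is missing: {sorted(missing)}")
    return found


def file_digests(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large binary is never loaded whole."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def matches_report(path, report_text):
    """True only if both digests in the report match the file on disk."""
    return file_digests(path) == parse_report_hashes(report_text)


def demo():
    """Constructed sample: a stand-in file and a report built from its own digests."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.dll.vir"
        sample.write_bytes(b"MZ constructed sample bytes, not a real DLL")
        d = file_digests(sample)
        report = f"File Name : sample.dll.vir\nMD5 : {d['MD5']}\nSHA1 : {d['SHA1']}\n"
        same = matches_report(sample, report)
        sample.write_bytes(b"MZ different bytes")  # file changed after the scan
        return same, matches_report(sample, report)
```

A mismatch means the report says nothing about the file that is about to be restored, so it should be rescanned first.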
