Author Topic: Why me? please help!!  (Read 11247 times)

cthis

    Topic Starter


    Rookie

    Why me? please help!!
    « on: December 01, 2008, 08:44:40 AM »
       Every other week it seems my computer is acting up. I've done a couple of topics and you guys looked at it and everything checked out, but then it comes right back. My computer is running extremely slow, and when I type a search into the Yahoo toolbar it gives me a bunch of random topics not related to my search. Also getting a lot of popups, like registry defender. I may have downloaded something fishy. Please help. Thanks

    [Saving space - attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Why me? please help!!
    « Reply #1 on: December 01, 2008, 10:47:57 AM »
    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - O20 - AppInit_DLLs: C:\WINDOWS\System32\dispex32.dll
    - O20 - Winlogon Notify: 34b80127509 - C:\WINDOWS\System32\dispex32.dll


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    Download the OTMoveIt3 by OldTimer

    Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

    * Save it to your Desktop.
    * Double-click OTMoveIt3.exe to run it.
    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    Code:
    :Processes
    explorer.exe

    :services

    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\34b80127509]

    :files
    c:\windows\System32\dispex32.dll
    c:\windows\system32\437.tmp
    c:\windows\nsreg.dat
    c:\documents and settings\Carl Dant\Application Data\.wyzo
    c:\windows\GnuHashes.ini
    c:\windows\system32\GroupPolicyManifest
    c:\windows\system32\158.tmp
    c:\windows\system32\dispex32.dll
    c:\windows\system32\GroupPolicy000.dat

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

    * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    * Click the red Moveit! button.
    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    Close OTMoveIt3

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

    cthis

      Re: Why me? please help!!
      « Reply #2 on: December 01, 2008, 01:38:04 PM »
      Okay, I ran the OTMoveit and here is the log. However when I rebooted my computer, the entire screen was blank and nothing would come up at all. The only thing I knew to do was start a new process called explorer. I don't know if that was a bad thing or not but it was all I knew. Also I am still getting a ridiculous amount of popups. I've never had them before. Also my web browser is having trouble opening windows all of the sudden. I'm still connected to the internet but it says page not available. Also when I do a google search for something, it gives me a bunch of sites that aren't relevant to my search at all, sites like crackle.com, blinkx.com, current.com, etc. Something is seriously wrong with this machine.

      [Saving space - attachment deleted by admin]

      evilfantasy

      Re: Why me? please help!!
      « Reply #3 on: December 01, 2008, 01:40:14 PM »
      Restart the computer and see if Windows loads OK without manually starting explorer.exe. Let me know.

      cthis

        Re: Why me? please help!!
        « Reply #4 on: December 01, 2008, 01:56:44 PM »
        Okay I restarted and it booted up fine, except for a window that said Data Execution Prevention stopped a windows explorer from opening. So I clicked close window and my screen went blank for 2 seconds followed by a send error report message that internet explorer had to close. So I clicked send report and the screen went blank again and did the same thing over. What should I do.

        evilfantasy

        Re: Why me? please help!!
        « Reply #5 on: December 01, 2008, 02:23:09 PM »
        OK I'm not liking the sounds of this.

        • Go to Start, then Programs, then Accessories, then System Tools
        • Choose System Restore
        Pick a restore time prior to when you ran OTMoveIt3 and restore to then.

        Let me know when you are done with that.

        cthis

          Re: Why me? please help!!
          « Reply #6 on: December 01, 2008, 02:43:49 PM »
          Okay it said that no changes have been made and could not restore. However it did boot up just fine, all of my processes are back and it's not as sluggish. But those *censored* popups are still there. Also I failed to mention that I accidentally deleted my Yahoo toolbar yesterday and when I reinstalled it, it would not let me create a sign-in seal. Also my keys aren't working right, I'm having to re-type almost everything. Thanks again for all of your help, both times.

          evilfantasy

          Re: Why me? please help!!
          « Reply #7 on: December 01, 2008, 02:51:48 PM »
            OK we need to do things in order here. Deal with the malware first then see what is still wrong.

            • Click START then RUN
            • Now type Combofix /u in the runbox
            • Make sure there's a space between Combofix and /u
            • Then hit Enter.
            The above procedure will:
            • Delete the following:
              • ComboFix and its associated files and folders.
            • Reset the clock settings.
            • Hide file extensions, if required.
            • Hide System/Hidden files, if required.
            • Set a new, clean Restore Point.

            ----------

            Now open MalwareBytes and update it then run a full scan. The version you ran is way out of date, Database version: 1370, it is all the way up to 1442 now.

            Please post the log it creates.

            ----------

            Also post the 2 logs that RSIT creates. Use two posts to get everything posted if necessary.

            Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

          • Double click on RSIT.exe to run.
          • Click Continue at the disclaimer screen.
          • Once it has finished, two logs will open.
          • log.txt (will be maximized) and info.txt (will be minimized)
          • Please post the contents of both logs in the next reply.

          cthis

            Re: Why me? please help!!
            « Reply #8 on: December 01, 2008, 04:47:06 PM »
            Okay, I deleted combofix and updated malwarebytes. The malware scan didn't find anything, but just now when I opened my internet, sure enough, pop pop pop. Also I forgot to mention earlier when I ran a antispyware scan, about halfway through my entire screen went solid white, with the scan window in the center. All of the icons disappeared then reappeared, really strange. Anyway here are the logs.

            [Saving space - attachment deleted by admin]

            evilfantasy

            Re: Why me? please help!!
            « Reply #9 on: December 01, 2008, 04:52:23 PM »
            What are these pop-ups? Porn random sites or what?

            Suspicious files to scan

            Please go to VirSCAN.org FREE on-line scan service
            (If more than one file needs scanned they must be done separately and logs posted for each one)

            1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
            Code:
            C:\WINDOWS\System32\dispex32.dll

            2. At the upload site, click once inside the window next to Browse.
            3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
            4. Click on the Upload button.
            This will perform a scan across multiple different virus scanning engines.
            Your file will possibly be entered into a queue which normally takes less than a minute to clear.
            Important: Wait for all of the scanning engines to complete.
            5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
            6. Paste the contents of the Clipboard in your next reply.

            cthis

              Re: Why me? please help!!
              « Reply #10 on: December 01, 2008, 05:46:27 PM »
              Ha, ha. No they aren't porn popups. The one that comes up most says "download registry defender". The other ones from what I can remember just want me to download some antivirus and spyware products. (The irony right). As for that file it was a virus from what I can tell.
              « Last Edit: December 01, 2008, 06:03:33 PM by evilfantasy »

              evilfantasy

              Re: Why me? please help!!
              « Reply #11 on: December 01, 2008, 06:03:18 PM »
              Please either copy and paste the results or give me the link to the results page at VirSCAN.org. .doc files are easily infected so I don't want to open an infection...

              cthis

                Re: Why me? please help!!
                « Reply #12 on: December 01, 2008, 06:43:17 PM »
                Okay gotcha. Here you go!

                http://virscan.org/report/6e03a5069c142d4b0bed3bd23e500aad.html

                This is the only way I could get it. Hope it works.

                evilfantasy

                Re: Why me? please help!!
                « Reply #13 on: December 01, 2008, 06:53:11 PM »
                Yep that's it :)

                Open HijackThis and select Do a system scan only.

                Place a check mark next to the following entries: (if there)

                O20 - Winlogon Notify: 34b80127509 - C:\WINDOWS\System32\dispex32.dll

                Important: Close all windows except for HijackThis and then click Fix checked.

                Exit HijackThis.

                ----------

                Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                Go to Start > Run and type notepad.exe then click OK

                Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

                Code:
                REGEDIT4

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
                "AppInit_DLLS"=-

                [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\34b80127509]

                Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

                Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

                Delete the fixme.reg from the Desktop.

                ----------

                Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

                Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

                If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
                • Double-click Lop S&D.exe
                • Choose the language by typing the corresponding letter and press Enter
                • Click OK at the informative window
                • Type 1, to choose Option 1 (Search) then press Enter
                • Wait until the end of the scan
                • A report will be generated, post the contents of it in your next reply.
                A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
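
Added example, not part of the thread or of any tool mentioned in it: a small Python previewer that lists what a .reg file will do (set a value, delete a value with `=-`, delete a whole key with `[-KEY]`) before it is merged. The function name `preview_reg` is hypothetical, and the sample input is the fixme.reg text from the post above.

```python
import re

# Sample input: the fixme.reg text as given in the post above.
FIXME_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\34b80127509]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def preview_reg(text):
    """Return (action, key, value_name) tuples in file order; never touches the registry."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / version 5.00 header")
    ops, key, pending = [], None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # hex: data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):       # [-KEY] removes the key and its subkeys
                ops.append(("DELETE_KEY", body[1:], None))
                key = None
            else:                          # [KEY] opens or creates the key
                key = body
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        action = "DELETE_VALUE" if m.group(2) == "-" else "SET_VALUE"
        ops.append((action, key, name))
    return ops

if __name__ == "__main__":
    for action, key, name in preview_reg(FIXME_REG):
        print(f"{action:12} {key}" + (f" -> {name}" if name else ""))
```

For the file above this reports one DELETE_VALUE (AppInit_DLLS under the Windows key) and one DELETE_KEY (the 34b80127509 Winlogon Notify subkey); value names are shown as written in the file, without unescaping.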

                cthis

                  Re: Why me? please help!!
                  « Reply #14 on: December 01, 2008, 07:14:43 PM »
                  Okay, the hijack was run and then finished. I pressed scan again by mistake and the file was there again. So I deleted it again, then saved fixme.exe to the desktop. It did successfully add to the registry. So that's done. Here is the log from Lopsd

                  [Saving space - attachment deleted by admin]