I have an older computer with my company (windows 2000 pro), so most of my stuff is probably outdated. Spybot said I had virtumonde, so I tried cleaning it with that and updated my Java. No more pop-ups, however Internet Explorer has trouble with Yahoo and other search domains, as well as sites like Myspace, etc. It doesn't show errors, it just tries to load them, but nothing happens.

One more thing: Safemode doesn't work on this computer. It used to, but now I just get a blue error screen when trying to start in safemode.

Anyways...any help you can provide would be highly appreciated. Thanks in advance...

I ran hijackthis, and here is the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:01 AM, on 4/23/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\program files\consultec\winasap2000\db\bin\ibguard.exe
C:\Program Files\PrintFleet Local Beacon\LocalBeacon.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\PrintCounts\PrintCounts NSDP Client\PrintCounts NSDP Client.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
c:\program files\consultec\winasap2000\db\bin\ibserver.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\zero.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yfainc.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C6E1D31-790B-4EAB-A041-3EE91A682668} - C:\WINNT\system32\nnnoNeBq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINNT\system32\geBqOfGy.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [64f8023b] rundll32.exe "C:\WINNT\system32\foqktana.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BM67cb31a7] Rundll32.exe "C:\WINNT\system32\pvrdfrlt.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [uizlj] C:\WINNT\system32\uizlj.exe
O4 - HKLM\..\Policies\Explorer\Run: [nhqnq] C:\WINNT\system32\nhqnq.exe
O4 - HKLM\..\Policies\Explorer\Run: [eprds] C:\WINNT\system32\eprds.exe
O4 - HKLM\..\Policies\Explorer\Run: [axwxh] C:\WINNT\system32\axwxh.exe
O4 - HKLM\..\Policies\Explorer\Run: [tempx] C:\WINNT\system32\tempx.exe
O4 - HKLM\..\Policies\Explorer\Run: [uyps] C:\WINNT\system32\uyps.exe
O4 - HKLM\..\Policies\Explorer\Run: [nrzb] C:\WINNT\system32\nrzb.exe
O4 - HKLM\..\Policies\Explorer\Run: [mkqov] C:\WINNT\system32\mkqov.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208954017076
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yfadomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yfadomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = yfadomain.local
O20 - Winlogon Notify: geBqOfGy - C:\WINNT\SYSTEM32\geBqOfGy.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - c:\program files\consultec\winasap2000\db\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - c:\program files\consultec\winasap2000\db\bin\ibserver.exe
O23 - Service: LocalBeacon 1.5.1 - - C:\Program Files\PrintFleet Local Beacon\LocalBeacon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: PrintCounts NSDP Client (PrintCounts NSDP Client.exe) - PrintCounts - C:\Program Files\PrintCounts\PrintCounts NSDP Client\PrintCounts NSDP Client.exe

--
End of file - 6236 bytes

Hello and welcome to Safer Networking Forums.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!

I have an older computer with my company....

Before we can begin, I need to know a few things. Is this computer, your computer at work or at home? If it is a home computer, did you bring it home from your work?

Here is Safer Networking Forums policy on computers at someone's work/job:

http://forums.spybot.info/showpost.php?p=25712&postcount=5


Note:
When the infected computer in question is a company machine in the workplace, and you are an employee.

Your organization must give their permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thank you for your understanding.

Thanks for responding!

This is for one of my computers at home, and I mostly use it for anything work-related. It is a personal computer, but a pretty out-dated one, so I don't typically use it for games or stuff like that. Sorry about any confusion!

Thanks for clearing that up, let's begin. :)

Step # 1 Download CCleaner

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the ccsetup.exe file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location.
Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
Click Install then finish to complete installation.


Step # 2 Retrieve the Installed Programs List from CCleaner

Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.


Step # 3: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

CCleaner Uninstall List
C:\ComboFix.txt
New HijackThis log.

Well, there's a new development. I couldn't even get the thing to start up this morning...in any safe mode or normal mode. It's an old system, so I'm not upset...I figured I'd have to buy a new computer eventually anyway! So I'll just have to format and reinstall windows for now.

However, thanks for offering the help. I guess I should've come here sooner! This place is great...I'll definitely be back if I have any other problems. Thanks again.

You're welcome. Glad to help for the short amount of time that I could.

Once you have your computer formatted and Windows reinstalled, here are some tips to help keep your computer clean and safe on the Net.


Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
Computer Safety On line - Software Firewalls (http://forum.malwareremoval.com/viewtopic.php?p=56#56)
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update (http://www.windowsupdate.com) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
You should scan your computer with Spybot S&D on a regular basis just as you would an anti- virus software. A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware from Your Computer (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then doubleclick it. On the dropdown box, change the setting from automatic to manual. Click ok..
Use an alternative instant messenger program.Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.