Need help removing Trojan-downloader. [RESOLVED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Need help removing Trojan-downloader. [RESOLVED]

Options

RoninJai View Member Profile	Aug 10 2008, 07:13 PM Post #1
Member Posts: 41 OS: XP	Hello. I was stupid and got nailed by AntivirusXP, or whatever it was called. I got rid of that, but I am still getting Windows Security Alerts warning about these things: Trojan-Spy.Win32.GreenScreen Trojan-Spy.Win32.KeyLogger.aa Trojan-Downloader.Win32.Agent.bq Trojan-Spy.HTML.Bankfraud.dq Assistance is needed, will be appreciated. HJT Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:12:03 PM, on 8/10/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PSIService.exe C:\sfmgr\sfmgr.exe C:\spm\spmdib.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe C:\Documents and Settings\All Users\Application Data\wvytivul\ozedktyz.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Logitech\Gaming Software\LWEMon.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Zune\ZuneLauncher.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DNA\btdna.exe C:\WINDOWS\system32\onuxqtyz.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [procgen] C:\WINDOWS\system32\gfmdadqn.exe O4 - HKCU\..\Run: [encmdmsg] C:\WINDOWS\system32\onuxqtyz.exe O4 - HKCU\..\Run: [uisetadm] C:\WINDOWS\system32\apelmnqp.exe O4 - HKCU\..\Run: [strutil] C:\WINDOWS\system32\tqlkpiju.exe O4 - HKLM\..\Policies\Explorer\Run: [2qyTcfGkb2] C:\Documents and Settings\All Users\Application Data\wvytivul\ozedktyz.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206825955625 O21 - SSODL: AppSmart - {67C384E2-B85F-51CE-70A8-058926768881} - C:\Program Files\hwctukd\AppSmart.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - C:\sfmgr\sfmgr.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe -- End of file - 8069 bytes

Mike View Member Profile	Aug 11 2008, 03:22 AM Post #2
Malware Monger Posts: 2,740 OS: XP Professional SP3	Hi there Please follow these instructions in order. You have ad-aware on your PC, please make sure that it is temporarily disabled - see here for instructions on how to do so http://wiki.castlecops.com/Malware_Removal...toring_Programs Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O4 - HKCU\..\Run: [procgen] C:\WINDOWS\system32\gfmdadqn.exe O4 - HKCU\..\Run: [encmdmsg] C:\WINDOWS\system32\onuxqtyz.exe O4 - HKCU\..\Run: [uisetadm] C:\WINDOWS\system32\apelmnqp.exe O4 - HKCU\..\Run: [strutil] C:\WINDOWS\system32\tqlkpiju.exe O4 - HKLM\..\Policies\Explorer\Run: [2qyTcfGkb2] C:\Documents and Settings\All Users\Application Data\wvytivul\ozedktyz.exe O21 - SSODL: AppSmart - {67C384E2-B85F-51CE-70A8-058926768881} - C:\Program Files\hwctukd\AppSmart.dll Now please close all open windows except HJT and press "Fix checked". Then, Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE [kill explorer] C:\WINDOWS\system32\gfmdadqn.exe C:\WINDOWS\system32\onuxqtyz.exe C:\WINDOWS\system32\apelmnqp.exe C:\WINDOWS\system32\tqlkpiju.exe C:\Documents and Settings\All Users\Application Data\wvytivul C:\Program Files\hwctukd emptytemp purity [start explorer] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. And, Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note:These logs may be too large to post in one reply, if so, please post extra.txt in a separate reply.

RoninJai View Member Profile	Aug 11 2008, 12:02 PM Post #4
Member Posts: 41 OS: XP	Dss Extra.txt: Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz CPU 1: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz CPU 2: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz CPU 3: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz Percentage of Memory in Use: 24% Physical Memory (total/avail): 2047.22 MiB / 1547.93 MiB Pagefile Memory (total/avail): 3943.76 MiB / 3630.08 MiB Virtual Memory (total/avail): 2047.88 MiB / 1935.4 MiB C: is Fixed (NTFS) - 78.13 GiB total, 63.91 GiB free. D: is CDROM (No Media) E: is Fixed (NTFS) - 154.75 GiB total, 9.13 GiB free. \\.\PHYSICALDRIVE0 - WDC WD2500KS-00MJB0 - 232.88 GiB - 2 partitions \PARTITION0 (bootable) - Installable File System - 78.13 GiB - C: \PARTITION1 - Extended w/Extended Int 13 - 154.75 GiB - E: -- Security Center ------------------------------------------------------------- AUOptions is set to notify before install. Windows Internal Firewall is enabled. FirstRunDisabled is set. AntivirusOverride is set. AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation) [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe::Enabled:DNA" "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe::Enabled:BitTorrent" "E:\\Dev\\ARCA Remax DEV\\ARCA.exe"="E:\\Dev\\ARCA Remax DEV\\ARCA.exe::Enabled:ARCA" "C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe::Enabled:Dreamweaver MX" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe::Enabled:Bonjour" "C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"="C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe::Enabled:Adobe Dreamweaver CS3" "E:\\Games\\GRID Demo\\GRID.exe"="E:\\Games\\GRID Demo\\GRID.exe::Enabled:GRID Demo" "C:\\Program Files\\Pidgin\\pidgin.exe"="C:\\Program Files\\Pidgin\\pidgin.exe::Enabled:Pidgin" "C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe::Enabled:Autodesk 3ds Max 9 32-bit" "C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe::Enabled:backburner 2.3 monitor" "C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe::Enabled:backburner 2.3 manager" "C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe::Enabled:backburner 2.3 server" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Mike_D\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=DIPONIO-TSF ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Mike_D LOGONSERVER=\\DIPONIO-TSF NUMBER_OF_PROCESSORS=4 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Autodesk\Backburner\;C:\Program Files\Common Files\Softimage PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0f0b ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Mike_D\LOCALS~1\Temp TMP=C:\DOCUME~1\Mike_D\LOCALS~1\Temp USERDOMAIN=DIPONIO-TSF USERNAME=Mike_D USERPROFILE=C:\Documents and Settings\Mike_D windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Mike_D (admin) Guest (guest) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Illustrator 8.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Illustrator 8.0\Uninst.dll" --> MsiExec.exe /I{0CDCA5CD-C404-41FD-9216-9B4B3D24A7AA} --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly 3dsmax ancillary install --> MsiExec.exe /I{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C} Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95} Adobe Asset Services CS3 --> MsiExec.exe /I{8BC84ECC-EA87-49C0-93C0-2B5DF62745CD} Adobe Bridge CS3 --> MsiExec.exe /I{68CF6DD2-8BA3-4A70-81D8-7CC5F24C9BA2} Adobe Bridge Start Meeting --> MsiExec.exe /I{7F3A2319-79CF-4701-95FB-034E99281808} Adobe Camera Raw 4.0 --> MsiExec.exe /I{183B7569-90FB-4C56-9761-0EEB002CAB83} Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C} Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D} Adobe Device Central CS3 --> MsiExec.exe /I{20B83B31-09C4-4F0E-9774-EF8A12A0A527} Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\435a6af7459cb02a9c1138113a26e93\Setup.exe Adobe Dreamweaver CS3 --> MsiExec.exe /I{F01D5ED5-D53A-4468-B428-149DC2CB3110} Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{4DF98D0B-637E-42B4-B9D6-EB7693D2FBF8} Adobe Extension Manager CS3 --> MsiExec.exe /I{2A539CD9-0F75-4875-9A32-E06DD93C4114} Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Help Viewer CS3 --> MsiExec.exe /I{733D84D6-AAFD-4368-A1D0-F2734F6B9082} Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C} Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Setup --> MsiExec.exe /I{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1} Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312} Adobe Update Manager CS3 --> MsiExec.exe /I{D1C59F81-66FD-4E8E-B9F7-F4B2442D5222} Adobe Version Cue CS3 Client --> MsiExec.exe /I{41C3C974-EC5E-494C-AFE6-E31D92E2E6CB} Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F} Autodesk 3ds Max 9 32-bit --> MsiExec.exe /I{E96D4088-AAC5-437F-9E39-EC0E387897B4} Autodesk 3ds Max 9 SDK --> MsiExec.exe /I{E5490F28-894F-4721-BFFB-D682D74CF93E} Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057} Backburner --> MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379} BitTorrent --> C:\Program Files\BitTorrent\uninst.exe CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A} Corel Paint Shop Pro Photo XI --> MsiExec.exe /X{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4} DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL FBX Plugin 2006.08 for Max 9.0 --> C:\Program Files\Autodesk\FBX\FbxPlugins\2006.08\Max90\Uninstall.exe FileZilla Client 3.0.11 --> C:\Program Files\FileZilla FTP Client\uninstall.exe Final Draft 7 --> MsiExec.exe /I{78D62D17-D970-42DA-B8CF-5E5576293B33} Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72} Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly GRID Demo --> "C:\Program Files\InstallShield Installation Information\{3C850287-4CD5-4FAD-BE39-A4AF7851A7C6}\setup.exe" -runfromtemp -l0x0009 -removeonly GTK+ Runtime 2.12.8 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe" HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050} Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355} LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U Logitech Gaming Software 5.02 --> MsiExec.exe /X{64B20B36-AEE7-4DD4-897C-C5DA5C218F60} Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe" Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 --> "C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe" Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7} Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Mp3tag v2.40 --> C:\Program Files\Mp3tag\Mp3tagUninstall.EXE MSI Live Update 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MSI\Live Update 3\Uninst.isu" MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} MyHeritage Family Tree Builder --> C:\Program Files\MyHeritage\Bin\Uninstall.exe NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI OLYMPUS C-3.0W95E --> C:\WINDOWS\uninst.exe -fC:\OLYMPUS\CAMERA95\DeIsL1.isu On the Rain-Slick Precipice of Darkness, Episode One --> C:\Program Files\Hothead Games\Precipice of Darkness\uninstall.exe OpenAL --> "C:\Program Files\OpenAL\OalinstGridRelease.exe" /U Photo Viewer --> MsiExec.exe /I{67183F00-3DDC-497B-A090-4E2B79EAF1CD} Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe PokerStars --> "E:\Games\PokerStars\PokerStarsUninstall.exe" /u:PokerStars QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175} Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly rFactor (remove only) --> "E:\Dev\rFactor\Uninstall.exe" Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} SOFTIMAGE License Server 1.1.11.1502 --> C:\Program Files\InstallShield Installation Information\{D2975B11-82F4-47D9-A0AC-99E36A0E9ECB}\setup.exe -runfromtemp -l0x0009 -removeonly SOFTIMAGE XSI 6.5 --> C:\Softimage\XSI_6.5\Setup\setup.exe -runfromtemp -l0x0009 -removeonly Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9} TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe" TortoiseSVN 1.4.8.12137 (32 bit) --> MsiExec.exe /X{1E010E57-0453-4A84-A899-47EEA104661C} VideoLAN VLC media player 0.8.6h --> C:\Program Files\VideoLAN\VLC\uninstall.exe Wacom Tablet --> C:\Program Files\Tablet\Wacom\Remove.exe /u Winamp --> "C:\Program Files\Winamp\UninstWA.exe" Winamp Toolbar for Internet Explorer --> "C:\Program Files\Winamp Toolbar\uninstall.exe" Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInstXP.exe /u C:\WINDOWS\system32\DRVSTORE\mr7910_1FFEF370F39864F3AAA62219D434AE06B02B70AB\mr7910.inf Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe" Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840} WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe XML Paper Specification Shared Components Pack 1.0 --> Zune --> C:\Program Files\Zune\ZuneSetup.exe /x Zune --> MsiExec.exe /X{FF70513F-E3A7-402F-84FB-B7810A064BE2} Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF} Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3} -- Application Event Log ------------------------------------------------------- Event Record #/Type2896 / Warning Event Submitted/Written: 08/11/2008 01:42:11 PM Event ID/Source: 4101 / SPM_syslog Event Description: SPM_WARNING (C:\spm\spmdib.exe): The service "SPM License Server" is probably not correctly installed (check registry entries). Event Record #/Type2895 / Error Event Submitted/Written: 08/11/2008 01:42:11 PM Event ID/Source: 4100 / SPM_syslog Event Description: SPM_ERROR (C:\spm\spmdib.exe): Can't get display name for service: "SPM License Server" (The specified service does not exist as an installed service.) Event Record #/Type2893 / Error Event Submitted/Written: 08/11/2008 01:42:08 PM Event ID/Source: 2 / RaySat_3dsmax9_32 Server Event Description: (1632) getservbyname: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x2afc) Event Record #/Type2883 / Warning Event Submitted/Written: 08/10/2008 08:31:58 PM Event ID/Source: 4101 / SPM_syslog Event Description: SPM_WARNING (C:\spm\spmdib.exe): The service "SPM License Server" is probably not correctly installed (check registry entries). Event Record #/Type2882 / Error Event Submitted/Written: 08/10/2008 08:31:58 PM Event ID/Source: 4100 / SPM_syslog Event Description: SPM_ERROR (C:\spm\spmdib.exe): Can't get display name for service: "SPM License Server" (The specified service does not exist as an installed service.) -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type9735 / Warning Event Submitted/Written: 08/11/2008 01:49:57 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Event Record #/Type9710 / Warning Event Submitted/Written: 08/10/2008 11:57:41 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Event Record #/Type9707 / Warning Event Submitted/Written: 08/10/2008 10:37:58 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Event Record #/Type9706 / Warning Event Submitted/Written: 08/10/2008 10:05:05 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Event Record #/Type9705 / Warning Event Submitted/Written: 08/10/2008 09:20:09 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. -- End of Deckard's System Scanner: finished at 2008-08-11 14:00:42 ------------

Mike View Member Profile	Aug 11 2008, 01:33 PM Post #5
Malware Monger Posts: 2,740 OS: XP Professional SP3	Hi there Would you know what F:\Centrum is? What is your F:\ drive (you can look if you go to start > My computer and check the F:\ drive. Could you possibly look (don't run the file!) and see if it is a file or a folder? Right click it and go to properties, tell me what it says there. Please fix this line with Hijack This: O4 - HKCU\..\Run: [ComEn] C:\WINDOWS\system32\zmzmvmpq.exe Now, Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE C:\WINDOWS\system32\zmzmvmpq.exe HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8ccd1d0-511c-11dd-adbb-0019dbf7cb31} Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. And, Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Post back with the logs - also re-run DSS and post with main.txt

RoninJai View Member Profile	Aug 11 2008, 01:53 PM Post #6
Member Posts: 41 OS: XP	F:/Centrum is a keychain flash drive that I use sometimes. (It was free from the Centrum Vitamin people, hence the name.) Its not currently, nor was it, connected to the USB port when I ran those scans. Running out for a bit, I will post new logs when I return. This post has been edited by RoninJai: Aug 11 2008, 01:54 PM

Mike View Member Profile	Aug 11 2008, 02:01 PM Post #7
Malware Monger Posts: 2,740 OS: XP Professional SP3	Good to know I'll wait on the logs.

Mike View Member Profile	Aug 12 2008, 07:32 AM Post #9
Malware Monger Posts: 2,740 OS: XP Professional SP3	Hi there Your logs look good, any problems still? If not we will go on to removing the tools.

RoninJai View Member Profile	Aug 12 2008, 11:38 AM Post #10
Member Posts: 41 OS: XP	Everything seems good on this end. No popups.

Mike View Member Profile	Aug 12 2008, 02:09 PM Post #11
Malware Monger Posts: 2,740 OS: XP Professional SP3	Glad to hear it Let's remove the tools I had you use. Please open OTMoveIt2: Double click OTMoveIt.exe. Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes. Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so. Right-click on "My Computer." The "System Properties" dialogue box will appear, showing a number of tabs. From here you can reset System Restore and configure Automatic Updates. First, click the System Restore tab. Check the box beside "Turn off System Restore" Click "Apply" At the prompt, click "Yes" Wait while your system deletes existing Restore Points, this may take a few moments. Uncheck the box beside "Turn off System Restore" Click "Apply" At the prompt, click "Yes" Your system will now create a new Restore Point. Now that your are clean, you'll want to stay that way. Some important things that you should keep in mind in order to protect yourself: Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse. Things you can do to avoid downloading bad programs: Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none. Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected. Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy. Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer. Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week. Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft. I have listed two programs to boost your security while using no resources. SpywareBlaster Take a look at the tutorial here. ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera. Make a habit of scanning your computer for viruses every week or so and backing up important files regularly. Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

RoninJai View Member Profile	Aug 12 2008, 02:27 PM Post #12
Member Posts: 41 OS: XP	Everything seems to be A-OK. Thank you kind sir, you are a gentleman and a scholar.

Mike View Member Profile	Aug 12 2008, 02:32 PM Post #13
Malware Monger Posts: 2,740 OS: XP Professional SP3	Thanks for the kind words Take care and have a great day still! Mike

Mike View Member Profile	Aug 12 2008, 02:32 PM Post #14
Malware Monger Posts: 2,740 OS: XP Professional SP3	Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Need help removing trojan.vundo [RESOLVED]	4 / 444	27th October 2005 - 03:17 PM SFGiantsCats03 started - last by greyknight17
Virus, Spyware and Trojan Removal Need help removing Trojan.Vundo [RESOLVED] 12	16 / 956	1st November 2005 - 05:35 AM clear gel started - last by don77
Virus, Spyware and Trojan Removal Need help Removing Trojan Downloader.xs, *whataboutadog.com [RESOLVED] 123	36 / 6,455	23rd February 2008 - 04:59 PM JOMO started - last by sage5
Virus, Spyware and Trojan Removal Need help removing Trojan Downloader and HTML/Framer [RESOLVED]	10 / 1,566	18th July 2008 - 11:13 AM Jacksown started - last by Mike