Help with Trojan.W32.Looksky



#1
MargieMurray (Member, 10 posts)
I am not able to delete the Trojan.W32.Looksky that I have contracted.

I read some other posts that said to run some scans, which I have done, and the results are here.

SmitfraudFix
SmitFraudFix v2.222

Scan done at 16:02:48.15, Mon 09/10/2007
Run from C:\Documents and Settings\Margie\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\msmdev.dll FOUND !
C:\WINDOWS\msmhost.dll FOUND !
C:\WINDOWS\nsduo.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Margie


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Margie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Margie\FAVORI~1

C:\DOCUME~1\Margie\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Margie\FAVORI~1\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Margie\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Margie\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Margie\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VideoAccessCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.12
DNS Server Search Order: 68.105.29.12
DNS Server Search Order: 68.105.28.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{95695B4C-59E1-48BF-A286-E2324EF3D3BC}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{95695B4C-59E1-48BF-A286-E2324EF3D3BC}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

DSS Main Log
Deckard's System Scanner v20070905.67
Run by Margie on 2007-09-10 16:14:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
63: 2007-09-10 23:15:54 UTC - RP346 - Deckard's System Scanner Restore Point
62: 2007-09-10 20:56:30 UTC - RP345 - Removed Citrix Presentation Server Client
61: 2007-09-10 20:25:25 UTC - RP344 - Removed Rhapsody Player Engine
60: 2007-09-10 07:34:31 UTC - RP343 - Software Distribution Service 3.0
59: 2007-09-09 22:16:08 UTC - RP342 - System Checkpoint


-- First Restore Point --
1: 2007-07-09 20:32:16 UTC - RP284 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-10 16:31:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\Keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Margie\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft...amp;ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft...amp;ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {3CB70CC2-303F-4A6C-824D-013AE8CFDB6B} - C:\WINDOWS\nsduo.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKEY_LOCAL_MACHINE\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Data Deposit Box.lnk = C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://las.mlxchange...ontrol/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange...ectComboBox.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.passalong...ork/install.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange...ClientUtils.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} () - http://mediaplayer.w...ler/install.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange...ol/IRCSharc.cab
O16 - DPF: {A43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C} (IMMail Class) - http://www.passalong...TPIMActiveX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: msmhost - {0D336F75-53B7-4C34-A050-9C776E180A90} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {9A53D56E-2D9A-4FA9-A9B8-4D65962D6E3C} - C:\WINDOWS\msmdev.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R1 SiSEsc (SISLIB_ESC) - c:\windows\system32\sisesc.sys
R1 SiSkp - c:\windows\system32\drivers\srvkp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® WindowsXP Display Manager>
R3 SiS315 - c:\windows\system32\drivers\sisgrp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® Compatible Super VGA Miniport Driver for Windows XP>

S0 kl1 - c:\windows\system32\drivers\kl1.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - c:\program files\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; Scheduler>

S3 Online Backup Service - c:\program files\data deposit box\data deposit box\nts.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-08-10 and 2007-09-10 -----------------------------

2007-09-10 16:04:52 2670 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-10 16:01:55 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-09-10 16:01:54 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-09-10 16:01:54 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-10 16:01:52 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-09-10 09:24:14 0 d-------- C:\Documents and Settings\Bill\Application Data\Grisoft
2007-09-10 00:17:24 0 d-------- C:\WINDOWS\system32\NtmsData
2007-09-09 23:24:38 286720 --a------ C:\WINDOWS\msmhost.dll <Not Verified; ; msmhost>
2007-09-09 23:24:38 335872 --a------ C:\WINDOWS\msmdev.dll
2007-09-09 23:24:36 237568 --a------ C:\WINDOWS\nsduo.dll <Not Verified; ; nsduo>
2007-09-09 23:23:32 0 d-------- C:\Program Files\VideoAccessCodec
2007-08-31 17:55:30 0 d-------- C:\Documents and Settings\Mikayla\Application Data\Google
2007-08-23 12:35:40 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-08-12 16:02:38 139264 --a------ C:\WINDOWS\system32\IDEproperty.dll <Not Verified; ; IDEproperty Dynamic Link Library>
2007-08-12 16:02:38 49024 --a------ C:\WINDOWS\system32\drivers\sisidex.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
2007-08-12 16:02:37 9472 --a------ C:\WINDOWS\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
2007-08-11 16:07:53 0 d-------- C:\Documents and Settings\Margie\Application Data\Help
2007-08-10 15:17:53 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-10 00:45:00 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-10 00:44:58 0 d-------- C:\Program Files\ffdshow
2007-08-10 00:44:35 36 --a------ C:\WINDOWS\system32\m4p.dat
2007-08-10 00:44:32 0 d-------- C:\Program Files\Mp4 Player


-- Find3M Report ---------------------------------------------------------------

2007-09-10 13:56:42 0 d-------- C:\Program Files\Citrix
2007-09-10 13:56:42 0 d-------- C:\Documents and Settings\Margie\Application Data\ICAClient
2007-09-10 13:25:35 0 d-------- C:\Program Files\Real
2007-09-06 13:07:57 2886 --a------ C:\Program Files\i_view32.ini
2007-08-28 15:46:32 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-23 14:45:30 0 d-------- C:\Documents and Settings\Margie\Application Data\Real
2007-08-23 12:50:44 0 d-------- C:\Program Files\Roxio
2007-08-23 12:50:44 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-08-23 12:37:39 0 d-------- C:\Program Files\QuoteTracker
2007-08-23 12:36:07 0 d-------- C:\Program Files\Apple Software Update
2007-08-23 12:35:09 0 d-------- C:\Program Files\Common Files
2007-08-10 15:15:45 0 d-------- C:\Program Files\QuickTime
2007-07-23 21:39:21 0 d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-07-23 19:49:23 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-07-23 19:49:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-16 23:05:54 372772 --a------ C:\WINDOWS\system32\GeacView.dll <Not Verified; Geac Corp; GeacView Dynamic Link Library>
2007-06-29 15:26:55 4230 --a------ C:\WINDOWS\mozver.dat
2007-06-20 11:59:45 53248 --a------ C:\WINDOWS\system32\silc_dll.dll
2007-06-20 11:59:45 926241 --a------ C:\WINDOWS\system32\model.dat
2007-06-20 11:59:44 729088 --a------ C:\WINDOWS\system32\LDPackage.dll <Not Verified; ; LDPackag Dynamic Link Library>
2007-06-20 11:59:41 249856 --a------ C:\WINDOWS\system32\rlxf.dll <Not Verified; RelevantKnowledge; RelevantKnowledge>
2007-06-20 11:57:40 344064 --a------ C:\WINDOWS\system32\rlls.dll <Not Verified; RelevantKnowledge; RelevantKnowledge>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB70CC2-303F-4A6C-824D-013AE8CFDB6B}]
09/08/2007 08:22 AM 237568 --a------ C:\WINDOWS\nsduo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 03:04 AM]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [01/22/2004 11:59 AM]
"@"="" []
"SoundMan"="SOUNDMAN.EXE" [08/15/2003 04:34 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 07:15 PM]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [09/12/2003 06:46 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 10:06 AM C:\WINDOWS\AGRSMMSG.exe]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [09/10/2007 01:41 PM]
"RemoteControl"="C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe" [10/27/2003 03:04 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Data Deposit Box.lnk - C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe [1/15/2007 10:33:03 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msmhost"= {0D336F75-53B7-4C34-A050-9C776E180A90} - C:\WINDOWS\msmhost.dll [09/08/2007 08:21 AM 286720]
"msmdev"= {9A53D56E-2D9A-4FA9-A9B8-4D65962D6E3C} - C:\WINDOWS\msmdev.dll [09/08/2007 08:21 AM 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-09-10 16:49:42 ------------


DSS Extra Log
Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.50GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 479.48 MiB / 201.07 MiB
Pagefile Memory (total/avail): 1122.18 MiB / 855 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1956.58 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 57.26 GiB total, 33.23 GiB free.
D: is Fixed (NTFS) - 83.01 GiB total, 42.81 GiB free.
E: is Fixed (NTFS) - 28.78 GiB total, 21.47 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L060AVVA07-0 - 57.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 57.26 GiB - C:

\\.\PHYSICALDRIVE1 - ST3120023A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 83.01 GiB - D:
\PARTITION1 - Installable File System - 28.78 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Avira AntiVir PersonalEdition v 6.39.1.112
(Avira GmbH)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Bill\\Local Settings\\Temp\\~os2C5.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Bill\\Local Settings\\Temp\\~os2C5.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Margie\\Local Settings\\Temp\\~os237.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Margie\\Local Settings\\Temp\\~os237.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"c:\\windows\\system32\\rlvknlg.exe"="c:\\windows\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Margie\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MURRAY03
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Margie
LOGONSERVER=\\MURRAY03
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Margie\LOCALS~1\Temp
TMP=C:\DOCUME~1\Margie\LOCALS~1\Temp
USERDOMAIN=MURRAY03
USERNAME=Margie
USERPROFILE=C:\Documents and Settings\Margie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bill (admin)
Margie (admin)
Mikayla (admin)
Mercedes (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Agere Systems PCI Soft Modem --> agrsmdel
AOpen AOConfig 2.00.06 --> "C:\Program Files\AOpen\AOConfig\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Avira AntiVir PersonalEdition Classic --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Data Deposit Box --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD6A909B-7FCB-43FD-95D9-D8801B8693C7}\setup.exe" -l0x9 -removeonly
Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eBook TTReBookLite[1] --> C:\WINDOWS\dbrmdwb.exe "TTReBookLite[1]"
ffdshow [rev 918] [2007-02-12] --> "C:\Program Files\ffdshow\unins000.exe"
Form Viewer --> MsiExec.exe /X{873D68B3-EDE5-4DFD-85AC-FFC430FB7EE2}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
IrfanView (remove only) --> C:\Program Files\iv_uninstall.exe
Lexmark 4200 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
Lexmark 4200 Series Fax Solutions --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{C439D065-5B64-4563-A6B9-1AA202633E13} /l1033 /z/U
Lizardtech DjVu Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105CFC7C-6992-11D5-BD9D-000102C10FD8}\Setup.exe" -l0x9
Media Library Management Wizard --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplibwiz.inf,DefaultUninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MicroWorlds EX Web Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\101\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C15EF442-868C-4524-8935-851224E17392}\setup.exe" -l0x9 -removeonly
MicroWorlds Web Player --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\LCSI\MicroWorlds Web Player\Uninst.isu"
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Bill\Application Data\Move Networks\ie_bin\unins000.exe"
Movie Maker Background Music Files --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (1.5.0.10) --> C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5.0.10 (en-US)"
Mozilla Thunderbird (2.0.0.6) --> C:\PROGRA~1\Mozilla Thunderbird\uninstall\helper.exe
neoDVDstandard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D1AD7439-FBCA-4345-A780-2A5617EBA9DE} /l1033
PassAlong Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC4732F4-665D-4E6B-8E50-74D6B6FBE5A9}\install.exe" -l0x9
PlexTools Professional V2.20 --> MsiExec.exe /X{E5F32102-16F1-42D1-84F4-1E8DCD4A0F7D}
Plus! MP3 Audio Converter LE --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\audcle.inf,DefaultUninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RapidPlayer v4.0 ActiveX Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31C2F32D-C5DD-4583-8181-B48591CA231C}\Setup.exe" -l0x9
Real Estate Transaction Viewer --> C:\PROGRA~1\TRANSA~1\UNWISE.EXE C:\PROGRA~1\TRANSA~1\INSTALL.LOG
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Roxio DVDMax Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0CA1B4-5491-11D7-97BC-00055D0CA761}\setup.exe" -uninstall
SiS 661FX_760_741_M661FX_M760_M741 --> Rundll32 SiSInst.dll,Uninstall VGA,r,0
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
SiSAGP driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC226AC9-0314-496C-BE6A-B6A132628466}\setup.exe" -l0x9
Video Access Codec v1.4 --> C:\Program Files\VideoAccessCodec\Uninstall.exe
Wal-Mart Music Downloads Store --> MsiExec.exe /I{A6A13E30-656F-4876-9B03-FBD4D712BB40}
WebVideo Support --> C:\WINDOWS\main_uninstaller.exe
Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type4322 / Warning
Event Submitted/Written: 09/10/2007 04:35:16 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'VBS/Click.A'
in the file
C:\Documents and Settings\Margie\Local Settings\Temp\tmp361.tmp

Event Record #/Type4321 / Warning
Event Submitted/Written: 09/10/2007 04:35:13 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'VBS/Click.A'
in the file
C:\Documents and Settings\Margie\Local Settings\Temp\tmp361.tmp

Event Record #/Type4316 / Error
Event Submitted/Written: 09/10/2007 03:22:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4299 / Error
Event Submitted/Written: 09/10/2007 01:16:47 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4297 / Error
Event Submitted/Written: 09/10/2007 01:05:58 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9014 / Error
Event Submitted/Written: 09/10/2007 03:34:35 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1

Event Record #/Type8983 / Error
Event Submitted/Written: 09/10/2007 03:31:26 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1

Event Record #/Type8954 / Error
Event Submitted/Written: 09/10/2007 03:07:46 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1

Event Record #/Type8927 / Error
Event Submitted/Written: 09/10/2007 02:54:52 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1

Event Record #/Type8900 / Error
Event Submitted/Written: 09/10/2007 02:46:02 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
kl1



-- End of Deckard's System Scanner: finished at 2007-09-10 16:49:42 ------------

Please advise as to how to proceed from here.

Thanks!
  • 0

#2
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I believe that this is resolved at this point.
  • 0

#3
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hello and welcome MargieMurray

Could you post back a fresh DSS log?
It would be helpful to see the results of ActiveScan.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#4
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is DSS scan report:

Deckard's System Scanner v20070905.67
Run by Margie on 2007-09-13 15:44:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-13 15:45:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Data Deposit Box\Data Deposit Box\backup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Margie\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com...e/yourhome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft...amp;ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft...amp;ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {3CB70CC2-303F-4A6C-824D-013AE8CFDB6B} - C:\WINDOWS\nsduo.dll (file missing)
O4 - HKEY_LOCAL_MACHINE\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKEY_LOCAL_MACHINE\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Data Deposit Box.lnk = C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://las.mlxchange...ontrol/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange...ectComboBox.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.passalong...ork/install.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange...ClientUtils.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} () - http://mediaplayer.w...ler/install.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange...ol/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C} (IMMail Class) - http://www.passalong...TPIMActiveX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe


-- Files created between 2007-08-13 and 2007-09-13 -----------------------------

2007-09-13 15:23:17 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-12 22:00:13 0 d-------- C:\Program Files\Loonies
2007-09-10 16:04:52 2670 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-10 09:24:14 0 d-------- C:\Documents and Settings\Bill\Application Data\Grisoft
2007-09-10 00:17:24 0 d-------- C:\WINDOWS\system32\NtmsData
2007-08-31 17:55:30 0 d-------- C:\Documents and Settings\Mikayla\Application Data\Google
2007-08-23 12:35:40 0 d-------- C:\WINDOWS\SxsCaPendDel


-- Find3M Report ---------------------------------------------------------------

2007-09-11 16:12:40 2847 --a------ C:\Program Files\i_view32.ini
2007-09-10 13:56:42 0 d-------- C:\Program Files\Citrix
2007-09-10 13:56:42 0 d-------- C:\Documents and Settings\Margie\Application Data\ICAClient
2007-09-10 13:25:35 0 d-------- C:\Program Files\Real
2007-08-28 15:46:32 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-23 14:45:30 0 d-------- C:\Documents and Settings\Margie\Application Data\Real
2007-08-23 12:50:44 0 d-------- C:\Program Files\Roxio
2007-08-23 12:50:44 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-08-23 12:37:39 0 d-------- C:\Program Files\QuoteTracker
2007-08-23 12:36:07 0 d-------- C:\Program Files\Apple Software Update
2007-08-23 12:35:09 0 d-------- C:\Program Files\Common Files
2007-08-11 16:07:53 0 d-------- C:\Documents and Settings\Margie\Application Data\Help
2007-08-10 15:15:45 0 d-------- C:\Program Files\QuickTime
2007-08-10 00:45:01 0 d-------- C:\Program Files\ffdshow
2007-08-10 00:44:35 36 --a------ C:\WINDOWS\system32\m4p.dat
2007-07-23 21:39:21 0 d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-07-23 19:49:23 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-07-23 19:49:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-16 23:05:54 372772 --a------ C:\WINDOWS\system32\GeacView.dll <Not Verified; Geac Corp; GeacView Dynamic Link Library>
2007-06-29 15:26:55 4230 --a------ C:\WINDOWS\mozver.dat
2007-06-20 11:59:45 53248 --a------ C:\WINDOWS\system32\silc_dll.dll
2007-06-20 11:59:45 926241 --a------ C:\WINDOWS\system32\model.dat
2007-06-20 11:59:44 729088 --a------ C:\WINDOWS\system32\LDPackage.dll <Not Verified; ; LDPackag Dynamic Link Library>
2007-06-20 11:59:41 249856 --a------ C:\WINDOWS\system32\rlxf.dll <Not Verified; RelevantKnowledge; RelevantKnowledge>
2007-06-20 11:57:40 344064 --a------ C:\WINDOWS\system32\rlls.dll <Not Verified; RelevantKnowledge; RelevantKnowledge>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB70CC2-303F-4A6C-824D-013AE8CFDB6B}]
C:\WINDOWS\nsduo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 03:04 AM]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [01/22/2004 11:59 AM]
"@"="" []
"SoundMan"="SOUNDMAN.EXE" [08/15/2003 04:34 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 07:15 PM]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [09/12/2003 06:46 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 10:06 AM C:\WINDOWS\AGRSMMSG.exe]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [09/10/2007 01:41 PM]
"RemoteControl"="C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe" [10/27/2003 03:04 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Data Deposit Box.lnk - C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe [1/15/2007 10:33:03 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-09-13 15:46:22 ------------
  • 0

#5
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I tried several times to download the Panda scan and could not do it. Only once did I have a window pop up to download ActiveX, which I allowed. Every other time I tried to download the scan I got this message:

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.

Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...


I tried restarting my system and still received the same message.

Can you tell from the updated DSS scan if my computer is clean?

Margie
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looks good but I would still like to see an online scan

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”


O2 - BHO: MSVPS System - {3CB70CC2-303F-4A6C-824D-013AE8CFDB6B} - C:\WINDOWS\nsduo.dll (file missing)


Close out HJT

Next
TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Post back a fresh HJT log for me please
  • 0

#7
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I did the fix that you asked for. Here is the HJT log following that:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:27 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com...e/yourhome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Data Deposit Box.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://las.mlxchange...ontrol/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange...ectComboBox.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.passalong...ork/install.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange...ClientUtils.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange...ol/IRCSharc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C} (IMMail Class) - http://www.passalong...TPIMActiveX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe

--
End of file - 6142 bytes


I cannot run the other scan that you recommended. It gets to my Napster music files and stops.

MargieMurray
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of rlls.dll .
  • Select every instance of it and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
Next

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Post back a fresh HJT log please
  • 0
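A small triage helper for HijackThis-style logs like the ones posted in this thread, added here as an illustration (it is not code from HijackThis, DSS, LSPFix or any poster). Its sample input is constructed from lines quoted above, and it flags the three things acted on in this thread: an O2 BHO whose DLL is missing, O10 Winsock LSP entries pointing at an unidentified DLL (counted per DLL, since a layered provider has one catalog entry per protocol it wraps), and O23 services with an unknown publisher.

```python
"""HijackThis-style log triage, added as an illustration for this thread.

Not code from HijackThis, DSS, LSPFix or any poster; it only parses the log
format quoted in the thread and flags the patterns the helper acted on:
  * O2  - a Browser Helper Object whose DLL is no longer on disk
  * O10 - Winsock LSP catalog entries pointing at a DLL HijackThis cannot identify
  * O23 - services whose publisher HijackThis could not determine
"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the logs posted in this thread. The O10
# line repeats, as in the real log, once per Winsock catalog entry.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {3CB70CC2-303F-4A6C-824D-013AE8CFDB6B} - C:\WINDOWS\nsduo.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe
"""

# One HijackThis entry per line: a section tag (R0, R1, O2, O4, O10 ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Group entry bodies by section tag; process lists and headers are skipped."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return entries


def missing_bhos(entries):
    """O2 BHOs registered in IE whose DLL is gone: (CLSID, path) pairs.
    The registration itself is the leftover that still needs removing."""
    found = []
    for body in entries.get("O2", []):
        if body.endswith("(file missing)"):
            clsid = CLSID_RE.search(body)
            path = body.split(" - ")[-1].replace(" (file missing)", "")
            found.append((clsid.group(0) if clsid else "?", path))
    return found


def unknown_lsp_files(entries):
    """Count O10 'Unknown file in Winsock LSP' lines per DLL (case-folded).
    An LSP is chained into one catalog entry per protocol it layers over,
    so the same DLL normally appears several times."""
    counts = Counter()
    prefix = "Unknown file in Winsock LSP: "
    for body in entries.get("O10", []):
        if body.startswith(prefix):
            counts[body[len(prefix):].lower()] += 1
    return dict(counts)


def unknown_owner_services(entries):
    """O23 services HijackThis could not attribute to a publisher: (name, path)."""
    found = []
    for body in entries.get("O23", []):
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[1] == "Unknown owner":
            found.append((parts[0].replace("Service: ", ""), parts[-1]))
    return found


def triage(log_text):
    """Run every check and return the findings keyed by check name."""
    entries = parse_entries(log_text)
    return {
        "missing_bho": missing_bhos(entries),
        "unknown_lsp": unknown_lsp_files(entries),
        "unknown_owner_service": unknown_owner_services(entries),
    }


def report(log_text):
    """Readable summary; the LSP note states why the catalog, not just the
    DLL, has to be repaired: a dangling chain entry leaves Winsock unable to
    load the stack, which shows up as total loss of network connectivity."""
    f = triage(log_text)
    out = []
    for clsid, path in f["missing_bho"]:
        out.append(f"O2  BHO {clsid} -> {path}: registration left behind, DLL missing")
    for path, n in f["unknown_lsp"].items():
        out.append(f"O10 LSP {path}: referenced by {n} Winsock catalog entries; "
                   "remove the catalog entries together with the DLL or the chain breaks")
    for name, path in f["unknown_owner_service"]:
        out.append(f"O23 service '{name}' ({path}): publisher unknown, verify manually")
    return "\n".join(out) if out else "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```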

#9
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I completed all of the above steps; however, I am now unable to access the internet from that computer. I am posting this from a second computer on my network, so I know the network is working.
  • 0

#10
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I have gone online with live chat with both my router manufacturer (re-entered all the router settings) and my ISP provider and they have diagnosed that the problem is with the computer and not their services/equipment.

Please help. I am still unable to connect to the Internet.
  • 0

#11
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Do you have a floppy disc?

Can you do the following? This will give both the main and extra txt from DSS. Copy them to the floppy, carry them over to the machine that has access and post the logs for me please.

Click on Start, click on Run.
Copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished, please post back both logs that open in notepad:
Main txt and extra txt
  • 0

#12
MargieMurray

MargieMurray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for your assistance.

I tried the steps that you asked for and was unable to open DSS in that manner. I did still have the shortcut on my desktop so opened it from there and it automatically ran the scan. Here is the only report log that came up.

Deckard's System Scanner v20070905.67
Run by Margie on 2007-09-17 19:52:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as Margie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:12 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe
C:\Program Files\Data Deposit Box\Data Deposit Box\backup.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Margie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Margie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Data Deposit Box.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://las.mlxchange...ontrol/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://las.mlxchange...ectComboBox.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.passalong...ork/install.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://las.mlxchange...ClientUtils.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://las.mlxchange...ol/IRCSharc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C} (IMMail Class) - http://www.passalong...TPIMActiveX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineco...loadcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95695B4C-59E1-48BF-A286-E2324EF3D3BC}: NameServer = 68.105.28.12,68.105.29.1
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe

--
End of file - 6156 bytes

-- Files created between 2007-08-17 and 2007-09-17 -----------------------------

2007-09-16 23:09:55 0 d-------- C:\Program Files\BroadJump
2007-09-16 17:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-16 17:23:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-16 17:23:14 0 d-------- C:\Documents and Settings\Margie\Application Data\SUPERAntiSpyware.com
2007-09-16 13:25:30 0 d-------- C:\Restore
2007-09-15 13:58:07 0 d-------- C:\Documents and Settings\Margie\.housecall6.6
2007-09-15 13:57:17 0 d-------- C:\WINDOWS\Sun
2007-09-15 13:57:17 0 d-------- C:\Documents and Settings\Margie\Application Data\Sun
2007-09-15 13:55:51 0 d-------- C:\Program Files\Java
2007-09-15 13:55:21 0 d-------- C:\Program Files\Common Files\Java
2007-09-15 13:47:18 0 d-------- C:\Program Files\Trend Micro
2007-09-13 15:23:17 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-12 22:00:13 0 d-------- C:\Program Files\Loonies
2007-09-10 16:04:52 2964 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-10 09:24:14 0 d-------- C:\Documents and Settings\Bill\Application Data\Grisoft
2007-09-10 00:17:24 0 d-------- C:\WINDOWS\system32\NtmsData
2007-08-31 17:55:30 0 d-------- C:\Documents and Settings\Mikayla\Application Data\Google
2007-08-23 12:35:40 0 d-------- C:\WINDOWS\SxsCaPendDel


-- Find3M Report ---------------------------------------------------------------

2007-09-17 08:14:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-15 13:55:21 0 d-------- C:\Program Files\Common Files
2007-09-14 15:35:13 2875 --a------ C:\Program Files\i_view32.ini
2007-09-10 13:56:42 0 d-------- C:\Program Files\Citrix
2007-09-10 13:56:42 0 d-------- C:\Documents and Settings\Margie\Application Data\ICAClient
2007-09-10 13:25:35 0 d-------- C:\Program Files\Real
2007-08-28 15:46:32 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-23 14:45:30 0 d-------- C:\Documents and Settings\Margie\Application Data\Real
2007-08-23 12:50:44 0 d-------- C:\Program Files\Roxio
2007-08-23 12:50:44 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-08-23 12:37:39 0 d-------- C:\Program Files\QuoteTracker
2007-08-23 12:36:07 0 d-------- C:\Program Files\Apple Software Update
2007-08-11 16:07:53 0 d-------- C:\Documents and Settings\Margie\Application Data\Help
2007-08-10 15:15:45 0 d-------- C:\Program Files\QuickTime
2007-08-10 00:45:01 0 d-------- C:\Program Files\ffdshow
2007-08-10 00:44:35 36 --a------ C:\WINDOWS\system32\m4p.dat
2007-07-23 21:39:21 0 d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-07-23 19:49:23 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-07-23 19:49:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-16 23:05:54 372772 --a------ C:\WINDOWS\system32\GeacView.dll <Not Verified; Geac Corp; GeacView Dynamic Link Library>
2007-06-29 15:26:55 4230 --a------ C:\WINDOWS\mozver.dat
2007-06-20 11:59:45 53248 --a------ C:\WINDOWS\system32\silc_dll.dll
2007-06-20 11:59:45 926241 --a------ C:\WINDOWS\system32\model.dat
2007-06-20 11:59:44 729088 --a------ C:\WINDOWS\system32\LDPackage.dll <Not Verified; ; LDPackag Dynamic Link Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 03:04 AM]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [01/22/2004 11:59 AM]
"@"="" []
"SoundMan"="SOUNDMAN.EXE" [08/15/2003 04:34 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 07:15 PM]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [09/12/2003 06:46 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 10:06 AM C:\WINDOWS\AGRSMMSG.exe]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [09/10/2007 01:41 PM]
"RemoteControl"="C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe" [10/27/2003 03:04 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Data Deposit Box.lnk - C:\Program Files\Data Deposit Box\Data Deposit Box\startup.exe [1/15/2007 10:33:03 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-09-17 19:52:46 ------------

Will this be enough for you to tell what is going on?

#13
don77 (Malware Expert, Retired Staff, 18,526 posts)
Let's check some settings on your system:
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen
  • Restart the computer
Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
regsvr32 netshell.dll
regsvr32 netcfgx.dll
regsvr32 netman.dll

Exit

Restart the computer.
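The first thing the reply above targets is the O17 NameServer entry in the posted log: a NameServer value hard-coded under the Tcpip service key overrides the resolvers the ISP hands out, so whoever controls those addresses controls the answers to every DNS lookup the machine makes. The check below is an added example, not code from this thread or from HijackThis; it pulls O17 entries out of a HijackThis log and flags any resolver that is malformed or not in an allow-list the reader supplies. The sample log is constructed (one line taken from the posted log plus a made-up second entry), and EXPECTED_RESOLVERS is an assumption: the thread never says whether 68.105.28.12 and 68.105.29.1 are the ISP's real servers.

```python
import re
from ipaddress import ip_address

# Matches a HijackThis O17 entry, e.g.
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4,5.6.7.8
O17_RE = re.compile(
    r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9A-Fa-f:.,]+)\s*$"
)

# SAMPLE INPUT (constructed for this example): the O17 line from the posted
# log, plus a second, made-up entry whose resolver is not on the allow-list.
# The O23 line is there only to show that non-O17 lines are ignored.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{95695B4C-59E1-48BF-A286-E2324EF3D3BC}: NameServer = 68.105.28.12,68.105.29.1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# ASSUMPTION: the resolvers the ISP actually assigns. The thread does not say
# whether these two addresses are legitimate; the set is illustrative only.
EXPECTED_RESOLVERS = {"68.105.28.12", "68.105.29.1"}


def parse_o17(log_text):
    """Return a list of (registry_key, [servers]) for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        servers = [s for s in m.group("servers").split(",") if s]
        entries.append((m.group("key"), servers))
    return entries


def find_unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Flag resolvers that are not valid IPs or are outside the expected set.

    Returns a list of (registry_key, server, reason) tuples; an empty list
    means every O17 entry points only at expected resolvers.
    """
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                ip_address(server)
            except ValueError:
                findings.append((key, server, "not a valid IP address"))
                continue
            if server not in expected:
                findings.append((key, server, "not in expected resolver set"))
    return findings


if __name__ == "__main__":
    for key, server, reason in find_unexpected_resolvers(SAMPLE_LOG):
        print(f"SUSPECT {server} ({reason}) under {key}")
```

Run it over a saved HijackThis log before and after switching the connection back to "Obtain DNS servers automatically"; the point is to confirm that the O17 entries now list only resolvers you recognise, rather than trusting that the reset took effect.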

#14
MargieMurray (Topic Starter, Member, 10 posts)
I have followed all of the listed steps.

When I entered the commands in red the first one (regsvr32 netshell.dll) gave me a message saying not recognized as command operable program or batch file. The other two were successful.

I don't know if this is helpful, but when I run Windows diagnostics for connectivity it tells me that there is a corrupted IP routing table and the default route is missing or invalid.

Just FYI, I am leaving on vacation early Wednesday morning. If this is not resolved by Tuesday night I won't be able to respond for two weeks.

Edited by MargieMurray, 18 September 2007 - 09:30 AM.


#15
MargieMurray (Topic Starter, Member, 10 posts)
My husband was able to download a fix program that fixed our problem.

Thanks for your time and assistance. All is running well now.