
Firefox spyware please help [RESOLVED]


  • This topic is locked

#1
brain1212
Member, 14 posts
I have been reading other people's posts similar to my situation and thought this would be a great place to get some help. The same Windows alert window pops up when I get on Firefox or IE. I have uninstalled Firefox for the time being and am using Mozilla Firebird as a browser for now (and I have not received a pop-up yet). Another thing that has been happening for a long while now is my browser (Firefox or Firebird) likes to crash all the time. I don't know if this is some spyware/virus or not, but I would like some guidance if possible. Please look at my HijackThis log and help me out. Any help is much appreciated, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:20 AM, on 1/5/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
D:\apps\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\apps\VirusScan\VsStat.exe
D:\apps\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\apps\VirusScan\Avconsol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINNT\system32\wuauclt.exe
D:\Apps\NetGear\wlancfg4.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\MOZILLA\MOZILL~1\MOZILL~1.EXE
C:\Documents and Settings\Brian Norris\Desktop\Stuff\Virus stuff\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bftwym.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bftwym.t.rack.cc/sp.php (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bftwym.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bftwym.t.rack.cc/sp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bftwym.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bftwym.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bftwym.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bftwym.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdot.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\BRIANN~1\LOCALS~1\Temp\loglnhk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\apps\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = D:\Apps\NetGear\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Apps\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Apps\AOL\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Games\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Games\PartyPoker.net\partypokernet.exe (file missing)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\apps\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: FTP Publishing Service (MSFTPSVC) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Simple Mail Transport Protocol (SMTP) (SMTPSVC) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: World Wide Web Publishing Service (W3SVC) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINNT\System32\mspmspsv.exe (file missing)

--
End of file - 7459 bytes

Please help.

#2
brain1212
Topic Starter, Member, 14 posts
Is there anyone that can help me?

#3
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
Hi there, I am sorry for the delay. I will need a fresh look at your system.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#4
brain1212
Topic Starter, Member, 14 posts
Thanks for your response.

I downloaded DSS to my desktop and started the program up. The problem is that the program keeps crashing when it is "examining drivers". A program error box pops up and says "DSS has generated errors and will be closed by Windows". I tried multiple times and I get the same results. (No additional windows were open.)

Do you have any suggestions on what I need to do?

Oh yeah, I even disabled ZoneAlarm and McAfee and did the same thing.

Edited by brain1212, 09 February 2008 - 02:23 PM.


#5
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK then, let's try another spyware scan first to see if that works and/or reveals anything.

FIRST

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bftwym.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bftwym.t.rack.cc/sp.php (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bftwym.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bftwym.t.rack.cc/sp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bftwym.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bftwym.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bftwym.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bftwym.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdot.net
O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\BRIANN~1\LOCALS~1\Temp\loglnhk.dll


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Download and then run SuperAntispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found; click OK
  • On the next screen place a tick against all items and select NEXT
  • Now, to get the log, go to the PREFERENCES button at the bottom right
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a Notepad text file; copy and paste this into your next reply

Logs required: SUPERAntiSpyware and HijackThis
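The review Essexboy did by hand in the post above (spot the R0/R1 start and search pages pointing at unknown hosts, spot the BHO DLL loaded from a Temp directory) can be mechanised. The script below is an added example written for this page; it is not code from the thread, from Trend Micro HijackThis or from Geeks to Go. It parses HijackThis R0/R1, O2 and O23 lines and flags start/search-page values whose host is outside an allowlist (the allowlist here is an assumption for the example, not a Microsoft default list), BHO DLLs loaded from a Temp directory (as loglnhk.dll was), and services whose binary is reported missing. The sample lines are copied from the HijackThis log posted at the top of this thread.

```python
"""Triage helper for HijackThis log lines (added example for this thread;
not part of HijackThis or of the thread's own tooling).

It mirrors the manual review done by the moderator: R0/R1 lines whose URL
host is outside an allowlist are treated as browser hijacks, an O2 BHO
loaded from a Temp directory is suspicious, and an O23 service whose binary
is missing is reported at info level for follow-up.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts acceptable as IE start/search pages; adjust to
# whatever your own environment actually sets.
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "go.microsoft.com"}

# Lower-cased path fragments meaning "loaded from a temporary directory".
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

# R0/R1: browser start and search page settings.
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)(?P<note> \(obfuscated\))?$")
# O2: Browser Helper Objects (name, CLSID, DLL path).
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O23: services (name, owner, binary path, optional "(file missing)").
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Lines copied from the HijackThis log posted at the start of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bftwym.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/w/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\BRIANN~1\LOCALS~1\Temp\loglnhk.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
"""


def triage(log_text):
    """Return a list of finding dicts for the suspicious lines in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append({"kind": "browser_hijack", "severity": "high",
                                 "where": f"{m['key']},{m['value']}", "host": host,
                                 "obfuscated": bool(m["note"]), "line": line})
            continue
        m = O2_LINE.match(line)
        if m:
            if any(marker in m["path"].lower() for marker in TEMP_MARKERS):
                findings.append({"kind": "bho_in_temp", "severity": "high",
                                 "clsid": m["clsid"], "path": m["path"], "line": line})
            continue
        m = O23_LINE.match(line)
        if m and m["missing"]:
            findings.append({"kind": "dangling_service", "severity": "info",
                             "where": m["name"], "path": m["path"], "line": line})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'browser_hijack': 5, 'bho_in_temp': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['kind']}: {f['line']}")
    print(summarize(results))
```

On the sample lines this reports five browser hijacks (one of them marked obfuscated, for the t.rack.cc start page), the loglnhk.dll BHO in Temp, and one service with a missing binary. The O23 entries are reported at info level only: in this log they are leftover registrations of Windows 2000 IIS services with no binary on disk, and the moderator did not ask to fix them.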

#6
brain1212
Topic Starter, Member, 14 posts
I guess there was some nasty stuff in there. It already removed the files and I rebooted my computer. I am still getting pop-ups too. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 08:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 00:44:08

Memory items scanned : 321
Memory threats detected : 0
Registry items scanned : 4544
Registry threats detected : 0
File items scanned : 26198
File threats detected : 68

Adware.Tracking Cookie
C:\Documents and Settings\Brian Norris\Cookies\brian norris@doubleclick[1].txt
C:\Documents and Settings\Brian Norris\Cookies\brian norris@casalemedia[2].txt
C:\Documents and Settings\Brian Norris\Cookies\brian [email protected][1].txt
C:\Documents and Settings\Brian Norris\Cookies\brian [email protected][2].txt
C:\Documents and Settings\Brian Norris\Cookies\brian norris@da-tracking[2].txt
C:\Documents and Settings\Brian Norris\Cookies\brian norris@specificclick[1].txt
C:\Documents and Settings\Brian Norris\Cookies\brian [email protected][1].txt
C:\Documents and Settings\Brian Norris\Cookies\brian norris@2o7[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@2o7[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@addynamix[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@adprofile[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@advertising[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@atdmt[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@atwola[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@bannerspace[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@bizrate[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@bluestreak[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@dealtime[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@doubleclick[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@fastclick[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@hitbox[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@intellisrv[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@maxserving[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@mediaplex[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@metareward[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@netfastmedia[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@optimost[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@overture[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@partypoker[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@pointroll[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@qksrv[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@questionmarket[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@realmedia[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@rightmedia[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@serving-sys[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@targetnet[2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@trafficmp[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@tribalfusion[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@tripod[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@windowsmedia[1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][2].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian [email protected][1].txt
C:\Deckard\System Scanner\20080209150627\backup\DOCUME~1\BRIANN~1\LOCALS~1\Temp\Cookies\brian norris@zedo[2].txt

Dialer.Columb-ContentAccessPlugin
C:\DECKARD\SYSTEM SCANNER\20080209150627\BACKUP\DOCUME~1\BRIANN~1\LOCALS~1\TEMP\DIA3C.EXE

Trojan.ToolbarCC
C:\DECKARD\SYSTEM SCANNER\20080209150627\BACKUP\DOCUME~1\BRIANN~1\LOCALS~1\TEMP\LOGLNHK.DLL

Parasite.CoolWebSearch Variant
C:\DOCUMENTS AND SETTINGS\BRIAN NORRIS\APPLICATION DATA\WINLINK\WINLINK.DLL

Trojan.Downloader-Gen/SVCHost-Fake
C:\SVCHOST.EXE

W32.MyDoom
C:\WINNT\SYSTEM32\SVHOST.EXE

Just want to thank you for all of the help so far.

Edited by brain1212, 09 February 2008 - 08:15 PM.


#7
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
I would now like you to retry the DSS programme.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

If that should fail again, then:

We will now do a deep search of your processes and files.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

#8
brain1212
Topic Starter, Member, 14 posts
DSS failed again, so here are the zip files from AVZ.

There are three log files. The first zip file (virusinfo_cure.zip) was the first scan I did, and when it was about 86% through a window popped up saying something about an address failure (sorry, I didn't remember it all). Don't know if you had ever seen or heard of that before.

So I did another "Healing/Quarantine and Advanced System Investigation" scan and this time no error box came up. This zip file is "virusinfo_syscure.zip".

And the last scan after reboot was done (Advanced System Analysis).

EDIT: Well I just realized that the file "virusinfo_cure.zip" is too large to upload to the site (0.98 MB)

Attached Files


Edited by brain1212, 10 February 2008 - 08:41 AM.


#9
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
There is a possible rootkit there; I will try this programme first to try and get rid of it. If that fails I will go for a bigger hammer.

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    DeleteFile('aijtzvo.exe');
    DeleteFile('C:\documents and settings\brian norris\local settings\application data\aijtzvo.exe');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post

#10
brain1212
Topic Starter, Member, 14 posts
Here it is.

Attached Files



#11
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK that appears to have killed it :)

One more tool to use to confirm

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#12
brain1212
Topic Starter, Member, 14 posts
ComboFix Log:

ComboFix 08-02.05.3 - Brian Norris 02/10/2008 10:19:27.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.73 [GMT -5:00]
Running from: C:\Documents and Settings\Brian Norris\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Brian Norris\Local Settings\Application Data\aijtzvo.dat
C:\Documents and Settings\Brian Norris\Local Settings\Application Data\aijtzvo_nav.dat
C:\Documents and Settings\Brian Norris\Local Settings\Application Data\aijtzvo_navps.dat
C:\WINNT\system32\Cache
C:\WINNT\system32\nvs2.inf
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 19:48 . 08-02-09 20:48 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2008-02-09 19:48 . 08-02-09 19:48 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 19:48 . 08-02-09 19:48 <DIR> d----c--- C:\Documents and Settings\Brian Norris\Application Data\SUPERAntiSpyware.com
2008-02-09 19:48 . 08-02-09 19:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-09 14:59 . 08-02-09 14:59 <DIR> d----c--- C:\Deckard
2008-02-07 11:17 . 08-02-07 11:18 <DIR> d----c--- C:\Program Files\Intel
2008-02-07 11:17 . 06-01-12 14:52 1,904 -----c--- C:\WINNT\system32\SetupBD.din

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 13:55 --------- dc----w C:\Documents and Settings\Brian Norris\Application Data\winshow
2008-02-10 02:02 --------- dc----w C:\Program Files\Common Files\Caere
2008-02-10 01:39 --------- dc----w C:\Documents and Settings\Brian Norris\Application Data\winlink
2008-02-07 15:20 5,976,302 -c--a-w C:\WINNT\Internet Logs\tvDebug.zip
2008-01-12 20:18 --------- dc----w C:\Program Files\Viewpoint
2008-01-12 20:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-12 20:17 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-01-12 20:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-12 20:11 --------- dc----w C:\Documents and Settings\Brian Norris\Application Data\Canon
2008-01-01 14:34 --------- dc----w C:\Program Files\Maxis
2007-12-11 23:39 --------- dc----w C:\Program Files\Yahoo!
2007-08-05 22:08 1,353,728 -c--a-w C:\WINNT\Internet Logs\xDB2.tmp
2007-08-05 22:04 1,353,728 -c--a-w C:\WINNT\Internet Logs\xDB1.tmp
2002-04-21 01:37 271 ---h--w C:\Program Files\desktop.ini
2002-04-21 01:37 21,952 -c-h--w C:\Program Files\folder.htt
2001-11-23 16:08 712,704 -c--a-w C:\WINNT\inf\OTHER\audio3d.dll
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [01-11-15 10:08 1216512 C:\WINNT\mixer.exe]
"NeroCheck"="C:\WINNT\System32\NeroCheck.exe" [01-08-06 19:03 155648]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [03-10-06 14:16 5058560]
"QuickTime Task"="D:\apps\quicktime\qttask.exe" [ ]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [02-10-14 14:09 57344]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-08 23:02 919280]
"Synchronization Manager"="mobsync.exe" [99-12-07 07:00 111376 C:\WINNT\system32\mobsync.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-12-09 18:14 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 07:00 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-15 18:03:03 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
MA111 Configuration Utility.lnk - D:\Apps\NetGear\wlancfg.exe [2005-12-27 14:51:40 459264]
Microsoft Office.lnk - D:\Apps\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 02-07-22 14:05 139024 C:\WINNT\system32\NWPROVAU.DLL

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS [00-05-27 03:37 ]
R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [01-05-04 10:24 ]
S2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINNT\System32\inetsrv\inetinfo.exe []
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 11:22 ]
S3 ELNK3;3Com EtherLink III;C:\WINNT\system32\DRIVERS\elnk3.sys [99-09-24 18:16 ]
S3 ENDETECT;ENDETECT;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS []
S3 L2XPSR;L2XPSR;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS []
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS []
S3 NTSTPL2;NTSTPL2;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS []
S3 OlCamudp;OLYMPUS Digital Camera;C:\WINNT\system32\Drivers\olcamudp.sys [00-02-08 08:55 ]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS []
S3 UNDPX2A;UNDPX2A;C:\WINNT\system32\drivers\UNDPX2A.SYS []
S3 USB_RNDIS_2K;Westell WireSpeed Dual Connect Modem;C:\WINNT\system32\DRIVERS\usb8023k.sys [84-02-05 19:28 ]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [01-10-18 15:35 ]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINNT\system32\DRIVERS\MA111nd5.sys [02-12-23 09:35 ]
S3 XIRLINK;Veo PC Camera;C:\WINNT\system32\DRIVERS\ucdnt.sys [02-05-22 21:55 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 10:24:47
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\Apps\NetGear\wlancfg4.EXE
.
**************************************************************************
.
Completion time: 2008-02-10 10:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 15:26:34


---------------------------------------
------------------------------------------
---------------------------------------------

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:49 AM, on 2/10/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Apps\NetGear\wlancfg4.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brian Norris\Desktop\Stuff\Virus stuff\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\apps\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = D:\Apps\NetGear\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Apps\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Apps\AOL\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.belk...c.com/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: FTP Publishing Service (MSFTPSVC) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Simple Mail Transport Protocol (SMTP) (SMTPSVC) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: World Wide Web Publishing Service (W3SVC) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINNT\System32\mspmspsv.exe (file missing)

--
End of file - 4592 bytes

#13
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks a lot better - how is your system running now?

#14
brain1212

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Seems to be running good. No pop ups yet. Seems a little bit quicker too. I sure do appreciate your time and help on this problem I had.

I do have a question for you.

I have another computer here (it doesn't seem to be infected, or at least not acting like my computer was). If I took the same steps on it that you told me to do on mine, should that be an effective way of killing any viruses/trojans/etc. off?

If I put that same rootkit code on a computer that MAY not be infected, would it in any way mess anything up?

Again, I do really appreciate all of your help. THANK YOU!!!

#15
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I have another computer here (it doesn't seem to be infected, or at least not acting like my computer was). If I took the same steps on it that you told me to do on mine, should that be an effective way of killing any viruses/trojans/etc. off?

If I put that same rootkit code on a computer that MAY not be infected, would it in any way mess anything up?

In a nutshell, yes: all the fixes were tailored to your current machine. If the other one is infected I would need to treat that as a different entity. You can post the log for that one next if you wish and I will look at it.

Now the best part of the day ----- Your log now appears clean :)

You may now delete all the programmes I had you download


Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System Tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point.
3. Click NEXT.
4. Enter a name, e.g. Clean.
5. Click CREATE.

You now have a clean restore point; to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
2. In the drop-down box that appears select your main drive, e.g. C.
3. Click OK.
4. The system will do some calculation and then display a dialogue box with TABS.
5. Select the More Options tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this.
7. Accept the warning and select OK again. The program will close and you are done.
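The same two procedures scripted for an elevated Windows PowerShell 5.1 prompt on Windows 7 or later, as an added example that is not part of Essexboy's post: the Windows 2000/XP GUI steps above have no scripting equivalent on those releases, so a newer Windows is assumed, and the drive and restore point name are the post's own (C: and "Clean").

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post. Assumes Windows PowerShell 5.1 on Windows 7
# or later, run elevated; Windows 2000/XP do not ship these cmdlets.

$systemDrive = $env:SystemDrive          # e.g. C:
$driveRoot   = $systemDrive + '\'        # Enable-ComputerRestore wants the root path

# Procedure 1: create the "Clean" restore point. System Protection must be on
# for the drive first, otherwise Checkpoint-Computer fails.
Enable-ComputerRestore -Drive $driveRoot
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'
# Caveat: Windows 8 and later skip creation (with a warning) if another restore
# point was made within the last 24 hours; check the output before continuing.

# Procedure 2: Disk Cleanup's "More Options > System Restore > Clean up" keeps
# only the most recent restore point. Restore points are stored as VSS shadow
# copies, so deleting the oldest shadow until a single restore point remains
# has the same effect. The loop is bounded by the starting count so it cannot
# run on if a shadow that is not a restore point is removed instead.
$before = @(Get-ComputerRestorePoint).Count
for ($i = 0; $i -lt $before -and @(Get-ComputerRestorePoint).Count -gt 1; $i++) {
    vssadmin.exe Delete Shadows "/For=$systemDrive" /Oldest /Quiet
    if ($LASTEXITCODE -ne 0) { break }   # stop on a VSS error instead of retrying blindly
}

# Verify: the only remaining entry should be the one named Clean.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, RestorePointType, CreationTime -AutoSize
```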



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


Keep safe :)