Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Blue/Yellow Spyware Warning! [RESOLVED]

Started by keanu53 , Jun 14 2008 11:08 AM

  • This topic is locked This topic is locked

#1
keanu53
Posted 14 June 2008 - 11:08 AM

keanu53

    New Member

  • Member
  • Pip
  • 7 posts
Hello,
I need help. I have been infected and cant seem to get rid of this virus/spyware. Can anyone help me. I have read some of the other posts and pasted my log from Hijackthis below.


Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 12:57:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:35 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {791699A3-79E5-404E-947F-68FB1D4E57BD} - C:\WINDOWS\system32\awtsPhhg.dll
O4 - HKLM\..\Run: [e435bda0] rundll32.exe "C:\WINDOWS\system32\ymninydj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

--
End of file - 2303 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 12:14:32 92544 --a------ C:\WINDOWS\system32\ymninydj.dll
2008-06-14 12:13:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 12:13:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 12:13:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:45:25 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-19 17:39:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 17:38:49 0 d-------- C:\Program Files\Spyware Doctor
2008-05-19 17:38:49 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-19 17:34:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-19 17:30:54 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-19 17:26:36 0 d-------- C:\Program Files\CCleaner
2008-05-19 17:19:28 0 d-------- C:\Program Files\Trend Micro
2008-05-17 12:50:49 0 d-------- C:\Documents and Settings\Owner\Application Data\AXPDefender
2008-05-17 12:50:37 0 d-------- C:\Program Files\AXPDefender
2008-05-16 22:28:58 237776 --ahs---- C:\WINDOWS\system32\ghhPstwa.ini2
2008-05-16 22:28:53 317824 --a------ C:\WINDOWS\system32\awtsPhhg.dll
2008-05-16 22:24:17 15360 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-16 22:24:12 29824 --a------ C:\WINDOWS\system32\cbXOfdBQ.dll
2008-05-16 22:24:06 81920 --a------ C:\WINDOWS\oadkxrts.exe
2008-05-16 22:24:05 212992 --a------ C:\WINDOWS\vbksrofa.dll
2008-05-16 22:22:55 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>


-- Find3M Report ---------------------------------------------------------------

2008-05-15 22:24:25 0 d-------- C:\Program Files\LimeWire
2008-05-07 16:32:31 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-05-07 16:26:25 50288 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-05 17:17:18 0 d-------- C:\Program Files\iTunes
2008-05-05 17:15:44 0 d-------- C:\Program Files\iPod
2008-05-05 17:11:30 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{791699A3-79E5-404E-947F-68FB1D4E57BD}]
05/16/2008 10:28 PM 317824 --a------ C:\WINDOWS\system32\awtsPhhg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e435bda0"="C:\WINDOWS\system32\ymninydj.dll" [06/14/2008 12:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 06/14/2008 11:22 AM 15360 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtsPhhg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmT63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\weJ85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c109d842-bda1-11db-b529-0050da21e74c}]
AutoRun\command- fooool.exe
explore\Command- fooool.exe
open\Command- fooool.exe

*Newly Created Service* - MBAMCATCHME



-- End of Deckard's System Scanner: finished at 2008-06-14 13:00:54 ------------
  • 0

Advertisements

#2
Rorschach112
Posted 14 June 2008 - 12:12 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

  • Download FixIEDef.exe by ShadowPuterDude to the Desktop.
  • Double-click FixIEDef.exe.
    Posted Image
  • Click the Extract Button.
    Posted Image
  • There will be a new folder on your desktop. Locate the FixIEDef folder and double click.
    Posted Image
  • Locate FixIEDef.bat and double-click on it.
    Posted Image

    WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running. The icons and Start Menu on your Desktop will not be visible while FixIEDef is running. This is necessary to remove parts of the infection that would otherwise not be removed. FixIEDef will re-start Explorer at the end of the removal process

    NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry. As FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

    FixIEDef will now run.
    Posted Image
  • You can safely close the Command Console after Explorer has restarted.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See: http://www.beyondlog...processutil.htm



Then reboot and post a new DSS log
  • 0

#3
keanu53
Posted 15 June 2008 - 06:21 PM

keanu53

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-15 20:20:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:16 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

--
End of file - 2644 bytes

-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-15 19:59:29 0 d--h----- C:\$AVG8.VAULT$
2008-06-14 18:59:32 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-14 18:59:20 0 d-------- C:\Program Files\AVG
2008-06-14 18:59:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 12:14:32 92544 -----n--- C:\WINDOWS\system32\ymninydj.dll
2008-06-14 12:13:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 12:13:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 12:13:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:45:25 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-19 17:39:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 17:38:49 0 d-------- C:\Program Files\Spyware Doctor
2008-05-19 17:38:49 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-19 17:34:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-19 17:30:54 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-19 17:26:36 0 d-------- C:\Program Files\CCleaner
2008-05-19 17:19:28 0 d-------- C:\Program Files\Trend Micro
2008-05-16 22:28:58 237920 --ahs---- C:\WINDOWS\system32\ghhPstwa.ini2
2008-05-16 22:28:53 317824 -----n--- C:\WINDOWS\system32\awtsPhhg.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-15 22:24:25 0 d-------- C:\Program Files\LimeWire
2008-05-07 16:32:31 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-05-07 16:26:25 50288 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-05 17:17:18 0 d-------- C:\Program Files\iTunes
2008-05-05 17:15:44 0 d-------- C:\Program Files\iPod
2008-05-05 17:11:30 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 07:59 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/14/2008 06:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmT63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\weJ85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c109d842-bda1-11db-b529-0050da21e74c}]
AutoRun\command- fooool.exe
explore\Command- fooool.exe
open\Command- fooool.exe




-- End of Deckard's System Scanner: finished at 2008-06-15 20:22:24 ------------
  • 0

#4
Rorschach112
Posted 15 June 2008 - 06:41 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\system32\ymninydj.dll
C:\WINDOWS\system32\ghhPstwa.ini2
C:\WINDOWS\system32\awtsPhhg.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmT63.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX62.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX63.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\weJ85.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm51.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio16.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq30.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw27.sys
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c109d842-bda1-11db-b529-0050da21e74c}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc
purity 
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Reboot and post a new DSS log
  • 0

#5
keanu53
Posted 16 June 2008 - 06:05 AM

keanu53

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
MoveIT log:

Explorer killed successfully
LoadLibrary failed for C:\WINDOWS\system32\ymninydj.dll
C:\WINDOWS\system32\ymninydj.dll NOT unregistered.
C:\WINDOWS\system32\ymninydj.dll moved successfully.
C:\WINDOWS\system32\ghhPstwa.ini2 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\awtsPhhg.dll
C:\WINDOWS\system32\awtsPhhg.dll NOT unregistered.
C:\WINDOWS\system32\awtsPhhg.dll moved successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmT63.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gmT63.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX62.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX62.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX63.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lsX63.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\weJ85.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\weJ85.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm51.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm51.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio16.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio16.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq30.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq30.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw27.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw27.sys\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c109d842-bda1-11db-b529-0050da21e74c} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c109d842-bda1-11db-b529-0050da21e74c}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc\\ deleted successfully.
< purity >
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06162008_080157
  • 0

#6
keanu53
Posted 16 June 2008 - 06:11 AM

keanu53

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
DSS log after moveIt:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-16 08:08:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:18 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2699 bytes

-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-15 19:59:29 0 d--h----- C:\$AVG8.VAULT$
2008-06-14 18:59:32 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-14 18:59:20 0 d-------- C:\Program Files\AVG
2008-06-14 18:59:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 12:13:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 12:13:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 12:13:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:45:25 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-19 17:39:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 17:38:49 0 d-------- C:\Program Files\Spyware Doctor
2008-05-19 17:38:49 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-19 17:34:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-19 17:30:54 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-19 17:26:36 0 d-------- C:\Program Files\CCleaner
2008-05-19 17:19:28 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-05-15 22:24:25 0 d-------- C:\Program Files\LimeWire
2008-05-07 16:32:31 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-05-07 16:26:25 50288 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-05 17:17:18 0 d-------- C:\Program Files\iTunes
2008-05-05 17:15:44 0 d-------- C:\Program Files\iPod
2008-05-05 17:11:30 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 07:59 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/14/2008 06:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 05:17 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-16 08:10:23 ------------
  • 0

#7
Rorschach112
Posted 16 June 2008 - 06:45 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also tell me how your PC is running
  • 0

#8
keanu53
Posted 17 June 2008 - 10:38 AM

keanu53

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 23:08:02
Records in database: 875027


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 113903
Threat name 36
Infected objects 96
Suspicious objects 0
Duration of the scan 04:01:14

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D40000.VBN Infected: Trojan.Java.Femad 4

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D40000.VBN Infected: Trojan.Win32.LowZones.cu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00F80000.VBN Infected: Trojan.Java.Femad 4

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00F80000.VBN Infected: Trojan.Win32.LowZones.cu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01C80000.VBN Infected: Trojan-Downloader.Win32.Agent.cp 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02AC0000.VBN Infected: Trojan-Downloader.Win32.Agent.cp 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B00000.VBN Infected: Trojan.Win32.Monderb.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B00001.VBN Infected: Trojan.Win32.Agent.mtm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0000.VBN Infected: Trojan.Win32.Monderb.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0001.VBN Infected: Trojan.Win32.Monderb.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C00000.VBN Infected: Trojan-Downloader.Win32.Mutant.yf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN Infected: Trojan-Downloader.Win32.Mutant.yf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C40000.VBN Infected: Trojan-Downloader.Win32.Mutant.yf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0000.VBN Infected: Trojan-Downloader.Win32.Mutant.yf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03500000.VBN Infected: Trojan-Dropper.Win32.Agent.son 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03500001.VBN Infected: Trojan.Win32.Agent.mtm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03700000.VBN Infected: Trojan-Downloader.Win32.Mutant.yf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03F00000.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04600000.VBN Infected: Trojan-Dropper.Win32.Delf.av 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04700000.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04700001.VBN Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04700002.VBN Infected: Trojan.Java.ClassLoader.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04700003.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0000.VBN Infected: Trojan.Win32.Agent.mtm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0002.VBN Infected: Trojan-Downloader.Win32.Mutant.yl 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04D00000.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04D00001.VBN Infected: Trojan.Java.ClassLoader.c 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04D00001.VBN Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04D00001.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04D00001.VBN Infected: Trojan-Downloader.Java.OpenConnection.v 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04E80000.VBN Infected: Trojan-Dropper.Win32.Agent.son 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05400000.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05700000.VBN Infected: Trojan.Java.ClassLoader.c 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05700000.VBN Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05700000.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05700000.VBN Infected: Trojan-Downloader.Java.OpenConnection.v 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05E00000.VBN Infected: Trojan.Java.ClassLoader.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140000.VBN Infected: Trojan.Java.Femad 4

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140000.VBN Infected: Trojan.Win32.LowZones.cu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140001.VBN Infected: Trojan.Java.ClassLoader.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140002.VBN Infected: Trojan.Java.ClassLoader.u 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140003.VBN Infected: Trojan.Java.ClassLoader.k 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140004.VBN Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140005.VBN Infected: Trojan.Java.ClassLoader.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Rootkit.Win32.Agent.l 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540001.VBN Infected: Trojan.Java.ClassLoader.u 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540002.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540003.VBN Infected: Trojan.Java.ClassLoader.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0000.VBN Infected: Trojan.BAT.KillProc.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0001.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0002.VBN Infected: Trojan.Java.ClassLoader.i 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0003.VBN Infected: Trojan.Java.SaveFile 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0004.VBN Infected: Trojan.Java.ClassLoader.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0005.VBN Infected: Trojan.Java.Femad 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\067C0006.VBN Infected: Trojan.Java.StartPage.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A80000.VBN Infected: Trojan.Java.Femad 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN Infected: Exploit.HTML.IESlice.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07700000.VBN Infected: Trojan.Win32.Monderb.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07700001.VBN Infected: Trojan-Dropper.Win32.Agent.son 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08100000.VBN Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08180000.VBN Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08240000.VBN Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08380000.VBN Infected: Exploit.VBS.Phel.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Trojan.Java.ClassLoader.c 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Trojan-Downloader.Java.OpenConnection.v 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C00000.VBN Infected: Exploit.HTML.IESlice.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80000.VBN Infected: not-a-virus:AdWare.Win32.FWN.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0000.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0001.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00000.VBN Infected: Trojan-Downloader.Win32.Agent.cp 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00001.VBN Infected: Trojan-Downloader.Win32.Agent.cp 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00002.VBN Infected: Trojan.Java.ClassLoader.c 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00002.VBN Infected: Exploit.Java.ByteVerify 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00002.VBN Infected: Trojan.Java.ClassLoader.Dummy.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00002.VBN Infected: Trojan-Downloader.Java.OpenConnection.v 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EC00000.VBN Infected: Trojan-Downloader.Win32.Agent.cp 1

C:\Program Files\StreamCast\Morpheus\My Shared Folder\Morph2022.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.d 1

C:\Program Files\StreamCast\Morpheus\My Shared Folder\Morph2022.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.e 1

C:\Program Files\StreamCast\Morpheus\My Shared Folder\Morph2022.exe Infected: not-a-virus:AdWare.Win32.Gator.3210 1

C:\Program Files\StreamCast\Morpheus\My Shared Folder\Morph2022.exe Infected: Trojan-Downloader.Win32.Stubby.b 1

C:\WINDOWS\system\UpdInstall.exe Infected: not-a-virus:AdWare.Win32.Look2Me.b 1

C:\WINDOWS\system32\mocupd.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.h 1

C:\WINDOWS\system32\mocupd.exe Infected: not-a-virus:AdWare.Win32.WurldMedia.b 1

C:\WINDOWS\system32\msguard.dll Infected: not-a-virus:AdWare.Win32.Look2Me.an 1

C:\WINDOWS\system32\qoMdAQjj.dll.vir Infected: Trojan-Downloader.Win32.ConHook.rr 1

The selected area was scanned.

Pc is running OK...little slow i guess.
  • 0

#9
Rorschach112
Posted 17 June 2008 - 10:50 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\Program Files\StreamCast\Morpheus\My Shared Folder\Morph2022.exe
C:\WINDOWS\system\UpdInstall.exe
C:\WINDOWS\system32\mocupd.exe
C:\WINDOWS\system32\msguard.dll
C:\WINDOWS\system32\qoMdAQjj.dll.vir
purity 
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#10
keanu53
Posted 18 June 2008 - 06:12 AM

keanu53

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Explorer killed successfully
C:\Program Files\StreamCast\Morpheus\My Shared Folder\Morph2022.exe moved successfully.
C:\WINDOWS\system\UpdInstall.exe moved successfully.
C:\WINDOWS\system32\mocupd.exe moved successfully.
C:\WINDOWS\system32\msguard.dll NOT unregistered.
C:\WINDOWS\system32\msguard.dll moved successfully.
File/Folder C:\WINDOWS\system32\qoMdAQjj.dll.vir not found.
< purity >
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06182008_080319
  • 0

#11
Rorschach112
Posted 18 June 2008 - 06:22 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post a new DSS log
  • 0

#12
keanu53
Posted 18 June 2008 - 06:04 PM

keanu53

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-18 19:59:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:54 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2674 bytes

-- Files created between 2008-05-18 and 2008-06-18 -----------------------------

2008-06-15 19:59:29 0 d--h----- C:\$AVG8.VAULT$
2008-06-14 18:59:32 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-14 18:59:20 0 d-------- C:\Program Files\AVG
2008-06-14 18:59:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 12:13:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 12:13:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 12:13:01 34296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 12:13:01 15864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-14 12:13:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:45:25 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-19 17:39:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 17:38:49 0 d-------- C:\Program Files\Spyware Doctor
2008-05-19 17:38:49 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-19 17:34:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-19 17:30:54 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-19 17:26:36 0 d-------- C:\Program Files\CCleaner
2008-05-19 17:19:28 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-06-18 08:36:59 0 d-------- C:\Program Files\VCW VicMan's Photo Editor
2008-05-15 22:24:25 0 d-------- C:\Program Files\LimeWire
2008-05-07 16:32:31 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-05-07 16:26:25 50288 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-05 17:17:18 0 d-------- C:\Program Files\iTunes
2008-05-05 17:15:44 0 d-------- C:\Program Files\iPod
2008-05-05 17:11:30 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 07:59 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/14/2008 06:59 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 05:17 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-18 20:00:50 ------------
  • 0

#13
Rorschach112
Posted 19 June 2008 - 06:47 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.




You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#14
Rorschach112
Posted 23 June 2008 - 06:06 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP