Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

virus problems, zlob and others [RESOLVED]

Started by xvz1300royalstar , Jul 08 2008 06:55 AM

  • This topic is locked This topic is locked

#1
xvz1300royalstar
Posted 08 July 2008 - 06:55 AM

xvz1300royalstar

    Member

  • Member
  • PipPip
  • 14 posts
Sorry to be vague with the title. I have been having problems since yesterday. I was getting pop ups saying safety alert and then sites would open up offering virus protection etc. The desktop background was going white and automatic updates were turning off themselves.

I ran avg which is on the pc as well as spybot, a-squared, smitfraudfix, mcafee rootkit.

The safety alert pop ups have stopped but now I get unwanted websites opening up everytime I click a link etc

AVG keeps flashing an alert about Zlob.ZHG detected on open. I click to add to vault, or clean but it keeps coming back.

Any help would be greatly appreciated.

Robert
  • 0

Advertisements

#2
Mike
Posted 08 July 2008 - 07:26 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Note:These logs may be too large to post in one reply, if so, please post extra.txt in a seperate reply.
  • 0

#3
xvz1300royalstar
Posted 08 July 2008 - 07:50 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
thanks, here are the reports...

Deckard's System Scanner v20071014.68
Run by robert on 2008-07-08 14:42:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
43: 2008-07-08 13:42:38 UTC - RP341 - Deckard's System Scanner Restore Point
42: 2008-07-08 13:16:27 UTC - RP340 - ComboFix created restore point
41: 2008-07-07 14:13:23 UTC - RP339 - Restore Operation
40: 2008-07-07 10:49:07 UTC - RP338 - Last known good configuration
39: 2008-07-07 10:48:59 UTC - RP337 - Avg8 Update


-- First Restore Point --
1: 2008-07-07 10:48:47 UTC - RP299 - Installed ElectroSoft for Windows


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-08 14:44:26
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\robert\Desktop\dss.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SA3.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 6552 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 AGV - c:\windows\system32\drivers\agv.sys <Not Verified; GeoVision Inc.; >
R3 GV650V3 - c:\windows\system32\drivers\gv650v3.sys <Not Verified; GeoVision Inc.; >
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Service:

Class GUID:
Description: Multimedia Controller
Device ID: PCI\VEN_109E&DEV_0878&SUBSYS_763C650B&REV_11\5&7B97277&0&2110F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_109E&DEV_0878&SUBSYS_763C650B&REV_11\5&7B97277&0&2110F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01741028&REV_02\4&1C660DD6&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01741028&REV_02\4&1C660DD6&0&40F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01741028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01741028&REV_02\3&172E68DD&0&FD
Service:


-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-08 14:15:45 68096 --a------ C:\WINDOWS\zip.exe
2008-07-08 14:15:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-08 14:15:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-08 14:15:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-08 14:15:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-08 14:15:45 98816 --a------ C:\WINDOWS\sed.exe
2008-07-08 14:15:45 80412 --a------ C:\WINDOWS\grep.exe
2008-07-08 14:15:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-08 14:02:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-08 14:02:07 0 d-------- C:\Documents and Settings\robert\Application Data\Mozilla
2008-07-08 10:33:25 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-08 09:56:24 88576 --a------ C:\WINDOWS\system32\fyjmnowv.dll
2008-07-07 14:45:50 1942 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-07 14:45:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-07 14:37:45 0 d-------- C:\Program Files\Panda Security
2008-07-07 14:32:53 0 d-------- C:\fsaua.data
2008-07-07 13:55:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-01 11:06:47 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-07-01 10:32:13 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-01 10:32:13 47360 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-01 10:32:12 0 d-------- C:\Documents and Settings\robert\Application Data\Vso
2008-07-01 10:32:04 0 d-------- C:\Program Files\DVDFab 5
2008-06-18 20:33:27 0 d--h----- C:\$AVG8.VAULT$
2008-06-18 14:13:22 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-18 14:13:21 0 d-------- C:\Program Files\AVG
2008-06-18 14:13:20 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-18 13:58:54 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-06-18 13:58:17 0 d-------- C:\WINDOWS\Prefetch
2008-06-18 13:44:38 0 d-------- C:\WINDOWS\provisioning
2008-06-18 13:44:38 0 d-------- C:\WINDOWS\peernet
2008-06-18 13:43:37 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-18 13:38:53 0 d-------- C:\WINDOWS\EHome
2008-06-18 13:36:45 0 d-------- C:\40e4226daa249bc40e
2008-06-18 13:28:27 0 d-------- C:\WINDOWS\system32\bits
2008-06-18 13:28:13 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-18 13:28:11 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-18 10:20:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-18 10:20:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-18 10:20:11 0 d-------- C:\Documents and Settings\robert\Application Data\Google
2008-06-18 10:19:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-06-18 10:19:42 0 d-------- C:\Program Files\Google
2008-06-18 10:18:12 0 d-------- C:\Documents and Settings\robert\Application Data\Macromedia
2008-06-18 10:18:12 0 d-------- C:\Documents and Settings\robert\Application Data\Adobe
2008-06-16 13:52:40 0 d-------- C:\Documents and Settings\All Users\Application Data\UDL
2008-06-16 13:46:36 111932 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-06-16 13:46:36 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-06-16 13:46:36 1120 --a------ C:\WINDOWS\system32\EPPICPresetData_IT.dat
2008-06-16 13:46:36 1107 --a------ C:\WINDOWS\system32\EPPICPresetData_GE.dat
2008-06-16 13:46:36 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-06-16 13:46:36 1136 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-06-16 13:46:36 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-06-16 13:46:36 1146 --a------ C:\WINDOWS\system32\EPPICPresetData_DU.dat
2008-06-16 13:46:36 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-06-16 13:46:36 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-06-16 13:46:36 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-06-16 13:46:36 21390 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-06-16 13:46:36 11811 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-06-16 13:46:36 24903 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-06-16 13:46:36 20148 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-06-16 13:46:36 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-06-16 13:46:36 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-06-16 13:46:36 26154 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-06-16 13:46:35 0 d-------- C:\Documents and Settings\robert\Application Data\InstallShield
2008-06-16 13:45:59 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-06-16 13:42:38 0 d-------- C:\Program Files\epson
2008-06-16 10:26:13 0 d-------- C:\Program Files\Common Files\L&H
2008-06-16 10:26:01 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-16 10:25:27 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 10:20:39 0 dr-h----- C:\MSOCache


-- Find3M Report ---------------------------------------------------------------

2008-07-01 10:32:18 34 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.log
2008-07-01 10:32:13 1144 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.inf
2008-07-01 10:32:13 7887 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.cat
2008-06-19 03:15:45 0 d-------- C:\Program Files\Messenger
2008-06-18 13:44:38 0 d-------- C:\Program Files\Movie Maker
2008-06-18 13:43:20 0 d-------- C:\Program Files\Windows NT
2008-06-18 10:20:39 0 d-------- C:\Program Files\Common Files
2008-06-16 13:54:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 13:53:36 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [09/03/2006 15:29]
"nwiz"="nwiz.exe" [09/03/2006 15:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [09/03/2006 15:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/07/2008 09:15]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [08/07/2008 14:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [01/03/2007 07:01]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [25/06/2008 10:59]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-08 14:45:21 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 510.98 MiB / 215.07 MiB
Pagefile Memory (total/avail): 1249.6 MiB / 967.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.04 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 212.96 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 38.28 GiB total, 11.79 GiB free.

\\.\PHYSICALDRIVE1 - Maxtor 6E040L0 - 38.29 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.28 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD2500JS-00MHB0 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\robert\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AWV-AJM090H9Y9H
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\robert
LOGONSERVER=\\AWV-AJM090H9Y9H
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\robert\LOCALS~1\Temp
TMP=C:\DOCUME~1\robert\LOCALS~1\Temp
USERDOMAIN=AWV-AJM090H9Y9H
USERNAME=robert
USERPROFILE=C:\Documents and Settings\robert
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

robert (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Camera RAW Plug-In for EPSON Creativity Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}\SETUP.EXE" -l0x9 UNINST
CX4300_5500_DX4400 manual --> C:\Program Files\EPSON\TPMANUAL\CX4300_5500_DX4400\ENG\USE_G\DOCUNINS.EXE
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.3.0 --> "C:\Program Files\DVDFab 5\unins000.exe"
ElectroSoft for Windows --> MsiExec.exe /X{5516739C-881F-4EBB-BC14-DA22CBD2F0AF}
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Easy Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B66E665A-DF96-4C38-9422-C7F74BC1B4E5}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x9 UNINST
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type136 / Error
Event Submitted/Written: 07/07/2008 02:58:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type135 / Error
Event Submitted/Written: 07/07/2008 02:58:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type133 / Error
Event Submitted/Written: 07/07/2008 02:31:30 PM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : iexplore: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event Record #/Type124 / Error
Event Submitted/Written: 07/01/2008 10:37:07 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dvdfab.exe, version 5.0.3.0, faulting module dvdfab.exe, version 5.0.3.0, fault address 0x0006e56c.
Processing media-specific event for [dvdfab.exe!ws!]

Event Record #/Type106 / Warning
Event Submitted/Written: 06/18/2008 01:59:01 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2545 / Error
Event Submitted/Written: 07/08/2008 02:18:06 PM
Event ID/Source: 6161 / Print
Event Description:
A guide and tutorial on usi...robertEPSON Stylus DX4400 SeriesNT EMF 1.0080010\\AWV-AJM090H9Y9H259 (0x103)

Event Record #/Type2471 / Error
Event Submitted/Written: 07/07/2008 03:25:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2470 / Error
Event Submitted/Written: 07/07/2008 03:25:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type2469 / Error
Event Submitted/Written: 07/07/2008 03:24:45 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type2468 / Error
Event Submitted/Written: 07/07/2008 03:21:05 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AvgLdx86
AvgMfx86
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
pavboot
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-07-08 14:45:21 ------------
  • 0

#4
Mike
Posted 08 July 2008 - 08:27 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Your Antivirus is disabled please re-enable it.

Can you tell me the path to the file that AVG is reporting?

Please temporarily disable A-squared Hijack Free and Spybot Search and destroy. Take a look here on how to disable them http://wiki.castleco...toring_Programs

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\system32\fyjmnowv.dll
C:\WINDOWS\system32\tmp.reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
emptytemp
purity
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now,

Download the latest version of Java Runtime Environment (JRE) 6 Update 6. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Post back with the requested logs + re-run DSS and post back with main.txt (extra.txt won't be produced)
  • 0

#5
xvz1300royalstar
Posted 08 July 2008 - 08:31 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi,

AVG reports C:\windows|mrvtdpqe.exe
  • 0

#6
Mike
Posted 08 July 2008 - 08:51 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
OK,

Continue with the other steps and will get it cleaned up.
  • 0

#7
xvz1300royalstar
Posted 09 July 2008 - 03:12 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
hi,

I can only find JRE6 update 7. I take it this will be ok?

Robert

Edited by xvz1300royalstar, 09 July 2008 - 03:59 AM.

  • 0

#8
xvz1300royalstar
Posted 09 July 2008 - 04:03 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
this is the report from OTmoveit...

Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fyjmnowv.dll
C:\WINDOWS\system32\fyjmnowv.dll NOT unregistered.
C:\WINDOWS\system32\fyjmnowv.dll moved successfully.
C:\WINDOWS\system32\tmp.reg moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\\ deleted successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\robert\LOCALS~1\Temp\~DFE359.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_095521

Files moved on Reboot...
File C:\DOCUME~1\robert\LOCALS~1\Temp\~DFE359.tmp not found!
  • 0

#9
Mike
Posted 09 July 2008 - 04:07 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
https://cds.sun.com/...S-CDS_Developer

Download that one.
  • 0

#10
xvz1300royalstar
Posted 09 July 2008 - 07:21 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
here is the kaspersky report...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 09, 2008 02:58:31
Records in database: 930461
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 122133
Threat name: 10
Infected objects: 29
Suspicious objects: 1145
Duration of the scan: 02:58:36


File name / Threat name / Threats count
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 48
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0000\477CAD6C.VBN Infected: Trojan.Win32.Agent.jr 1
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80000.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80001.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80002.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80003.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Backdoor.Win32.Breplibot.z 1
C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN Infected: Backdoor.Win32.Breplibot.ac 1
C:\Documents and Settings\robert\Desktop\virus stuff\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\robert\Local Settings\Application Data\Identities\{8B201A7C-62E8-4E85-A860-7793BBEFF856}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 234
C:\Documents and Settings\robert\Local Settings\Application Data\Identities\{8B201A7C-62E8-4E85-A860-7793BBEFF856}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.Win32.Agent.hzc 1
C:\Documents and Settings\robert\Local Settings\Application Data\Identities\{8B201A7C-62E8-4E85-A860-7793BBEFF856}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.kf 2
C:\Documents and Settings\robert\Local Settings\Application Data\Identities\{8B201A7C-62E8-4E85-A860-7793BBEFF856}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\robert\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 103
C:\Documents and Settings\robert\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.Win32.Agent.hzc 1
C:\Program Files\a-squared Anti-Malware\unins000.exe Infected: Trojan-Downloader.Win32.Agent.vmp 1
C:\Program Files\DVDFab 5\unins000.exe Infected: Trojan-Downloader.Win32.Agent.vpx 1
E:\Documents and Settings\Administrator\Desktop\backups\outlook backup.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 119
E:\Documents and Settings\Administrator\Desktop\backups\outlook backup.pst Infected: Trojan-Downloader.Win32.Agent.hzc 1
E:\Documents and Settings\Administrator\Desktop\backups\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 234
E:\Documents and Settings\Administrator\Desktop\backups\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.Win32.Agent.hzc 1
E:\Documents and Settings\Administrator\Desktop\backups\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.kf 2
E:\Documents and Settings\Administrator\Desktop\backups\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\Documents and Settings\Administrator\Desktop\New Folder (2)\confirm your data .msg Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\Documents and Settings\Administrator\Desktop\New Folder (2)\please confirm your data! -Thu 17 Jan 2008 07 13 35 -0600.msg Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{0F300A23-F227-4928-B907-D0A14B3D78BB}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 359
E:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{0F300A23-F227-4928-B907-D0A14B3D78BB}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.Win32.Agent.hzc 2
E:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{0F300A23-F227-4928-B907-D0A14B3D78BB}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.kf 2
E:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{0F300A23-F227-4928-B907-D0A14B3D78BB}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 36
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0000\477CAD6C.VBN Infected: Trojan.Win32.Agent.jr 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80000.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80001.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80002.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05E80003.VBN Infected: Trojan-Downloader.Win32.Small.anq 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Backdoor.Win32.Breplibot.z 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN Infected: Backdoor.Win32.Breplibot.ac 1

The selected area was scanned.
  • 0

Advertisements

#11
xvz1300royalstar
Posted 09 July 2008 - 07:27 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
here is the new dss report...

Deckard's System Scanner v20071014.68
Run by robert on 2008-07-09 14:23:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-09 14:24:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\robert\Local Settings\Temp\jkos-robert\binaries\ScanningProcess.exe
C:\Documents and Settings\robert\Local Settings\Temp\jkos-robert\binaries\ScanningProcess.exe
C:\Documents and Settings\robert\Desktop\virus stuff\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SA3.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 7768 bytes

-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-07-09 13:11:30 0 d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-07-09 13:10:44 0 d-------- C:\Program Files\PCPitstop
2008-07-09 12:46:35 0 d-------- C:\WINDOWS\LastGood
2008-07-09 11:00:46 0 d-------- C:\WINDOWS\Sun
2008-07-09 11:00:46 0 d-------- C:\Documents and Settings\robert\Application Data\Sun
2008-07-09 10:59:04 0 d-------- C:\Program Files\Java
2008-07-09 10:57:27 0 d-------- C:\Program Files\Common Files\Java
2008-07-09 10:38:08 95 --a------ C:\WINDOWS\system32\productregistry
2008-07-09 10:35:17 0 d-------- C:\Sun
2008-07-09 09:47:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-08 14:15:45 68096 --a------ C:\WINDOWS\zip.exe
2008-07-08 14:15:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-08 14:15:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-08 14:15:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-08 14:15:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-08 14:15:45 98816 --a------ C:\WINDOWS\sed.exe
2008-07-08 14:15:45 80412 --a------ C:\WINDOWS\grep.exe
2008-07-08 14:15:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-08 14:02:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-08 14:02:07 0 d-------- C:\Documents and Settings\robert\Application Data\Mozilla
2008-07-08 10:33:25 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-07 14:45:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-07 14:37:45 0 d-------- C:\Program Files\Panda Security
2008-07-07 14:32:53 0 d-------- C:\fsaua.data
2008-07-07 13:55:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-01 11:06:47 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-07-01 10:32:13 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-01 10:32:13 47360 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-01 10:32:12 0 d-------- C:\Documents and Settings\robert\Application Data\Vso
2008-07-01 10:32:04 0 d-------- C:\Program Files\DVDFab 5
2008-06-18 20:33:27 0 d--h----- C:\$AVG8.VAULT$
2008-06-18 14:13:22 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-18 14:13:21 0 d-------- C:\Program Files\AVG
2008-06-18 14:13:20 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-18 13:58:54 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-06-18 13:58:17 0 d-------- C:\WINDOWS\Prefetch
2008-06-18 13:44:38 0 d-------- C:\WINDOWS\provisioning
2008-06-18 13:44:38 0 d-------- C:\WINDOWS\peernet
2008-06-18 13:43:37 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-18 13:38:53 0 d-------- C:\WINDOWS\EHome
2008-06-18 13:36:45 0 d-------- C:\40e4226daa249bc40e
2008-06-18 13:28:27 0 d-------- C:\WINDOWS\system32\bits
2008-06-18 13:28:13 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-18 13:28:11 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-18 10:20:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-18 10:20:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-18 10:20:11 0 d-------- C:\Documents and Settings\robert\Application Data\Google
2008-06-18 10:19:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-06-18 10:19:42 0 d-------- C:\Program Files\Google
2008-06-18 10:18:12 0 d-------- C:\Documents and Settings\robert\Application Data\Macromedia
2008-06-18 10:18:12 0 d-------- C:\Documents and Settings\robert\Application Data\Adobe
2008-06-16 13:52:40 0 d-------- C:\Documents and Settings\All Users\Application Data\UDL
2008-06-16 13:46:36 111932 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-06-16 13:46:36 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-06-16 13:46:36 1120 --a------ C:\WINDOWS\system32\EPPICPresetData_IT.dat
2008-06-16 13:46:36 1107 --a------ C:\WINDOWS\system32\EPPICPresetData_GE.dat
2008-06-16 13:46:36 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-06-16 13:46:36 1136 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-06-16 13:46:36 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-06-16 13:46:36 1146 --a------ C:\WINDOWS\system32\EPPICPresetData_DU.dat
2008-06-16 13:46:36 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-06-16 13:46:36 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-06-16 13:46:36 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-06-16 13:46:36 21390 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-06-16 13:46:36 11811 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-06-16 13:46:36 24903 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-06-16 13:46:36 20148 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-06-16 13:46:36 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-06-16 13:46:36 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-06-16 13:46:36 26154 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-06-16 13:46:35 0 d-------- C:\Documents and Settings\robert\Application Data\InstallShield
2008-06-16 13:45:59 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-06-16 13:42:38 0 d-------- C:\Program Files\epson
2008-06-16 10:26:13 0 d-------- C:\Program Files\Common Files\L&H
2008-06-16 10:26:01 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-16 10:25:27 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 10:20:39 0 dr-h----- C:\MSOCache


-- Find3M Report ---------------------------------------------------------------

2008-07-09 10:57:27 0 d-------- C:\Program Files\Common Files
2008-07-01 10:32:18 34 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.log
2008-07-01 10:32:13 1144 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.inf
2008-07-01 10:32:13 7887 --a------ C:\Documents and Settings\robert\Application Data\pcouffin.cat
2008-06-19 03:15:45 0 d-------- C:\Program Files\Messenger
2008-06-18 13:44:38 0 d-------- C:\Program Files\Movie Maker
2008-06-18 13:43:20 0 d-------- C:\Program Files\Windows NT
2008-06-16 13:54:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 13:53:36 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [09/03/2006 15:29]
"nwiz"="nwiz.exe" [09/03/2006 15:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [09/03/2006 15:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/07/2008 09:15]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [08/07/2008 14:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"PC Pitstop Optimize Reminder"="C:\Program Files\PCPitstop\Optimize2\Reminder.exe" [31/01/2008 13:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [01/03/2007 07:01]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [25/06/2008 10:59]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-09 14:25:55 ------------
  • 0

#12
xvz1300royalstar
Posted 09 July 2008 - 07:28 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi,

I have completed the tasks requested earlier and have posted all the reults in the 3 replies above.
I look forward to hearing from you with further instructions etc.

Regards

Robert
  • 0

#13
Mike
Posted 09 July 2008 - 07:44 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
OK, I will post back in a bit.

Edited by Mike, 09 July 2008 - 07:49 AM.

  • 0

#14
Mike
Posted 09 July 2008 - 12:03 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
What is your E:\ Drive, just a seperate harddrive?

You have some infections residing in OutLook Express, Go through your inbox and deleted box and remove any bad emails you can find. This includes the backups that you made.

Delete everything in this folder: C:\Documents and Settings\robert\Desktop\old hard drive\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\

and this one: E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\fsaua.data
C:\Program Files\a-squared Anti-Malware\unins000.exe
C:\Program Files\DVDFab 5\unins000.exe
E:\Documents and Settings\Administrator\Desktop\New Folder (2)
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now let's try and sweep out some registry entries,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


And do another scan with Kaspersky (I know it's long) so we can confirm if your email infection issue is still present.

Edited by Mike, 09 July 2008 - 12:04 PM.

  • 0

#15
xvz1300royalstar
Posted 10 July 2008 - 05:05 AM

xvz1300royalstar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi,

the E drive is an older hard drive installed into the machine.

here is the otmoveit log file...

Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fyjmnowv.dll
C:\WINDOWS\system32\fyjmnowv.dll NOT unregistered.
C:\WINDOWS\system32\fyjmnowv.dll moved successfully.
C:\WINDOWS\system32\tmp.reg moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\\ deleted successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\robert\LOCALS~1\Temp\~DFE359.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_095521

Files moved on Reboot...
File C:\DOCUME~1\robert\LOCALS~1\Temp\~DFE359.tmp not found!



here is the mbam log....

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

11:56:42 10/07/2008
mbam-log-7-10-2008 (11-56-42).txt

Scan type: Quick Scan
Objects scanned: 39292
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f70c9bf7-63da-40cc-a57c-b874b07259e0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.bxod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will now do the kaspersky scan and post the results when completed.

Regards

Robert
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP