
Windows firewall has detected (insert scary sounding file name here)


This topic is locked

#1 Jaygriff, New Member, 7 posts
I am having a problem with my system (obviously) where, on ONE of the user profiles, when the internet is accessed through either Firefox (which is our preferred browser) or IE, a message appears that says "Windows firewall has detected trojan-downloader.win32.agent.bq, to protect your system click enable". Alternate file names that come up are trojan-spy.win32.keylogger.aa and trojan-clicker.win32.thy.h.

Of course when I click on the link, it takes me to a web address (www.antispyware-review.info) that wants me to buy some of their software to fix the 'problem.' A couple of things make me think it isn't an actual infection they are warning me about; rather, their ad is. At some point, something has also removed his ability to access the Windows Task Manager, although I did find out how to re-enable that.

1. It only pops up on my husband's username; I have never had this appear on mine.
2. All the antivirus scans and adware scans have come up clean.
3. It continued to pop up even after I installed an alternate firewall and disabled the original Windows one.

I have run the Malwarebytes software as recommended by your previous post and it comes up clean.
I tried to run Windows Update, which is up to date with the exception of SP3, which for some reason it won't let me install.
I also have done full system scans with Ad-Aware, PC Tools Spyware Dr., System Mechanic, Norton AntiVirus, SpywareBlaster, Spybot Search and Destroy, and have downloaded the ZoneLabs firewall which we have currently running.
After restart, still having the same issue.

*****More system history information*****

Recently I was forced, due to constant computer crashes, to reformat our hard drive, reinstalling Windows XP Home Edition SP2. Problem was, the person that worked on our computer before had us running XP Pro and we did not have a disk for it, so I wound up purchasing a new copy of XP :::groans::: and installed it. (HP said that our computer was obsolete and a restore disk was not available for our system.) Now when the computer reboots, we are prompted to choose to boot with either XP Pro or XP Home Edition. I thought I had reformatted the HD, so why is this still there? I have not tried to boot with XP Pro yet.

*****edited to add HijackThis log*****

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:06 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udyfibyx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [9OnHcEd4Ww] C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
O4 - HKUS\S-1-5-21-606747145-1229272821-725345543-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jim')
O4 - HKUS\S-1-5-21-606747145-1229272821-725345543-1005\..\Run: [ApiUi] C:\WINDOWS\system32\udyfibyx.exe (User 'Jim')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O21 - SSODL: ApiSrv - {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6645 bytes

Edited by Jaygriff, 02 August 2008 - 07:39 PM.

#2 Gravity Gripp, Trusted Helper (Malware Removal), 1,813 posts
Hello Jaygriff, Welcome to Geeks-To-Go.

My name is Gravity Gripp and I'll be working with you on these issues. For now, I will be reviewing your log but will be responding back soon. Also, please note that I am still in training so there may be a slight delay in my responses because I will be working with an expert on this.

I look forward to working with you :)
#3 Gravity Gripp, Trusted Helper (Malware Removal), 1,813 posts
Alright, couple of things here.


STEP ONE
CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "put file path here"
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\Program Files\dqvtkld\ApiSrv.dll

  • Click Open.
  • Click Post.
Thank you!


STEP TWO
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#4 Jaygriff (Topic Starter), New Member, 7 posts
I guess I messed something up... I ran the DSS.exe but had a bunch of stuff running, so I closed it down and ran the dss.exe again, but now it only gives me the main.txt file and the other file is gone. I checked my system for it, removed all DSS-related files from my computer and re-downloaded it, but still no extra.txt file... and now the original extra file is gone :) Is there something that I can do to get this file back, or a way to have the scan done again? The following is the results from Main.txt

***edited to post main.txt when run from profile causing issues***

Deckard's System Scanner v20071014.68
Run by Jim on 2008-08-06 02:46:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 87% (more than 75%).


-- HijackThis (run as Jim.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:14 AM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udyfibyx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jim\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jim.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kucampus.kapl...ogin/login.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ApiUi] C:\WINDOWS\system32\udyfibyx.exe
O4 - HKLM\..\Policies\Explorer\Run: [9OnHcEd4Ww] C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O21 - SSODL: ApiSrv - {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6179 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 00:37:55 131104 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-05 15:03:08 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-05 15:02:36 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-08-05 15:00:10 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-08-05 14:52:39 0 d-------- C:\WINDOWS\SHELLNEW
2008-08-02 19:12:03 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 18:28:51 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 18:10:40 0 d-------- C:\Documents and Settings\Jay\Application Data\Malwarebytes
2008-08-02 17:37:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-02 17:37:04 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-08-02 17:36:26 0 d-------- C:\WINDOWS\Internet Logs
2008-08-02 15:16:09 0 d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
2008-08-02 15:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 15:15:59 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 15:14:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 15:04:25 0 d-------- C:\Program Files\Trend Micro
2008-07-31 13:41:44 0 d-------- C:\Program Files\Lavasoft
2008-07-31 13:41:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-30 11:29:30 0 d-------- C:\Program Files\dqvtkld
2008-07-30 11:29:05 0 d-------- C:\Documents and Settings\All Users\Application Data\apufofqv
2008-07-30 11:28:58 98304 --a------ C:\WINDOWS\system32\udyfibyx.exe
2008-07-30 02:50:26 0 d-------- C:\Program Files\GamesBar
2008-07-30 02:50:07 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-07-30 02:50:06 0 d-------- C:\Program Files\Oberon Media
2008-07-29 22:33:05 0 d-------- C:\Program Files\FedTerm
2008-07-27 18:54:42 0 d-------- C:\Program Files\zMUD
2008-07-27 18:53:29 0 d-------- C:\Program Files\CMUD
2008-07-27 13:25:05 0 d-------- C:\Program Files\Spyware Doctor
2008-07-27 13:25:05 0 d-------- C:\Documents and Settings\Jim\Application Data\PC Tools
2008-07-27 10:11:24 0 d-------- C:\Documents and Settings\Jim\Application Data\Google
2008-07-27 10:06:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-27 10:06:31 0 d-------- C:\Program Files\Google
2008-07-25 08:45:24 0 d-------- C:\Documents and Settings\Jim\Application Data\iolo
2008-07-24 15:19:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-24 15:19:18 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-07-24 15:19:18 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-07-24 15:19:12 0 d-------- C:\Program Files\iolo
2008-07-23 13:55:56 0 d-------- C:\Program Files\Microsoft Money Plus
2008-07-17 10:44:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 16:28:12 0 d-------- C:\Documents and Settings\Jay\Application Data\Netscape
2008-07-15 10:13:49 0 d-------- C:\Documents and Settings\Jim\Application Data\Netscape
2008-07-15 10:13:37 0 d-------- C:\Program Files\Netscape
2008-07-10 02:57:42 0 d-------- C:\WINDOWS\Sun
2008-07-10 02:57:42 0 d-------- C:\Documents and Settings\Jay\Application Data\Sun
2008-07-10 02:55:49 0 d-------- C:\Program Files\Java
2008-07-10 02:52:27 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 00:55:01 0 d-------- C:\Program Files\Symantec
2008-07-08 00:54:44 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-08 00:54:44 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-08 00:54:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-06 01:03:10 0 d---s---- C:\Documents and Settings\Jay\UserData


-- Find3M Report ---------------------------------------------------------------

2008-08-05 14:55:27 0 d-------- C:\Program Files\Common Files
2008-07-13 14:56:27 0 d-------- C:\Documents and Settings\Jim\Application Data\Adobe
2008-07-04 22:46:07 0 d-------- C:\Program Files\IrfanView
2008-06-28 08:27:40 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-27 21:06:42 0 d-------- C:\Program Files\Messenger
2008-06-27 07:57:35 0 d-------- C:\Documents and Settings\Jim\Application Data\Macromedia
2008-06-26 14:11:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 00:13:06 0 d-------- C:\Program Files\microsoft frontpage
2008-06-26 00:03:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-26 00:03:30 0 d-------- C:\Documents and Settings\Jim\Application Data\Mozilla
2008-06-25 23:37:28 0 d-------- C:\Documents and Settings\Jim\Application Data\Identities
2008-06-25 23:34:43 0 d-------- C:\Program Files\Yahoo!
2008-06-25 23:24:52 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-06-25 23:14:34 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-25 22:51:31 0 -rahs---- C:\MSDOS.SYS
2008-06-25 22:51:31 0 -rahs---- C:\IO.SYS
2008-06-25 22:51:31 0 --a------ C:\CONFIG.SYS
2008-06-25 22:51:31 0 --a------ C:\AUTOEXEC.BAT
2008-06-25 22:49:39 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-25 22:49:34 0 d-------- C:\Program Files\Online Services
2008-06-25 22:48:33 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-25 22:48:22 0 d-------- C:\Program Files\Movie Maker
2008-06-25 22:47:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-25 22:46:41 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-25 22:46:29 0 d-------- C:\Program Files\Windows NT
2008-06-25 18:37:37 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-25 18:37:34 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-25 18:37:04 62 --ahs---- C:\Documents and Settings\Jim\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/21/2006 05:38 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/14/2007 07:49 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [05/06/2008 04:36 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"ApiUi"="C:\WINDOWS\system32\udyfibyx.exe" [07/30/2008 11:28 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"9OnHcEd4Ww"=C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ApiSrv"= {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll [07/30/2008 11:29 AM 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2008-08-06 02:48:12 ------------

Edited by Jaygriff, 06 August 2008 - 12:50 AM.
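The two logs in this thread carry enough structure to triage by script. As an added example that is not part of the thread, of HijackThis or of DSS, the Python below parses the O4/O21 lines in the format of post #1's HijackThis log and the "Files created" lines from post #4's DSS main.txt, then flags autostart entries whose image or folder was created inside the scan window, runs from a user's Desktop, uses the Policies\Explorer\Run key, or is an SSODL DLL. The sample lines are copied from the logs above; the scoring heuristics and the per-user scope label (which shows why an HKUS\<SID> Run entry only fires in one profile) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: O4/O21 lines copied from the HijackThis log in post #1
# and "Files created" lines copied from the DSS main.txt in post #4.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [9OnHcEd4Ww] C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
O4 - HKUS\S-1-5-21-606747145-1229272821-725345543-1005\..\Run: [ApiUi] C:\WINDOWS\system32\udyfibyx.exe (User 'Jim')
O21 - SSODL: ApiSrv - {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll
"""
SAMPLE_DSS = r"""
2008-08-05 15:02:36 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-07-30 11:29:30 0 d-------- C:\Program Files\dqvtkld
2008-07-30 11:28:58 98304 --a------ C:\WINDOWS\system32\udyfibyx.exe
"""

# HijackThis 2.0 line shapes: "O4 - <hive>\..\<key>: [<name>] <cmd> (User '<u>')?"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# DSS "Files created" line: "<date> <time> <size> <attrs> <path> [<version info>]"
DSS_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
                    r"(?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <.*>)?$")


@dataclass
class Finding:
    kind: str     # "O4" (Run key) or "O21" (ShellServiceObjectDelayLoad)
    name: str     # registry value name or SSODL name
    path: str     # image path as written in the log, quotes stripped
    scope: str    # which logon sessions the entry applies to
    reasons: list = field(default_factory=list)


def parse_created(dss_text: str) -> dict:
    """Map lower-cased path -> creation timestamp from DSS 'Files created' lines."""
    created = {}
    for line in dss_text.splitlines():
        m = DSS_RE.match(line.strip())
        if m:
            created[m["path"].lower()] = f"{m['date']} {m['time']}"
    return created


def _scope(hive: str, user: Optional[str]) -> str:
    if hive == "HKLM":
        return "all users"
    if hive == "HKCU":
        return "current user only"
    return f"user '{user}' only" if user else hive   # HKUS\<SID> form


def _assess(f: Finding, key: str, created: dict) -> None:
    """Attach a reason for every heuristic the entry trips; none means 'looks ordinary'."""
    low = f.path.lower()
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    if low in created:
        f.reasons.append(f"image created {created[low]} (inside the scan window)")
    elif parent in created:
        # Weak signal on its own: after a reinstall many vendor folders are new too.
        f.reasons.append(f"parent folder created {created[parent]} (inside the scan window)")
    if "\\desktop\\" in low:
        f.reasons.append("autostart image lives on a user's Desktop")
    if key.lower().startswith("policies\\"):
        f.reasons.append("uses Policies\\Explorer\\Run, a key installers rarely use")
    if f.kind == "O21":
        f.reasons.append("SSODL entry: DLL loaded into Explorer at every logon")


def triage(hjt_text: str, dss_text: str) -> list:
    """Parse every O4/O21 line, score it against the DSS creation dates, return all entries."""
    created = parse_created(dss_text)
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            f = Finding("O4", m["name"], m["cmd"].strip('"'), _scope(m["hive"], m["user"]))
            _assess(f, m["key"], created)
        elif m := O21_RE.match(line):
            f = Finding("O21", m["name"], m["path"], "all users")
            _assess(f, "", created)
        else:
            continue
        findings.append(f)
    return findings


def suspicious(findings: list) -> list:
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_DSS):
        print(f"{'SUSPECT' if f.reasons else 'ok     '} {f.kind} [{f.name}] {f.path} ({f.scope})")
        for reason in f.reasons:
            print(f"          - {reason}")
```

On the sample, the three entries the thread ends up circling (udyfibyx.exe, the dqvtkld\ApiSrv.dll SSODL, and the Desktop FlashPlayerH264Ext.exe) are the only ones scored, and the vendor Run keys stay clean.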

#5 Gravity Gripp, Trusted Helper (Malware Removal), 1,813 posts
That's ok, we can get it back :)

STEP ONE
Click on Start, click on Run.
Copy and paste the following (in bold) into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished, please post back both logs that open in Notepad: main.txt and extra.txt.
#6 Jaygriff (Topic Starter), New Member, 7 posts
Main.txt followed by extra.txt. Thanks for the help.

Jay

Deckard's System Scanner v20071014.68
Run by Jay on 2008-08-06 14:29:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
71: 2008-08-06 04:41:20 UTC - RP71 - Deckard's System Scanner Restore Point
70: 2008-08-05 18:49:21 UTC - RP70 - Installed Microsoft Office Professional Edition 2003
69: 2008-08-04 23:22:43 UTC - RP69 - System Checkpoint
68: 2008-08-03 22:30:13 UTC - RP68 - System Checkpoint
67: 2008-08-02 22:28:58 UTC - RP67 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-26 03:05:47 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).


-- HijackThis (run as Jay.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:51 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jim\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jay.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [9OnHcEd4Ww] C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O21 - SSODL: ApiSrv - {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6284 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&28
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&28
Service: rtl8139


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1840)
2008-07-30 11:29:30 122880 --a------ C:\Program Files\dqvtkld\ApiSrv.dll


-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 03:11:56 0 d-------- C:\Program Files\CMUD
2008-08-06 00:37:55 202784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-05 15:03:08 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-05 15:02:36 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-08-05 15:00:10 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-08-05 14:52:39 0 d-------- C:\WINDOWS\SHELLNEW
2008-08-02 19:12:03 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 18:28:51 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 18:10:40 0 d-------- C:\Documents and Settings\Jay\Application Data\Malwarebytes
2008-08-02 17:37:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-02 17:37:04 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-08-02 17:36:26 0 d-------- C:\WINDOWS\Internet Logs
2008-08-02 15:16:09 0 d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
2008-08-02 15:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 15:15:59 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 15:14:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 15:04:25 0 d-------- C:\Program Files\Trend Micro
2008-07-31 13:41:44 0 d-------- C:\Program Files\Lavasoft
2008-07-31 13:41:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-30 11:29:30 0 d-------- C:\Program Files\dqvtkld
2008-07-30 11:29:05 0 d-------- C:\Documents and Settings\All Users\Application Data\apufofqv
2008-07-30 11:28:58 98304 --a------ C:\WINDOWS\system32\udyfibyx.exe
2008-07-30 02:50:26 0 d-------- C:\Program Files\GamesBar
2008-07-30 02:50:07 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-07-30 02:50:06 0 d-------- C:\Program Files\Oberon Media
2008-07-29 22:33:05 0 d-------- C:\Program Files\FedTerm
2008-07-27 18:54:42 0 d-------- C:\Program Files\zMUD
2008-07-27 18:53:29 0 d-------- C:\Program Files\CMUD3
2008-07-27 13:25:05 0 d-------- C:\Program Files\Spyware Doctor
2008-07-27 13:25:05 0 d-------- C:\Documents and Settings\Jim\Application Data\PC Tools
2008-07-27 10:11:24 0 d-------- C:\Documents and Settings\Jim\Application Data\Google
2008-07-27 10:06:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-27 10:06:31 0 d-------- C:\Program Files\Google
2008-07-25 08:45:24 0 d-------- C:\Documents and Settings\Jim\Application Data\iolo
2008-07-24 15:19:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-24 15:19:18 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-07-24 15:19:18 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-07-24 15:19:12 0 d-------- C:\Program Files\iolo
2008-07-23 13:55:56 0 d-------- C:\Program Files\Microsoft Money Plus
2008-07-17 10:44:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 16:28:12 0 d-------- C:\Documents and Settings\Jay\Application Data\Netscape
2008-07-15 10:13:49 0 d-------- C:\Documents and Settings\Jim\Application Data\Netscape
2008-07-15 10:13:37 0 d-------- C:\Program Files\Netscape
2008-07-10 02:57:42 0 d-------- C:\WINDOWS\Sun
2008-07-10 02:57:42 0 d-------- C:\Documents and Settings\Jay\Application Data\Sun
2008-07-10 02:55:49 0 d-------- C:\Program Files\Java
2008-07-10 02:52:27 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 00:55:01 0 d-------- C:\Program Files\Symantec
2008-07-08 00:54:44 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-08 00:54:44 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-08 00:54:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-06 01:03:10 0 d---s---- C:\Documents and Settings\Jay\UserData


-- Find3M Report ---------------------------------------------------------------

2008-08-05 23:15:19 0 d-------- C:\Documents and Settings\Jay\Application Data\Move Networks
2008-08-05 14:55:27 0 d-------- C:\Program Files\Common Files
2008-07-24 17:01:33 0 d-------- C:\Documents and Settings\Jay\Application Data\iolo
2008-07-04 22:46:07 0 d-------- C:\Program Files\IrfanView
2008-06-30 21:30:45 0 d-------- C:\Documents and Settings\Jay\Application Data\Microsoft Web Folders
2008-06-30 17:29:49 0 d-------- C:\Documents and Settings\Jay\Application Data\Adobe
2008-06-28 08:27:40 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-27 21:06:42 0 d-------- C:\Program Files\Messenger
2008-06-26 14:13:08 0 d-------- C:\Documents and Settings\Jay\Application Data\Help
2008-06-26 14:11:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 13:51:54 0 d-------- C:\Documents and Settings\Jay\Application Data\Gtek
2008-06-26 13:27:00 0 d-------- C:\Documents and Settings\Jay\Application Data\Macromedia
2008-06-26 00:13:06 0 d-------- C:\Program Files\microsoft frontpage
2008-06-26 00:07:33 0 d-------- C:\Documents and Settings\Jay\Application Data\Mozilla
2008-06-26 00:03:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-25 23:34:43 0 d-------- C:\Program Files\Yahoo!
2008-06-25 23:24:52 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-06-25 23:14:34 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-25 23:05:29 0 d-------- C:\Documents and Settings\Jay\Application Data\Identities
2008-06-25 22:51:31 0 -rahs---- C:\MSDOS.SYS
2008-06-25 22:51:31 0 -rahs---- C:\IO.SYS
2008-06-25 22:51:31 0 --a------ C:\CONFIG.SYS
2008-06-25 22:51:31 0 --a------ C:\AUTOEXEC.BAT
2008-06-25 22:49:39 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-25 22:49:34 0 d-------- C:\Program Files\Online Services
2008-06-25 22:48:33 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-25 22:48:22 0 d-------- C:\Program Files\Movie Maker
2008-06-25 22:47:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-25 22:46:41 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-25 22:46:29 0 d-------- C:\Program Files\Windows NT
2008-06-25 18:37:37 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-25 18:37:34 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-25 18:37:04 62 --ahs---- C:\Documents and Settings\Jay\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/21/2006 05:38 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/14/2007 07:49 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [05/06/2008 04:36 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"9OnHcEd4Ww"=C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ApiSrv"= {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll [07/30/2008 11:29 AM 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8940 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-06 14:33:52 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2400+
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 511.48 MiB / 194.56 MiB
Pagefile Memory (total/avail): 1250.25 MiB / 672.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.3 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.8 GiB total, 100.62 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SV1204H - 111.81 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.8 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.483.000 (Check Point, LTD.)
AV: Symantec AntiVirus Corporate Edition v10.1.6.6000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jay\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MAINOFFICE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jay
LOGONSERVER=\\MAINOFFICE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jay\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jay\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=MAINOFFICE
USERNAME=Jay
USERPROFILE=C:\Documents and Settings\Jay
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jay (admin)
Jim (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bejeweled 2 Deluxe --> "C:\Program Files\Oberon Media\Bejeweled 2 Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Bejeweled 2 Deluxe\install.log"
Canon PIXMA iP3000 --> C:\WINDOWS\system32\CNMCP61.exe "-PRINTERNAMECanon PIXMA iP3000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmi0409.dll"
CMUD 2.35 --> C:\Program Files\CMUD\uninst.exe
FedTerm v2.02 --> "C:\Program Files\FedTerm\unins000.exe"
Google Earth --> MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iolo technologies' System Mechanic 7 --> "C:\Program Files\iolo\System Mechanic 7\unins000.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money Plus --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{50E125D1-88E5-48CE-80AE-98EC9698E639}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
zMUD 7.21.0.0 --> C:\Program Files\zMUD\uninst.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type455 / Error
Event Submitted/Written: 08/06/2008 00:53:33 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.6.0.30, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type445 / Warning
Event Submitted/Written: 08/05/2008 03:03:44 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type433 / Error
Event Submitted/Written: 08/05/2008 02:17:19 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type432 / Error
Event Submitted/Written: 08/05/2008 02:16:43 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type431 / Error
Event Submitted/Written: 08/05/2008 02:12:08 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2421 / Error
Event Submitted/Written: 08/06/2008 09:57:38 AM / 08/06/2008 09:58:20 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type2409 / Error
Event Submitted/Written: 08/06/2008 09:44:24 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type2391 / Error
Event Submitted/Written: 08/06/2008 02:42:49 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The PC Tools Security Service service failed to start due to the following error:
%%1053

Event Record #/Type2390 / Error
Event Submitted/Written: 08/06/2008 02:42:49 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.

Event Record #/Type2389 / Error
Event Submitted/Written: 08/06/2008 02:39:02 AM / 08/06/2008 02:39:32 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type



-- End of Deckard's System Scanner: finished at 2008-08-06 14:33:52 ------------
  • 0

#7
Gravity Gripp

Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
Jaygriff, it's looking like you have some new stuff here, but no worries, we can take care of it.


STEP ONE
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\dqvtkld
    C:\Documents and Settings\All Users\Application Data\apufofqv
    C:\WINDOWS\system32\udyfibyx.exe
    C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
    HKEY_CLASSES_ROOT\CLSID\{6E1764FA-F752-29C7-7EBF-061861B87703}
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


STEP TWO
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Policies\Explorer\Run: [9OnHcEd4Ww] C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
O21 - SSODL: ApiSrv - {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

STEP THREE
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0
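
The two HijackThis lines singled out in STEP TWO above share the traits a malware-removal helper scans for: an autostart hung off Policies\Explorer\Run, random-looking value and folder names, and a shell extension (SSODL) loading from outside system32. The script below, an added example written for this thread and not code from the forum or from HijackThis, parses O4/O21/O23 lines and applies those heuristics; the sample log is constructed from lines quoted in the thread, and the scoring rules are this example's own assumptions.

```python
"""Triage HijackThis O4 / O21 / O23 lines with the heuristics a removal
helper applies by eye. Added example; the rules below are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three entries from the poster's first HijackThis log
# plus two benign ones for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [9OnHcEd4Ww] C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe
O21 - SSODL: ApiSrv - {6E1764FA-F752-29C7-7EBF-061861B87703} - C:\Program Files\dqvtkld\ApiSrv.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O21 = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in .exe/.dll inside the command string.
RE_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.IGNORECASE)

VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    kind: str                 # "O4", "O21" or "O23"
    name: str                 # registry value, SSODL name or service name
    path: Optional[str]       # executable/DLL path if one could be extracted
    key: str = ""             # O4 only: the Run key relative to the hive
    reasons: List[str] = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Heuristic: dropper-generated names are either consonant-only strings
    like 'dqvtkld' or mixed-case letter/digit soup like '9OnHcEd4Ww'.
    Product names almost always contain a vowel and rarely mix both."""
    if not token.isalnum() or len(token) < 5:
        return False
    if token.isalpha():
        return not (set(token) & VOWELS)
    digits = sum(c.isdigit() for c in token)
    mixed_case = any(c.islower() for c in token) and any(c.isupper() for c in token)
    return digits >= 2 and mixed_case


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a supported HijackThis line, else None."""
    for kind, rx in (("O4", RE_O4), ("O21", RE_O21), ("O23", RE_O23)):
        m = rx.match(line.strip())
        if m:
            pm = RE_PATH.search(m.group("cmd"))
            return Finding(kind, m.group("name"),
                           pm.group("path") if pm else None,
                           m.group("key") if kind == "O4" else "")
    return None


def triage(f: Finding) -> Finding:
    """Attach every reason a helper would flag this entry."""
    if f.kind == "O4" and f.key.lower().endswith(r"policies\explorer\run"):
        f.reasons.append("autostart via Policies\\Explorer\\Run, a key legitimate installers rarely use")
    if looks_random(f.name):
        f.reasons.append(f"random-looking entry name {f.name!r}")
    if f.path:
        parts = f.path.split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        if looks_random(parent):
            f.reasons.append(f"random-looking folder name {parent!r}")
        low = f.path.lower()
        if f.kind == "O21" and not low.startswith("c:\\windows\\system32\\"):
            f.reasons.append("SSODL shell extension loaded from outside system32")
        if "\\documents and settings\\" in low and ("\\desktop\\" in low or "\\temp\\" in low):
            f.reasons.append("autostart runs an executable from a user profile folder")
    return f


def flag_suspicious(log_text: str) -> List[Finding]:
    """Parse every line and keep only the entries that earned a reason."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None and triage(f).reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f.kind} {f.name} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it reports exactly the two entries the helper asked to have fixed, and none of the Spyware Doctor, ctfmon or ZoneAlarm lines.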

#8
Jaygriff

Jaygriff

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok, several files were removed by that OTMoveIt software and this is what I got from the malwarebytes software. Also the problem with the pop up on my husband's profile appears to be resolved. I have another question, though: how do I get the computer to not ask whether I want to run XP Pro? Do I have 2 operating systems installed now? Is this part of what might be slowing my system down?

Thank you for your time.

Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2

8:38:08 PM 8/9/2008
mbam-log-8-9-2008 (20-38-08).txt

Scan type: Quick Scan
Objects scanned: 39959
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#9
Gravity Gripp

Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
If you would please, do this: A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

To answer your question, in a sense yes, you have two operating systems installed. This generally wouldn't slow your system down but it may take up space on your hard drive. A hard drive can be split into separate partitions; think of a pie that is sliced. Each slice is a partition of the whole pie. Typically, when you install an OS you remove any existing partitions because the installation will create a new partition.

Here are some instructions on how to remove the old Windows installation, but be very careful following the directions as you could render your current installation useless. Also, you may want to wait until we are done here before you proceed with that.

http://support.micro...om/?kbid=888023
  • 0

#10
Jaygriff

Jaygriff

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Yes, I will wait until done here... I deleted (I thought) the partition on the drive and formatted the disk before installing my current installation.... that is why it is so confusing... Here is the log.



Explorer killed successfully
C:\Program Files\dqvtkld moved successfully.
C:\Documents and Settings\All Users\Application Data\apufofqv moved successfully.
File/Folder C:\WINDOWS\system32\udyfibyx.exe not found.
File/Folder C:\Documents and Settings\Jim\Desktop\FlashPlayerH264Ext.exe not found.
< HKEY_CLASSES_ROOT\CLSID\{6E1764FA-F752-29C7-7EBF-061861B87703} >
Registry key HKEY_CLASSES_ROOT\CLSID\{6E1764FA-F752-29C7-7EBF-061861B87703}\\ deleted successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Jay\LOCALS~1\Temp\etilqs_uxbwb9ghvj3bfum28fOn scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jay\LOCALS~1\Temp\fb_1088.lck scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jay\LOCALS~1\Temp\Perflib_Perfdata_440.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jay\LOCALS~1\Temp\Perflib_Perfdata_ea4.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jay\LOCALS~1\Temp\sqlite_K0QwgS1lq6g8zH8 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\fb_1984.lck scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_624.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT07f92.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT07fa6.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08092008_200921

Files moved on Reboot...
File C:\DOCUME~1\Jay\LOCALS~1\Temp\etilqs_uxbwb9ghvj3bfum28fOn not found!
File C:\DOCUME~1\Jay\LOCALS~1\Temp\fb_1088.lck not found!
File C:\DOCUME~1\Jay\LOCALS~1\Temp\Perflib_Perfdata_440.dat not found!
File C:\DOCUME~1\Jay\LOCALS~1\Temp\Perflib_Perfdata_ea4.dat not found!
File C:\DOCUME~1\Jay\LOCALS~1\Temp\sqlite_K0QwgS1lq6g8zH8 not found!
File C:\WINDOWS\temp\fb_1984.lck not found!
File C:\WINDOWS\temp\Perflib_Perfdata_624.dat not found!
File C:\WINDOWS\temp\ZLT07f92.TMP not found!
File C:\WINDOWS\temp\ZLT07fa6.TMP not found!
C:\WINDOWS\temp\_avast4_\Webshlock.txt moved successfully.
  • 0

#11
Gravity Gripp

Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
Go ahead and post a new DSS log please. Just the main.txt will be ok this time.
  • 0

#12
Jaygriff

Jaygriff

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Deckard's System Scanner v20071014.68
Run by Jay on 2008-08-11 22:27:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jay.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:53 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\zMUD\Zmud.exe
C:\Program Files\zMUD\Zmud.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jay\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jay.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-606747145-1229272821-725345543-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jim')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4546 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-09 20:13:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 17:12:50 0 d-------- C:\Program Files\Alwil Software
2008-08-06 03:11:56 0 d-------- C:\Program Files\CMUD
2008-08-06 00:37:55 1017888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-05 15:03:08 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-05 15:02:36 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-08-05 15:00:10 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-08-05 14:52:39 0 d-------- C:\WINDOWS\SHELLNEW
2008-08-02 19:12:03 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 18:28:51 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 18:10:40 0 d-------- C:\Documents and Settings\Jay\Application Data\Malwarebytes
2008-08-02 17:37:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-02 17:37:04 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-08-02 17:36:26 0 d-------- C:\WINDOWS\Internet Logs
2008-08-02 15:16:09 0 d-------- C:\Documents and Settings\Jim\Application Data\Malwarebytes
2008-08-02 15:16:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 15:14:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-02 15:04:25 0 d-------- C:\Program Files\Trend Micro
2008-07-31 13:41:44 0 d-------- C:\Program Files\Lavasoft
2008-07-31 13:41:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-30 02:50:26 0 d-------- C:\Program Files\GamesBar
2008-07-30 02:50:07 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-07-30 02:50:06 0 d-------- C:\Program Files\Oberon Media
2008-07-29 22:33:05 0 d-------- C:\Program Files\FedTerm
2008-07-27 18:54:42 0 d-------- C:\Program Files\zMUD
2008-07-27 18:53:29 0 d-------- C:\Program Files\CMUD3
2008-07-27 10:11:24 0 d-------- C:\Documents and Settings\Jim\Application Data\Google
2008-07-27 10:06:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-27 10:06:31 0 d-------- C:\Program Files\Google
2008-07-25 08:45:24 0 d-------- C:\Documents and Settings\Jim\Application Data\iolo
2008-07-24 15:19:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-24 15:19:18 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-07-24 15:19:18 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-07-24 15:19:12 0 d-------- C:\Program Files\iolo
2008-07-23 13:55:56 0 d-------- C:\Program Files\Microsoft Money Plus
2008-07-17 10:44:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 16:28:12 0 d-------- C:\Documents and Settings\Jay\Application Data\Netscape
2008-07-15 10:13:49 0 d-------- C:\Documents and Settings\Jim\Application Data\Netscape
2008-07-15 10:13:37 0 d-------- C:\Program Files\Netscape


-- Find3M Report ---------------------------------------------------------------

2008-08-07 02:36:45 0 d-------- C:\Documents and Settings\Jay\Application Data\Move Networks
2008-08-06 17:07:27 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-05 14:55:27 0 d-------- C:\Program Files\Common Files
2008-07-24 17:01:33 0 d-------- C:\Documents and Settings\Jay\Application Data\iolo
2008-07-10 02:57:42 0 d-------- C:\Documents and Settings\Jay\Application Data\Sun
2008-07-10 02:56:39 0 d-------- C:\Program Files\Java
2008-07-10 02:52:27 0 d-------- C:\Program Files\Common Files\Java
2008-07-04 22:46:07 0 d-------- C:\Program Files\IrfanView
2008-06-30 21:30:45 0 d-------- C:\Documents and Settings\Jay\Application Data\Microsoft Web Folders
2008-06-30 17:29:49 0 d-------- C:\Documents and Settings\Jay\Application Data\Adobe
2008-06-28 08:27:40 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-27 21:06:42 0 d-------- C:\Program Files\Messenger
2008-06-26 14:13:08 0 d-------- C:\Documents and Settings\Jay\Application Data\Help
2008-06-26 14:11:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 13:51:54 0 d-------- C:\Documents and Settings\Jay\Application Data\Gtek
2008-06-26 13:27:00 0 d-------- C:\Documents and Settings\Jay\Application Data\Macromedia
2008-06-26 00:13:06 0 d-------- C:\Program Files\microsoft frontpage
2008-06-26 00:07:33 0 d-------- C:\Documents and Settings\Jay\Application Data\Mozilla
2008-06-26 00:03:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-25 23:34:43 0 d-------- C:\Program Files\Yahoo!
2008-06-25 23:24:52 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-06-25 23:14:34 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-25 23:05:29 0 d-------- C:\Documents and Settings\Jay\Application Data\Identities
2008-06-25 22:51:31 0 -rahs---- C:\MSDOS.SYS
2008-06-25 22:51:31 0 -rahs---- C:\IO.SYS
2008-06-25 22:51:31 0 --a------ C:\CONFIG.SYS
2008-06-25 22:51:31 0 --a------ C:\AUTOEXEC.BAT
2008-06-25 22:49:39 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-25 22:49:34 0 d-------- C:\Program Files\Online Services
2008-06-25 22:48:33 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-25 22:48:22 0 d-------- C:\Program Files\Movie Maker
2008-06-25 22:47:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-25 22:46:41 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-25 22:46:29 0 d-------- C:\Program Files\Windows NT
2008-06-25 18:37:37 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-25 18:37:34 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-25 18:37:04 62 --ahs---- C:\Documents and Settings\Jay\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [05/06/2008 04:36 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 10:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SMRequiresRestart"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-08-11 22:29:07 ------------
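An added example, not code from the thread or from HijackThis: a small Python parser for the O4 (Run-key) and O23 (service) lines of a log like the one above, with two triage heuristics of my own that mark the entries a reviewer verifies first. The sample lines are copied from the log; the review rules are assumptions about what to look at, not HijackThis output.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: O4/O23 lines in HijackThis format, copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
"""

class Autorun(NamedTuple):  # one O4 line: a value under a Run key
    hive: str
    name: str
    command: str

class Service(NamedTuple):  # one O23 line: an installed service
    name: str
    vendor: str
    path: str

# O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <vendor> - <image path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

def parse_hjt(text: str) -> Tuple[List[Autorun], List[Service]]:
    """Split a HijackThis log into its autorun (O4) and service (O23) entries."""
    autoruns, services = [], []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            autoruns.append(Autorun(m["hive"], m["name"], m["cmd"]))
        elif m := O23_RE.match(line):
            services.append(Service(m["name"], m["vendor"], m["path"]))
    return autoruns, services

def review(autoruns: List[Autorun], services: List[Service]) -> List[str]:
    """Triage notes (assumed heuristics, not HijackThis logic): autoruns given without
    a full path, and services with no vendor string, are the entries to verify first."""
    notes = []
    for a in autoruns:
        if "\\" not in a.command.strip('"'):
            notes.append(f"O4 [{a.name}] in {a.hive}: bare command {a.command!r}, resolve which file actually runs")
    for s in services:
        if s.vendor == "Unknown owner":
            notes.append(f"O23 {s.name}: no vendor string, verify the publisher of {s.path}")
    return notes

if __name__ == "__main__":
    for note in review(*parse_hjt(SAMPLE_LOG)):
        print(note)
```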

#13
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
Jaygriff, things are looking good. I'd like for you to do a scan with Kaspersky just to make sure we got everything.

STEP ONE
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")


#14
Jaygriff

    New Member

  • Topic Starter
  • Member
  • 7 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 05:35:28
Records in database: 1092061
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 53688
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:42:46

No malware has been detected. The scan area is clean.

The selected area was scanned.

#15
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
Jaygriff, everything is looking good. Unless you are having any further problems, I believe we can call this one closed. Follow the steps below to tidy up the mess we've made.


STEP ONE
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

STEP TWO
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Also, the following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • JKDefrag - A disk defragmenter and optimizer for Windows 2000/2003/XP/Vista. It is completely automatic and very easy to use, fast, low overhead and has several optimization strategies. After downloading the zip file, just extract JKDefrag.exe to your desktop and double click.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Pidgin - A malware-free Instant Messenger program which allows you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN, MyspaceIM, GTalk)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.