
Virtumonde Popups/win32 Trojan



#1 matt12


Posted 30 June 2008 - 05:14 AM

Hi there,

I am getting advertising pop-ups saying that my computer is infected and that I should download software to scan and remove it. I presume this is from Virtumonde.

I have run Spybot S&D which keeps finding Virtumonde and Win32.Agent.qt. When I click "Fix the problems" it says that they have been fixed, but when I scan again they are found again. I also have Ad-Aware but this cannot find the problems. I am running F-Secure Antivirus but this cannot find any problems either.

The following are copies of the DSS reports and Kaspersky report.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-30 21:59:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
24: 2008-06-30 09:59:30 UTC - RP467 - Deckard's System Scanner Restore Point
23: 2008-06-30 07:49:43 UTC - RP466 - Spybot-S&D Spyware removal
22: 2008-06-30 06:46:16 UTC - RP465 - System Checkpoint
21: 2008-06-29 05:30:26 UTC - RP464 - Spybot-S&D Spyware removal
20: 2008-06-28 23:33:12 UTC - RP463 - Installed Adobe Photoshop


-- First Restore Point --
1: 2008-04-30 07:48:00 UTC - RP444 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-30 22:01:26
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure\Common\FSM32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dslsbwpe.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\backWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMA32.exe
C:\Program Files\F-Secure\Common\FSMB32.exe
C:\Program Files\F-Secure\Common\fch32.exe
C:\Program Files\F-Secure\Common\FAMEH32.exe
C:\Program Files\F-Secure\Common\FNRB32.exe
C:\Program Files\F-Secure\Common\FIH32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Local Settings\Temp\jkos-Owner\binaries\ScanningProcess.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2FAB6BF8-71CD-49C2-57C1-094A5099C20C} - C:\WINDOWS\system32\winstr.dll
O2 - BHO: (no name) - {39B52884-1242-4DBD-55DB-0AA95759BA9B} - C:\WINDOWS\system32\apimsg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=032907 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [dynepclw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dynepclw.dll"
O4 - HKLM\..\Run: [fodstgpo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fodstgpo.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [pvrxmssx] C:\WINDOWS\system32\dslsbwpe.exe
O4 - HKCU\..\Run: [xktllgqy] C:\WINDOWS\system32\vyjeluvi.exe
O4 - HKLM\..\Policies\Explorer\Run: [cDqRsJiTtc] C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154670691664
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} () - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: wintqv32 - C:\WINDOWS\system32\wintqv32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\fsaa.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 9660 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\f-secure\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\f-secure\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\f-secure\anti-virus\win2k\fsrec.sys
R2 FSpm (F-Secure Policy Manager) - c:\program files\f-secure\common\fspm.sys <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BackWeb Client - 7681197 (F-Secure BackWeb) - c:\progra~1\f-secure\backweb\7681197\program\servic~1.exe
R2 F-Secure Gatekeeper Handler Starter - "c:\program files\f-secure\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corp.; F-Secure Corp. Startup service>
R2 FSMA (F-Secure Management Agent) - "c:\program files\f-secure\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
R3 F-Secure Network Request Broker - "c:\program files\f-secure\common\fnrb32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>

S2 FSAA (F-Secure Authentication Agent) - "c:\program files\f-secure\common\fsaa.exe" <Not Verified; F-Secure Corporation. All Rights Reserved.; F-Secure Authentication Agent>
S3 F-Secure BackWeb LAN Access - "c:\program files\f-secure\backweb\7681197\program\fsbwlan.exe"
S3 Pscevernrr -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_542214F1&REV_01\3&61AAA01&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_542214F1&REV_01\3&61AAA01&0&FE
Service:


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 19:52:38 114688 --a------ C:\Documents and Settings\All Users\Application Data\fodstgpo.dll
2008-06-30 19:52:37 114688 --a------ C:\WINDOWS\system32\winstr.dll
2008-06-30 19:52:36 90112 --a------ C:\WINDOWS\system32\vyjeluvi.exe
2008-06-30 19:12:43 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 19:12:42 2539 --a------ C:\WINDOWS\unins000.dat
2008-06-29 16:13:27 0 d-------- C:\VundoFix Backups
2008-06-29 15:19:50 0 d-------- C:\Program Files\SpywareBlaster
2008-06-29 15:17:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-29 15:05:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 15:05:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 15:05:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 15:05:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 15:05:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 15:05:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 15:05:23 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 15:05:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 11:46:41 32256 --a------ C:\WINDOWS\system32\wintqv32.dll
2008-06-29 11:46:10 110592 --a------ C:\WINDOWS\system32\apimsg.dll
2008-06-29 11:46:10 0 d-------- C:\Documents and Settings\All Users\Application Data\vaxypkvw
2008-06-29 11:46:10 110592 --a------ C:\Documents and Settings\All Users\Application Data\dynepclw.dll
2008-06-29 11:46:08 81920 --a------ C:\WINDOWS\system32\dslsbwpe.exe
2008-06-29 11:45:54 32256 --a------ C:\WINDOWS\system32\winmzj32.dll
2008-06-29 11:35:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 20:41:14 0 d-------- C:\Program Files\Exterminate It!
2008-05-31 13:04:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-06-29 16:13:23 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-29 11:41:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files
2008-06-29 11:34:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 11:33:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-25 20:51:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-06-25 20:19:41 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-06-20 21:36:55 0 d-------- C:\Program Files\PacificPoker4
2008-06-15 11:33:37 0 d-------- C:\Program Files\QuickTime
2008-05-31 13:05:02 0 d-------- C:\Program Files\Lavasoft
2008-05-22 20:11:10 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FAB6BF8-71CD-49C2-57C1-094A5099C20C}]
30/06/2008 07:52 p.m. 114688 --a------ C:\WINDOWS\system32\winstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39B52884-1242-4DBD-55DB-0AA95759BA9B}]
29/06/2008 11:46 a.m. 110592 --a------ C:\WINDOWS\system32\apimsg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 02:59 p.m.]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [04/03/2005 11:26 a.m.]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 11:33 a.m.]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 a.m.]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 a.m.]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 a.m.]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/05/2007 10:44 p.m.]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [06/06/2002 11:52 a.m.]
"dynepclw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\dynepclw.dll" []
"fodstgpo"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\fodstgpo.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [05/08/2004 12:00 a.m.]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 04:45 p.m.]
"pvrxmssx"="C:\WINDOWS\system32\dslsbwpe.exe" [29/06/2008 11:46 a.m.]
"xktllgqy"="C:\WINDOWS\system32\vyjeluvi.exe" [30/06/2008 07:52 p.m.]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [29/06/2008 11:34:30 a.m.]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"cDqRsJiTtc"=C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 04:08 p.m. 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintqv32]
wintqv32.dll 29/06/2008 11:46 a.m. 32256 C:\WINDOWS\system32\wintqv32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-06-30 22:02:12 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 766.21 MiB / 514.39 MiB
Pagefile Memory (total/avail): 1875.09 MiB / 1471.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.76 MiB

C: is Fixed (NTFS) - 19.53 GiB total, 12.81 GiB free.
D: is CDROM (Unformatted)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 36.35 GiB total, 28.03 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS548060M9AT00 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Installable File System - 36.35 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"F:\\Games\\Best Old Games - Collection\\volleyball\\Volejbal\\volley.exe"="F:\\Games\\Best Old Games - Collection\\volleyball\\Volejbal\\volley.exe:*:Disabled:volley"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"="C:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe:*:Enabled:GameCenter"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"G:\\DC++\\DCPlusPlus.exe"="G:\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Cyanide\\Pro Cycling Manager\\Cym2005.exe"="C:\\Program Files\\Cyanide\\Pro Cycling Manager\\Cym2005.exe:*:Disabled:Pro Cycling Manager"
"G:\\rmDC++0.403D[1]\\rmDC.exe"="G:\\rmDC++0.403D[1]\\rmDC.exe:*:Disabled:rmDC"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\winver.exe"="C:\\WINDOWS\\system32\\winver.exe:*:Enabled:winver"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\MATT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=MATT
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\BWUnin-6.1.4.41-7681197L.exe -AppId 7681197
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBBB5EED-CC92-49F2-A276-D5433F39D1EB}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Accord SDK 5.1 Runtime --> C:\Program Files\Accelrys\Accord50\Accordsk\RTDeinstall\Setup.exe
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DC++ 0.670 --> "G:\DC++\uninstall.exe"
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
F-Secure Anti-Virus --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus"
F-Secure BackWeb --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure BackWeb"
F-Secure Management Agent --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Management Agent"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Pacific Poker --> C:\PROGRA~1\PACIFI~1\UNWISE.EXE C:\PROGRA~1\PACIFI~1\INSTALL.LOG
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TWIN PS TO PC CONVERTER --> C:\PROGRA~1\TWINCO~1\UNWISE.EXE C:\PROGRA~1\TWINCO~1\INSTALL.LOG
VGA USB Camera --> C:\WINDOWS\CleanDev.exe C:\WINDOWS\ov519.TXT
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type5586 / Error
Event Submitted/Written: 06/30/2008 07:50:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5550 / Error
Event Submitted/Written: 06/28/2008 11:19:51 AM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
4 2008-06-28 11:19:51+13:00 matt MATT\Owner F-Secure Anti-Virus
Cannot read sector while scanning I:.

Event Record #/Type5549 / Error
Event Submitted/Written: 06/28/2008 11:19:51 AM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
3 2008-06-28 11:19:51+13:00 matt MATT\Owner F-Secure Anti-Virus
Cannot read sector while scanning I:.

Event Record #/Type5548 / Error
Event Submitted/Written: 06/28/2008 10:37:13 AM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
2 2008-06-28 10:37:13+13:00 matt MATT\Owner F-Secure Anti-Virus
Cannot read sector while scanning I:.

Event Record #/Type5547 / Error
Event Submitted/Written: 06/28/2008 10:37:12 AM
Event ID/Source: 103 / F-Secure Anti-Virus
Event Description:
1 2008-06-28 10:37:12+13:00 matt MATT\Owner F-Secure Anti-Virus
Cannot read sector while scanning I:.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24487 / Error
Event Submitted/Written: 06/30/2008 09:02:01 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type24486 / Error
Event Submitted/Written: 06/30/2008 09:01:53 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type24485 / Error
Event Submitted/Written: 06/30/2008 09:01:49 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type24484 / Error
Event Submitted/Written: 06/30/2008 09:01:45 PM / 06/30/2008 09:01:49 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type24457 / Warning
Event Submitted/Written: 06/30/2008 06:12:57 PM / 06/30/2008 06:13:27 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down



-- End of Deckard's System Scanner: finished at 2008-06-30 22:02:12 ------------




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 30, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 30, 2008 07:45:24
Records in database: 898257
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 51584
Threat name: 6
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 01:04:17


File name / Threat name / Threats count
C:\WINDOWS\system32\wintqv32.dll/C:\WINDOWS\system32\wintqv32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe/C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\system32\dslsbwpe.exe/C:\WINDOWS\system32\dslsbwpe.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\Owner\Local Settings\Temp\win278.exe.bak Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\Owner\My Documents\My Skype Content\docs.zip Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\Documents and Settings\Owner\My Documents\My Skype Content\spoof.exe Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\WINDOWS\iexplorer.reg Infected: Trojan.WinREG.StartPage 1
C:\WINDOWS\system32\dslsbwpe.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\system32\nnnmlJyv.dll.vir Infected: Trojan.Win32.Inject.dfx 1
C:\WINDOWS\system32\vyjeluvi.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\system32\winmzj32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\WINDOWS\system32\wintqv32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\WINDOWS\Web\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c 1

The selected area was scanned.



Any help would be greatly appreciated.

Thanks and regards,


Matt


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:54 AM

Posted 01 July 2008 - 04:39 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 matt12

matt12
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 02 July 2008 - 04:30 AM

Hi Sam,

Thanks for the prompt reply. I have MBAM. It found a couple of registry errors. The logs for MBAM and DSS are shown below.



Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 5.1.2600 Service Pack 2

9:23:59 p.m. 2/07/2008
mbam-log-7-2-2008 (21-23-59).txt

Scan type: Quick Scan
Objects scanned: 40544
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wintqv32 (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-02 21:25:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-02 21:25:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure\Common\FSM32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dslsbwpe.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.exe
C:\Program Files\F-Secure\Common\FSMB32.exe
C:\Program Files\F-Secure\Common\fch32.exe
C:\Program Files\F-Secure\Common\FNRB32.exe
C:\Program Files\F-Secure\Common\FAMEH32.exe
C:\Program Files\F-Secure\Common\FIH32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\backWeb-7681197.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2FAB6BF8-71CD-49C2-57C1-094A5099C20C} - C:\WINDOWS\system32\winstr.dll
O2 - BHO: (no name) - {39B52884-1242-4DBD-55DB-0AA95759BA9B} - C:\WINDOWS\system32\apimsg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=032907 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [dynepclw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dynepclw.dll"
O4 - HKLM\..\Run: [fodstgpo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fodstgpo.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [pvrxmssx] C:\WINDOWS\system32\dslsbwpe.exe
O4 - HKCU\..\Run: [xktllgqy] C:\WINDOWS\system32\vyjeluvi.exe
O4 - HKLM\..\Policies\Explorer\Run: [cDqRsJiTtc] C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154670691664
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} () - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\fsaa.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 9533 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 21:17:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-02 21:17:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 21:17:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 19:52:38 114688 --a------ C:\Documents and Settings\All Users\Application Data\fodstgpo.dll
2008-06-30 19:52:37 114688 --a------ C:\WINDOWS\system32\winstr.dll
2008-06-30 19:52:36 90112 --a------ C:\WINDOWS\system32\vyjeluvi.exe
2008-06-30 19:12:43 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 19:12:42 2539 --a------ C:\WINDOWS\unins000.dat
2008-06-29 16:13:27 0 d-------- C:\VundoFix Backups
2008-06-29 15:19:50 0 d-------- C:\Program Files\SpywareBlaster
2008-06-29 15:17:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-29 15:05:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 15:05:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 15:05:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 15:05:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 15:05:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 15:05:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 15:05:23 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 15:05:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 11:46:41 32256 --a------ C:\WINDOWS\system32\wintqv32.dll
2008-06-29 11:46:10 110592 --a------ C:\WINDOWS\system32\apimsg.dll
2008-06-29 11:46:10 0 d-------- C:\Documents and Settings\All Users\Application Data\vaxypkvw
2008-06-29 11:46:10 110592 --a------ C:\Documents and Settings\All Users\Application Data\dynepclw.dll
2008-06-29 11:46:08 81920 --a------ C:\WINDOWS\system32\dslsbwpe.exe
2008-06-29 11:45:54 32256 --a------ C:\WINDOWS\system32\winmzj32.dll
2008-06-29 11:35:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 20:41:14 0 d-------- C:\Program Files\Exterminate It!


-- Find3M Report ---------------------------------------------------------------

2008-07-01 20:15:33 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-29 11:41:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files
2008-06-29 11:34:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 11:33:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-25 20:51:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-06-25 20:19:41 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-06-20 21:36:55 0 d-------- C:\Program Files\PacificPoker4
2008-06-15 11:33:37 0 d-------- C:\Program Files\QuickTime
2008-05-31 13:05:02 0 d-------- C:\Program Files\Lavasoft
2008-05-31 13:04:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 20:11:10 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FAB6BF8-71CD-49C2-57C1-094A5099C20C}]
30/06/2008 07:52 p.m. 114688 --a------ C:\WINDOWS\system32\winstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39B52884-1242-4DBD-55DB-0AA95759BA9B}]
29/06/2008 11:46 a.m. 110592 --a------ C:\WINDOWS\system32\apimsg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 02:59 p.m.]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [04/03/2005 11:26 a.m.]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 11:33 a.m.]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 a.m.]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 a.m.]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 a.m.]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/05/2007 10:44 p.m.]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [06/06/2002 11:52 a.m.]
"dynepclw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\dynepclw.dll" []
"fodstgpo"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\fodstgpo.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [05/08/2004 12:00 a.m.]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 04:45 p.m.]
"pvrxmssx"="C:\WINDOWS\system32\dslsbwpe.exe" [29/06/2008 11:46 a.m.]
"xktllgqy"="C:\WINDOWS\system32\vyjeluvi.exe" [30/06/2008 07:52 p.m.]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [29/06/2008 11:34:30 a.m.]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"cDqRsJiTtc"=C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 04:08 p.m. 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-02 21:25:42 ------------




Look forward to hearing from you. Cheers,

Matt

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:54 AM

Posted 02 July 2008 - 09:35 AM

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wintqv32.dll
    C:\WINDOWS\system32\apimsg.dll
    C:\Documents and Settings\All Users\Application Data\vaxypkvw
    C:\Documents and Settings\All Users\Application Data\dynepclw.dll
    C:\WINDOWS\system32\dslsbwpe.exe
    C:\WINDOWS\system32\winmzj32.dll
    C:\Documents and Settings\All Users\Application Data\fodstgpo.dll
    C:\WINDOWS\system32\winstr.dll
    C:\WINDOWS\system32\vyjeluvi.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dynepclw
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fodstgpo
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pvrxmssx
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xktllgqy
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


==============



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 matt12

  • Topic Starter

  • Members
  • 18 posts

Posted 03 July 2008 - 05:23 AM

Hi again Sam,

I had some trouble with OTMoveIt2. It kept becoming non-responsive. I eventually unticked the 'Unregister DLL's and OCX's' box and then it ran fine (I think?). Here are the logs from OTMoveIt2, Kaspersky and DSS.



File/Folder C:\WINDOWS\system32\wintqv32.dll not found.
C:\WINDOWS\system32\apimsg.dll moved successfully.
File/Folder C:\Documents and Settings\All Users\Application Data\vaxypkvw not found.
C:\Documents and Settings\All Users\Application Data\dynepclw.dll moved successfully.
C:\WINDOWS\system32\dslsbwpe.exe moved successfully.
C:\WINDOWS\system32\winmzj32.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\fodstgpo.dll moved successfully.
C:\WINDOWS\system32\winstr.dll moved successfully.
C:\WINDOWS\system32\vyjeluvi.exe moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dynepclw >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dynepclw deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fodstgpo >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fodstgpo deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pvrxmssx >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pvrxmssx deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xktllgqy >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xktllgqy deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07032008_203057




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 03, 2008 08:08:06
Records in database: 909933
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 52170
Threat name: 6
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:05:00


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080702212511\backup\DOCUME~1\Owner\LOCALS~1\Temp\win278.exe.bak Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\Owner\My Documents\My Skype Content\docs.zip Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\Documents and Settings\Owner\My Documents\My Skype Content\spoof.exe Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\WINDOWS\iexplorer.reg Infected: Trojan.WinREG.StartPage 1
C:\WINDOWS\system32\nnnmlJyv.dll.vir Infected: Trojan.Win32.Inject.dfx 1
C:\WINDOWS\Web\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c 1
C:\_OTMoveIt\MovedFiles\07032008_175513\WINDOWS\system32\wintqv32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\_OTMoveIt\MovedFiles\07032008_202849\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\dslsbwpe.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\vyjeluvi.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\winmzj32.dll Infected: Trojan.Win32.Obfuscated.dwj 1

The selected area was scanned.



Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-03 22:16:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-03 22:16:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure\Common\FSM32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dslsbwpe.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\backWeb-7681197.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.exe
C:\Program Files\F-Secure\Common\FSMB32.exe
C:\Program Files\F-Secure\Common\fch32.exe
C:\Program Files\F-Secure\Common\FAMEH32.exe
C:\Program Files\F-Secure\Common\FNRB32.exe
C:\Program Files\F-Secure\Common\FIH32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CFC7AFC-4322-1AF7-8A7B-05184D8F07D4} - C:\WINDOWS\system32\GenChkSrv.dll
O2 - BHO: (no name) - {2FAB6BF8-71CD-49C2-57C1-094A5099C20C} - C:\WINDOWS\system32\winstr.dll (file missing)
O2 - BHO: (no name) - {39B52884-1242-4DBD-55DB-0AA95759BA9B} - C:\WINDOWS\system32\apimsg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=032907 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [sxutkjct] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxutkjct.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [jhehwuqg] C:\WINDOWS\system32\tyhkjebk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154670691664
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} () - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: wintqv32 - C:\WINDOWS\system32\wintqv32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\fsaa.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 9353 bytes

-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-07-03 17:49:54 98304 --a------ C:\WINDOWS\system32\GenChkSrv.dll
2008-07-03 17:49:54 98304 --a------ C:\Documents and Settings\All Users\Application Data\sxutkjct.dll
2008-07-03 17:49:52 81920 --a------ C:\WINDOWS\system32\tyhkjebk.exe
2008-07-02 21:17:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-02 21:17:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 21:17:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 19:12:43 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 19:12:42 2539 --a------ C:\WINDOWS\unins000.dat
2008-06-29 16:13:27 0 d-------- C:\VundoFix Backups
2008-06-29 15:19:50 0 d-------- C:\Program Files\SpywareBlaster
2008-06-29 15:17:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-29 15:05:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 15:05:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 15:05:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 15:05:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 15:05:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 15:05:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 15:05:23 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 15:05:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 11:35:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 20:41:14 0 d-------- C:\Program Files\Exterminate It!


-- Find3M Report ---------------------------------------------------------------

2008-07-01 20:15:33 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-29 11:41:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files
2008-06-29 11:34:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 11:33:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-25 20:51:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-06-25 20:19:41 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-06-20 21:36:55 0 d-------- C:\Program Files\PacificPoker4
2008-06-15 11:33:37 0 d-------- C:\Program Files\QuickTime
2008-05-31 13:05:02 0 d-------- C:\Program Files\Lavasoft
2008-05-31 13:04:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 20:11:10 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFC7AFC-4322-1AF7-8A7B-05184D8F07D4}]
03/07/2008 05:49 p.m. 98304 --a------ C:\WINDOWS\system32\GenChkSrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FAB6BF8-71CD-49C2-57C1-094A5099C20C}]
C:\WINDOWS\system32\winstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39B52884-1242-4DBD-55DB-0AA95759BA9B}]
C:\WINDOWS\system32\apimsg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 02:59 p.m.]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [04/03/2005 11:26 a.m.]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 11:33 a.m.]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 a.m.]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 a.m.]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 a.m.]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/05/2007 10:44 p.m.]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [06/06/2002 11:52 a.m.]
"sxutkjct"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\sxutkjct.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [05/08/2004 12:00 a.m.]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 04:45 p.m.]
"jhehwuqg"="C:\WINDOWS\system32\tyhkjebk.exe" [03/07/2008 05:49 p.m.]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [29/06/2008 11:34:30 a.m.]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 04:08 p.m. 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintqv32]
wintqv32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-03 22:16:53 ------------



Cheers,

Matt
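Added example (not code from this thread, from BleepingComputer or from Kaspersky): a small Python triage of the Kaspersky report posted above. Six of the eleven hits sit inside folders that the removal tools used here created for their own backups (C:\_OTMoveIt\MovedFiles and C:\Deckard\System Scanner\...\backup), so they are inert copies rather than a reinfection; the script separates those from files still live on disk and cross-checks its parse against the report's own Scan statistics. The eleven detection lines are copied from the report; the quarantine prefix list is an assumption read off those paths (C:\VundoFix Backups is included because the DSS log shows that folder exists), and other tools use other folders.

```python
import re

# The eleven detection lines copied from the Kaspersky Online Scanner 7 report in the post above.
KASPERSKY_REPORT = r"""
C:\Deckard\System Scanner\20080702212511\backup\DOCUME~1\Owner\LOCALS~1\Temp\win278.exe.bak Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\Owner\My Documents\My Skype Content\docs.zip Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\Documents and Settings\Owner\My Documents\My Skype Content\spoof.exe Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\WINDOWS\iexplorer.reg Infected: Trojan.WinREG.StartPage 1
C:\WINDOWS\system32\nnnmlJyv.dll.vir Infected: Trojan.Win32.Inject.dfx 1
C:\WINDOWS\Web\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c 1
C:\_OTMoveIt\MovedFiles\07032008_175513\WINDOWS\system32\wintqv32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\_OTMoveIt\MovedFiles\07032008_202849\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\dslsbwpe.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\vyjeluvi.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\winmzj32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
"""

# Folders in which the tools used in this thread park what they moved or backed up.
# Assumption: these prefixes are read off the report paths and the DSS folder list;
# other tools use other folders, so extend the tuple for them.
QUARANTINE_PREFIXES = (
    'c:\\_otmoveit\\movedfiles\\',
    'c:\\deckard\\system scanner\\',
    'c:\\vundofix backups\\',
)

HIT_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$')


def parse_report(text):
    """Return [(path, threat_name, count)] for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group('path'), m.group('threat'), int(m.group('count'))))
    return hits


def is_quarantined(path):
    """True if the hit sits inside a removal tool's own quarantine/backup folder."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in QUARANTINE_PREFIXES)


def split_hits(text):
    """Separate hits that still need action from copies already parked by a cleaning tool."""
    live, quarantined = [], []
    for path, threat, _ in parse_report(text):
        (quarantined if is_quarantined(path) else live).append((path, threat))
    return live, quarantined


def summary(text):
    """(distinct threat names, infected objects): compare with the report's Scan statistics."""
    hits = parse_report(text)
    return len({threat for _, threat, _ in hits}), sum(count for _, _, count in hits)


if __name__ == '__main__':
    live, quarantined = split_hits(KASPERSKY_REPORT)
    print('Scan statistics check (threat names, infected objects):', summary(KASPERSKY_REPORT))
    print('\nStill live on disk, hand to OTMoveIt:')
    for path, threat in live:
        print('  %-70s %s' % (path, threat))
    print('\nAlready quarantined, gone once the tool folders are removed:')
    for path, threat in quarantined:
        print('  %-70s %s' % (path, threat))
```

The live list comes out as docs.zip, spoof.exe, iexplorer.reg, nnnmlJyv.dll.vir and def.htm, the same five files the helper sends to OTMoveIt in the next reply. nnnmlJyv.dll.vir counts as live because it sits in system32 rather than in a tool folder: the renamed file no longer matches any BHO registration, but its bytes are still on disk. The summary() cross-check returning (6, 11) matches the report's "Threat name: 6" and "Infected objects: 11", which confirms the parser saw every line.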

#6 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 July 2008 - 10:13 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0CFC7AFC-4322-1AF7-8A7B-05184D8F07D4} - C:\WINDOWS\system32\GenChkSrv.dll
O2 - BHO: (no name) - {2FAB6BF8-71CD-49C2-57C1-094A5099C20C} - C:\WINDOWS\system32\winstr.dll (file missing)
O2 - BHO: (no name) - {39B52884-1242-4DBD-55DB-0AA95759BA9B} - C:\WINDOWS\system32\apimsg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [sxutkjct] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxutkjct.dll"
O4 - HKCU\..\Run: [jhehwuqg] C:\WINDOWS\system32\tyhkjebk.exe
O20 - Winlogon Notify: wintqv32 - C:\WINDOWS\system32\wintqv32.dll (file missing)




Delete these files with OTMoveit just like you did with the others.

C:\Documents and Settings\Owner\My Documents\My Skype Content\docs.zip
C:\Documents and Settings\Owner\My Documents\My Skype Content\spoof.exe 
C:\WINDOWS\iexplorer.reg 
C:\WINDOWS\system32\nnnmlJyv.dll.vir 
C:\WINDOWS\Web\def.htm
C:\WINDOWS\system32\GenChkSrv.dll
C:\Documents and Settings\All Users\Application Data\sxutkjct.dll
C:\WINDOWS\system32\tyhkjebk.exe


Please post the resulting log from OTMoveit and a new DSS log.


========================================================
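Added example (not code from this thread or from the HijackThis or DSS authors): a Python pass over the HijackThis section of the 2008-07-03 DSS log that applies four checks a helper applies by eye when choosing which lines to Fix Checked: an HKCU Internet Explorer start/search setting that is blank or about:blank, an autostart entry whose target is marked (file missing) or (no file), a Run entry that launches a DLL through regsvr32 /u, and an autostart target that the same log's "Files created" section shows was written within the last few days. The log lines are copied from the post above (a subset that keeps several legitimate entries to show they are not flagged); the seven-day window is an assumption of this example. On this input the four rules pick out exactly the eleven lines the helper lists in the reply above.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the HijackThis clone section of the 2008-07-03 DSS log above (subset).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CFC7AFC-4322-1AF7-8A7B-05184D8F07D4} - C:\WINDOWS\system32\GenChkSrv.dll
O2 - BHO: (no name) - {2FAB6BF8-71CD-49C2-57C1-094A5099C20C} - C:\WINDOWS\system32\winstr.dll (file missing)
O2 - BHO: (no name) - {39B52884-1242-4DBD-55DB-0AA95759BA9B} - C:\WINDOWS\system32\apimsg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [sxutkjct] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sxutkjct.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jhehwuqg] C:\WINDOWS\system32\tyhkjebk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O20 - Winlogon Notify: wintqv32 - C:\WINDOWS\system32\wintqv32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Lines copied from the "Files created between 2008-06-03 and 2008-07-03" section of the same log (subset).
DSS_CREATED = r"""
2008-07-03 17:49:54 98304 --a------ C:\WINDOWS\system32\GenChkSrv.dll
2008-07-03 17:49:54 98304 --a------ C:\Documents and Settings\All Users\Application Data\sxutkjct.dll
2008-07-03 17:49:52 81920 --a------ C:\WINDOWS\system32\tyhkjebk.exe
2008-07-02 21:17:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 19:12:43 691545 --a------ C:\WINDOWS\unins000.exe
"""

SCAN_TIME = datetime(2008, 7, 3, 22, 16, 23)   # the "Scan saved at" timestamp of that log

HJT_RE = re.compile(r'^(R\d|O\d+) - (.*)$')
DSS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +\d+ +\S+ +(.+)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]+?\.(?:dll|exe|ocx|sys)\b', re.IGNORECASE)
REGSVR_U_RE = re.compile(r'\bregsvr32(?:\.exe)?\s+/u\b', re.IGNORECASE)


def parse_created(dss_text):
    """Map lower-cased path -> creation time from a DSS 'Files created' section."""
    created = {}
    for line in dss_text.splitlines():
        m = DSS_RE.match(line.strip())
        if m:
            created[m.group(2).lower()] = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
    return created


def triage(hjt_text, created, scan_time, window=timedelta(days=7)):
    """Return [(hjt_line, [reasons])] for every line that trips at least one indicator."""
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        reasons = []
        if code in ('R0', 'R1'):
            # IE start/search setting blanked or pointed at about:blank: hijacker residue
            value = body.partition(' =')[2].strip()
            if value in ('', 'about:blank'):
                reasons.append('IE setting blanked')
        if '(file missing)' in body or '(no file)' in body:
            # registration survived a partial clean-up; Windows still tries to load it
            reasons.append('dangling autostart entry, target no longer on disk')
        if REGSVR_U_RE.search(body):
            # Vundo-style trick: the DLL's own DllUnregisterServer code runs at every logon
            reasons.append('Run entry executes regsvr32 /u on a DLL')
        pm = PATH_RE.search(body)
        if pm:
            when = created.get(pm.group(0).lower())
            if when is not None and scan_time - when <= window:
                reasons.append('target created %s, within %d days of the scan' % (when, window.days))
        if reasons:
            findings.append((line, reasons))
    return findings


def flagged_lines(hjt_text=HJT_LOG, dss_text=DSS_CREATED, scan_time=SCAN_TIME):
    return [line for line, _ in triage(hjt_text, parse_created(dss_text), scan_time)]


if __name__ == '__main__':
    for line, reasons in triage(HJT_LOG, parse_created(DSS_CREATED), SCAN_TIME):
        print(line)
        for reason in reasons:
            print('    ->', reason)
```

The creation-time correlation is the rule that catches GenChkSrv.dll, a BHO with no name that is otherwise indistinguishable in the log from Spybot's SDHelper.dll, and the three files it flags were written within two seconds of each other at 17:49 on 3 July, which is itself the footprint of one dropper. The rules work only on the text of the logs; on the live machine the same decisions would be backed by checking the publisher signature of each target, which a log cannot show.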

#7 matt12

  • Topic Starter

  • Members
  • 18 posts

Posted 04 July 2008 - 02:45 AM

Hi Sam,

Ran HijackThis but I could not find:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

There were only R1 - HKLM entries.

Below are the OTMoveIt and DSS logs.




C:\Documents and Settings\Owner\My Documents\My Skype Content\docs.zip moved successfully.
C:\Documents and Settings\Owner\My Documents\My Skype Content\spoof.exe moved successfully.
C:\WINDOWS\iexplorer.reg moved successfully.
C:\WINDOWS\system32\nnnmlJyv.dll.vir moved successfully.
C:\WINDOWS\Web\def.htm moved successfully.
File/Folder C:\WINDOWS\system32\GenChkSrv.dll not found.
C:\Documents and Settings\All Users\Application Data\sxutkjct.dll moved successfully.
C:\WINDOWS\system32\tyhkjebk.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07042008_193954




Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-04 19:41:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:10 p.m., on 4/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=032907 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154670691664
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7439 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 17:52:19 0 d-------- C:\Program Files\Trend Micro
2008-07-02 21:17:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-02 21:17:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 21:17:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 19:12:43 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 19:12:42 2539 --a------ C:\WINDOWS\unins000.dat
2008-06-29 16:13:27 0 d-------- C:\VundoFix Backups
2008-06-29 15:19:50 0 d-------- C:\Program Files\SpywareBlaster
2008-06-29 15:17:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-29 15:05:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 15:05:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 15:05:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 15:05:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 15:05:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 15:05:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 15:05:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 15:05:23 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 15:05:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 15:05:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 11:35:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 20:41:14 0 d-------- C:\Program Files\Exterminate It!


-- Find3M Report ---------------------------------------------------------------

2008-07-01 20:15:33 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-29 11:41:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-29 11:34:59 0 d-------- C:\Program Files\Common Files
2008-06-29 11:34:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 11:33:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-25 20:51:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-06-25 20:19:41 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-06-20 21:36:55 0 d-------- C:\Program Files\PacificPoker4
2008-06-15 11:33:37 0 d-------- C:\Program Files\QuickTime
2008-05-31 13:05:02 0 d-------- C:\Program Files\Lavasoft
2008-05-31 13:04:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 20:11:10 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 02:59 p.m.]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [04/03/2005 11:26 a.m.]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 11:33 a.m.]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 a.m.]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 a.m.]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 a.m.]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/05/2007 10:44 p.m.]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [06/06/2002 11:52 a.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [05/08/2004 12:00 a.m.]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 04:45 p.m.]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [29/06/2008 11:34:30 a.m.]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 04:08 p.m. 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-04 19:41:28 ------------


Cheers,

Matt

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 July 2008 - 09:23 AM

You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Your latest log is looking pretty good to me.
How are things on your end? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 matt12

matt12
  • Topic Starter

  • Members
  • 18 posts

Posted 04 July 2008 - 07:50 PM

Hi Sam,

I uninstalled all of the Java Runtime Environment entries apart from "J2SE Runtime Environment 5.0 update 10". When I tried to remove this it came up with "Internal Error 2318 C:\program files\java\jre 1.5.0_10\America\Curacao". I then clicked 'ok' and got a box saying "Fatal error during installation".

I have installed the new Java 6 update 6 though.

When I run Spybot S&D I am still getting a virtumonde entry. Here is the results log from Spybot S&D:



Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\mwc

Virtumonde: [SBI $0FB400C8] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\wkey

Virtumonde: [SBI $1F8EC695] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2004-04-27 unins000.exe (51.13.0.0)
2008-06-30 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2008-06-18 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-04 Includes\Dialer.sbi (*)
2008-06-24 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-17 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-25 Includes\Keyloggers.sbi (*)
2008-07-02 Includes\KeyloggersC.sbi (*)
2004-11-30 Includes\LSP.sbi (*)
2008-07-02 Includes\Malware.sbi (*)
2008-07-01 Includes\MalwareC.sbi (*)
2008-06-18 Includes\PUPS.sbi (*)
2008-07-01 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-11 Includes\Security.sbi (*)
2008-07-01 Includes\SecurityC.sbi (*)
2008-06-04 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-18 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-25 Includes\Trojans.sbi (*)
2008-07-01 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll




I have also run another Kaspersky scan. The log is shown below:



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 04, 2008 19:42:32
Records in database: 913699
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 44665
Threat name: 6
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 00:53:35


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080702212511\backup\DOCUME~1\Owner\LOCALS~1\Temp\win278.exe.bak Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_175513\WINDOWS\system32\wintqv32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\_OTMoveIt\MovedFiles\07032008_202849\Documents and Settings\All Users\Application Data\vaxypkvw\vqxehqla.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\dslsbwpe.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\vyjeluvi.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_203057\WINDOWS\system32\winmzj32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\_OTMoveIt\MovedFiles\07042008_193954\Documents and Settings\Owner\My Documents\My Skype Content\docs.zip Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\_OTMoveIt\MovedFiles\07042008_193954\Documents and Settings\Owner\My Documents\My Skype Content\spoof.exe Infected: Trojan-Dropper.Win32.ExeBundle.b 1
C:\_OTMoveIt\MovedFiles\07042008_193954\WINDOWS\iexplorer.reg Infected: Trojan.WinREG.StartPage 1
C:\_OTMoveIt\MovedFiles\07042008_193954\WINDOWS\system32\nnnmlJyv.dll.vir Infected: Trojan.Win32.Inject.dfx 1
C:\_OTMoveIt\MovedFiles\07042008_193954\WINDOWS\Web\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c 1

The selected area was scanned.


Can I delete the files located in "_OTMoveIt", or are they safe in this location? What about the "win278.exe.bak" located in "Deckard\System Scanner"?


Thanks,

Matt
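Matt's question about the _OTMoveIt and Deckard\System Scanner paths is the one a responder answers by reading where each detection sits. The following script is an added example, not code from this thread or from any of the tools used in it: it parses report lines in the layout Kaspersky Online Scanner 7 printed above and separates detections that lie under a removal tool's quarantine or backup folder (the OTMoveIt MovedFiles store, Deckard's backup folder and the VundoFix Backups folder, all taken from this thread's own logs) from detections at live paths. The sample report is constructed: its first three lines reuse paths from the report above, the fourth is an invented live path added to exercise the other branch.

```python
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "path threat count")

# One detection line as Kaspersky Online Scanner 7 prints it:
#   <path> Infected: <threat name> <count>
# Threat names contain no spaces, so the split after "Infected:" is unambiguous.
_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")

# Folders where the removal tools used in this thread park copies of what they
# moved or backed up. A detection under one of these is a dormant copy that
# nothing loads; a detection anywhere else is still in place on the system.
_QUARANTINE_PREFIXES = (
    "c:\\_otmoveit\\movedfiles\\",   # OTMoveIt "MovedFiles" store
    "c:\\vundofix backups\\",        # VundoFix backups
)
# Deckard's System Scanner keeps its backups under a timestamped run folder.
_DECKARD_BACKUP = re.compile(r"^c:\\deckard\\system scanner\\\d+\\backup\\")


def parse_report(text):
    """Return one Detection per 'Infected:' line; headers and footers are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def is_quarantined(path):
    """True when the path lies inside a removal tool's quarantine or backup folder."""
    p = path.lower()
    return p.startswith(_QUARANTINE_PREFIXES) or bool(_DECKARD_BACKUP.match(p))


def triage(text):
    """Split a report into quarantined and live detections, plus a per-threat tally."""
    found = parse_report(text)
    return {
        "quarantined": [d for d in found if is_quarantined(d.path)],
        "live": [d for d in found if not is_quarantined(d.path)],
        "by_threat": Counter(d.threat for d in found),
    }


# Constructed sample in the report's layout: the first three lines are paths from
# the report above, the fourth is an invented live path to show the other branch.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Deckard\System Scanner\20080702212511\backup\DOCUME~1\Owner\LOCALS~1\Temp\win278.exe.bak Infected: Trojan.Win32.Obfuscated.gx 1
C:\_OTMoveIt\MovedFiles\07032008_175513\WINDOWS\system32\wintqv32.dll Infected: Trojan.Win32.Obfuscated.dwj 1
C:\_OTMoveIt\MovedFiles\07042008_193954\WINDOWS\Web\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c 1
C:\WINDOWS\system32\constructed_live_sample.dll Infected: Trojan.Win32.Inject.dfx 1

The selected area was scanned.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['quarantined'])} quarantined, {len(result['live'])} live")
    for d in result["live"]:
        print("STILL ACTIVE:", d.path, d.threat)
    for threat, n in result["by_threat"].most_common():
        print(f"{n:3d}  {threat}")
```

Run against the real report, every line in it lands in the quarantined list, which is what Sam's reply says: the copies are inert where they are, and the tool's own CleanUp step removes them at the end. Any line that lands in the live list is the one that still needs acting on.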

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 July 2008 - 07:49 AM

Everything that Kaspersky found is quarantined. We'll run a process at the end to clean up and remove all of the quarantined files.

Copy this text below into OTMoveit just like you have before and click Moveit.


C:\program files\java\jre 1.5.0_10
HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\mwc
HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\wkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR



Reboot your computer.
Then run a new scan with Spybot and it should come up clean.

Let me know how it goes.


========================================================

#11 matt12

matt12
  • Topic Starter

  • Members
  • 18 posts

Posted 05 July 2008 - 06:35 PM

Hi Sam,

I ran OTMoveIt. Here is the log:


File/Folder C:\program files\java\jre 1.5.0_10 not found.
< HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\mwc >
Registry key HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\mwc\\ not found.
< HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\wkey >
Registry key HKEY_USERS\S-1-5-21-823518204-2111687655-854245398-1003\Software\wkey\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07062008_105941


I then ran Spybot S&D and it found nothing.

Things are looking much better at this end now, thanks!

Cheers,

Matt

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 July 2008 - 07:29 AM

Excellent! Let's clean things up and then I'll post some final recommendations for you.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

============



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
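The Internet Explorer "Custom Level" steps above change six per-zone settings that live as DWORD values under the current user's Internet Settings\Zones\3 key (zone 3 is the Internet zone). The script below is an added example, not from this thread or from any tool it mentions; it audits a set of zone readings against the recommendations in the post and reports each setting that is looser than recommended. The numeric value names (1001, 1004, 1201, 1800, 1804, 1607) and the action codes 0 = Enable, 1 = Prompt, 3 = Disable are assumed from Microsoft's documentation of the per-zone registry entries, not taken from the page; the two sample readings are constructed.

```python
import sys

# HKCU key holding the Internet zone (zone 3) settings. The numeric value names
# and the action codes below follow Microsoft's documentation of the per-zone
# registry entries; they are assumed here, not taken from the thread.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3          # action codes, least to most restrictive
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "not set"}

# value name -> (setting as labelled in the IE Custom Level dialog, recommended action)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(zone_values):
    """Return (name, setting, current, recommended) for each setting that is
    looser than recommended. A value that is absent inherits the zone template's
    default, which this script does not see, so it is reported as well. A value
    stricter than recommended (Disable where Prompt is asked) is not a finding."""
    findings = []
    for name, (setting, want) in RECOMMENDED.items():
        have = zone_values.get(name)
        if have is None or have < want:
            findings.append((name, setting, have, want))
    return findings


def format_findings(findings):
    """One human-readable line per finding."""
    return [
        f"{name} {setting}: {LABEL.get(have, have)} -> should be {LABEL[want]}"
        for name, setting, have, want in findings
    ]


def read_zone_values():
    """Read the six values from the live registry (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue                      # value absent: template default applies
            if kind == winreg.REG_DWORD:
                values[name] = data
    return values


# Constructed readings: one zone left permissive, one hardened as the post describes.
WEAK_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE,
             "1800": PROMPT, "1804": PROMPT, "1607": ENABLE}
HARDENED_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
                 "1800": PROMPT, "1804": PROMPT, "1607": PROMPT}

if __name__ == "__main__":
    values = read_zone_values() if sys.platform == "win32" else WEAK_ZONE
    problems = audit(values)
    print("\n".join(format_findings(problems)) or "Internet zone matches the recommended settings")
```

On a Windows machine the script reads the live values for the current user; elsewhere it runs against the constructed permissive sample so the output can be compared with the dialog steps. The audit only reads; changing the settings stays with the dialog steps in the post, so the values written are the ones the user has seen and confirmed.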


========================================================

#13 matt12

matt12
  • Topic Starter

  • Members
  • 18 posts

Posted 07 July 2008 - 03:46 AM

Thanks Sam. Hopefully I am all clean now. I will let you know if I have any further problems.

Thanks again,

Matt

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 July 2008 - 08:14 AM

Glad I could help you out! :thumbsup:


========================================================

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 July 2008 - 06:40 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



