
Background Changed: 'warning Spyware Detected On Computer Please Install Antivirus Or Spyware To Clean Computer' On Blue Screen


This topic is locked
3 replies to this topic

#1 Nathan Leonard


  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:50 PM

Posted 19 July 2008 - 12:55 PM

My sister brought me her computer to fix it for her, saying it was running really slow. When I first started the computer up and logged into Windows, I found a blue screen with a warning on it, "Warning Spyware Detected On Computer Please Install Antivirus Or Spyware To Clean Computer". I knew then that she had gotten some malware somewhere. I had to press ctrl-alt-delete and manually run the explorer bar, and then I got an error stating that Windows Explorer has encountered a problem and needs to close. I have been working around this and have searched the internet for ways to fix this malware problem. I have downloaded Malwarebytes' Anti-Malware and run it, removing over 270 Trojans, but to no avail: the blue screen with the warning is still there and you still have to run explorer.exe manually. Here are my Deckard's System Scanner logs.




Deckard's System Scanner v20071014.68
Run by Michele McClure on 2008-07-19 12:35:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2008-07-19 17:36:06 UTC - RP1529 - Deckard's System Scanner Restore Point
54: 2008-07-18 23:22:30 UTC - RP1528 - System Checkpoint
53: 2008-07-10 18:11:37 UTC - RP1527 - System Checkpoint
52: 2008-07-09 17:48:43 UTC - RP1526 - System Checkpoint
51: 2008-07-08 17:18:40 UTC - RP1525 - System Checkpoint


-- First Restore Point --
1: 2008-04-20 22:16:10 UTC - RP1475 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Michele McClure.exe) -------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-19 12:39:58
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
\\Lastxp\D\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearcher.info
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll
O2 - BHO: {3aea1246-1d0a-939b-f664-74f5fd094396} - {693490df-5f47-466f-b939-a0d16421aea3} - C:\WINDOWS\system32\qquqnbxd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B75E6A6E-1364-4FD3-A07E-2A08A30C748E} - C:\WINDOWS\system32\ljJdCsss.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E00CEB14-BF84-4A4B-8279-3EBE29D4D47C} - C:\WINDOWS\system32\qoMdDsTJ.dll (file missing)
O2 - BHO: (no name) - {EE44E910-ECE6-4D7F-8422-6A0DC3905D61} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lphcrsbj0eg5r] C:\WINDOWS\system32\lphcrsbj0eg5r.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [AXPDefender] C:\Program Files\AXPDefender\AXPDefender.exe
O4 - HKLM\..\Run: [BM377b248f] Rundll32.exe "C:\WINDOWS\system32\njuqpxbc.dll",s
O4 - HKLM\..\Run: [Live.com] C:\DOCUME~1\Shawn_2\LOCALS~1\Temp\kmq2.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjdw.exe] C:\WINDOWS\system32\kdjdw.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] svhest.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MicrosoftUpdate] svhest.exe (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jmwnw64m.exe
O4 - Global Startup: .protected
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm088YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?0167c103443a47cd8f2d428379b16a31
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?0167c103443a47cd8f2d428379b16a31
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Shawn\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 () - http://69.65.108.158/Java/cfs40320.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b...heckControl.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - AppInit_DLLs: qquqnbxd.dll
O20 - Winlogon Notify: byXOebXQ - C:\WINDOWS\system32\byXOebXQ.dll (file missing)
O20 - Winlogon Notify: ljJdCsss - C:\WINDOWS\system32\ljJdCsss.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Visual IP InSight Client (TDS) (InverseLaunchIPI_TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 13212 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 ScFBPNT2 (CanoScan FBP2 Port Driver) - c:\windows\system32\drivers\scfbpnt2.sys

S1 ksecddd - c:\windows\system32\drivers\ksecddd.sys (file missing)
S3 sysrest.sys - c:\windows\system32\sysrest.sys
S3 TnIDriver - c:\docume~1\shawn\locals~1\temp\tni1e1.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 InverseLaunchIPI_TDS (Visual IP InSight Client (TDS)) - c:\program files\visual ip insight\tds\launchipi.exe <Not Verified; Visual Networks; Visual IP InSight>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-19 11:46:00 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-18 18:00:00 408 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-07-09 17:07:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-22 03:00:00 488 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job


-- Files created between 2008-06-19 and 2008-07-19 -----------------------------

2008-07-18 18:19:52 81920 -----n--- C:\WINDOWS\system32\fwbwbqiy.dll
2008-07-18 18:16:55 102912 --a------ C:\WINDOWS\system32\xmtrba.dll
2008-07-18 18:16:52 102912 --a------ C:\WINDOWS\system32\dwmscoqc.dll
2008-07-18 18:14:32 93696 --a------ C:\WINDOWS\system32\njuqpxbc.dll
2008-07-18 17:29:01 0 d-------- C:\Documents and Settings\Michele McClure\Application Data\Malwarebytes
2008-07-18 17:25:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 17:25:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 08:50:33 108032 --a------ C:\WINDOWS\system32\nfsnlwrf.dll
2008-06-26 08:50:02 95744 --a------ C:\WINDOWS\system32\vsgwvmjn.dll
2008-06-26 08:49:54 0 d-------- C:\Documents and Settings\Kyla\Application Data\AXPFixer
2008-06-26 08:49:42 0 d-------- C:\Documents and Settings\Kyla\Application Data\AXPDefender
2008-06-24 07:57:05 33792 -----n--- C:\WINDOWS\system32\ljJdCsss.dll
2008-06-24 07:56:35 136704 --a------ C:\WINDOWS\system32\qquqnbxd.dll
2008-06-24 07:45:46 127488 --a------ C:\WINDOWS\system32\dehcqvxd.dll
2008-06-19 05:45:54 134656 --a------ C:\WINDOWS\system32\xeukgtdu.dll
2008-06-19 05:45:06 129536 --a------ C:\WINDOWS\system32\xettggvu.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-18 19:11:56 62464 -----n--- C:\WINDOWS\system32\kdjdw.exe
2008-07-18 19:11:55 13312 -----n--- C:\WINDOWS\system32\rtmipr.dll
2008-07-18 17:28:15 0 d-------- C:\Program Files\Application
2008-07-14 06:54:11 0 d-------- C:\Program Files\FBrowsingAdvisor
2008-07-09 09:49:14 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-06-26 08:50:00 15328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-19 06:23:46 0 d-------- C:\Program Files\LimeWire
2008-06-17 07:16:49 0 d-------- C:\Program Files\AXPFixer
2008-06-17 07:14:59 131584 --a------ C:\WINDOWS\system32\jvhapktp.dll
2008-06-17 07:10:42 131584 --a------ C:\WINDOWS\system32\jqakvvws.dll
2008-06-15 12:00:54 0 d-------- C:\Documents and Settings\Michele McClure\Application Data\AXPDefender
2008-06-15 12:00:43 0 d-------- C:\Program Files\AXPDefender
2008-06-15 11:54:18 128512 --a------ C:\WINDOWS\system32\ufmbhnjh.dll
2008-06-14 10:50:04 14336 --a------ C:\ux21ky.exe
2008-06-14 10:45:45 130560 --a------ C:\WINDOWS\system32\tgdvtgia.dll
2008-06-14 10:42:28 23040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-06-14 10:41:43 133632 --a------ C:\WINDOWS\system32\bmdpbyoc.dll
2008-06-12 21:11:53 135168 --a------ C:\WINDOWS\system32\crivpibj.dll
2008-06-12 21:10:41 125952 --a------ C:\WINDOWS\system32\gjkbuvdh.dll
2008-06-12 08:27:04 135168 --a------ C:\WINDOWS\system32\veldwbcu.dll
2008-06-12 08:26:33 125952 --a------ C:\WINDOWS\system32\ghlsfjfx.dll
2008-06-09 11:55:03 92160 --a------ C:\WINDOWS\system32\lphcrsbj0eg5r.exe
2008-06-09 09:28:18 111616 --a------ C:\WINDOWS\system32\inxkeulv.dll
2008-06-09 09:26:02 108544 --a------ C:\WINDOWS\system32\wrdgeroo.dll
2008-06-09 09:24:28 108544 --a------ C:\WINDOWS\system32\jeqeqark.dll
2008-06-07 11:25:40 111616 --a------ C:\WINDOWS\system32\xxsydnbs.dll
2008-06-07 11:21:23 101376 --a------ C:\WINDOWS\system32\xotqaibr.dll
2008-06-06 08:12:36 105472 --a------ C:\WINDOWS\system32\mjigthgx.dll
2008-06-05 18:28:24 0 d-------- C:\Documents and Settings\Michele McClure\Application Data\AVGTOOLBAR
2008-06-05 17:47:00 106496 --a------ C:\WINDOWS\system32\juwrrvgn.dll
2008-06-05 17:41:59 102400 --a------ C:\WINDOWS\system32\cbgijogj.dll
2008-06-05 17:13:25 0 d-------- C:\Program Files\Windows Live
2008-06-02 19:27:47 103424 --a------ C:\WINDOWS\system32\etoqecah.dll
2008-06-01 22:06:08 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-06-01 21:47:45 104448 --a------ C:\WINDOWS\system32\rhmohdhv.dll
2008-06-01 19:36:26 108544 --a------ C:\WINDOWS\system32\letbdape.dll
2008-06-01 19:28:01 104448 --a------ C:\WINDOWS\system32\kmswvkty.dll
2008-06-01 19:01:24 108544 --a------ C:\WINDOWS\system32\wpcgsybj.dll
2008-06-01 19:00:55 104448 --a------ C:\WINDOWS\system32\bjlsodok.dll
2008-06-01 18:55:32 413 --a------ C:\995.bat
2008-06-01 15:34:16 0 d-------- C:\Program Files\ZoneAlarmSB
2008-06-01 13:28:47 413 --a------ C:\664.bat
2008-06-01 13:27:48 111831 --a------ C:\smss.exe
2008-06-01 13:27:20 70656 --a------ C:\msconfig.exe
2008-06-01 09:01:03 0 d-------- C:\Program Files\FBrowserAdvisor
2008-06-01 09:00:15 0 d-------- C:\Program Files\SurfingSoftware
2008-06-01 09:00:02 0 d-------- C:\Program Files\PlayMP3z
2008-05-31 22:01:17 108544 --a------ C:\WINDOWS\system32\yqvmgxlw.dll
2008-05-31 21:44:31 104448 --a------ C:\WINDOWS\system32\xkmmbsck.dll
2008-05-29 17:56:08 111616 --a------ C:\WINDOWS\system32\wvsyqhfa.dll
2008-05-29 17:44:08 106496 --a------ C:\WINDOWS\system32\xkfmsjeg.dll
2008-05-28 17:47:01 112640 --a------ C:\WINDOWS\system32\uoxhwgcb.dll
2008-05-28 17:41:39 109568 --a------ C:\WINDOWS\system32\qgfymghm.dll
2008-05-28 16:33:20 754802 --ahs---- C:\WINDOWS\system32\JTsDdMoq.ini2
2008-05-28 16:18:54 109568 --a------ C:\WINDOWS\system32\oefsgxxj.dll
2008-05-28 08:22:23 104448 --a------ C:\WINDOWS\system32\bjgrbmql.dll


-- Registry Dump ---------------------------------------------------------------



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com

19 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-19 12:40:53 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2400+
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 607.48 MiB / 359.52 MiB
Pagefile Memory (total/avail): 672.47 MiB / 516.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.86 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.23 GiB total, 5.66 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340015A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.23 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.473.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\Ape\\Local Settings\\Temp\\.tt6.tmp"="C:\\Documents and Settings\\Ape\\Local Settings\\Temp\\.tt6.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

Michele McClure (admin)
Kyla
Ape (admin)
Shawn_2 (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type196 / Error
Event Submitted/Written: 07/19/2008 11:30:57 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type194 / Error
Event Submitted/Written: 07/19/2008 11:30:49 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type193 / Error
Event Submitted/Written: 07/19/2008 11:28:15 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type184 / Error
Event Submitted/Written: 07/18/2008 07:28:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type183 / Error
Event Submitted/Written: 07/18/2008 07:28:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type48 / Error
Event Submitted/Written: 07/19/2008 00:35:47 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} did not register with DCOM within the required timeout.

Event Record #/Type47 / Error
Event Submitted/Written: 07/19/2008 11:46:00 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type46 / Error
Event Submitted/Written: 07/19/2008 11:43:01 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} did not register with DCOM within the required timeout.

Event Record #/Type31 / Error
Event Submitted/Written: 07/19/2008 11:28:53 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type30 / Error
Event Submitted/Written: 07/19/2008 11:28:51 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-07-19 12:40:53 ------------



#2 PropagandaPanda



  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:50 PM

Posted 19 July 2008 - 02:31 PM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

#3 Nathan Leonard

  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:50 PM

Posted 19 July 2008 - 03:00 PM

Hello Panda, thank you for replying to my post. I have actually just got off the phone with my sister and was coming here to post that I no longer need any help. Due to other problems that she has with this computer, I am doing a full wipe and re-install, mostly because some Windows files are missing and some other files are corrupted to the point that I cannot even keep explorer running long enough to do anything at all with the computer. I also found out that she had disabled the firewall and anti-virus on the computer, so I believe that a wipe and re-install would be faster and easier.

Again thank you for being willing to help. I will certainly come back with the next problem that I have that I cannot solve on my own.

Nathan

#4 PropagandaPanda



  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:50 PM

Posted 19 July 2008 - 03:09 PM

Hello.

That is a good decision. Thanks for letting us know.

I will ask for this topic to be closed.

With Regards,
The Panda



