Tech Support Forum
Thread status: Not open for further replies.

Post #1 · Discussion Starter (Registered, 1 post)
My daughter's laptop is now controlled by a program that has set the wallpaper to a flashing warning sign and put a red icon button in the bottom right tray that has a constant text bubble indicating "Warning! Security report...your computer is infected...". Occasionally a website will attempt to boot up directing me to buy spyware, and an error occasionally appears that references an error with "nttdll64.exe".

I can't access task manager or change the wallpaper. I've followed all your instructions to gather the system data and am going to attach. Please help!



DDS (Ver_09-03-16.01) - NTFSx86
Run by dad at 2:37:43.44 on Fri 05/08/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://antivirus-xppro-2009.com/?code=0000657
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: : {5d19e761-eb0a-4011-9328-a11143e15ccd} - c:\windows\system32\pekfpxy.dll
BHO: c:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\jkshfuiehi.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\dad\reader_s.exe
uRun: [SYS32DLL] SYS32DLL
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,[email protected]
mRun: [LSA Shellu] c:\documents and settings\heather\lsass.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: crypt - crypts.dll
Notify: igfxcui - igfxsrvc.dll
Notify: otwhwsul - pekfpxy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\jkshfuiehi.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-08 02:04 1,400 a------- c:\windows\system32\ahtn.htm
2009-05-08 01:32 104,960 a------- c:\windows\system32\ntdll64.exe
2009-05-08 01:14 <DIR> --d----- c:\docume~1\dad\applic~1\jkectgbc
2009-05-07 23:53 <DIR> --d----- c:\docume~1\dad\applic~1\DellFaxCtr
2009-05-07 23:47 <DIR> --d----- c:\docume~1\dad\applic~1\Intuit
2009-05-07 23:47 <DIR> --d----- c:\docume~1\dad\applic~1\AOL
2009-05-07 23:47 <DIR> --d----- c:\documents and settings\dad\WINDOWS
2009-05-07 23:47 <DIR> --d----- c:\docume~1\dad\applic~1\You've Got Pictures Screensaver
2009-05-07 23:47 <DIR> --d----- c:\docume~1\dad\applic~1\Symantec
2009-05-07 23:47 <DIR> --d----- c:\documents and settings\dad
2009-05-07 23:23 90,748 a------- c:\windows\system32\drivers\e94b5686.sys
2009-05-07 23:23 205,312 a------- C:\vfmf.exe
2009-05-07 23:22 578,560 a------- c:\windows\system32\oycaliw
2009-05-07 23:22 578,560 a------- c:\windows\system32\oiurjezn
2009-05-07 23:05 81,920 a------- C:\adspl.exe
2009-05-07 23:05 578,560 a------- c:\windows\system32\duksbv
2009-05-07 23:05 113,664 a------- C:\prylxoqb.exe
2009-05-07 22:55 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-07 22:54 443 a------- c:\windows\system32\MRT.INI
2009-05-07 22:46 17,408 a------- c:\windows\system32\SYS32DLL.exe
2009-05-07 22:46 <DIR> --d----- c:\windows\system32\796525
2009-05-07 22:46 0 a------- c:\windows\mqcd.dbt
2009-05-07 22:45 15,872 ----h--- c:\windows\ld08.exe
2009-05-07 22:45 39,425 a------- c:\windows\system32\reader_s.exe
2009-05-07 22:45 28,672 a------- c:\windows\system32\inqby.sr
2009-05-07 22:45 32,768 a------- c:\windows\system32\ferryl.cbv
2009-05-07 22:45 32,768 a------- c:\windows\system32\fairy.an
2009-05-07 22:45 28,672 a------- c:\windows\system32\dolman.zt
2009-05-07 22:45 79,360 a------- c:\windows\system32\ashl.nq
2009-05-07 22:45 2 a------- C:\-1262639300
2009-05-07 22:44 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-05-07 22:44 33,280 a------- c:\windows\system32\crypts.dll
2009-05-07 22:44 262,144 a------- c:\windows\system32\nvrsk.dll
2009-05-07 22:44 81,920 a------- C:\jlopfmwe.exe
2009-05-07 22:44 113,664 a------- c:\windows\system32\azton.mt
2009-05-07 22:44 113,664 a------- C:\opsnkt.exe
2009-05-07 22:44 15,000 a------- c:\windows\system32\jkshfuiehi.dll
2009-05-07 20:51 <DIR> --d----- c:\program files\Chec
2009-05-07 20:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-07 20:24 4,785 a------- c:\windows\system32\warning.gif
2009-05-07 20:23 1 a------- c:\windows\system32\uniq.tll
2009-05-07 20:23 22,528 a------- c:\windows\system32\frmwrk32.exe
2009-05-07 20:20 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-07 20:20 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-05-07 20:20 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-07 20:20 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-07 20:20 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-07 20:20 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-07 20:20 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-07 20:19 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-07 20:19 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-07 20:19 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-07 20:18 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-07 20:18 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-07 20:18 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-05 22:26 5,632 a------- c:\windows\system32\ptpusb.dll
2009-05-05 22:26 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-05-08 00:22 118,784 a------- c:\windows\web\wallpaper\living beaches wallpaper #3 dir\uninstall.exe
2009-05-07 22:55 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-05-07 22:44 578,560 a------- c:\windows\system32\user32.DLL
2009-05-07 11:55 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2008-09-20 02:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 2:40:48.68 ===============
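The log above is a DDS "Pseudo HJT Report" plus a "Created Last 30" file list, and a helper reads it by looking for a handful of patterns: a proxy on localhost (the rogue program interposing itself on browsing), a ShellNext or start page pointing at the vendor site of the rogue, policies that disable Task Manager, Run entries that are bare names or live in a user profile, a system process name such as lsass.exe outside the system directories, BHOs with no display name, and autostart entries that reference files created in the last few days. The script below is an added example, not part of this post or of DDS; it encodes those checks and runs them over a constructed sample of lines copied from the log above. It assumes C: is the system drive and accepts DDS's "hxxp" defanging as well as plain "http". The rule names are mine, and the correlation with the "Created Last 30" list is by file name only, since Notify entries give bare DLL names.

```python
"""Triage pass over the 'Pseudo HJT Report' and 'Created Last 30' sections of a DDS log.

Added example for this thread, not DDS code. Assumes C: is the system drive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in this thread, not a full log.
SAMPLE_LOG = r"""
uInternet Connection Wizard,ShellNext = hxxp://antivirus-xppro-2009.com/?code=0000657
uInternet Settings,ProxyServer = http=localhost:7171
BHO: : {5d19e761-eb0a-4011-9328-a11143e15ccd} - c:\windows\system32\pekfpxy.dll
BHO: c:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\jkshfuiehi.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\dad\reader_s.exe
uRun: [SYS32DLL] SYS32DLL
mRun: [LSA Shellu] c:\documents and settings\heather\lsass.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
uPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: crypt - crypts.dll
Notify: igfxcui - igfxsrvc.dll
2009-05-08 01:32 104,960 a------- c:\windows\system32\ntdll64.exe
2009-05-07 22:45 39,425 a------- c:\windows\system32\reader_s.exe
2009-05-07 22:44 33,280 a------- c:\windows\system32\crypts.dll
2009-05-07 20:31 73,728 a------- c:\windows\system32\javacpl.cpl
"""

SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
                        "services.exe", "smss.exe", "explorer.exe", "userinit.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}          # assumption: C: is %SystemDrive%
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}

CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>.+)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
SETTING_RE = re.compile(r"^[um](?P<key>[^=]+?)\s*=\s*(?P<val>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def _exe_from_cmd(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, else the first token with an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split()[0] if cmd.split() else "")


def triage(log_text: str) -> list[Finding]:
    """Apply the helper's eyeball checks to DDS log lines and return every hit in log order."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: file names from the 'Created Last 30' section (by base name, so bare DLL names match).
    recent = {m.group("path").lower().rsplit("\\", 1)[-1]
              for ln in lines if (m := CREATED_RE.match(ln))}
    findings: list[Finding] = []

    def hit(rule: str, line: str) -> None:
        findings.append(Finding(rule, line))

    def recent_ref(path: str, line: str, what: str) -> None:
        if path.lower().rsplit("\\", 1)[-1] in recent:
            hit(f"{what} references a file created in the last 30 days", line)

    # Pass 2: autostart, policy and browser-setting lines.
    for ln in lines:
        if m := RUN_RE.match(ln):
            cmd = m.group("cmd")
            if "\\" not in cmd:
                hit("Run: bare name, located through the PATH search order", ln)
            exe = _exe_from_cmd(cmd).lower()
            directory, _, base = exe.rpartition("\\")
            if "\\documents and settings\\" in exe:
                hit("Run: executable stored in a user profile", ln)
            if base in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS:
                hit("Run: system process name outside the system directories", ln)
            recent_ref(exe, ln, "Run entry")
        elif m := BHO_RE.match(ln):
            name, path = m.group("name").strip(), m.group("path").strip()
            if not name or name.lower() == path.lower():
                hit("BHO: no display name (registered by CLSID and path only)", ln)
            recent_ref(path, ln, "BHO")
        elif m := NOTIFY_RE.match(ln):
            recent_ref(m.group("dll"), ln, "Winlogon Notify package")
        elif m := POLICY_RE.match(ln):
            if m.group("name").lower() in LOCKOUT_POLICIES and m.group("val") == "1":
                hit("Policy: user lockout (a tool the user would reach for is disabled)", ln)
        elif m := SETTING_RE.match(ln):
            key, val = m.group("key").strip().lower(), m.group("val").strip()
            if key.endswith("proxyserver") and re.search(r"localhost|127\.0\.0\.1", val):
                hit("Proxy: browser traffic routed through a local proxy", ln)
            host = re.search(r"h(?:xx|tt)ps?://([^/\s?]+)", val)
            if key.endswith("shellnext") and host and not host.group(1).endswith("microsoft.com"):
                hit("ShellNext: points to a non-Microsoft host", ln)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:70} | {f.line}")
```

Run against the sample it flags the localhost proxy, the ShellNext host, DisableTaskMgr, the two bare-name Run entries, the lsass.exe copy in a user profile, the unnamed BHO, and the crypts.dll Notify package that the created-files list shows was dropped the evening before; ctfmon.exe, jusched.exe and igfxsrvc.dll pass untouched. It is a reading aid for the log, not a cleaner: every hit still has to be confirmed on the machine.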

Post #2 · Premium Member (29,790 posts)
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed. Let me know your intentions for an antivirus program.

------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\explorer.exe

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following file:

    c:\windows\system32\userinit.exe
------------------------------------------------------
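The helper asks for explorer.exe and userinit.exe to be scanned because the log carries the marks of a file infector rather than a plain dropper: Run entries for frmwrk32.exe and reader_s.exe, and system32\user32.DLL and drivers\ndis.sys rewritten on 2009-05-07 at the same minute as their copies in system32\dllcache, so the dllcache copies cannot serve as a clean reference. The script below is an added example, not something the helper or the forum supplied, for a local look at those two files before uploading: an infector that patches an existing executable has to get its own code run, and the cheapest way is to move AddressOfEntryPoint out of the original code section, typically into an appended or enlarged last section that is also writable. The code parses the PE section table and reports those signals. The two header blobs are constructed for the demo, not bytes of any real file, and the rules are heuristics: packed legitimate binaries trip the same checks, so a hit is a reason to upload the file, and a clean result proves nothing.

```python
"""Local pre-check of AddressOfEntryPoint for the files the helper wants scanned.

Added example for this thread. The sample headers are synthetic; only the PE
field layout is real.
"""
from __future__ import annotations

import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]


def _u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]


def parse_pe(data: bytes):
    """Return (entry_rva, sections); sections are (name, va, virtual_size, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = _u32(data, 0x3C)                          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = _u16(data, pe + 6)                     # COFF NumberOfSections
    opt_size = _u16(data, pe + 20)                 # COFF SizeOfOptionalHeader
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    if _u16(data, opt) not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry = _u32(data, opt + 16)                   # AddressOfEntryPoint, same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = _u32(data, off + 8), _u32(data, off + 12), _u32(data, off + 16)
        chars = _u32(data, off + 36)
        sections.append((name, va, vsize, rawsize, chars))
    return entry, sections


def entry_point_findings(data: bytes) -> list[str]:
    """Signals that the entry point is not where a linker would normally have left it."""
    entry, sections = parse_pe(data)
    holder = next((i for i, (_, va, vs, rs, _) in enumerate(sections)
                   if va <= entry < va + max(vs, rs)), None)
    if holder is None:
        return ["entry point lies outside every section"]
    name, _, _, _, chars = sections[holder]
    first_code = next((i for i, s in enumerate(sections) if s[4] & IMAGE_SCN_CNT_CODE), None)
    out: list[str] = []
    if len(sections) > 1 and holder == len(sections) - 1:
        out.append(f"entry point in the last section ({name!r})")
    if not chars & IMAGE_SCN_CNT_CODE:
        out.append(f"entry section {name!r} is not flagged as code")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        out.append(f"entry section {name!r} is writable and executable")
    if first_code is not None and holder != first_code:
        out.append(f"entry point not in the first code section ({sections[first_code][0]!r})")
    return out


def check_file(path: str) -> list[str]:
    with open(path, "rb") as fh:
        return entry_point_findings(fh.read())


def build_pe(entry_rva: int, sections) -> bytes:
    """Constructed PE32 header plus section table, no code bytes; used only for the demo."""
    opt_size = 96                                                   # PE32 optional header, no data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
LAYOUT = [(".text", 0x1000, 0x4000, CODE), (".data", 0x5000, 0x1000, DATA), (".rsrc", 0x6000, 0x2000, RSRC)]
CLEAN_SAMPLE = build_pe(0x1234, LAYOUT)                             # entry inside .text
# Same layout with an appended RWX section and the entry point moved into it.
TAMPERED_SAMPLE = build_pe(0x8100, LAYOUT + [(".extra", 0x8000, 0x1000, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    if sys.argv[1:]:                                                # e.g. c:\windows\explorer.exe c:\windows\system32\userinit.exe
        for p in sys.argv[1:]:
            print(p, "->", check_file(p) or ["no entry-point anomalies"])
    else:
        print("clean sample   ->", entry_point_findings(CLEAN_SAMPLE))
        print("tampered sample->", entry_point_findings(TAMPERED_SAMPLE))
```

Run it from a clean machine against the two files copied off the infected one (or over the network, never from the infected desktop, where a patched explorer.exe is already running). Three hits on the tampered sample, none on the clean one; either way the VirusTotal upload the helper asks for remains the actual check, since this only reads the headers and never inspects the code the entry point lands in.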
Post #3 · Premium Member (29,790 posts)
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------