Tech Support Forum banner
Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
2 Posts
Discussion Starter · #1 ·
24 hours ago I was deleting realllly old links out of my favorites and clicked on one that brought up a black command prompt screen that just flashed in the top left.

I am running Windows XP Home Version

Immediately after closing the window the malware was installed on my computer, the background of my desktop turned red with a biohazard symbol in the middle that has a message under it saying "YOUR PRIVACY IS IN DANGER!" and under that it says "Download Privacy Protection Now"

The address for this message is file:///C/:/WINDOWS/privacy_danger/Index.htm

Three new icons have also appeared with the properties address of : http:/viruswebproduct.com/shandler.php

There is a continuous popup message that says Download AdwareRemover2007 for free.....
the address for this is: http:/scanner .adwareremover2007.com/2/?advid=1216- Windows Internet Explorer

when it first happened i tried to open any program on my comp it would say:
control.exe
application not found

but it has since gotten worse...now i cannot see any of my programs in my start menu....everything in start menu is GONE...file search, control panel, run...all i can see is my printers and fax and turn off computer. the only icons i can see are in my taskbar and when i click on them it says again: application not found. before it got this bad i even tried to install AVG to see if that would help...but when it was done installing and i click on it...it said: which program would you like to use to open this program." and that was after i did setup and installed it on my comp. :(

lastly if i try to go to task mangager it says: this action has been disabled "by the administrator"...it starting to say that for everything now.

System Restore would not let me go back to another checkpoint nor could I create a new checkpoint date.

This is what I have done to try to repair but to no avail:

I deleted the file for the desktop background and manually deleted it but it comes back everytime the computor is restarted.

and here i sit begging for someone to help me. The only this it will allow me to do now is get on the internet and even thats hard 'cause all links are gone, homepage etc....and if i click on a new link to go somewhere else within a site...it bring up a new webpage (overiddiing the page i'm on) with extreamely Explicitly junk.

I'm aplogize if it seems like i'm ranting i'm just so upset that this has happened and just want to cry. Thank you for taking the time to read my lengthy problem.

lost & confused/Vickie
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
Hello digitaltidbits, and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

If you still require assistance for this issue, and since it has been a few days since you first posted, please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Thank you.
 

·
Registered
Joined
·
2 Posts
Discussion Starter · #3 ·
sorry i took so long i've been out of town. Thanks for your help
vickie



Deckard's System Scanner v20071014.68
Run by FCCI FRONT DESK on 2008-06-21 11:33:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-21 15:33:28 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-21 11:37:00
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\FCCI FRONT DESK\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell/en/side.html?hl=en&client=dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {039FAD84-9627-466B-9BFA-FC6938EF89EE} - (no file)
O2 - BHO: (no name) - {056C6BC0-1F01-44F6-99F9-81C026445303} - (no file)
O2 - BHO: (no name) - {26661DF8-FF92-476A-A0DE-D9CCEE95DE1B} - C:\WINDOWS\system32\urqqnnLC.dll
O2 - BHO: (no name) - {26ca51e4-2551-469a-8c5f-c15e9c18083a} - (no file)
O2 - BHO: (no name) - {3BE3EDC3-5EAD-4C58-95C1-42D1AF89D87F} - C:\WINDOWS\system32\fccdefgH.dll (file missing)
O2 - BHO: (no name) - {451cbc11-b4e9-48ac-9b23-9e9f133e3194} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {598b1d77-8e5a-4a81-9095-567f9a88c0e9} - (no file)
O2 - BHO: {bfa81c87-7cd1-ee7b-b7d4-c8a9d519e767} - {767e915d-9a8c-4d7b-b7ee-1dc778c18afb} - C:\WINDOWS\system32\kfqkqfyg.dll
O2 - BHO: (no name) - {a23c560b-04bd-4b5b-a8e8-8169abf1a3fb} - C:\WINDOWS\system32\iifdEVnN.dll (file missing)
O2 - BHO: (no name) - {b7ebcb46-12e0-4e72-af79-a9afdd71b9b8} - (no file)
O2 - BHO: (no name) - {c355fe9b-dda9-43f3-9439-26896c50b8f6} - C:\WINDOWS\system32\ssqQigHB.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O2 - BHO: (no name) - {C716EB38-7079-44CA-BD70-117FFB92D7F5} - C:\WINDOWS\system32\opnLeFWP.dll (file missing)
O2 - BHO: (no name) - {EA692A3C-129D-4541-AA2D-3191CD7A6026} - C:\WINDOWS\system32\cbXPjkJd.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: nmwegbsf - {8255476E-97F9-470F-9190-031DD1941B74} - C:\WINDOWS\nmwegbsf.dll (file missing)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\FCCIFR~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\FCCI FRONT DESK\cftmon.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\FCCIFR~1\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [10290858] rundll32.exe "C:\WINDOWS\system32\aceqddku.dll",b
O4 - HKLM\..\Run: [BM131a3bc4] Rundll32.exe "C:\WINDOWS\system32\jhjpmabv.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Jtyynty] "C:\Documents and Settings\FCCI FRONT DESK\Application Data\?asks\??oolsv.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://www.deviantart.com (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213458586078
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: urqqnnlc - C:\WINDOWS\system32\urqqnnLC.dll
O21 - SSODL: adgpfoxs - {1CF271B2-C7ED-48BF-A723-1128CAD1EC3E} - C:\WINDOWS\adgpfoxs.dll (file missing)
O21 - SSODL: erpobmsw - {561F9034-3A2F-4617-89F7-2C929407E37F} - C:\WINDOWS\erpobmsw.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Trend Micro Central Control Component (sfctlcom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (tmbmserver) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (tmpfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: - file:///C:/Documents%20and%20Settings/FCCI%20FRONT%20DESK/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp

--
End of file - 11754 bytes

-- HijackThis Fixed Entries (C:\Program Files\Hijack This\backups\) ------------

backup-20060803-174717-172 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
backup-20060803-174717-183 O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
backup-20060803-174717-266 O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
backup-20060803-174717-358 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
backup-20060803-174717-963 O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
backup-20060803-174718-147 O17 - HKLM\System\CCS\Services\Tcpip\..\{DCDD99E9-A29F-49B4-825D-98F12ECC559A}: NameServer = 138.210.81.3,205.160.188.2
backup-20060803-174718-288 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
backup-20060803-174718-885 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S1 bzsqlpa - c:\windows\system32\bzsqlpa.sys
S3 ADM8511 (Belkin USB Ethernet Adapter) - c:\windows\system32\drivers\net8511.sys <Not Verified; ADMtek; ADM8511 USB 10/100 Fast Ethernet Adapter>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-20 20:39:01 92416 --a------ C:\WINDOWS\system32\aceqddku.dll
2008-06-19 19:34:26 242937 --ahs---- C:\WINDOWS\system32\dJkjPXbc.ini2
2008-06-19 19:34:24 322432 --a------ C:\WINDOWS\system32\cbXPjkJd.dll
2008-06-17 23:46:29 6690 --a------ C:\WINDOWS\system32\llcwrnog.dll
2008-06-17 23:43:29 110336 --a------ C:\WINDOWS\system32\kfqkqfyg.dll
2008-06-17 23:40:29 95360 --a------ C:\WINDOWS\system32\jhjpmabv.dll
2008-06-17 20:48:01 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\MySpace
2008-06-17 20:47:51 0 d-------- C:\Program Files\MySpace
2008-06-16 23:38:20 6690 --a------ C:\WINDOWS\system32\dkmdblmb.dll
2008-06-15 23:37:44 6690 --a------ C:\WINDOWS\system32\ejafdmvs.dll
2008-06-14 23:37:13 92544 --a------ C:\WINDOWS\system32\acuogrxw.dll
2008-06-14 20:53:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-14 13:00:15 0 d-------- C:\WINDOWS\system32\scripting
2008-06-14 13:00:14 0 d-------- C:\WINDOWS\l2schemas
2008-06-14 13:00:13 0 d-------- C:\WINDOWS\system32\en
2008-06-14 13:00:11 0 d-------- C:\WINDOWS\system32\bits
2008-06-14 12:54:09 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-14 12:50:43 0 d-------- C:\WINDOWS\network diagnostic
2008-06-13 23:35:49 688263 --ahs---- C:\WINDOWS\system32\PWFeLnpo.ini2
2008-06-13 23:35:39 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-13 21:28:28 92544 --a------ C:\WINDOWS\system32\danrmhjg.dll
2008-06-13 21:27:47 237806 --ahs---- C:\WINDOWS\system32\Hgfedccf.ini2
2008-06-12 19:59:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 19:30:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 23:55:37 6687 --a------ C:\WINDOWS\system32\pheunekx.dll
2008-06-10 23:15:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-10 23:15:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-10 20:40:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-10 20:40:15 0 d-------- C:\Program Files\Trend Micro
2008-06-09 23:03:46 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-09 22:49:17 372313 --ahs---- C:\WINDOWS\system32\NnVEdfii.ini2
2008-06-07 21:53:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\ICAClient
2008-06-07 13:21:08 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\AVGTOOLBAR
2008-06-07 13:19:57 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\?asks
2008-06-07 13:19:37 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\?ystem
2008-06-07 12:28:00 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\TmpRecentIcons
2008-06-07 11:03:26 383196 --ahs---- C:\WINDOWS\system32\BHgiQqss.ini2
2008-06-07 10:53:18 30336 --a------ C:\WINDOWS\system32\urqqnnLC.dll
2008-06-07 10:52:46 1 --a------ C:\d1.exe
2008-06-07 10:52:44 1 --a------ C:\d.exe
2008-06-07 10:52:43 2 --a------ C:\271124727
2008-06-07 10:52:37 0 --a------ C:\WINDOWS\system32\bzsqlpa.sys
2008-06-05 20:01:10 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-05 19:48:00 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-06-04 16:52:32 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet


-- Find3M Report ---------------------------------------------------------------

2008-06-15 18:29:49 0 d-------- C:\Program Files\Winamp
2008-06-14 16:21:27 0 d-------- C:\Program Files\Web Publish
2008-06-14 16:21:24 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\Identities
2008-06-14 13:01:13 0 d-------- C:\Program Files\Messenger
2008-06-14 13:00:11 0 d-------- C:\Program Files\Movie Maker
2008-06-14 12:53:43 0 d-------- C:\Program Files\Windows NT
2008-06-09 21:52:46 0 d-------- C:\Program Files\LimeWire
2008-06-09 21:44:22 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\?ystem
2008-06-08 12:03:04 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\?asks
2008-06-07 13:15:40 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\Lavasoft
2008-06-06 23:14:53 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\LimeWire
2008-06-05 20:01:10 0 d-------- C:\Program Files\Common Files
2008-06-05 19:58:02 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-04 16:52:36 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\Adobe
2008-06-04 16:45:56 0 d-------- C:\Program Files\AIM6
2008-05-15 23:14:54 0 d-------- C:\Program Files\Paint Shop Pro 6
2008-05-15 22:46:42 0 d-------- C:\Program Files\SmartDraw 2008
2008-05-15 21:38:57 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\SmartDraw
2008-05-15 19:34:35 0 d-------- C:\Documents and Settings\FCCI FRONT DESK\Application Data\AdobeUM
2008-05-03 20:47:50 0 d-------- C:\Program Files\AvantDVDPlayer
2008-05-03 20:44:25 1488242 --a------ C:\avantdvdplayer.exe <Not Verified; Excellent Technology Exchange; >
2008-05-03 20:36:19 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-05-03 20:36:18 0 d-------- C:\Program Files\AVSMedia
2008-05-03 20:28:33 0 --a------ C:\Documents and Settings\FCCI FRONT DESK\Application Data\AVSDVDPlayer.m3u


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{039FAD84-9627-466B-9BFA-FC6938EF89EE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{056C6BC0-1F01-44F6-99F9-81C026445303}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26661DF8-FF92-476A-A0DE-D9CCEE95DE1B}]
06/07/2008 10:53: VIRUS ALERT! 30336 --a------ C:\WINDOWS\system32\urqqnnLC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26ca51e4-2551-469a-8c5f-c15e9c18083a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE3EDC3-5EAD-4C58-95C1-42D1AF89D87F}]
C:\WINDOWS\system32\fccdefgH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{451cbc11-b4e9-48ac-9b23-9e9f133e3194}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{598b1d77-8e5a-4a81-9095-567f9a88c0e9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{767e915d-9a8c-4d7b-b7ee-1dc778c18afb}]
06/17/2008 23:43: VIRUS ALERT! 110336 --a------ C:\WINDOWS\system32\kfqkqfyg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a23c560b-04bd-4b5b-a8e8-8169abf1a3fb}]
C:\WINDOWS\system32\iifdEVnN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b7ebcb46-12e0-4e72-af79-a9afdd71b9b8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c355fe9b-dda9-43f3-9439-26896c50b8f6}]
C:\WINDOWS\system32\ssqQigHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C716EB38-7079-44CA-BD70-117FFB92D7F5}]
C:\WINDOWS\system32\opnLeFWP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA692A3C-129D-4541-AA2D-3191CD7A6026}]
06/19/2008 19:34: VIRUS ALERT! 322432 --a------ C:\WINDOWS\system32\cbXPjkJd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jdgf894jrghoiiskd"="C:\DOCUME~1\FCCIFR~1\LOCALS~1\Temp\winlogan.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"autoload"="C:\Documents and Settings\FCCI FRONT DESK\cftmon.exe" []
"advap32"="C:\DOCUME~1\FCCIFR~1\LOCALS~1\Temp\rbnpsrv.exe/r" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 00:56: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/19/2006 12:20: VIRUS ALERT!]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"10290858"="C:\WINDOWS\system32\aceqddku.dll" [06/20/2008 20:39: VIRUS ALERT!]
"BM131a3bc4"="C:\WINDOWS\system32\jhjpmabv.dll" [06/17/2008 23:40: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/14/2008 05:42: VIRUS ALERT!]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"Jtyynty"="C:\Documents and Settings\FCCI FRONT DESK\Application Data\?asks\??oolsv.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43: VIRUS ALERT!]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [6/5/2008 8:00:50 PM]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [10/23/2006 12:01:50 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [5/5/2006 9:55:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26661DF8-FF92-476A-A0DE-D9CCEE95DE1B}"= C:\WINDOWS\system32\urqqnnLC.dll [06/07/2008 10:53: VIRUS ALERT! 30336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"adgpfoxs"= {1CF271B2-C7ED-48BF-A723-1128CAD1EC3E} - C:\WINDOWS\adgpfoxs.dll [ ]
"erpobmsw"= {561F9034-3A2F-4617-89F7-2C929407E37F} - C:\WINDOWS\erpobmsw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnnlc]
urqqnnLC.dll 06/07/2008 10:53: VIRUS ALERT! 30336 C:\WINDOWS\system32\urqqnnLC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbXPjkJd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533c5b84-ec70-11d2-9505-00c04f79deaf}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-06-21 11:42:23 ------------
 

Attachments

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
Let's see about cleaning this machine.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


For Windows XP Professional Service Pack 3, you may use the Recovery Console package for Windows XP Professional Service Pack 2.


As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

If you have any questions along the way, STOP and ask them before proceeding.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

It does not appear as though DSS was allowed to download and install HijackThis. To produce a HijackThis log for your next reply, please do this:

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

---------------------------------------------------------------------------------------------
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top