
[Resolved] help help help help help


  • This topic is locked
23 replies to this topic

#16 Bri
Authentic Member, 48 posts

Posted 28 April 2008 - 11:13 PM

Are you sure (Y/N)?processed file: C:\271.bat
@Echo off
:A
Del C:\services.exe
If Exist C:\services.exe Goto A
:B
Del C:\csrss.exe
If Exist C:\csrss.exe Goto B
:C
Del C:\smss.exe
If Exist C:\smss.exe Goto C
:D
Del C:\svchost.exe
If Exist C:\svchost.exe Goto D
:E
Del C:\ctfmon.exe
If Exist C:\ctfmon.exe Goto E
Del C:\271.bat

!update.exe;C:\Deckard\System Scanner\20080423021328\backup\DOCUME~1\Bri\LOCALS~1\Temp;Trojan.DownLoader.45540;;
NDR7.tmp;C:\Deckard\System Scanner\20080423021328\backup\DOCUME~1\Bri\LOCALS~1\Temp;Trojan.DownLoader.45540;;
3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;;
QUAR1.94814;C:\Documents and Settings\Bri\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine;Adware.ClickSpring;;
Setup.exe\data001;C:\Documents and Settings\Bri\Desktop\Setup.exe;Adware.Zango;;
Setup.exe;C:\Documents and Settings\Bri\Desktop;Archive contains infected objects;Moved.;
hctp[1];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD;Trojan.Virtumod.346;;
kriv[2];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD;Trojan.Virtumod.based;;
idkfa[1];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\OFYSWIPU;Trojan.Virtumod.372;;
kriv[1];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q;Trojan.Virtumod.370;;
glas[2];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL;Trojan.Virtumod.based;;
ptch[2];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL;Trojan.Virtumod.based;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;;
A0058271.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP599;Adware.ClickSpring;;
A0058287.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP600;Trojan.Virtumod.287;;
A0058308.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP600;Trojan.DownLoader.45546;;
A0058323.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP602;Trojan.DownLoader.45546;;
A0058450.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP602;Trojan.DownLoader.45546;;
A0058474.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP602;Trojan.Virtumod.based;;
A0059520.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Trojan.DownLoader.45546;;
A0059523.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Adware.ClickSpring.origin;;
A0059528.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Adware.ClickSpring;;
A0059536.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Trojan.Qoologic.29;;
A0059539.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Trojan.MulDrop.14649;;
A0059540.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP606;Trojan.MulDrop.9222;;
A0059585.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP607;Adware.ClickSpring.origin;;
A0059590.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP607;Adware.ClickSpring;;
A0059773.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP608;Trojan.Virtumod.based;;
A0059774.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP608;Trojan.Virtumod.346;;
A0059775.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP608;Trojan.Virtumod.346;;
A0059799.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP609;Adware.ClickSpring.origin;;
A0059804.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP609;Adware.ClickSpring;;
A0059820.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP610;Adware.ClickSpring;;
A0059987.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Adware.ClickSpring;;
A0060096.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Virtumod.346;;
A0060097.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Adware.ClickSpring.origin;;
A0060099.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Virtumod.346;;
A0060100.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Virtumod.based;;
A0060101.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Virtumod.based;;
A0060102.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Virtumod.based;;
A0060103.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Virtumod.based;;
A0060104.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Adware.ClickSpring.origin;;
A0064251.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Insider;;
A0064253.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Stars.187;;
A0064254.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Adware.ClickSpring;;
A0064256.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Rond;;
A0064257.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.MulDrop.9222;;
A0064258.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.MulDrop.14649;;
A0064259.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Qoologic.29;;
A0064261.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.DownLoader.45546;;
A0064262.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.Edmod;;
A0064263.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.DownLoader.39189;;
A0064264.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622;Trojan.DownLoader.39189;;
A0064282.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Rond;;
A0064283.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.MulDrop.9222;;
A0064284.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.MulDrop.14649;;
A0064285.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Qoologic.29;;
A0064288.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Insider;;
A0064289.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Edmod;;
A0064290.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.DownLoader.45546;;
A0064291.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Stars.187;;
A0064293.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.DownLoader.39189;;
A0064294.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.DownLoader.39189;;
A0064297.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Adware.ClickSpring;;
A0064417.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Virtumod.274;;
A0064418.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP623;Trojan.Virtumod.287;;
A0066537.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP624;Adware.ClickSpring.origin;;
A0066541.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP624;Trojan.Virtumod.based;;
A0066542.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP624;Trojan.Virtumod.372;;
A0066556.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP624;Trojan.DownLoader.39189;;
A0067554.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP625;Adware.Hotbar;;
A0067556.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP625;Adware.Hotbar;;
A0067773.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP627;Adware.ClickSpring;;
A0067774.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP627;Trojan.PurityAd.origin;;
A0067776.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP627;Adware.ClickSpring;;
A0067891.exe\data001;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP628\A0067891.exe;Adware.Zango;;
A0067891.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP628;Archive contains infected objects;Moved.;
altjeghh.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
aonmwbea.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
bkhpqllb.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.AVKill.408;;
clwpntfl.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.AVKill.408;;
ddcDSMeF.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.287;;
dmydolpt.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
dsnvmtoc.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
edqfguof.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.AVKill.408;;
ejlshssv.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
fccayARH.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
fndirirp.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.AVKill.408;;
hyawrsuh.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.331;;
kccbcxjm.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
kqospofl.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
nayxfqwr.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
pgmpnuvp.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
qjejsfxd.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.318;;
rskxoyto.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.AVKill.408;;
urqRJBTJ.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.287;;
ydyrakor.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.370;;



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:35 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\system32\dllhost.exe
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\utilman.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....amp;appindex=ds
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bri\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200370412712
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9143 bytes



#17 silver
Malware Expert Emeritus, 2,994 posts

Posted 29 April 2008 - 02:07 AM

Hi Bri,

Clean with OTMoveIt again:
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\271.bat
    C:\Documents and Settings\Bri\DoctorWeb
    C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD\hctp[1]
    C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD\kriv[2]
    C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\OFYSWIPU\idkfa[1]
    C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q\kriv[1]
    C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL\glas[2]
    C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL\ptch[2]
    EmptyTemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2

Once complete, please post the new OTMoveIt report and let me know how your computer is running now.
ASAP & UNITE Member

#18 Bri
Authentic Member, 48 posts

Posted 29 April 2008 - 11:05 PM

My computer seems to be running a lot better. I am able to use the internet now and it's not moving as slow.

File/Folder C:\271.bat not found.
File/Folder C:\Documents and Settings\Bri\DoctorWeb not found.
< C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD\hctp[1] >
File/Folder C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD\hctp[1] not found.
< C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD\kriv[2] >
File/Folder C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD\kriv[2] not found.
< C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\OFYSWIPU\idkfa[1] >
File/Folder C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\OFYSWIPU\idkfa[1] not found.
< C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q\kriv[1] >
File/Folder C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q\kriv[1] not found.
< C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL\glas[2] >
File/Folder C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL\glas[2] not found.
< C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL\ptch[2] >
File/Folder C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\T1NEVXOL\ptch[2] not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Bri\LOCALS~1\Temp\WERaa96.dir00\appcompat.txt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Bri\LOCALS~1\Temp\WERad2e.dir00\appcompat.txt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Bri\LOCALS~1\Temp\WERb573.dir00\appcompat.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04292008_225022

Files moved on Reboot...
File C:\DOCUME~1\Bri\LOCALS~1\Temp\WERaa96.dir00\appcompat.txt not found!
File C:\DOCUME~1\Bri\LOCALS~1\Temp\WERad2e.dir00\appcompat.txt not found!
File C:\DOCUME~1\Bri\LOCALS~1\Temp\WERb573.dir00\appcompat.txt not found!

#19 silver
Malware Expert Emeritus, 2,994 posts

Posted 29 April 2008 - 11:25 PM

Hi Bri,

That looks OK and I'm glad to hear things are running better. Here are some important final steps:

Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt2 as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Re-hide hidden/system files and folders:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Do not show hidden files and folders
CHECK the Hide extensions for known file types option
CHECK the Hide protected operating system files (recommended) option
Press OK

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

------------------------------------------------------------------------

If all the above went well, I think your machine is now clean of malware :)

There was one problem that occurred during cleaning, which is that MalwareBytes Antimalware appears to have removed a legitimate file associated with your Panda Internet Security program. I don't know the function of the file in question, but I strongly recommend you reinstall this package to ensure it is working correctly.

Here are some tips to help you keep your computer clean:

You have a good antivirus program installed, however I recommend you install antispyware software with real-time capabilities - this means it protects you from system changes and spyware while you are working, not just removing malware after it has been installed. There are a range of paid-for and free packages available, a free one I can recommend is Windows Defender, available here:
http://www.microsoft...re/default.mspx

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
ASAP & UNITE Member
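The scan report Bri pasted in post #16 uses a name;directory;detection;action; layout (Dr.Web naming, judging by the DoctorWeb folder in the move list), and the final steps above follow from where each detection sits: objects inside old System Restore points are cleared by the cleanmgr step, objects already in a quarantine or backup folder need no further action, and anything still in a live location goes on the OTMoveIt list. As an added example that is not part of the thread or of any tool named in it, this Python script parses a few constructed lines copied from that report and sorts them into those buckets; the bucket names and the path tests for the Deckard and _OTMoveIt folders are my assumptions drawn from the paths in the post.

```python
import re
from collections import Counter

# Constructed sample in the layout of the report pasted in post #16:
# object name;directory;detection;action;  (one object per line).
# Paths and detection names are copied from the thread's own report.
SAMPLE_REPORT = r"""
!update.exe;C:\Deckard\System Scanner\20080423021328\backup\DOCUME~1\Bri\LOCALS~1\Temp;Trojan.DownLoader.45540;;
hctp[1];C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\K84PO5UD;Trojan.Virtumod.346;;
Setup.exe\data001;C:\Documents and Settings\Bri\Desktop\Setup.exe;Adware.Zango;;
Setup.exe;C:\Documents and Settings\Bri\Desktop;Archive contains infected objects;Moved.;
A0058271.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP599;Adware.ClickSpring;;
A0059774.dll;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP608;Trojan.Virtumod.346;;
altjeghh.dll;C:\_OTMoveIt\MovedFiles\04282008_000438\WINDOWS\system32;Trojan.Virtumod.based;;
"""

# Matches the System Restore layout seen in the report and captures the RP number.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)", re.IGNORECASE)


def classify(directory):
    """Bucket a report directory by what it means for the cleanup plan.
    The quarantine/backup folder tests are assumptions based on the paths in the thread."""
    d = directory.lower()
    if RESTORE_POINT_RE.search(directory):
        return "restore point"        # cleared by the cleanmgr System Restore step
    if "\\_otmoveit\\movedfiles\\" in d:
        return "OTMoveIt quarantine"  # already moved out of the way
    if "\\malwarebytes" in d and "\\quarantine" in d:
        return "MBAM quarantine"
    if "\\deckard\\system scanner\\" in d and "\\backup\\" in d:
        return "DSS backup"           # copies kept by Deckard's System Scanner
    return "needs cleanup"            # still in a live location


def parse_report(text):
    """Parse 'name;dir;detection;action;' lines into dicts; skip anything else."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")      # Windows paths cannot contain ';'
        if len(fields) < 3:
            continue                  # not a detection line
        name, directory, detection = fields[0], fields[1], fields[2]
        action = fields[3] if len(fields) > 3 else ""
        m = RESTORE_POINT_RE.search(directory)
        records.append({
            "name": name, "dir": directory, "detection": detection,
            "action": action, "where": classify(directory),
            "restore_point": m.group(1) if m else None,
        })
    return records


def family(detection):
    """'Trojan.Virtumod.346' -> 'Trojan.Virtumod'; container verdicts -> None."""
    if "." not in detection:
        return None
    return ".".join(detection.split(".")[:2])


def summarize(records):
    """Counts per location bucket and per malware family, plus infected RP numbers."""
    return {
        "by_location": Counter(r["where"] for r in records),
        "by_family": Counter(f for f in (family(r["detection"]) for r in records) if f),
        "infected_restore_points": sorted({r["restore_point"] for r in records
                                           if r["restore_point"]}),
    }


def needs_cleanup(records):
    """(directory, name) pairs still in live locations: candidates for the OTMoveIt list."""
    return [(r["dir"], r["name"]) for r in records if r["where"] == "needs cleanup"]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    s = summarize(recs)
    for bucket, n in s["by_location"].most_common():
        print(f"{n:3d}  {bucket}")
    print("infected restore points:", ", ".join(s["infected_restore_points"]))
    print("still needs cleanup:")
    for directory, name in needs_cleanup(recs):
        print("  " + directory + "\\" + name)
```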

#20 Bri
Authentic Member, 48 posts

Posted 30 April 2008 - 12:52 AM

I have finished all the steps and read everything but there is a window that keeps popping up that says "WebProxy.exe Unable to Locate component. This application has failed to start because PavMiCli.dll was not found. Re-installing the application may fix this problem."

#21 silver
Malware Expert Emeritus, 2,994 posts

Posted 30 April 2008 - 01:05 AM

As I mentioned in my post, that file appears to be a legitimate file associated with Panda Internet Security, but it was removed by MalwareBytes Antimalware. I have reported the false positive to the developer of the program, but unfortunately it looks like it's gone from your computer so reinstallation or a repair installation of that program will be necessary. Do you have the installation program or CD for Panda Internet Security?
ASAP & UNITE Member

#22 Bri
Authentic Member, 48 posts

Posted 30 April 2008 - 01:45 AM

Yeah, I kinda figured out that's what you were talking about after I posted that. I reinstalled it and it seems to be working fine. Thanks for all your help!

#23 silver
Malware Expert Emeritus, 2,994 posts

Posted 30 April 2008 - 01:46 AM

Great :) You're most welcome and best of luck!
ASAP & UNITE Member

#24 silver
Malware Expert Emeritus, 2,994 posts

Posted 30 April 2008 - 01:47 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
ASAP & UNITE Member
