There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
access audio avg avg 8 bios blue screen boot browser bsod computer crash css dell desktop driver drivers dvd email error excel explorer firefox firefox 3 freeze gimp graphics hard drive hardware help please hijackthis hjt hjt log install internet internet explorer itunes javascript keyboard laptop log malware monitor network networking openoffice outlook outlook 2003 outlook express password popups problem router seo slow sound sp3 spyware startup trojan usb video virtumonde virus vista vundo windows windows xp winxp wireless youtube
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Wallpaper changed to YOUR PRIVACY IS IN DANGER and other issues


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

 
Thread Tools
brainwave89's Avatar
Computer Specs
Senior Member with 137 posts.
  
Join Date: Aug 2007
Experience: Intermediate
14-May-2008, 10:12 PM #1
Wallpaper changed to YOUR PRIVACY IS IN DANGER and other issues
Thank you for looking and offering any suggestions to cleanse my system.
This is my symptoms:
Sometimes is not possible for me to shut down the computer.

My wallpaper on my XP Home Edition w/SP2 has changed to a reddish background with three reddish wishbone imags. It also says YOUR PRIVACY IS IN DANGER! DOWNLOAD PRIVACY PROTECTION SOFTWARE NOW!

I also receive a Spyware Alert pop-up box
Security Warning!
Worm.Win32.NetBooster detected on your machine. This virus is distributed via the Internet through e-mail and Active-X objects.......
Click Yes to remove it from your PC immediately.


On startup I receive a dialog box stating the following:
Windows Security Alert
Windows has detected an Internet attack attempt....
Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts, and spyware! Click here to download spyware removal for total protection.

When I am not connected to the Internet a box appears asking me if I want to work offline or try again. Eventually IE 7 opens up to safenavweb.com.

This the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:34 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\America Online 9.0d\waol.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\America Online 9.0d\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mediapipe.tv/join/reinsta...HFAAFWNVBMS7ER
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.406.0\HostIE.dll
O3 - Toolbar: mkrndofl - {6E8E8B03-9F95-4E6D-9EE0-AF2305509D7B} - C:\WINDOWS\mkrndofl.dll
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O21 - SSODL: Microsoft DirectXb - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Ecjfcehc.dll (file missing)
O21 - SSODL: fairydom - - (no file)
O21 - SSODL: tdomgafw - {9A687AAC-F227-4138-A626-FE5EFD603479} - C:\WINDOWS\tdomgafw.dll
O21 - SSODL: wetkadmr - {E87A380D-C707-4DAE-B847-2D9FAE3CC752} - C:\WINDOWS\wetkadmr.dll
O22 - SharedTaskScheduler: - fairydom - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6710 bytes
Last edited by brainwave89 : 14-May-2008 10:56 PM.
OldTimer's Avatar
Senior Member with 180 posts.
  
Join Date: Mar 2008
Experience: Einstein
15-May-2008, 12:26 AM #2
Hello brainwave89 and welcome to TSG. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Desktop Components
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.

Cheers.

OT
brainwave89's Avatar
Computer Specs
Senior Member with 137 posts.
  
Join Date: Aug 2007
Experience: Intermediate
15-May-2008, 01:21 AM #3
Thanks OldTimer. Here you go.
Cheers!
Attached Files
File Type: txt OTScanIt.Txt (173.3 KB, 189 views)
OldTimer's Avatar
Senior Member with 180 posts.
  
Join Date: Mar 2008
Experience: Einstein
15-May-2008, 09:50 AM #4
Hi brainwave89. Now let's see what we can do. Folow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Drivers to delete:
FOPN
FWSvc
musbehco
Files to delete:
%programfiles%\centerlock\centerlock.dll 
%programfiles%\shoppingreport\bin\2.0.26\shoppingreport.dll 
%systemdrive%\docume~1\chris\locals~1\temp\musbehco.sys
%systemroot%\knxsrgte.exe
%systemroot%\mkrndofl.dll
%systemroot%\mkrndofl.dll 
%systemroot%\qvlbodmnfxv.dll
%systemroot%\qvlbodmnfxv.dll 
%systemroot%\svorbmke.exe
%systemroot%\system32\apbrrewv.ini
%systemroot%\system32\bjgprqqx.ini
%systemroot%\system32\blackster.scr
%systemroot%\system32\bwqqiwqv.dll
%systemroot%\system32\cfbnpjvr.dll
%systemroot%\system32\ctfmona.exe
%systemroot%\system32\ctfmonb.bmp
%systemroot%\system32\ddccskdv.dll
%systemroot%\system32\ddccskdv.dll 
%systemroot%\system32\drivers\fopn.sys
%systemroot%\system32\ebwxbvdo.ini
%systemroot%\system32\edxugyeo.dll
%systemroot%\system32\hayrrcvq.ini
%systemroot%\system32\hpvhorho.dll
%systemroot%\system32\kr_done1de
%systemroot%\system32\odvbxwbe.dll
%systemroot%\system32\oeyguxde.ini
%systemroot%\system32\ohrohvph.ini
%systemroot%\system32\qdsba.dll
%systemroot%\system32\qjtxueow.dll
%systemroot%\system32\qvcrryah.dll
%systemroot%\system32\rvjpnbfc.ini
%systemroot%\system32\vdksccdd.ini
%systemroot%\system32\vdksccdd.ini2
%systemroot%\system32\vqwiqqwb.ini
%systemroot%\system32\vwerrbpa.dll
%systemroot%\system32\woeuxtjq.ini
%systemroot%\system32\xqqrpgjb.dll
%systemroot%\system32\yayayrkk.dll
%systemroot%\system32\yayayrkk.dll 
%systemroot%\tdomgafw.dll
%systemroot%\tdomgafw.dll 
%systemroot%\wetkadmr.dll
%systemroot%\wetkadmr.dll 
%userprofile%\desktop\antispywaremaster.lnk
%userprofile%\desktop\error cleaner.url
%userprofile%\desktop\privacy protector.url
%userprofile%\desktop\spyware&malware protection.url
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
c:\documents and settings\joe cauceglia.joe\local settings\temp\zan4.exe
Folders to delete:
%appdata%\tmprecenticons
%programfiles%\antispywaremaster
%programfiles%\antispywareshield
%programfiles%\centerlock
%programfiles%\virusheat 4.4
%systemroot%\privacy_danger
%systemroot%\system32\527631
c:\documents and settings\joe cauceglia.joe\local settings\temp\nsw7.tmp\
c:\documents and settings\joe cauceglia.joe\local settings\temp\nsz3.tmp\
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YY -> (FWSvc) Firewall service [Win32_Own | On_Demand | Stopped] -> 
[Driver Services - Non-Microsoft Only]
YY -> (FOPN) FOPN [File_System | Boot | Stopped] -> %SystemRoot%\System32\Drivers\FOPN.sys
YY -> (musbehco) musbehco [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Chris\LOCALS~1\Temp\musbehco.sys
[Registry - Non-Microsoft Only]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN ->   [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [fairydom]
YN -> {79FEACFF-FFCE-815E-A900-316290B5B738} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\Ecjfcehc.dll [Microsoft DirectXb]
NY -> {9A687AAC-F227-4138-A626-FE5EFD603479} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\tdomgafw.dll [tdomgafw]
YY -> {E87A380D-C707-4DAE-B847-2D9FAE3CC752} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wetkadmr.dll [wetkadmr]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {CE86878F-D099-4FFC-A4DC-E51D192063B1} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\yayaYRkK.dll []
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> fairydom [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [ ]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> yayaYRkK -> %SystemRoot%\system32\yayaYRkK.dll
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://internetsearchservice.com
YN -> HKEY_LOCAL_MACHINE\: Main\\Search Bar -> http://internetsearchservice.com/ie6.html
YN -> HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://internetsearchservice.com
YN -> HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://internetsearchservice.com
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://internetsearchservice.com
YN -> HKEY_CURRENT_USER\: Main\\Search Bar -> http://internetsearchservice.com/ie6.html
YN -> HKEY_CURRENT_USER\: Main\\Search Page -> http://internetsearchservice.com
YN -> HKEY_CURRENT_USER\: Main\\Start Page -> http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
YN -> HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://internetsearchservice.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {100EB1FD-D03E-47FD-81F3-EE91287F9465} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\ShoppingReport\Bin\2.0.26\ShoppingReport.dll [ShoppingReport]
YY -> {18CB1A7B-94CD-4582-8022-ADA16851E44B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\CenterLock\CenterLock.dll [CenterLock Class]
YN -> {36ADA89D-2440-4DC4-820A-3A05E8630935} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\VIDEO ACTIVEX ACCESS\IESPLG.DLL [Reg Error: Value  does not exist or could not be read.]
YN -> {54160F28-994B-48DD-8D83-1B2F6B9EB054} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [527631 Class]
YY -> {559A0463-48BF-433C-AC59-289E222FB77A} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\qvlbodmnfxv.dll [DVA First]
YN -> {7C109800-A5D5-438F-9640-18D17E168B88} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\NetProject\sbmdl.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {CE86878F-D099-4FFC-A4DC-E51D192063B1} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\yayaYRkK.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {D9B86731-513C-4C08-82ED-CD0C263AD93F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ddcCSKDv.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\ShoppingReport\Bin\2.0.26\ShoppingReport.dll [ShopperReports]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\VIDEO ACTIVEX ACCESS\IESBPL.DLL [Protection Bar]
YY -> {6E8E8B03-9F95-4E6D-9EE0-AF2305509D7B} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\mkrndofl.dll [mkrndofl]
YN -> {BA52B914-B692-46c4-B683-905236F6F655} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{07AA283A-43D7-4CBE-A064-32A21112D94D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\VIDEO ACTIVEX ACCESS\IESBPL.DLL [Protection Bar]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{C5428486-50A0-4a02-9D20-520B59A9F9B2} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{C5428486-50A0-4a02-9D20-520B59A9F9B3} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\ddcCSKDv -> %SystemRoot%\system32\ddcCSKDv.dll
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\WinAntiVirus Pro 2006\Updater.exe -> C:\Program Files\WinAntiVirus Pro 2006\Updater.exe [C:\Program Files\WinAntiVirus Pro 2006\Updater.exe:*:Enabled:updater.exe]
[Files/Folders - Created Within 30 days]
NY -> 527631 -> %SystemRoot%\System32\527631
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> apbrrewv.ini -> %SystemRoot%\System32\apbrrewv.ini
NY -> bjgprqqx.ini -> %SystemRoot%\System32\bjgprqqx.ini
NY -> bwqqiwqv.dll -> %SystemRoot%\System32\bwqqiwqv.dll
NY -> cfbnpjvr.dll -> %SystemRoot%\System32\cfbnpjvr.dll
NY -> ctfmona.exe -> %SystemRoot%\System32\ctfmona.exe
NY -> ctfmonb.bmp -> %SystemRoot%\System32\ctfmonb.bmp
NY -> ddcCSKDv.dll -> %SystemRoot%\System32\ddcCSKDv.dll
NY -> ebwxbvdo.ini -> %SystemRoot%\System32\ebwxbvdo.ini
NY -> edxugyeo.dll -> %SystemRoot%\System32\edxugyeo.dll
NY -> hayrrcvq.ini -> %SystemRoot%\System32\hayrrcvq.ini
NY -> hpvhorho.dll -> %SystemRoot%\System32\hpvhorho.dll
NY -> kr_done1de -> %SystemRoot%\System32\kr_done1de
NY -> odvbxwbe.dll -> %SystemRoot%\System32\odvbxwbe.dll
NY -> oeyguxde.ini -> %SystemRoot%\System32\oeyguxde.ini
NY -> ohrohvph.ini -> %SystemRoot%\System32\ohrohvph.ini
NY -> qjtxueow.dll -> %SystemRoot%\System32\qjtxueow.dll
NY -> qvcrryah.dll -> %SystemRoot%\System32\qvcrryah.dll
NY -> rvjpnbfc.ini -> %SystemRoot%\System32\rvjpnbfc.ini
NY -> vDKSCcdd.ini -> %SystemRoot%\System32\vDKSCcdd.ini
NY -> vDKSCcdd.ini2 -> %SystemRoot%\System32\vDKSCcdd.ini2
NY -> vqwiqqwb.ini -> %SystemRoot%\System32\vqwiqqwb.ini
NY -> vwerrbpa.dll -> %SystemRoot%\System32\vwerrbpa.dll
NY -> woeuxtjq.ini -> %SystemRoot%\System32\woeuxtjq.ini
NY -> xqqrpgjb.dll -> %SystemRoot%\System32\xqqrpgjb.dll
NY -> yayaYRkK.dll -> %SystemRoot%\System32\yayaYRkK.dll
NY -> knxsrgte.exe -> %SystemRoot%\knxsrgte.exe
NY -> mkrndofl.dll -> %SystemRoot%\mkrndofl.dll
NY -> privacy_danger -> %SystemRoot%\privacy_danger
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qvlbodmnfxv.dll -> %SystemRoot%\qvlbodmnfxv.dll
NY -> svorbmke.exe -> %SystemRoot%\svorbmke.exe
NY -> tdomgafw.dll -> %SystemRoot%\tdomgafw.dll
NY -> wetkadmr.dll -> %SystemRoot%\wetkadmr.dll
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> 1 C:\Documents and Settings\Joe Cauceglia.JOE\My Documents\*.tmp files -> C:\Documents and Settings\Joe Cauceglia.JOE\My Documents\*.tmp
NY -> Error Cleaner.url -> %UserProfile%\Desktop\Error Cleaner.url
NY -> Privacy Protector.url -> %UserProfile%\Desktop\Privacy Protector.url
NY -> Spyware&Malware Protection.url -> %UserProfile%\Desktop\Spyware&Malware Protection.url
NY -> AntiSpywareMaster -> %ProgramFiles%\AntiSpywareMaster
NY -> AntiSpywareShield -> %ProgramFiles%\AntiSpywareShield
NY -> CenterLock -> %ProgramFiles%\CenterLock
NY -> VirusHeat 4.4 -> %ProgramFiles%\VirusHeat 4.4
[Files/Folders - Modified Within 30 days]
NY -> 527631 -> %SystemRoot%\System32\527631
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> apbrrewv.ini -> %SystemRoot%\System32\apbrrewv.ini
NY -> bjgprqqx.ini -> %SystemRoot%\System32\bjgprqqx.ini
NY -> blackster.scr -> %SystemRoot%\System32\blackster.scr
NY -> bwqqiwqv.dll -> %SystemRoot%\System32\bwqqiwqv.dll
NY -> cfbnpjvr.dll -> %SystemRoot%\System32\cfbnpjvr.dll
NY -> ctfmona.exe -> %SystemRoot%\System32\ctfmona.exe
NY -> ctfmonb.bmp -> %SystemRoot%\System32\ctfmonb.bmp
NY -> ddcCSKDv.dll -> %SystemRoot%\System32\ddcCSKDv.dll
NY -> ebwxbvdo.ini -> %SystemRoot%\System32\ebwxbvdo.ini
NY -> edxugyeo.dll -> %SystemRoot%\System32\edxugyeo.dll
NY -> hayrrcvq.ini -> %SystemRoot%\System32\hayrrcvq.ini
NY -> hpvhorho.dll -> %SystemRoot%\System32\hpvhorho.dll
NY -> kr_done1de -> %SystemRoot%\System32\kr_done1de
NY -> odvbxwbe.dll -> %SystemRoot%\System32\odvbxwbe.dll
NY -> oeyguxde.ini -> %SystemRoot%\System32\oeyguxde.ini
NY -> ohrohvph.ini -> %SystemRoot%\System32\ohrohvph.ini
NY -> qdsba.dll -> %SystemRoot%\System32\qdsba.dll
NY -> qjtxueow.dll -> %SystemRoot%\System32\qjtxueow.dll
NY -> qvcrryah.dll -> %SystemRoot%\System32\qvcrryah.dll
NY -> rvjpnbfc.ini -> %SystemRoot%\System32\rvjpnbfc.ini
NY -> vDKSCcdd.ini -> %SystemRoot%\System32\vDKSCcdd.ini
NY -> vDKSCcdd.ini2 -> %SystemRoot%\System32\vDKSCcdd.ini2
NY -> vqwiqqwb.ini -> %SystemRoot%\System32\vqwiqqwb.ini
NY -> vwerrbpa.dll -> %SystemRoot%\System32\vwerrbpa.dll
NY -> woeuxtjq.ini -> %SystemRoot%\System32\woeuxtjq.ini
NY -> xqqrpgjb.dll -> %SystemRoot%\System32\xqqrpgjb.dll
NY -> yayaYRkK.dll -> %SystemRoot%\System32\yayaYRkK.dll
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> knxsrgte.exe -> %SystemRoot%\knxsrgte.exe
NY -> mkrndofl.dll -> %SystemRoot%\mkrndofl.dll
NY -> privacy_danger -> %SystemRoot%\privacy_danger
NY -> qvlbodmnfxv.dll -> %SystemRoot%\qvlbodmnfxv.dll
NY -> svorbmke.exe -> %SystemRoot%\svorbmke.exe
NY -> tdomgafw.dll -> %SystemRoot%\tdomgafw.dll
NY -> wetkadmr.dll -> %SystemRoot%\wetkadmr.dll
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> ZAN4.exe -> C:\Documents and Settings\Joe Cauceglia.JOE\Local Settings\Temp\ZAN4.exe
NY -> C:\Documents and Settings\Joe Cauceglia.JOE\Local Settings\Temp\nsw7.tmp\ -> C:\Documents and Settings\Joe Cauceglia.JOE\Local Settings\Temp\nsw7.tmp\
NY -> C:\Documents and Settings\Joe Cauceglia.JOE\Local Settings\Temp\nsz3.tmp\ -> C:\Documents and Settings\Joe Cauceglia.JOE\Local Settings\Temp\nsz3.tmp\
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersProfile%\Application Data\TEMP:A11F741D
NY -> @Alternate Data Stream - 182 bytes -> %AllUsersProfile%\Application Data\TEMP:AA6DEB48
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersProfile%\Application Data\TEMP:ECF5194F
NY -> TmpRecentIcons -> %AppData%\TmpRecentIcons
NY -> 1 C:\Documents and Settings\Joe Cauceglia.JOE\My Documents\*.tmp files -> C:\Documents and Settings\Joe Cauceglia.JOE\My Documents\*.tmp
NY -> AntiSpywareMaster.lnk -> %UserProfile%\Desktop\AntiSpywareMaster.lnk
NY -> Error Cleaner.url -> %UserProfile%\Desktop\Error Cleaner.url
NY -> Privacy Protector.url -> %UserProfile%\Desktop\Privacy Protector.url
NY -> Spyware&Malware Protection.url -> %UserProfile%\Desktop\Spyware&Malware Protection.url
[Extra Files]
%ProgramFiles%\ShoppingReport\
%ProgramFiles%\VIDEO ACTIVEX ACCESS\
%ProgramFiles%\NetProject\
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
        Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here by copy/pasting them into the reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)

Attach the following back here in the reply:
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
Reply

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are Off
Refbacks are Off

Related Sites: Support.com | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 07:42 AM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.