Unsolved

14 Posts

December 8th, 2007 21:00

Pop ups, system alerts, complete slow down!

Through the research I have done so far, I believe I may have been infected by trojan.zlob.n. The symptoms are: numerous pop-ups, many of which offer spyware removal; system alert and system performance warnings; the computer runs very, very slowly; and when typing, not all keystrokes are recognized, causing even further slowdowns. I have to type slowly and verify that all keystrokes are recognized.
 
HijackThis log file below. As I am at my wits' end with this, I appreciate any help.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:49 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Shield 3\SystemGuardAlerter.exe
C:\Program Files\iolo\System Shield 3\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Shield 3\Personal Firewall\ioloFW.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\JOEY\MYDOCU~1\PPPATC~1\nslookup.exe
C:\WINDOWS\system32\T?sks\e?plorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\khpjgkgs.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iolo\System Shield 3\SystemShield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Shield 3\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pages.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\alfdqgdf.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [40a53621] rundll32.exe "C:\WINDOWS\system32\vkoryqwi.dll",b
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Shield 3\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Shield 3\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Shield 3\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\JOEY\MYDOCU~1\PPPATC~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Htqia] C:\WINDOWS\system32\T?sks\e?plorer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106689347232
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DomainService -   - C:\WINDOWS\system32\khpjgkgs.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6877 bytes
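
The log above contains the kinds of entries a helper scans for first. As an added example (not part of this thread and not a feature of HijackThis), the script below runs a few rules of thumb over lines quoted from the posted log: executables started from a user profile directory, a `?` inside a drive-letter path (Windows file names cannot contain `?`, so the log could not render that character; here it sits in names that mimic `Tasks` and `explorer`), Run entries named with eight hex digits or loaded through `rundll32`, a toolbar DLL sitting directly in `system32`, an added Trusted Zone, and a service with no vendor. The rule names, the `findings_for` and `triage` functions, and the thresholds are the editor's assumptions; every flagged entry still needs a human decision.

```python
import re

# Constructed excerpt: lines quoted from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\DOCUME~1\JOEY\MYDOCU~1\PPPATC~1\nslookup.exe
C:\WINDOWS\system32\T?sks\e?plorer.exe
C:\WINDOWS\system32\khpjgkgs.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\alfdqgdf.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [40a53621] rundll32.exe "C:\WINDOWS\system32\vkoryqwi.dll",b
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\JOEY\MYDOCU~1\PPPATC~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Htqia] C:\WINDOWS\system32\T?sks\e?plorer.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: DomainService -   - C:\WINDOWS\system32\khpjgkgs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A '?' inside a drive-letter path: Windows file names cannot contain '?', so the
# log could not render that character (look-alikes for "Tasks" / "explorer" here).
UNPRINTABLE_IN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]*\?')
# An executable located under a user profile rather than Program Files or Windows.
USER_PROFILE_EXE = re.compile(r"\\(DOCUME~1|Documents and Settings)\\.*\.exe", re.IGNORECASE)
RUN_NAME = re.compile(r"\[([^\]]+)\]")


def findings_for(line):
    """Return the names of every rule of thumb (editor's own) that fires on one log line."""
    hits = []
    kind = line.split(" - ", 1)[0] if re.match(r"[RO]\d+ - ", line) else ""
    if UNPRINTABLE_IN_PATH.search(line):
        hits.append("unprintable-char-in-path")
    if USER_PROFILE_EXE.search(line):
        hits.append("exe-in-user-profile")
    if kind == "O4":
        name = RUN_NAME.search(line)
        # Autostart entries named with eight hex digits, or loaded via rundll32, deserve a look.
        if name and re.fullmatch(r"[0-9a-f]{8}", name.group(1), re.IGNORECASE):
            hits.append("hex-run-name")
        if "rundll32" in line.lower():
            hits.append("rundll32-autorun")
    elif kind == "O3" and "\\windows\\system32\\" in line.lower():
        hits.append("toolbar-dll-in-system32")
    elif kind == "O15":
        hits.append("trusted-zone-added")
    elif kind == "O23":
        # O23 layout: "O23 - Service: NAME - COMPANY - PATH"; an empty company field is unusual.
        parts = line.split(" - ")
        if len(parts) >= 4 and not parts[2].strip():
            hits.append("service-no-vendor")
    return hits


def triage(log_text):
    """Run every rule over a HijackThis log; return a list of (rule, line) pairs."""
    return [(rule, line)
            for line in log_text.strip().splitlines()
            for rule in findings_for(line)]


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:26} {line}")
```

On the excerpt, eight lines are flagged and the iTunes, NVIDIA and csrss lines are left alone; the `rundll32` entry fires twice because both its hex name and its loader are unusual. Legitimate software does occasionally trip one of these rules (vendor-less services are common with home-grown drivers), which is why the output is a worklist rather than a verdict.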

4 Apprentice


20.5K Posts

December 8th, 2007 22:00

Welcome. Thank you for using Dell Community Forums.
I am reviewing your log. So far I see a couple of infections.
In the meantime, you can help me by doing the following:

* Have you posted this log on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log. Please do not do anything else until you get further instructions.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence, and do not run any fixes or scanners on your own because this may cause conflicts with the tools that I am using.

* Please disable realtime monitoring, except for your anti-virus, so it does not interfere while we are fixing your system. That would apply to your SystemGuardAlerter.

* Please launch Hijackthis again.

At the Main window select "Open the misc tool section"
Then select "Open uninstall manager"
Then "save list" and save it to your desktop.

Copy and paste that list as a reply to this thread. Thanks.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

4 Apprentice


20.5K Posts

December 9th, 2007 01:00

Let's try this...
Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Run Disk Cleanup in each user's profile:
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure only the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.

Try the uninstalls that way.

Reboot back into Safemode but select Safemode with Networking this time.

Try to download HJT Installer for version 2.02 from Here to your desktop.
If not available use this alternate link: Here
  • Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.
  • It will be installed by default here: C:\Program Files\Trend Micro\HijackThis.
  • A shortcut to the application will also be placed on your Desktop.

    If that goes well, reboot normally and open Hijackthis. Then select "Open uninstall manager"
    Then "save list" and save it to your desktop.

    Copy and paste that list as a reply to this thread.

    I'll keep my fingers crossed that all goes well.

14 Posts

December 9th, 2007 01:00

First off, thank you for your response to this problem.
 
No, I have not posted this anywhere else. 
Also, this is my computer, so that is not a problem. 
And I have not fixed any entries with HijackThis.
 
However, I went in to remove the P2P software and started getting low disk space warnings. So I tried removing other large apps that would free up space, but when I tried to remove some larger ones, it would not allow me to because there was not enough disk space. Apparently this is now eating up my disk space, because even after removing a couple of the apps, I now show 0 disk space available.
 
I tried to go ahead and run HijackThis again and noticed it is gone. The folder and previous log file are still there, but the exe file is gone, as well as the desktop shortcut. When I try downloading it again, I get the following error message:
 
C:\Documents and settings|JOEY|Local settings\Temporary internet files\Content.IE5\LZMXMZ8Z\HJT Install[2].exe is not a valid Win32 application.
 
Am I out of luck now?

14 Posts

December 9th, 2007 10:00

Everything seemed to go fine up until the last step.  After selecting "Open uninstall manager"  the list appears, but when I select "save list" the application closes.  Therefore, I am unable to post it.

4 Apprentice


20.5K Posts

December 9th, 2007 11:00

Were you able to remove the P2P programs?

14 Posts

December 9th, 2007 12:00

Yes, I was also able to delete a number of other programs that I did not use. I was able to free up almost 1.5GB of space. But I just checked now, and I am back down to about 300MB.

4 Apprentice


20.5K Posts

December 9th, 2007 13:00

We may have to do as much as we can in Safemode.

Please go back into Safemode with Networking. See if you can do this in Safemode:

1. Please download Combofix from HERE

** Take note that the link is case sensitive
Save ComboFix to the desktop. **Note: It is important that it is saved directly to, and run from your desktop**

In the event you already have Combofix, please delete it as this is a new version.
* Close any open browsers. Disconnect from the internet.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

2. Double click ComboFix.exe and follow the prompts.
You will temporarily lose the Desktop while the scan is running. Once the scan is done your Desktop will return to normal.

3. When finished, it will produce a log for you. Post that log in your next reply.
Notes:
* Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
* ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

* Don't forget to enable your anti-virus before coming back online to post your logs.

Note: The above instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

14 Posts

December 9th, 2007 15:00

OK, seems like there is always going to be "something" that happens. 
 
I ran ComboFix and it listed a number of files that were being deleted. Then it automatically restarted the computer. I did not get a log that I could post.

4 Apprentice


20.5K Posts

December 9th, 2007 16:00

Try running ComboFix again. See if it will produce a log. If no log, let me know exactly what happens. Thanks.

14 Posts

December 9th, 2007 17:00

OK that did it.  Here it is:
 
ComboFix 07-12-09.1 - JOEY 2007-12-09 13:57:35.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.253 [GMT -5:00]
Running from: C:\Documents and Settings\JOEY\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\JOEY\Favorites\Online Security Guide.lnk
C:\Documents and Settings\JOEY\My Documents\PPPATC~1
C:\Documents and Settings\JOEY\My Documents\PPPATC~1\?ppPatch\
C:\Documents and Settings\JOEY\My Documents\PPPATC~1\nslookup.exe
C:\Documents and Settings\JOEY\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\JOEY\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\JOEY\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\irof
C:\Program Files\Common Files\irof\irofa.exe
C:\Program Files\Common Files\irof\irofa.lck
C:\Program Files\Common Files\irof\irofd\class-barrel
C:\Program Files\Common Files\irof\irofd\irofc.dll
C:\Program Files\Common Files\irof\irofd\vocabulary
C:\Program Files\Common Files\irof\irofh
C:\Program Files\Common Files\irof\irofl.exe
C:\Program Files\Common Files\irof\irofl.lck
C:\Program Files\Common Files\irof\irofm.exe
C:\Program Files\Common Files\irof\irofm.lck
C:\Program Files\Common Files\irof\irofp.exe
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outlook
C:\Program Files\outlook\v.tmp
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive8.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QdrPack\zhydupd.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\Program Files\web buying\v1.8.6\webbuying.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\irof
C:\WINDOWS\irof\irof.dat
C:\WINDOWS\irof\wu
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\alfdqgdf.dllbox
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\efccyxw.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\ssqrppm.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\vtursrs.dll
C:\WINDOWS\system32\yayyaaw.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\winlogon.exe
C:\x.dat
C:\z.dat
C:\WINDOWS\Fonts\'
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core
 
 

(((((((((((((((((((((((((   Files Created from 2007-11-09 to 2007-12-09  )))))))))))))))))))))))))))))))
.
2007-12-09 11:04 . 2007-12-09 11:04   d-------- C:\Program Files\iolo
2007-12-08 19:04 . 2007-12-08 19:04 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-08 19:01 . 2007-12-08 19:01 432 --a------ C:\WINDOWS\system32\iolo.ini
2007-12-08 18:56 . 2007-07-25 08:42 126,976 --a------ C:\WINDOWS\system32\iavlsp.dll
2007-12-08 18:55 . 2007-12-08 18:55   d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2007-12-08 18:53 . 2007-12-08 18:53 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2007-12-08 18:02 . 2007-12-08 18:02   d-------- C:\Program Files\Trend Micro
2007-12-08 17:02 . 2007-12-08 18:48   d-------- C:\Program Files\AntiVirusPro
2007-12-08 03:54 . 2007-12-08 03:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-07 21:26 . 2007-12-07 21:26   d-------- C:\Program Files\Common Files\Authentium
2007-12-07 21:22 . 2007-12-07 21:30   d-------- C:\Documents and Settings\JOEY\Application Data\iolo
2007-12-07 21:22 . 2007-12-09 07:01   d----c--- C:\Documents and Settings\All Users\Application Data\iolo
2007-12-06 20:10 . 2007-12-06 20:10 134 --a--c--- C:\n.bat
2007-12-06 20:09 . 2007-12-06 20:09   d-------- C:\Temp\bkR11
2007-12-06 20:02 . 2007-12-09 11:23   d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-06 19:38 . 2007-12-08 21:26   d-------- C:\RECOVERY
2007-12-06 14:35 . 2007-12-09 07:00   d-------- C:\Program Files\Runtime Software
2007-12-01 15:30 . 2007-12-01 15:30   d-------- C:\Documents and Settings\JOEY\Application Data\Snapfish
2007-11-25 11:09 . 2007-12-09 12:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 11:09 . 2007-11-25 11:09 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 11:07 . 2007-11-25 11:07   d-------- C:\Program Files\iTunes
2007-11-25 11:05 . 2007-11-25 11:06   d-------- C:\Program Files\QuickTime
2007-11-25 11:05 . 2007-11-25 11:05   d-------- C:\Program Files\Apple Software Update
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 16:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-09 12:05 --------- d-----w C:\Program Files\WinTV
2007-12-09 12:03 --------- d-----w C:\Program Files\Pinnacle
2007-12-09 01:59 --------- d-----w C:\Program Files\NCH Swift Sound
2007-12-09 01:59 --------- d-----w C:\Program Files\IrfanView
2007-12-09 01:57 --------- d-----w C:\Program Files\BearShare
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(9).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(8).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(7).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(6).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(5).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(4).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(3).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(10).dsk
2007-11-25 16:07 --------- d-----w C:\Program Files\iPod
2007-11-17 18:10 --------- d-----w C:\Program Files\Quicken
2007-11-09 11:50 --------- d-----w C:\Documents and Settings\JOEY\Application Data\NCH Swift Sound
2007-10-28 11:44 --------- d-----w C:\Documents and Settings\SYDNEY\Application Data\Apple Computer
2007-10-11 11:33 --------- d-----w C:\Documents and Settings\JOEY\Application Data\DivX
2007-04-18 15:21 74,760 ----a-w C:\Documents and Settings\JOEY\Application Data\GDIPFONTCACHEV1.DAT
2006-03-07 00:11 28,672 ----a-w C:\Documents and Settings\JOEY\envupdat.dll
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\am9leSBoaWxsZW5icmFuZHQ\uA65ym1CuqUPtqc2wAIRtJk.vbs
2004-08-04 07:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d67412fe-89a8-419f-a2cb-7d04bd8ee11a}]
   C:\WINDOWS\system32\phvevxu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5CF4E0-1485-4C7E-A06C-2B6EE220404F}]
   C:\WINDOWS\system32\pmkjj.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"SystemGuardAlerter"="C:\Program Files\iolo\System Shield 3\SystemGuardAlerter.exe" [2007-11-07 20:10]
"iolo AntiVirus"="C:\Program Files\iolo\System Shield 3\AntiVirus\ioloAV.exe" [2007-11-03 11:09]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrppm]
ssqrppm.dll
S3 BENDER;Pinnacle DV/AV Capture;C:\WINDOWS\system32\drivers\bender.sys
S3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
S3 iaudUSB;iaudUSB;C:\WINDOWS\system32\Drivers\iAudUSB.sys
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 04:34:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 14:00:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-09 14:01:30
.
 --- E O F ---

4 Apprentice


20.5K Posts

December 9th, 2007 18:00

You had a password stealer on there. This malware/spyware is designed to steal your private information. That includes all passwords, logins to forums and your email details & other websites and most of all your Bank, Credit card or Paypal details.
It is vital that after you have been cleaned up you change all your passwords, and it is necessary to get in touch with your Bank or other financial body to inform them that your details may (probably have) been stolen.
It also seems to be able to steal all your emails so anything you have emailed to anybody is no longer confidential.

You will find your stolen passwords here:
C:\Qoobox\quarantine\C\Documents and Settings\User\x.dat.vir

Right-click on each to rename them:
Rename z.dat.vir to z.txt
Rename x.dat.vir to x.txt

• Move the two files back to the location where they originated from.
• Here:
C:\x.dat
C:\z.dat

You will need to see exactly WHAT was stolen and needs to be changed.
Now that they are .txt files, you should be able to open them in Notepad. Write the passwords etc. down so you can change them as soon as we can clean your system.
Following that, DELETE those two .txt files.

Did you remove BearShare? If not, do it now, please.

You are still infected, so let me know after you have done all that, and we will proceed with cleaning.

14 Posts

December 9th, 2007 22:00

Fortunately, the only thing I found was Outlook Express passwords. Yes, BearShare was removed.

4 Apprentice


20.5K Posts

December 9th, 2007 23:00

Open Notepad and copy/paste the following text between the dotted lines into it. Do not copy the dotted lines.
** Make sure you copy/paste ALL the text at once.
-----------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
C:\Documents and Settings\JOEY\envupdat.dll
C:\WINDOWS\system32\phvevxu.dll

Folder::
C:\Program Files\BearShare
C:\Temp\bkR11

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d67412fe-89a8-419f-a2cb-7d04bd8ee11a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5CF4E0-1485-4C7E-A06C-2B6EE220404F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrppm]


--------------------------------------------------------------------------------------------------------

Save this as CFScript.txt

[Screenshot hosted on Photobucket]

Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

Please submit a sample of this file:
C:\WINDOWS\am9leSBoaWxsZW5icmFuZHQ\uA65ym1CuqUPtqc2wAIRtJk.vbs

to Virus Total --
http://www.virustotal.com/en/indexf.html

At the top of the page you will see:
Select file>Browse>Send
Just follow the prompts.
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.
Also include the contents of the new ComboFix log in your next reply along with a new HijackThis log. Let me know how things are running.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Message Edited by Bugbatter on 12-09-2007 08:21 PM
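
The CFScript above is written from entries that appeared in the earlier ComboFix log, one section per kind of object (`File::`, `Folder::`, `Registry::`). As an added example (not part of the thread and not a ComboFix feature), the script below parses a CFScript in that format and dry-runs it against the log it was written from, reporting any item the log never mentioned, so a mistyped path cannot quietly point the fix at the wrong file. It assumes those three section headers are the only ones in use and that `[-KEY]` removes a key, the same convention REGEDIT4 `.reg` files use; the `parse_cfscript`, `log_inventory` and `check_script` names are the editor's, and the log lines and script are copied from this thread.

```python
import re

# Constructed excerpt: lines quoted from the ComboFix log posted earlier in the thread.
COMBOFIX_EXCERPT = r"""
2007-12-08 19:04 . 2007-12-08 19:04 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-06 20:10 . 2007-12-06 20:10 134 --a--c--- C:\n.bat
2007-12-06 20:09 . 2007-12-06 20:09   d-------- C:\Temp\bkR11
2007-12-09 01:57 --------- d-----w C:\Program Files\BearShare
2006-03-07 00:11 28,672 ----a-w C:\Documents and Settings\JOEY\envupdat.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d67412fe-89a8-419f-a2cb-7d04bd8ee11a}]
   C:\WINDOWS\system32\phvevxu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5CF4E0-1485-4C7E-A06C-2B6EE220404F}]
   C:\WINDOWS\system32\pmkjj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrppm]
ssqrppm.dll
"""

# The CFScript exactly as given in the post above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
C:\Documents and Settings\JOEY\envupdat.dll
C:\WINDOWS\system32\phvevxu.dll

Folder::
C:\Program Files\BearShare
C:\Temp\bkR11

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d67412fe-89a8-419f-a2cb-7d04bd8ee11a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5CF4E0-1485-4C7E-A06C-2B6EE220404F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrppm]
"""

DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")


def parse_cfscript(text):
    """Split a CFScript into {section: [items]}; a header is a line ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def log_inventory(log_text):
    """Collect every drive-letter path and every [registry key] the log reported."""
    paths, keys = set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            keys.add(line.lower())
        else:
            m = DRIVE_PATH.search(line)
            if m:
                paths.add(m.group(0).strip().lower())
    return paths, keys


def check_script(script_text, log_text):
    """Dry run: classify each script item as seen in the log, unseen, or malformed."""
    paths, keys = log_inventory(log_text)
    report = {"ok": [], "not_in_log": [], "malformed": []}
    for section, items in parse_cfscript(script_text).items():
        for item in items:
            if section == "Registry":
                # REGEDIT4 convention, which CFScript shares: [-KEY] deletes the key.
                if not (item.startswith("[-") and item.endswith("]")):
                    report["malformed"].append((section, item))
                    continue
                seen = ("[" + item[2:]).lower() in keys
            elif section in ("File", "Folder"):
                seen = item.lower() in paths
            else:
                report["malformed"].append((section, item))
                continue
            report["ok" if seen else "not_in_log"].append((section, item))
    return report


if __name__ == "__main__":
    for bucket, entries in check_script(CFSCRIPT, COMBOFIX_EXCERPT).items():
        for section, item in entries:
            print(f"{bucket:11} {section:9} {item}")
```

Against the excerpt, all nine entries of the script are confirmed; change one character of a path (for instance the digit `0` in `vbzip10.dll` to the letter `O`) and that item lands in `not_in_log`, while a registry line without the leading `-` is reported as malformed rather than being treated as a deletion.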

14 Posts

December 10th, 2007 00:00

I do not see the file:
C:\WINDOWS\am9leSBoaWxsZW5icmFuZHQ\uA65ym1CuqUPtqc2wAIRtJk.vbs

ComboFix log:

ComboFix 07-12-09.1 - JOEY 2007-12-09 21:17:06.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.225 [GMT -5:00]
Running from: C:\Documents and Settings\JOEY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JOEY\Desktop\CFScript.txt

FILE
C:\Documents and settings\JOEY\envupdat.dll
C:\n.bat
C:\WINDOWS\system32\phvevxu.dll
C:\WINDOWS\system32\vbzip10.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and settings\JOEY\envupdat.dll
C:\n.bat
C:\Program files\BearShare
C:\Program files\BearShare\BearShare.dat
C:\Program files\BearShare\db\config.bin
C:\Program files\BearShare\db\gwebcache.dat
C:\Program files\BearShare\db\Hostiles-Chat.txt
C:\Program files\BearShare\db\Hostiles.txt
C:\Program files\BearShare\db\library.dat
C:\Program files\BearShare\db\SearchTemplates.ini
C:\Program files\BearShare\FreePeers.ini
C:\Program files\BearShare\Logs\memory.txt
C:\Program files\BearShare\Logs\ordinal.txt
C:\Program files\BearShare\UNWISE.EXE
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\system32\vbzip10.dll

.
(((((((((((((((((((((((((   Files Created from 2007-11-10 to 2007-12-10  )))))))))))))))))))))))))))))))
.

2007-12-09 11:04 . 2007-12-09 11:04   d-------- C:\Program Files\iolo
2007-12-08 19:01 . 2007-12-08 19:01 432 --a------ C:\WINDOWS\system32\iolo.ini
2007-12-08 18:56 . 2007-07-25 08:42 126,976 --a------ C:\WINDOWS\system32\iavlsp.dll
2007-12-08 18:55 . 2007-12-08 18:55   d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2007-12-08 18:53 . 2007-12-08 18:53 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2007-12-08 18:02 . 2007-12-08 18:02   d-------- C:\Program Files\Trend Micro
2007-12-08 17:02 . 2007-12-08 18:48   d-------- C:\Program Files\AntiVirusPro
2007-12-08 03:54 . 2007-12-08 03:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-07 21:26 . 2007-12-07 21:26   d-------- C:\Program Files\Common Files\Authentium
2007-12-07 21:22 . 2007-12-07 21:30   d-------- C:\Documents and Settings\JOEY\Application Data\iolo
2007-12-07 21:22 . 2007-12-09 07:01   d----c--- C:\Documents and Settings\All Users\Application Data\iolo
2007-12-06 20:02 . 2007-12-09 11:23   d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-06 19:38 . 2007-12-08 21:26   d-------- C:\RECOVERY
2007-12-06 14:35 . 2007-12-09 07:00   d-------- C:\Program Files\Runtime Software
2007-12-01 15:30 . 2007-12-01 15:30   d-------- C:\Documents and Settings\JOEY\Application Data\Snapfish
2007-11-25 11:09 . 2007-12-09 14:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 11:09 . 2007-11-25 11:09 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 11:07 . 2007-11-25 11:07   d-------- C:\Program Files\iTunes
2007-11-25 11:05 . 2007-11-25 11:06   d-------- C:\Program Files\QuickTime
2007-11-25 11:05 . 2007-11-25 11:05   d-------- C:\Program Files\Apple Software Update

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 16:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-09 12:05 --------- d-----w C:\Program Files\WinTV
2007-12-09 12:03 --------- d-----w C:\Program Files\Pinnacle
2007-12-09 01:59 --------- d-----w C:\Program Files\NCH Swift Sound
2007-12-09 01:59 --------- d-----w C:\Program Files\IrfanView
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(9).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(8).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(7).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(6).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(5).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(4).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(3).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-12-07 01:09 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(10).dsk
2007-11-25 16:07 --------- d-----w C:\Program Files\iPod
2007-11-17 18:10 --------- d-----w C:\Program Files\Quicken
2007-11-09 11:50 --------- d-----w C:\Documents and Settings\JOEY\Application Data\NCH Swift Sound
2007-10-28 11:44 --------- d-----w C:\Documents and Settings\SYDNEY\Application Data\Apple Computer
2007-10-11 11:33 --------- d-----w C:\Documents and Settings\JOEY\Application Data\DivX
2007-04-18 15:21 74,760 ----a-w C:\Documents and Settings\JOEY\Application Data\GDIPFONTCACHEV1.DAT
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\am9leSBoaWxsZW5icmFuZHQ\uA65ym1CuqUPtqc2wAIRtJk.vbs
2004-08-04 07:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-09_14.00.32.39   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-09 17:18:02 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-10 02:11:10 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-09 17:18:02 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-10 02:11:10 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d67412fe-89a8-419f-a2cb-7d04bd8ee11a}]
   C:\WINDOWS\system32\phvevxu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"SystemGuardAlerter"="C:\Program Files\iolo\System Shield 3\SystemGuardAlerter.exe" [2007-11-07 20:10]
"iolo AntiVirus"="C:\Program Files\iolo\System Shield 3\AntiVirus\ioloAV.exe" [2007-11-03 11:09]

S3 BENDER;Pinnacle DV/AV Capture;C:\WINDOWS\system32\drivers\bender.sys
S3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
S3 iaudUSB;iaudUSB;C:\WINDOWS\system32\Drivers\iAudUSB.sys
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 04:34:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\JOEY\LOCALS~1\Temp\yjfijsxy.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 21:21:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 21:22:40 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-09 14:01
.
 --- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:59 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pages.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {d67412fe-89a8-419f-a2cb-7d04bd8ee11a} - C:\WINDOWS\system32\phvevxu.dll (file missing)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Shield 3\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Shield 3\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106689347232
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4977 bytes



Message Edited by johnnyo808 on 12-09-2007 09:08 PM

4 Apprentice
20.5K Posts

December 10th, 2007 01:00

Please launch HijackThis and place a checkmark next to the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {d67412fe-89a8-419f-a2cb-7d04bd8ee11a} - C:\WINDOWS\system32\phvevxu.dll (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com

Close all windows except HijackThis and click "Fix Checked".
Close HijackThis.

Restart your computer in normal mode.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with a fresh HijackThis log.
  • Click Close to exit the program.


Message Edited by Bugbatter on 12-10-2007 04:15 PM