Spyware Protect 2009 alert (CADMAN303)


Post by CADMAN303 on Wed Mar 04, 2009 6:07 pm

I have Spyware protect 2009 alert malware virus on my computer.
The operating system is XP.
I have to boot in safe mode, otherwise it locks up on a bogus blue screen with a bogus message.
I would like to know what are the steps to remove this from my system.
I have tried to remove it but it always returns.

Thanks for any help.


Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Wed Mar 04, 2009 6:30 pm

Execute this in safe mode.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Thanks

Post by CADMAN303 on Wed Mar 04, 2009 6:49 pm

I will do this tonight since the computer is at home.

CADMAN303


DDS.txt

Post by CADMAN303 on Thu Mar 05, 2009 12:59 pm

DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by P-Computer at 5:58:57.01 on Thu 03/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.134 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\P-Computer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [rundll32.exe] rundll32.exe "c:\documents and settings\p-computer\application data\macromedia\common\1b0bc0121.dll""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MalwareRemovalBot] c:\program files\malwareremovalbot\MalwareRemovalBot.exe -boot
uRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
uRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [rundll32.exe] rundll32.exe "c:\documents and settings\p-computer\application data\macromedia\common\1b0bc0121.dll""
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-20 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-20 47640]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-1-13 26488]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-3 52240]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-18 36368]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-18 333328]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2009-3-3 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-3 648456]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-04 22:40 --d----- c:\windows\LastGood.Tmp
2009-03-04 22:40 2,833 a------- c:\windows\system32\spupdsvc.inf
2009-03-04 22:34 --d----- c:\windows\system32\scripting
2009-03-04 22:34 --d----- c:\windows\l2schemas
2009-03-04 22:34 --d----- c:\windows\system32\en
2009-03-04 22:34 --d----- c:\windows\system32\bits
2009-03-04 22:31 --d----- c:\windows\ServicePackFiles
2009-03-04 22:29 --d----- c:\windows\network diagnostic
2009-03-04 22:22 --d----- c:\windows\EHome
2009-03-04 22:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 21:50 --d----- c:\windows\system32\log
2009-03-04 17:53 --d----- c:\program files\CCleaner
2009-03-04 17:37 --d----- c:\docume~1\p-comp~1\applic~1\MalwareRemovalBot
2009-03-04 17:37 --d----- c:\program files\MalwareRemovalBot
2009-03-03 21:32 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-03 21:32 52,496 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-03 21:32 52,240 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-03 20:04 --d----- c:\windows\system32\LogFiles
2009-03-03 15:07 --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-03-02 07:46 364,560 a------- c:\windows\sysguard.exe

==================== Find3M ====================

2009-03-04 22:38 77,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 23:27 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 6:00:14.54 ===============


Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Thu Mar 05, 2009 5:10 pm

Hello.
Thanks for the log, I can see the problem. The malware has made itself a nice little hiding place in the registry so we have to remove that before we can remove the problem.

  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
    start notepad C:\look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.



Re: Spyware Protect 2009 alert (CADMAN303)

Post by CADMAN303 on Thu Mar 05, 2009 8:36 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"MSVideo8"="VfWWDM32.dll"
"wave1"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"midi1"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"mixer1"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"aux"="wdmaud.drv"
"midi2"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"aux1"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"mixer2"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"aux2"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"wave2"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

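The export above shows what look.bat was meant to surface: the numbered wave/midi/mixer/aux entries under Drivers32 point at 1b0bc0121.dll in the user's Application Data, while the legitimate entries name a module in the Windows system directory, either bare (wdmaud.drv) or by full path (C:\WINDOWS\system32\l3codeca.acm). The following Python script is an added example, not code from the thread, DDS or OTMoveIt: it parses a regedit /e export like the one look.bat produces and lists every Drivers32 value that resolves to a path outside the Windows directory. SAMPLE_EXPORT is a constructed excerpt modelled on the posted export; load_reg_file, parse_reg_export, is_suspect and find_suspect_drivers are names chosen here.

```python
"""Flag hijacked media-driver entries in a regedit /e export of Drivers32.

Hypothetical helper written for this thread, not part of DDS or OTMoveIt.
regedit /e writes UTF-16LE with a BOM, which load_reg_file() handles;
parse_reg_export() turns the decoded text into {key: {name: data}} for
string values, and find_suspect_drivers() returns every Drivers32 value
whose module lives outside the Windows directory. Legitimate entries name
a module in the system directory, either bare ("wave"="wdmaud.drv") or by
full path ("msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"); a value
pointing into a user profile is what the thread found.
"""
import re
import sys
from typing import Dict, List, Tuple

DRIVERS32_KEY = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
)

# Constructed excerpt modelled on the export CADMAN303 posted above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave1"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"midi1"="C:\\DOCUME~1\\P-COMP~1\\APPLIC~1\\MACROM~1\\Common\\1b0bc0121.dll"
"aux"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\\ for backslash, \" for quote)
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Where a legitimate Drivers32 module may live when given by full path.
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\")


def _unescape(s: str) -> str:
    """Undo .reg string escaping."""
    return re.sub(r"\\(.)", r"\1", s)


def load_reg_file(path: str) -> str:
    """Read a regedit /e export; REGEDIT 5.00 files are UTF-16LE with BOM."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")  # REGEDIT4 / regedit /ea ANSI exports


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key (lowercased): {value name: string data}}.

    Only string values are kept; dword:/hex: data is never a driver path.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def is_suspect(data: str) -> bool:
    """True when the value is a path that is not under the Windows directory."""
    d = data.lower()
    if "\\" not in d and "/" not in d:
        return False  # bare module name, resolved from the system directory
    return not d.startswith(WINDOWS_DIR_PREFIXES)


def find_suspect_drivers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (value name, data) pairs in Drivers32 that point outside Windows."""
    values = keys.get(DRIVERS32_KEY.lower(), {})
    return sorted((n, d) for n, d in values.items() if is_suspect(d))


if __name__ == "__main__":
    # Usage: python drivers32_check.py C:\look.txt   (no argument: the sample)
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, data in find_suspect_drivers(parse_reg_export(text)):
        print(f'"{name}"="{data}"')
```

Run against the real C:\look.txt the batch file wrote, it reports the same eight numbered entries the OTMoveIt script later resets to wdmaud.drv.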

Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Thu Mar 05, 2009 8:41 pm

Thanks. Let's remove it now.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\program files\malwareremovalbot
    c:\documents and settings\p-computer\application data\macromedia\common\1b0bc0121.dll
    c:\windows\sysguard.exe

    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "midi2"="wdmaud.drv"
    "aux1"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "aux2"="wdmaud.drv"
    "wave2"="wdmaud.drv"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MalwareRemovalBot"=-
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Spyware Protect 2009 alert (CADMAN303)

Post by CADMAN303 on Fri Mar 06, 2009 1:00 pm

========== FILES ==========
c:\program files\MalwareRemovalBot moved successfully.
LoadLibrary failed for c:\documents and settings\p-computer\application data\macromedia\common\1b0bc0121.dll
c:\documents and settings\p-computer\application data\macromedia\common\1b0bc0121.dll NOT unregistered.
c:\documents and settings\p-computer\application data\macromedia\common\1b0bc0121.dll moved successfully.
c:\windows\sysguard.exe moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"wave1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"midi1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"mixer1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"midi2"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"aux1"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"mixer2"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"aux2"|"wdmaud.drv" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\\"wave2"|"wdmaud.drv" /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rundll32.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MalwareRemovalBot deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rundll32.exe deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_075242


Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Fri Mar 06, 2009 6:03 pm

Hello.
Please post a new DDS log now. Re-run DDS and post the DDS.txt log.



Re: Spyware Protect 2009 alert (CADMAN303)

Post by CADMAN303 on Fri Mar 06, 2009 6:11 pm

DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by P-Computer at 13:05:55.48 on Fri 03/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.133 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\P-Computer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
uRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-20 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-20 47640]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-1-13 26488]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-3 52240]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-18 36368]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-18 333328]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2009-3-3 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-3 648456]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-06 07:52 --d----- C:\_OTMoveIt
2009-03-04 22:40 --d----- c:\windows\LastGood.Tmp
2009-03-04 22:40 2,833 a------- c:\windows\system32\spupdsvc.inf
2009-03-04 22:34 --d----- c:\windows\system32\scripting
2009-03-04 22:34 --d----- c:\windows\l2schemas
2009-03-04 22:34 --d----- c:\windows\system32\en
2009-03-04 22:34 --d----- c:\windows\system32\bits
2009-03-04 22:31 --d----- c:\windows\ServicePackFiles
2009-03-04 22:29 --d----- c:\windows\network diagnostic
2009-03-04 22:22 --d----- c:\windows\EHome
2009-03-04 22:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 21:50 --d----- c:\windows\system32\log
2009-03-04 17:53 --d----- c:\program files\CCleaner
2009-03-04 17:37 --d----- c:\docume~1\p-comp~1\applic~1\MalwareRemovalBot
2009-03-03 21:32 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-03 21:32 52,496 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-03 21:32 52,240 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-03 20:04 --d----- c:\windows\system32\LogFiles
2009-03-03 15:07 --d----- c:\docume~1\alluse~1\applic~1\Trend Micro

==================== Find3M ====================

2009-03-04 22:38 77,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 23:27 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 13:07:17.90 ===============


Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Fri Mar 06, 2009 6:24 pm

Hello.
Good news.
The dead run value didn't return.
Just need to use OTMoveIt to remove one last folder, then I think we can call this a wrap.


  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\docume~1\p-comp~1\applic~1\MalwareRemovalBot
    C:\Documents and Settings\P-Computer\Desktop\dds.scr


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Spyware Protect 2009 alert (CADMAN303)

Post by CADMAN303 on Fri Mar 06, 2009 6:32 pm

========== FILES ==========
c:\docume~1\p-comp~1\applic~1\MalwareRemovalBot\Settings moved successfully.
c:\docume~1\p-comp~1\applic~1\MalwareRemovalBot\Log moved successfully.
c:\docume~1\p-comp~1\applic~1\MalwareRemovalBot moved successfully.
C:\Documents and Settings\P-Computer\Desktop\dds.scr moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_132933


Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Fri Mar 06, 2009 6:34 pm

That should do it. Let's remove OTMoveIt now, we don't need it anymore.
How is the machine running now?


  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button this time.
  • Press Yes at the cleanup process prompt.
  • It will start cleaning now, and will want to reboot after, please allow it to do so.
  • It will make a log of what it has removed, but I don't need to see the log.



Re: Spyware Protect 2009 alert (CADMAN303)

Post by CADMAN303 on Fri Mar 06, 2009 7:11 pm

This is the exact error message I get and it just locks up:

A problem has been detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer
for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options, and then
select Safe Mode.

Technical Information:

*** STOP: 0x000000D1 (0x23CF000,0x00000002,0x00000000,0xAA389CF6)


Beginning dump of physical memory
physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

I don't know what to do next.

CADMAN303


Re: Spyware Protect 2009 alert (CADMAN303)

Post by Belahzur on Fri Mar 06, 2009 7:23 pm

Ah.
We've seen a few of the driver not less or equal messages, Doctor_Inferno is usually pretty good at figuring these out.
Open a thread in our hardware forum section and copy and paste that error message into your post there, the other techs of this forum know more in that area than I do.

