Help, I have a bug...Again...A false security program
There I was minding my own business, when this Desktop Security 2010 took over my computer and has been making me pull out what little hair I still have left, lol. I have been able to run rkill and Malwarebytes after several attempts and finally have the computer semi-working; now, as long as I do not turn it off, it operates, but if I restart, the whole process starts again.... I am guessing that I probably need to delete or change something, but I have reached the limits of my knowledge... Someone please help... THANKS, Al
April 21st, 2010 12:23am

Ok, you have managed to confuse me here. I deal with these things daily and never had this problem. When scanning with Malwarebytes I assume you are choosing to remove everything found and that you updated the database prior to scanning. Follow the instructions below and I will guide you through this fix. Chances are this is the result of malware, which is a type of infection. Please follow the instructions below.

1. Click Here to download HJTsetup.exe:
2. Click on "Download Now"
3. Save HJTsetup.exe to your desktop.
4. Double click on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This.
5. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
6. Put a check mark in the box to Create a desktop icon, then click Next again. Continue to follow the rest of the prompts from there.
7. At the final dialogue box, click Finish. Hijack This will launch.
8. Click on the "Do a system scan and save a log" file button. The scan will ensue and a log file will be generated at the conclusion.
9. At the top of the log file click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
10. Come back here to this topic and Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. DO NOT install or uninstall anything or otherwise make changes to your computer until we are finished with this process.

Regards, Joel

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 21st, 2010 1:03am

Hi Joel, thanks for coming to my rescue again; you helped me last time as well. You make it look easy. BTW, I did a OneCare scan and it said I had two major problems, but it did not tell me what to do. Also, when I tried originally to run rkill and Malwarebytes, I had to change the name of the .exe to get them to work. Thank you, Al. Here's the log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:08:20 PM, on 4/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
C:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AiodAdobe] c:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [Silverlightmscorlib] c:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\Run: [AcrobatAdobe] C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [EntitlementClientBootstrapClient] c:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\Run: [AcrobatNPPDF328.1.0.2007051000] c:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
O4 - HKLM\..\Run: [VisualBasicCore] C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\Run: [ClientEntitlement] C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\Run: [wvwxvvdrv] rundll32.exe "wvvtqr.dll",s
O4 - HKLM\..\Run: [ddbyxxsys] rundll32.exe "effcdc.dll",DllRegisterServer
O4 - HKLM\..\RunServices: [ReportingDWIntl2012.0.4518.1014] c:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
O4 - HKLM\..\RunServices: [ApplicationError] c:\program files\common files\microsoft shared\dw\1049\reportingerror.exe
O4 - HKLM\..\RunServices: [AiodAcrobat] C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\RunServices: [Systemmscorrc] C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\RunServices: [EntitlementClientBootstrapClient] C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\Internet Security\tsc.exe" /HD
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [nnkljidrv] rundll32.exe "wvvtqr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [ddababsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ddababsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'Default user')
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} (PCInfoOcxEN Control) - http://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6EBC6744-5383-4213-AD5E-66434ECA1812} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/centurylink/fs/resources/fslauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9183 bytes
April 21st, 2010 1:15am

Al, we have really gotta stop meeting this way. It appears from your HijackThis log file that you still do not have an active antivirus program. Your computer is infected with several malware. Please open HijackThis and choose "Do a system scan only". Locate the following entries and place a check mark in the respective box. After check marks have been placed in the respective box for the entries, click on "Fix selected". Confirm all prompts to delete the entries.

Next, download, update and choose a quick scan with Malwarebytes. After the scan completes, choose to remove anything found. A log file will be created. Please copy and post the log file in your reply. The link below to download Malwarebytes is a direct file download. In other words, it will not direct you to a website. It will directly download the mbam set-up file.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [AiodAdobe] c:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [AcrobatAdobe] C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\RunServices: [AiodAcrobat] C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - (no file)

There may be other entries to delete as well. I will know more after you post the Malwarebytes log file.

mbam direct dld

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 21st, 2010 1:33am
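The entries Joel picks out of the log above are the kind a triage script can flag automatically. The following is an added example, not HijackThis code and not from the thread: it parses HijackThis-style lines (the sample is an excerpt of the log Al posted) and applies four checks that mirror Joel's review, a browser ProxyServer pointing at a loopback address, an O18 filter with "(no file)", an O4 autorun that launches rundll32.exe with a DLL given only by bare file name, and one payload registered under several different autorun value names. The rule names and the helper functions are this example's own.

```python
"""Triage heuristics for a HijackThis log (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed excerpt: lines taken from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AiodAdobe] c:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [AcrobatAdobe] C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [wvwxvvdrv] rundll32.exe "wvvtqr.dll",s
O4 - HKLM\..\Run: [ddbyxxsys] rundll32.exe "effcdc.dll",DllRegisterServer
O4 - HKLM\..\RunServices: [AiodAcrobat] C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nnkljidrv] rundll32.exe "wvvtqr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [ddababsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - (no file)
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# O4 body layout: <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
LOOPBACK_RE = re.compile(r"\b(127\.\d+\.\d+\.\d+|localhost)\b", re.IGNORECASE)
# Unquoted program paths may contain spaces, so cut at the first executable extension.
UNQUOTED_PROG_RE = re.compile(r"^(?P<prog>.+?\.(?:exe|dll|com|scr|bat))(?:\s+(?P<args>.*))?$", re.IGNORECASE)


def parse_entries(text):
    """Yield (code, body) for each 'Rn - ...' / 'On - ...' line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def split_command(cmd):
    """Split an autorun command line into (program, arguments)."""
    cmd = USER_SUFFIX_RE.sub("", cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_PROG_RE.match(cmd)
    if m:
        return m.group("prog"), (m.group("args") or "").strip()
    prog, _, rest = cmd.partition(" ")
    return prog, rest.strip()


def payload_of(cmd):
    """What an O4 entry really runs: the DLL handed to rundll32, otherwise the program (lower-cased)."""
    prog, args = split_command(cmd)
    if prog.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        return args.split(",", 1)[0].strip().strip('"').lower()
    return prog.lower()


def triage(text):
    """Return a list of (rule, detail) findings for the log text."""
    findings = []
    names_by_payload = defaultdict(set)
    for code, body in parse_entries(text):
        if code == "R1" and "ProxyServer" in body and LOOPBACK_RE.search(body):
            findings.append(("loopback-proxy", body))
        elif code == "O18" and body.endswith("(no file)"):
            findings.append(("orphaned-filter", body))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            prog, _ = split_command(m.group("cmd"))
            payload = payload_of(m.group("cmd"))
            names_by_payload[payload].add(m.group("name"))
            # A DLL named without any path is resolved through the search path, not a fixed location.
            if prog.lower().endswith("rundll32.exe") and "\\" not in payload:
                findings.append(("rundll32-bare-dll", body))
    for payload, names in names_by_payload.items():
        if len(names) > 1:
            findings.append(("duplicate-autorun", f"{payload} registered as {sorted(names)}"))
    return findings


def rules_hit(text):
    """Rule name -> number of findings, for a quick summary."""
    counts = defaultdict(int)
    for rule, _ in triage(text):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:18} {detail}")
```

The duplicate-autorun rule is what catches the three adobeaiod.exe entries Joel listed: a legitimate installer registers its program once, under one name, so the same target under several invented names is worth a look regardless of how benign the path reads.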

Joel, you are right, I'd rather meet for coffee or a beer, but either way I appreciate you. I have the Trend Micro program, but I guess it is not good enough... Here's the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4012
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/20/2010 7:04:28 PM
mbam-log-2010-04-20 (19-04-28).txt

Scan type: Quick scan
Objects scanned: 103572
Time elapsed: 16 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnkljidrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvwxvvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddbyxxsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddababsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddababsys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
April 21st, 2010 2:07am

Joel, thanks for your help; the boss is throwing me out, so I will have to resume this in the a.m. Thank you, Al
April 21st, 2010 2:48am

Hello Joel, this a.m. I started the computer and it is a lot better, although I can see it still has a problem. I ran Malwarebytes again and it found more junk; here is the newest log. Again, thanks for your help. Al

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4012
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/21/2010 7:55:11 AM
mbam-log-2010-04-21 (07-55-11).txt

Scan type: Quick scan
Objects scanned: 103168
Time elapsed: 19 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvtsdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khgecadrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxxxxvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxxxxvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvwvwxsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxyxwusys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxyxwusys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Alex\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
April 21st, 2010 3:59pm

Hello Al, and thanks for posting the log file. In reviewing the log files I noticed the database for each scan remains the same. I cannot over-express the importance of updating Malwarebytes prior to each scan. This is true even if you run Malwarebytes in the a.m. with an updated database and then decide to run it again in the p.m.; it will need to be updated prior to the p.m. scan. Malwarebytes' database is updated up to four times a day and sometimes even more. Please describe to me the problems you are still experiencing with the computer so that I may advise you as to the next procedure.

Regards, Joel

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 21st, 2010 8:01pm

Hi Joel, I have run Malwarebytes several times today and each time it comes up with a set of new infections. Sorta like they just reappear. My Trend Micro antivirus pops up every so often saying it is blocking something... I have not been on the internet other than these sites, so I don't think it is anything new. Also, I ran HijackThis again and some of the files you told me to delete were back on (the O4 files). I deleted those again. It is a lot better, but I am afraid there is something still there. Thanks, Al

I just ran Malwarebytes about a half hour ago and here is the latest log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4012
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/21/2010 12:33:05 PM
mbam-log-2010-04-21 (12-33-05).txt

Scan type: Quick scan
Objects scanned: 104277
Time elapsed: 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnkhifdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxuuvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxxwvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxxwvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sstrsssys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssrstssys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssrstssys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will run HijackThis again; here it is:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:15:57 PM, on 4/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
C:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
C:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\getrid.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Silverlightmscorlib] c:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\Run: [EntitlementClientBootstrapClient] c:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\Run: [AcrobatNPPDF328.1.0.2007051000] c:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
O4 - HKLM\..\Run: [VisualBasicCore] C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\Run: [ClientEntitlement] C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\Run: [DWIntl20Reporting] c:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
O4 - HKLM\..\Run: [adobeaiod] c:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [pmlmkkdrv] rundll32.exe "wvvtqr.dll",s
O4 - HKLM\..\Run: [urrrrqsys] rundll32.exe "effcdc.dll",DllRegisterServer
O4 - HKLM\..\RunServices: [ReportingDWIntl2012.0.4518.1014] c:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
O4 - HKLM\..\RunServices: [ApplicationError] c:\program files\common files\microsoft shared\dw\1049\reportingerror.exe
O4 - HKLM\..\RunServices: [Systemmscorrc] C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\RunServices: [EntitlementClientBootstrapClient] C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\RunServices: [AdobeNPPDF32] c:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [rqoliidrv] rundll32.exe "wvvtqr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [qomjhesys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [qomjhesys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'Default user')
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} (PCInfoOcxEN Control) - http://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6EBC6744-5383-4213-AD5E-66434ECA1812} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/centurylink/fs/resources/fslauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9180 bytes
April 21st, 2010 8:18pm

Hi Al. I too noticed the infections seem to have reappeared. I can only assume this is the result of using removable media or network files. I am in the process of analyzing your HijackThis log file and will post the results as soon as I am done. Please be patient, as I answer on a number of forums. Again, I advise you to update Malwarebytes prior to each scan.

Regards, Joel

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 21st, 2010 10:36pm
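Joel makes two observations from the series of Malwarebytes logs: the database version is the same in each scan, and the Run-key values come back under fresh names after every clean-up. Both can be checked mechanically across a set of logs. The following is an added example, not Malwarebytes code and not from the thread: it parses the log header and the per-section detection lists, then compares consecutive scans for a reused database version and for autorun keys that are cleaned in one scan and hold a new value in the next. The sample logs are constructed excerpts of three logs Al posted; the function and rule names are this example's own.

```python
"""Review a series of Malwarebytes' Anti-Malware logs (added example, not Malwarebytes code)."""
import re
from datetime import datetime

# Constructed excerpts of three of the logs posted in the thread (header plus detection sections).
SAMPLE_LOGS = [
    r"""Malwarebytes' Anti-Malware 1.45
Database version: 4012
4/20/2010 7:04:28 PM
Registry Values Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnkljidrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvwxvvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
""",
    r"""Malwarebytes' Anti-Malware 1.45
Database version: 4012
4/21/2010 7:55:11 AM
Registry Values Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvtsdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khgecadrv (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Alex\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
""",
    r"""Malwarebytes' Anti-Malware 1.45
Database version: 4016
4/21/2010 4:16:39 PM
Registry Values Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqoliidrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmlmkkdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
""",
]

DB_RE = re.compile(r"^Database version:\s*(\d+)\s*$", re.M)
WHEN_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s*$", re.M)
# One detection line: <item> (<family>) -> <action>
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam(text):
    """Return {'database', 'when', 'detections'}; a detection carries section, item, family, action."""
    db = DB_RE.search(text)
    when = WHEN_RE.search(text)
    run = {
        "database": int(db.group(1)) if db else None,
        "when": datetime.strptime(when.group(1), "%m/%d/%Y %I:%M:%S %p") if when else None,
        "detections": [],
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # e.g. "Registry Values Infected:" opens a section
            section = line[: -len(" Infected:")]
            continue
        m = DETECT_RE.match(line)
        if m and section:
            run["detections"].append({"section": section, **m.groupdict()})
    return run


def parent_key(item):
    """Registry key that held a detected value; None for file or memory items."""
    return item.rpartition("\\")[0] if item.startswith("HKEY_") else None


def review_runs(logs):
    """Compare consecutive scans: same database version reused, and autorun keys that refill."""
    runs = sorted((parse_mbam(t) for t in logs), key=lambda r: r["when"])
    findings = []
    for prev, cur in zip(runs, runs[1:]):
        stamp = f"{cur['when']:%m/%d %H:%M}"
        if cur["database"] == prev["database"]:
            findings.append(("stale-database", f"scan at {stamp} reused database {cur['database']}"))
        # Value names change between scans, so compare the keys the values were created under.
        before = {parent_key(d["item"]): d["item"].rpartition("\\")[2]
                  for d in prev["detections"] if parent_key(d["item"])}
        after = {parent_key(d["item"]): d["item"].rpartition("\\")[2]
                 for d in cur["detections"] if parent_key(d["item"])}
        for key in sorted(before.keys() & after.keys()):
            findings.append(("recurring-autorun",
                             f"{key} refilled by {stamp}: removed {before[key]}, found {after[key]}"))
    return findings


def summary(logs):
    """Rule name -> count of findings."""
    counts = {}
    for rule, _ in review_runs(logs):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in review_runs(SAMPLE_LOGS):
        print(f"{rule:18} {detail}")
```

A recurring-autorun finding after a scan that removed the value is the signal Joel reads as reinfection: the scanner is deleting the registry value but not whatever writes it back, so the next step is to look for the process or file that recreates it rather than to keep scanning.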

Thank you, Joel. I have been using the computer most of the day without any problems. I will update and run Malwarebytes and post the results. Best, Al
April 21st, 2010 10:55pm

Joel, I did the update and ran MB again and it is still coming up with junk. Here are the two logs after this run. I have a client to see this evening so I will not be able to check on this after 6 pm. I understand your position and I really appreciate your efforts on my behalf. If I do not hear from you I will just check tomorrow; as long as I rkill it and run MB every so often I am operational. Thanks, cheers, al

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4016

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/21/2010 4:16:39 PM
mbam-log-2010-04-21 (16-16-39).txt

Scan type: Quick scan
Objects scanned: 105195
Time elapsed: 18 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqoliidrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmlmkkdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urrrrqsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qomjhesys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qomjhesys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the HJ as well:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:19:10 PM, on 4/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
C:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
C:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Silverlightmscorlib] c:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\Run: [EntitlementClientBootstrapClient] c:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\Run: [AcrobatNPPDF328.1.0.2007051000] c:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
O4 - HKLM\..\Run: [VisualBasicCore] C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\Run: [ClientEntitlement] C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\Run: [DWIntl20Reporting] c:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
O4 - HKLM\..\Run: [adobeaiod] c:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [hgfcdcsys] rundll32.exe "effcdc.dll",DllRegisterServer
O4 - HKLM\..\Run: [khgddbdrv] rundll32.exe "wvvtqr.dll",s
O4 - HKLM\..\RunServices: [ReportingDWIntl2012.0.4518.1014] c:\program files\common files\microsoft shared\dw\1058\dwintl20application.exe
O4 - HKLM\..\RunServices: [ApplicationError] c:\program files\common files\microsoft shared\dw\1049\reportingerror.exe
O4 - HKLM\..\RunServices: [Systemmscorrc] C:\program files\microsoft silverlight\3.0.50106.0\servicemodelsystem3.0.50106.0.exe
O4 - HKLM\..\RunServices: [EntitlementClientBootstrapClient] C:\program files\common files\intuit\entitlement client v2\client\entitlementclientbootstrapentitlement.exe
O4 - HKLM\..\RunServices: [AdobeNPPDF32] c:\program files\adobe\reader 8.0\reader\air\adobeacrobat.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [nnmjgddrv] rundll32.exe "wvvtqr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [pmljjhsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [pmljjhsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'Default user')
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} (PCInfoOcxEN Control) - http://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6EBC6744-5383-4213-AD5E-66434ECA1812} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/centurylink/fs/resources/fslauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9120 bytes
April 21st, 2010 11:24pm

Hi Al. You have a lot of processes I am unable to locate any information on. For the time being please open HighJack This and choose Do a system scan only. Locate the following entries and place check marks in the respective boxes. Once all entries have been marked, click on Fix selected. Follow through with all prompts to confirm the deletion of the entries. You may be prompted to restart your computer to complete the removal of some of the files. Click ok and reboot.

C:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [adobeaiod] c:\program files\adobe\reader 8.0\esl\adobeaiod.exe
O4 - HKLM\..\Run: [hgfcdcsys] rundll32.exe "effcdc.dll",DllRegisterServer
O4 - HKLM\..\Run: [khgddbdrv] rundll32.exe "wvvtqr.dll",s
O4 - HKUS\S-1-5-18\..\Run: [pmljjhsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [pmljjhsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'Default user')

Update and run Malwarebytes again, posting the log file. I would also ask you to uninstall Trend Micro and install Avast 5.0. During the installation of Avast you will have the option to schedule a boot scan. Select yes to this option. Immediately after the installation, reboot the computer and allow the scan to complete, choosing to send anything found to the vault.

Avast Free Antivirus - Free software downloads and software reviews - CNET Download.com

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 22nd, 2010 2:00am

Thank you Joel, I will do this as soon as I get to the office in the morning. Have a pleasant evening, al
April 22nd, 2010 2:17am

Al, I will be out most of the day until evening EDT. Please post the log file from both the MBAM and Avast scans. Thanks, Joel

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 22nd, 2010 5:20pm

Hi Joel, been on this thing since early this a.m. I have done as you said: Trend Micro is gone, Avast is in and it found a bunch of stuff. Ran MB several times and the last time it came up empty. I don't know how to get the Avast logs; there is no print or save button? Sorry. The only other thing is when I start the computer I am getting a couple of missing dll files; I don't know if it is actually a problem. Here's a copy of all the logs. I will be here till about 6 today, have lodge meeting tonight. I really appreciate your help, I am going to owe you more than a coffee. Thanks, al

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4021

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2010 11:49:04 AM
mbam-log-2010-04-22 (11-49-04).txt

Scan type: Quick scan
Objects scanned: 103672
Time elapsed: 12 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:02:07 PM, on 4/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\getrid.exe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} (PCInfoOcxEN Control) - http://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6EBC6744-5383-4213-AD5E-66434ECA1812} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/centurylink/fs/resources/fslauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6532 bytes
April 22nd, 2010 7:08pm

That's great news Al. Looks like we may be getting somewhere, and let me add I am very happy to see that Malwarebytes was updated prior to the scan....lol. You are absolutely correct about the Avast logs. The new version is 5.0 and is quite a bit different than 4.8, which is what I am used to. I have not had the opportunity to dive in and really check it out yet. Although it is possible the files are legitimate, the missing dll files are more than likely the result of the malware. I would need to know the name of the files. Even if they are legitimate files this can be resolved fairly simply. I am proud to say your Highjack This log file looks great with the exception of the following entry, which is not an infection but nevertheless unnecessary. I can also see that you have Avast in full motion. I'm certain you will be pleased with its overall performance. The processes I referred to in my previous post as not being able to identify were apparently identified by Avast, as they no longer appear. List the names of the missing dll files and we will go from there.

In the meantime, I recommend you download and install Ccleaner from Piriform. Although some recommend using the cleaner feature but not the registry cleaner, I recommend you use both. I have used Ccleaner for several years without a single incident. When running the registry cleaner you will be prompted to back up the invalid entries. Choose yes to the option and save them to My Documents. After a few days, if everything seems to be ok with your software, you can then delete it. You should also notice the options in the left pane of the registry cleaner. The second link below is a picture of the proper configuration. One final thing, don't be alarmed if the registry cleaner detects a large number of invalid entries. This is perfectly normal.

O16 - DPF: {6EBC6744-5383-4213-AD5E-66434ECA1812} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/centurylink/fs/resources/fslauncher.cab

CCleaner - Home
http://img685.imageshack.us/img685/1462/ccleanerregconfig.jpg

Regards, Joel

Sometimes deciding which battle to fight is the toughest battle of all….. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 22nd, 2010 8:21pm
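The entries Joel asked Al to fix earlier in the thread, and the "missing dll" messages Al then saw at startup, share one pattern: a Run value under HKLM, HKCU, HKUS\S-1-5-18 or HKUS\.DEFAULT that launches rundll32.exe with a bare DLL name, under a value name made of random lowercase letters ending in "sys" or "drv". The script below is an added example written for this page; it is not code from the thread, from HijackThis or from any of the products named. It parses HijackThis O4 lines, flags that pattern, and lists rundll32 entries whose DLL can no longer be found, which is what leaves a "module could not be found" error at every logon once the DLL has been quarantined but the Run value has not been removed. The sample log is constructed from O4 lines quoted in the thread plus one made-up, path-qualified entry named Example; the random-name heuristic and the exists predicate (a stand-in for checking the disk) are assumptions of the example, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# One HijackThis O4 line, e.g.
#   O4 - HKUS\S-1-5-18\..\Run: [pmljjhsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Heuristic only (an assumption of this example): the value names the infection
# left in this thread are random lowercase letters ending in "sys" or "drv"
# (hgfcdcsys, khgddbdrv, pmljjhsys, nnmjgddrv).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,}(?:sys|drv)$")


@dataclass
class AutostartEntry:
    hive: str                        # HKLM, HKCU, HKUS\S-1-5-18, HKUS\.DEFAULT, ...
    key: str                         # Run, RunOnce, RunServices, ...
    name: str                        # registry value name (shown in [brackets])
    command: str                     # command line without the trailing (User '...') note
    user: Optional[str]              # the user from (User '...'), if HijackThis printed one
    module: Optional[str] = None     # DLL argument when the command is rundll32
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def rundll32_module(command: str) -> Optional[str]:
    """Return the DLL name/path a rundll32 command line loads, or None for other commands."""
    parts = command.split(None, 1)
    if not parts or parts[0].lower() not in ("rundll32", "rundll32.exe"):
        return None
    if len(parts) == 1:
        return ""
    arg = parts[1].strip()
    if arg.startswith('"'):              # rundll32.exe "x.dll",Entry
        return arg[1:].split('"', 1)[0]
    return arg.split(",", 1)[0]          # rundll32.exe x.dll,Entry


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one O4 line into an AutostartEntry with any triage reasons attached."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = AutostartEntry(*m.group("hive", "key", "name", "cmd", "user"))
    entry.module = rundll32_module(entry.command)
    if entry.module is not None and "\\" not in entry.module:
        # A bare file name is resolved through the DLL search path at logon, so
        # the code that runs is whichever DLL of that name the loader finds first.
        entry.reasons.append(f"rundll32 loads unqualified DLL '{entry.module}'")
    if RANDOM_NAME_RE.match(entry.name):
        entry.reasons.append(f"random-looking value name '{entry.name}'")
    return entry


def triage(log_text: str) -> List[AutostartEntry]:
    """Return the O4 entries in a HijackThis log that deserve a closer look."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.suspicious]


def orphaned_rundll32(log_text: str, exists: Callable[[str], bool]) -> List[AutostartEntry]:
    """rundll32 entries whose DLL is gone. A bare name would have to be searched
    for along the DLL search path; `exists` stands in for that lookup here."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.module and not exists(e.module)]


# Constructed sample: O4 lines quoted from the thread's first log plus one made-up,
# path-qualified rundll32 entry ([Example]) to show what is NOT flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [hgfcdcsys] rundll32.exe "effcdc.dll",DllRegisterServer
O4 - HKLM\..\Run: [khgddbdrv] rundll32.exe "wvvtqr.dll",s
O4 - HKLM\..\Run: [Example] rundll32.exe "C:\WINDOWS\system32\example.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [pmljjhsys] rundll32.exe "effcdc.dll",DllRegisterServer (User 'SYSTEM')
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.hive}\\{e.key} [{e.name}] {e.command}  <- " + "; ".join(e.reasons))
    # Pretend the quarantined DLLs are gone and only the made-up Windows one remains.
    still_present = {r"C:\WINDOWS\system32\example.dll"}
    for e in orphaned_rundll32(SAMPLE_LOG, lambda p: p in still_present):
        print(f"orphaned: {e.hive}\\{e.key} [{e.name}] still references {e.module}")
```

Run against a saved HijackThis log, `triage` picks out the three rundll32 entries and leaves VTTimer, ctfmon.exe and the path-qualified Example entry alone; `orphaned_rundll32` then shows which of those values would keep producing a load error after the DLL itself is gone, which is the list to clean up in the Run keys.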

Hi Joel, it looks like I am working properly now. I have CCleaner installed, and I shut it down and rebooted with no error messages, ran another scan and came up clean. I will continue to scan and check all the programs. I will let you know asap if all is well. THANK YOU very much, I owe you big time. Kind Regards, al
April 22nd, 2010 10:36pm

Thanks for letting me know Al, and it has been my pleasure to help you. I am happy your computer seems to be working well now. I would advise you to turn your system restore off to delete all previous restore points, then re-enable it to create a new one. If you have any more problems drop us a line. Regards, Joel

Sometimes deciding which battle to fight is the toughest battle of all.. Please visit my website @ http://repairbotsonline.weebly.com/ If I can take the time to answer you can take the time to vote to enable others to find solutions easier.
April 22nd, 2010 11:55pm

Hi Joel, I was scanning trying to find out what is wrong with my computer and came across this question from AlHELP. I have the same problem with the Desktop Security 2010 taking over my computer. I tried to follow what you said to do but I guess I'm more of a novice than the other person. Could you tell me how to get rid of this false security program in maybe smaller or simpler steps? Thanks, James
May 9th, 2010 1:11am

Hello James and thank you for posting your question. I would be happy to assist you. However, MS Answers no longer welcomes Highjack This or any other log files to be posted in the forums. As a result of this new, unwritten rule, I have created my own computer question and answer forum. The forum is completely free. There is no ad-ware, spyware or third party data collection involved. Please click on the link below, take about 2 minutes to create an account (this ensures those requesting assistance are sincere about getting help and not there to post offensive material) and post your question in the Virus/Malware section. Please click on "Post new" on the forum and create a new topic. This prevents instructions from being confused by those needing help. Simply copy and paste your above post and I will follow up with you there. Thanks and I look forward to working with you on this issue.

Free forum : Repair-Bots Online

Joel
Free computer support and diagnostics -->> http://repairbotsonline.forumotion.com/
May 9th, 2010 3:24pm

This topic is archived. No further replies will be accepted.
