
Msvlmwksn.dll has taken over my laptop

Latest post 11/02/2009 10:04 AM by bamajim. 16 replies.
 
Joined on 09/21/2009
Posts: 11
Points 235

Msvlmwksn.dll has taken over my laptop

My spyware checker (AVG) found a trojan horse file named msvlmwksn.dll in the system32 directory.  So I let the program quarantine the file, but every time it tries to run a program I get the pop-up warning:

            filename - Unable to locate component

            The app failed to start because msvlmvksn.dll was not found. Re-installing the app may fix

On start-up this happens for dozens of files, and usually multiple times when starting stand-alone programs.  I can OK through the warnings and get the programs to work, but it seems every time the program accesses the disk (or a system component) the warning reappears.  If I unquarantine the dll, my spyware checker keeps alerting me to the trojan horse, and everything seems to run exceptionally slowly.

I tried restoring from an old restore point, but nothing changed. Then I tried checking the Registry, but there were only a few occurrences of msvlmvksn.dll, and they all seemed to assign a simple numeric value.  I was able to remove these lines from the registry, but nothing changed.

I'd be willing to reinstall XP (and hope to leave all other application & data files intact), but the Dell reinstallation CD seems to want to put another copy in the same partition as the current version (and gives some warning about this causing potential problems), so I don't know if I should delete the Windows directories first and then try installing from the CD?
 

Below is the HijackThis log.  All help is appreciated.
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:56 PM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244510397&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://iecfg.honeywell.com\proxy\proxy.pac
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: 199.64.1.108 sdc.honeywell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sametime Connect] C:\Program Files\Lotus\Sametime Client\connect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0369528B-3082-11D2-9997-00A0C9B7A242} (PlaceWare Presentation-Upload Control) - https://scpwka.ops.placeware.com/etc/place/KILO/SCKpws-b3s/5.1.7.413/placeware.aud.ieupload/UploadControl.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://communities.honeywell.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwib.ops.placeware.com/etc/place/INDIA/SCIpws-b2/5.1.5.222/lib/quicksilver.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://pki.honeywell.com/pki/VSApps/vspta3.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www103.placeware.com/etc/static/CHLrapidweb/2005-09-16-21-24-55/MailObjects.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://glacierinteractive.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E3372C1F-AFE6-4A3B-90F9-83B2E9B42C82} (ADTCKS.KSLauncher) - http://online.appdev.com/inline/ADTCKS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\Software\..\Telephony: DomainName = global.ds.honeywell.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = global.ds.honeywell.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {a5c05a45-286e-4bde-8b1f-58fd1c7190b9} - C:\WINDOWS\system32\xwreg32.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  • Post Points: 20

16 Replies:

Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop


dmoutner

1. Go HERE and download File Lister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
  • Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
  • When the program is finished it will produce a log for you at C:\Files.txt

Copy and paste the contents of that log in your reply.


Consumer Security 2008- 2009

 

  • Post Points: 20
Joined on 09/21/2009
Posts: 11
Points 235

Re: Msvlmwksn.dll has taken over my laptop

Bamajim,

Thanks for your reply.... I'm just getting back to my problem here.

So I downloaded FileLister.vbe like you said, but nothing seems to happen when I open it.  I do get the same type of message as with opening all files:

WScript.exe - The application failed to run because msvlmwksn.dll cannot be found

and when I say OK, nothing seems to happen (but when this happens to other programs, clicking OK lets the other program continue to execute).  I checked and there is no C:\files.txt created either.

Did I miss a step somewhere?

Thanks for your help.

dmoutner

  • Post Points: 20
Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop


dmoutner

Reboot Into Safe Mode and see if FileLister will run. If not then do this

Go HERE

Download XP.exe.fix
Save it to your Desktop ->> Unzip it, open the folder, and double-click the exefix.reg file to run it

Then try to rerun FileLister


Consumer Security 2008- 2009

 

  • Post Points: 20
Joined on 09/21/2009
Posts: 11
Points 235

Re: Msvlmwksn.dll has taken over my laptop

I ran exefix.reg and it added something to my registry, but FileLister still doesn't run. 

I have two files in the filelister directory filelister.vbe  & scvwhat.dat.     Is there anything missing?

David

  • Post Points: 20
Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop


dmoutner

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Consumer Security 2008- 2009

 

  • Post Points: 20
Joined on 09/21/2009
Posts: 11
Points 235

Re: Msvlmwksn.dll has taken over my laptop

Bamajim,

My bad, I mailed this to myself to post from my good computer, and then I forgot to actually post it.  Here are the results from the exehelper run:

RE: Msvlmwksn.dll has taken over my laptop‏
From: David  
Sent: Mon 10/05/09 1:00 PM
To: David 
exeHelper by Raktor - 09
Build 20090925
Run at 12:59:00 on 10/05/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
  • Post Points: 20
Joined on 02/11/2006
Posts: 17,272
Points 65,992

Re: Msvlmwksn.dll has taken over my laptop

David, please edit to remove your email address, so that the moderators do not delete your post. Thanks.


Microsoft MVP - Consumer Security

Member of Alliance of Security Analysis Professionals

SpywareHammer

 

Free Internet Security - WOT Web of Trust

 

  • Post Points: 20
Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop

dmoutner

Are you able to run FileLister now?


Consumer Security 2008- 2009

 

  • Post Points: 20
Joined on 09/21/2009
Posts: 11
Points 235

Re: Msvlmwksn.dll has taken over my laptop

Bamajim,

It appears to run, but no file is generated.  I can see FileLister running in Task Manager in the application tab, and many processes are active for about 10 minutes.  Then process activity drops to virtually zero (except System Idle) and nothing else happens.

So it may run, but doesn't seem to do anything.

David

  • Post Points: 20
Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop


dmoutner

Sorry for the delay

Please download Combofix and save to your desktop:
    Note: It is important that it is saved directly to your desktop
    Close any open browsers.
    Double click on combofix.exe and follow the prompts.
    When it's finished it will produce a log.
    Post the contents of the C:\ComboFix.txt into your next reply.
    Note: Do not mouseclick combofix's window whilst it's running.
    That may cause the program to freeze/hang.


Consumer Security 2008- 2009

 

  • Post Points: 20
Joined on 09/21/2009
Posts: 11
Points 235

Re: Msvlmwksn.dll has taken over my laptop

Bamajim,

I ran ComboFix and it appears to have cleaned the infection from my laptop.  It immediately found a problem with \system32\imm32.dll.  When it rebooted, the error messages no longer appeared.  Here is the log file from ComboFix.  Is there anything I should be doing to prevent this from happening again?

Thanks again for all your help and great work fixing that problem for me!

David

ComboFix 09-10-26.03 - Dave 10/27/2009  7:49.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.510.160 [GMT -4:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imm32.dll

.
(((((((((((((((((((((((((   Files Created from 2009-09-27 to 2009-10-27  )))))))))))))))))))))))))))))))
.

2009-10-27 11:33 . 2009-10-27 11:35 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-23 17:14 . 2009-10-23 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-10-23 17:14 . 2009-10-23 17:14 -------- d-----w- c:\program files\Security Task Manager

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 11:31 . 2008-05-05 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-16 20:37 . 2004-01-21 10:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-16 20:23 . 2005-10-25 20:02 -------- d-----w- c:\program files\eProject
2009-09-21 21:33 . 2009-09-21 21:33 -------- d-----w- c:\program files\CCleaner
2009-09-17 19:17 . 2009-09-17 19:17 -------- d-----w- c:\program files\Trend Micro
2009-08-30 23:19 . 2009-06-09 02:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-30 23:19 . 2009-06-09 02:02 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-30 23:19 . 2009-06-09 02:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 17:11 . 2004-02-06 22:06 72600 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2004-08-17 12:19 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-17 12:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2002-08-29 11:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 11:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-17 12:19 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2002-08-29 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-11-02 14:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-11-02 14:17 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-11-02 14:17 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-06-11 147456]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-04-03 777424]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-09 29744]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-30 2007832]
"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-12-11 37656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"!CleanupNetMeetingDispDriver"="msconf.dll" - c:\windows\SYSTEM32\msconf.dll [2004-08-04 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-1-21 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-8-4 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 23:19 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/8/2009 10:02 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/8/2009 10:02 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 2:10 PM 297752]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [11/11/2005 12:55 PM 9433]
S0 black;black;c:\windows\SYSTEM32\DRIVERS\blackdrv.sys [11/23/2005 9:56 AM 227285]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [11/23/2005 9:56 AM 847872]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [11/11/2005 12:55 PM 115680]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wA301b.sys [1/1/1980 2:00 AM 33847]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/15/2004 9:41 AM 29744]
S3 RapFile;RapFile;c:\windows\SYSTEM32\DRIVERS\RapFile.sys [3/8/2004 2:13 PM 36676]
S3 RapNet;RapNet;c:\windows\SYSTEM32\DRIVERS\RapNet.sys [3/8/2004 2:13 PM 24344]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-05 00:19]

2009-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244510397&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0369528B-3082-11D2-9997-00A0C9B7A242} - hxxps://scpwka.ops.placeware.com/etc/place/KILO/SCKpws-b3s/5.1.7.413/placeware.aud.ieupload/UploadControl.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwib.ops.placeware.com/etc/place/INDIA/SCIpws-b2/5.1.5.222/lib/quicksilver.cab
DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} - hxxps://www103.placeware.com/etc/static/CHLrapidweb/2005-09-16-21-24-55/MailObjects.cab
DPF: {E3372C1F-AFE6-4A3B-90F9-83B2E9B42C82} - hxxp://online.appdev.com/inline/ADTCKS.CAB
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sametime Connect - c:\program files\Lotus\Sametime Client\connect.exe
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 08:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\COMRes.dll

- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\combofix\CF981.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\mnmsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\wdfmgr.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27  8:14 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-27 12:14

Pre-Run: 9,085,067,264 bytes free
Post-Run: 9,168,564,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 7E448889688BEA49A53D730A4DDB1A91

 

  • Post Points: 20
Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop

 

dmoutner

You are most welcome. Let's do one more check.

Please perform a BitDefender Online Virus and Malware Scan here:
* Click Start Scanner.
* Click I Agree… and Start Here.
* An ActiveX warning box will appear; click Install.
* Options displayed are Folders to Scan and Cleaning Options; click Folders to Scan.
* Select folders to be scanned by clicking check boxes; click OK.
* Click Start Scan.
* After the scan has completed, click Click here to export the scan report.
* Save the report to your Desktop.
* In your next reply, please include the BitDefender log.

 


Consumer Security 2008- 2009

 

  • Post Points: 20
Joined on 09/21/2009
Posts: 11
Points 235

Re: Msvlmwksn.dll has taken over my laptop

Bamajim,

Hmmmm... I tried running BitDefender and after pressing Start Scan I got a pop-up message saying "BitDefender failed to update virus definitions.  You can still scan but results may not be 100% accurate".  So I continued anyway like it said, but almost immediately a Scan Failed message appeared and I couldn't go any further.

Otherwise the laptop appears to be working fine.

David  

  • Post Points: 20
Joined on 01/16/2006
Posts: 10,322
Points 15,917

Re: Msvlmwksn.dll has taken over my laptop



Hmmm.

Let's do this

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\system32\xwreg32.dll



Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

user posted image
    You will be prompted to run Combofix again, Do so
    Following the same rules as indicated in my first post
    Then post the contents of the C:\ComboFix.txt log in your reply

2. Rerun Hijackthis and post a fresh Hijackthis log as well


Consumer Security 2008- 2009

 

  • Post Points: 20
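
The CFScript in the post above targets C:\WINDOWS\system32\xwreg32.dll, the file behind the "O18 - Filter hijack: text/html" line in the HijackThis log from the first post. As an added example (not code from this thread or from HijackThis), the Python below parses such a log and flags entries for manual review; the rule list and all function names are assumptions made for illustration, and the sample lines are excerpted from that log.

```python
"""Triage a HijackThis log: parse entries and flag the ones worth a manual look."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines excerpted from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {a5c05a45-286e-4bde-8b1f-58fd1c7190b9} - C:\WINDOWS\system32\xwreg32.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Entry lines look like "<section code> - <description>"; everything else
# (header, running-process list, blank lines) is skipped by the parser.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*')
HIJACK_RE = re.compile(r"^(Filter|Protocol) hijack:", re.IGNORECASE)


@dataclass
class Entry:
    code: str             # section code, e.g. "O18"
    body: str             # text after "<code> - "
    path: Optional[str]   # first Windows path found in the body, if any


@dataclass
class Finding:
    entry: Entry
    reason: str


# Hypothetical review rules (an assumption of this example, not HijackThis's
# own logic). A match means "look at this line", not "this is malware".
RULES = [
    (lambda e: e.code == "O18" and bool(HIJACK_RE.match(e.body)),
     "HijackThis itself labels this handler a hijack"),
    (lambda e: "(no file)" in e.body,
     "registered object whose file is missing"),
    (lambda e: e.body.rstrip().endswith("= ?"),
     "startup shortcut whose target was not resolved"),
    (lambda e: e.code == "O20" and e.body.startswith("AppInit_DLLs"),
     "DLL loaded into every process that loads user32.dll"),
    (lambda e: e.code == "O23" and "Unknown owner" in e.body,
     "service binary reported without a vendor name"),
]


def parse(log_text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, p.group(0).strip() if p else None))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Flag each entry with the first review rule it matches."""
    findings = []
    for entry in parse(log_text):
        for matches, reason in RULES:
            if matches(entry):
                findings.append(Finding(entry, reason))
                break
    return findings


def mentions(entries: List[Entry], filename: str) -> List[Entry]:
    """Entries that name the given file (case-insensitive substring match)."""
    needle = filename.lower()
    return [e for e in entries if needle in e.body.lower()]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.code:<4} {f.reason}\n     {f.entry.body}")
    # The DLL named in the error pop-ups is not referenced by any entry here.
    print("entries naming msvlmwksn.dll:",
          len(mentions(parse(SAMPLE_LOG), "msvlmwksn.dll")))
```

A flagged line is a prompt for review rather than a verdict; of the five lines flagged here, the helper's CFScript targets only the xwreg32.dll one.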
 