Cyber Tech Help Support Forums > Software > Malware Removal

#1 - March 6th, 2007, 06:44 AM
mrjunkers
New Member
Join Date: Mar 2007
Posts: 12
Laggy Internet + Popup

I read the "Please read before posting Hijack This logs/Hijack This Tutorial" thread, and here is what I've done.

1 & 2: I do not remember my problems coinciding with the installation of anything.

3: I ran ATF cleaner two days ago, and the problem still exists.

4. Done.

5. The other computers in the house DO NOT have these problems.

6. Done, not the problem.

7. I stopped what I know I didn't need, but the link didn't work for me so I'm not sure what else I could stop.


My first problem is a popup. Every time I turn on or restart my computer, Mozilla Firefox always opens by itself and goes to this page: http://galerias2.lne.es/ratepic.php?pic=5602&rate=5 . I'm guessing that's an easy thing to solve, but I have no idea how. I sure would like that problem to go away. And sometimes "IEXPLORER.EXE" will show up on start up, but most of the time it doesn't. Not sure if that has anything to do with it.

My second problem is slow Internet. There are three other computers in the house, and their connection does not slow down like on this computer. The connection is not always slow, but it comes and goes (it even happens when the other computers are turned off). There are no pop-ups or anything, the connection is just slow sometimes.


Here's a link to my Windows XP thread, because this problem may be related to that one. http://www.cybertechhelp.com/forums/...846#post815846


Logfile of HijackThis v1.99.1
Scan saved at 9:25:19 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\windows\msnmsngr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYPROG~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Fncarvzw] C:\Program Files\Qgzmdla\Rqyd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svcmon] C:\WINDOWS\system32\PIN\svcmon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [reg=Msock32¢¢¢] C:\WINDOWS\system32\svr=Winfirewall.exe¢¢¢¢¢
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: msmsgs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Last edited by mrjunkers; March 6th, 2007 at 07:33 PM.
#2 - March 6th, 2007, 06:55 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Hi,

Yes indeed, this computer is infected.

First:

Download SmitfraudFix.

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.
NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
#3 - March 6th, 2007, 07:30 PM
mrjunkers
New Member
Join Date: Mar 2007
Posts: 12
SmitFraudFix v2.147

Scan done at 10:26:11.08, Tue 03/06/2007
Run from C:\Documents and Settings\samurice\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 download.bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.castlecops.com
127.0.0.1 castlecops.com
127.0.0.1 www.compu-docs.com
127.0.0.1 compu-docs.com
127.0.0.1 www.depannetonpc.net
127.0.0.1 depannetonpc.net
127.0.0.1 www.ewido.net
127.0.0.1 ewido.net
127.0.0.1 www.greyknight17.com
127.0.0.1 greyknight17.com
127.0.0.1 help.lockergnome.com
127.0.0.1 siri.urz.free.fr
127.0.0.1 cleanup.stevengould.org
127.0.0.1 stevengould.org
127.0.0.1 www.spywareinfo.dk
127.0.0.1 spywareinfo.dk
127.0.0.1 www.superantispyware.com
127.0.0.1 superantispyware.com
127.0.0.1 forums.techguy.org

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\autosys.exe FOUND !
C:\WINDOWS\system32\RegistryCleanerSetup.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\samurice


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\samurice\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\samurice\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"SystemId"=dword:42cb8756


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
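The SmitfraudFix report above shows the two indicator types this thread turns on: a hosts file that pins security-vendor sites to 127.0.0.1, and HijackThis lines (in the first post) such as a silent ProxyServer override, a start page pointed at a local HTML file, an autorun executable dropped directly in the Windows directory, an unfamiliar Winlogon Notify package, and a service with an unknown owner and a missing file. The script below is an added example, not code from the thread, from HijackThis, SmitfraudFix or the Cyber Tech Help team; it parses both inputs and flags those patterns. The vendor-domain watchlist and the Winlogon Notify allowlist are constructed assumptions; the sample inputs are copied from the logs posted in this thread.

```python
"""Triage helper for a hosts file and HijackThis-style report lines.

Added example, not part of the forum thread or of any of the tools it uses.
Watchlists are constructed for illustration; sample inputs come from the thread.
"""
import re
from typing import Dict, List

# Constructed watchlist: security-vendor domains (a subset of the ones the
# corrupted hosts file in the thread mapped to 127.0.0.1).
WATCHED_DOMAINS = {
    "bleepingcomputer.com", "castlecops.com", "superantispyware.com",
    "ewido.net", "techguy.org",
}

# Constructed allowlist: Winlogon Notify packages shipped with Windows XP.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Sample hosts lines, taken from the SmitfraudFix report in the thread.
HOSTS_SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 download.bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 www.castlecops.com
127.0.0.1 forums.techguy.org
"""

# Sample HijackThis lines, taken from the first log in the thread.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")
PAGE_RE = re.compile(r"^R[01] - .*(?:Start Page|Default_Page_URL|Local Page) = (.+)$")
O4_RE = re.compile(r'^O4 - HKLM\\\.\.\\Run: \[([^\]]+)\] "?(.+?\.exe)', re.IGNORECASE)
WIN_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")   # .exe directly in \WINDOWS


def registrable(name: str) -> str:
    """Crude 'example.tld' reduction; enough for the two-label domains used here."""
    return ".".join(name.lower().split(".")[-2:])


def hosts_hijacks(text: str) -> List[str]:
    """Return watched hostnames the hosts file overrides at all: a legitimate
    hosts file has no reason to pin a security vendor's site to any address."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        _ip, *names = line.split()
        hits.extend(n for n in names if registrable(n) in WATCHED_DOMAINS)
    return hits


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Flag HijackThis lines matching the patterns acted on in the thread."""
    findings: List[Dict[str, str]] = []

    def flag(kind: str, detail: str, line: str) -> None:
        findings.append({"kind": kind, "detail": detail, "line": line})

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            flag("proxy", m.group(1), line)                  # traffic silently redirected
        elif (m := PAGE_RE.match(line)) and re.match(r"^[a-z]:\\", m.group(1).lower()):
            flag("local-start-page", m.group(1), line)       # start page hijacked to a local file
        elif m := O4_RE.match(line):
            exe = m.group(2).lower()
            if WIN_ROOT_EXE.match(exe):
                flag("windows-root-autorun", exe, line)      # Windows ships no autoruns there
        elif line.startswith("O20 - Winlogon Notify:"):
            pkg = line.split(":", 1)[1].split(" - ")[0].strip()
            if pkg.lower() not in KNOWN_WINLOGON_NOTIFY:
                flag("winlogon-notify", pkg, line)           # DLL loaded into winlogon at logon
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            flag("unknown-service", line.split(" - ")[1], line)
    return findings


if __name__ == "__main__":
    for h in hosts_hijacks(HOSTS_SAMPLE):
        print("hosts: vendor site overridden:", h)
    for f in triage_hjt(HJT_SAMPLE):
        print(f"{f['kind']:22} {f['detail']}")
```

The heuristics are deliberately narrow: they catch the entries the helper in this thread removed by hand (proxy override, local start page, c:\windows\windll.exe, mszsrn32, MsaSvc) while leaving the NVIDIA and system32 autoruns alone, so the output is a review list, not a verdict.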
#4 - March 6th, 2007, 07:55 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
OK. Then now:

- Download : HostsXpert.
Press the Restore Original Hosts button and then press the OK button.

- Reboot into Safe Mode.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with a new HijackThis one in your next reply.
#5 - March 6th, 2007, 08:37 PM
mrjunkers
New Member
Join Date: Mar 2007
Posts: 12
Quote, originally posted by Acrobaze:
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
I wasn't asked about this, but I went ahead and did everything else anyway. Should I try this again?

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\autosys.exe Deleted
C:\WINDOWS\system32\RegistryCleanerSetup.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"SystemId"=dword:42cb8756


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 11:30:32 AM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\samurice\Desktop\hijackthis.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYPROG~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Fncarvzw] C:\Program Files\Qgzmdla\Rqyd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svcmon] C:\WINDOWS\system32\PIN\svcmon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [reg=Msock32¢¢¢] C:\WINDOWS\system32\svr=Winfirewall.exe¢¢¢¢¢
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#6 - March 6th, 2007, 08:47 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
No, it is not useful to run it again: the file was not infected.

Now:
Download rustbfix.exe from here and save it to your desktop.

Double click on rustbfix.exe. If a Rustock.b-infection is found, you will be asked to reboot your computer. The reboot will probably take quite a while, and perhaps two reboots will be needed but this will happen automatically so please be patient and allow the process to complete.

After the reboot, two logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log, please.
#7 - March 6th, 2007, 08:59 PM
mrjunkers
New Member
Join Date: Mar 2007
Posts: 12
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fekucbxq

*******************

Script file located at: \??\C:\Program Files\bgcowvqf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.



************************* Rustock.b-fix -- By ejvindh *************************
Tue 03/06/2007 11:47:42.74

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 72886
Total size: 72886 bytes.
Attempting to remove ADS...
system32: deleted 72886 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************




Logfile of HijackThis v1.99.1
Scan saved at 11:56:44 AM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYPROG~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Fncarvzw] C:\Program Files\Qgzmdla\Rqyd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svcmon] C:\WINDOWS\system32\PIN\svcmon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [reg=Msock32¢¢¢] C:\WINDOWS\system32\svr=Winfirewall.exe¢¢¢¢¢
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#8 - March 6th, 2007, 09:12 PM
Acrobaze
Malware Removal Team
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Good work! The rootkit is deleted.

Now:
Please download SDFix from here and save it to your desktop.

Rightclick on the SDFix.zip folder and choose Extract All. Open the extracted folder and doubleclick on SDFix.exe.
It will install the tool in C:\SDFix.

When you have done this, please boot into Safe Mode (see here for more help if you need it).

Locate the c:\SDFix folder once in safe mode and then double click RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons. Finally, open the SDFix folder on your desktop and copy and paste the contents of Report.txt back in this thread.
#9 - March 6th, 2007, 09:46 PM
mrjunkers
New Member
Join Date: Mar 2007
Posts: 12
SDFix: Version 1.69

Run by samurice - Tue 03/06/2007 - 12:29:53.89

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc
SVKP

Path:
C:\WINDOWS\system32\msasvc.exe
\??\C:\WINDOWS\system32\SVKP.sys

MsaSvc Deleted
SVKP Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - Deleted
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
C:\WINDOWS\1.exe - Deleted
C:\WINDOWS\dllhost.exe - Deleted
C:\WINDOWS\system32\kernels1118.exe - Deleted
C:\WINDOWS\system32\SVKP.SYS - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\My Progs\\Games\\BYOND\\bin\\dreamseeker.exe"="C:\\My Progs\\Games\\BYOND\\bin\\dreamseeker.exe:*:Enabled:dreamseeker"
"H:\\DRIVE_C\\Program Files\\Steam\\Steam.exe"="H:\\DRIVE_C\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\My Progs\\eMule\\emule.exe"="C:\\My Progs\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"H:\\DRIVE_C\\Starcraft\\starcraft.exe"="H:\\DRIVE_C\\Starcraft\\starcraft.exe:*:Enabled:Starcraft"
"C:\\My Progs\\Games\\Starcraft\\StarCraft.exe"="C:\\My Progs\\Games\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\My Progs\\BitTornado\\btdownloadgui.exe"="C:\\My Progs\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"I:\\DRIVE_C\\Program Files\\Steam\\Steam.exe"="I:\\DRIVE_C\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\My Progs\\mIRC\\mirc.exe"="C:\\My Progs\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"="C:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
"C:\\Program Files\\Common Files\\AOL\\1135980167\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1135980167\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1135980167\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1135980167\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\My Progs\\Azureus\\Azureus.exe"="C:\\My Progs\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\My Progs\\RealPlayer\\realplay.exe"="C:\\My Progs\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"E:\\Games\\NeverwinterNights\\nwmain.exe"="E:\\Games\\NeverwinterNights\\nwmain.exe:*:Enabled:Neverwinter Nights"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\client.exe"="C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\client.exe:*:Disabled:client"
"C:\\My Progs\\Games\\Rose Online\\TRose.exe"="C:\\My Progs\\Games\\Rose Online\\TRose.exe:*:Disabled:Client"
"C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\WINDOWS\\msnmsngr.exe"="C:\\WINDOWS\\msnmsngr.exe:*:Disabled:msnmsngr"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\FAEB869750.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\Temp\$_2341235.TMP

Add/Remove Programs List:

Ad-Aware SE Personal
Adobe Photoshop 7.0
Azureus
BitTorrent complete dir 1.0.1
BSPlayer
CoreAVC Pro (remove only)
Ace Ventura
Deus Ex
eMule
Fallout2
Final Fantasy VII - Ultima Edition
Microsoft GIF Animator
Gothic II
Haali Media Splitter
HijackThis 1.99.1
HijackThis 1.99.1
QuickTime
K-Lite Codec Pack 2.72 Full
LiveUpdate 2.0 (Symantec Corporation)
Macro Scheduler
mIRC
Mozilla Firefox (2.0.0.2)
NVIDIA Drivers
Port Royale 2
RealPlayer
Restorer2000 Pro
Spybot - Search & Destroy 1.4
The Edge Guild Wars Utility
Starcraft
TeamSpeak 2 RC2
Viewpoint Media Player
VideoLAN VLC media player 0.8.6
VobSub v2.23 (Remove Only)
Winamp (remove only)
WinRAR archiver
WinZip
XviD 1.2.-127 +SMP Alpha uninstall
AutoUpdate
J2SE Runtime Environment 5.0 Update 11
DAEMON Tools
RGSS-RTP Standard
Windows Genuine Advantage v1.3.0254.0
RPG Maker XP - Postality Knights Edition ENHANCED
Logitech G11 Keyboard Software 1.03
Ventrilo Client
DivX
DivX Player
Microsoft Office XP Professional with FrontPage
Project64 1.6
Microsoft Visual C++ 2005 Redistributable
Intel(R) Processor ID Utility
DivX Converter
DivX Web Player
QuickTime
Windows Resource Kit Tools
TES Construction Set

Finished
  #10  
Old March 6th, 2007, 09:58 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
OK. Then now:

- Close all browser windows, run only HijackThis and tick:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Fncarvzw] C:\Program Files\Qgzmdla\Rqyd.exe
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
O4 - HKLM\..\Run: [reg=Msock32¢¢¢] C:\WINDOWS\system32\svr=Winfirewall.exe¢¢¢¢¢

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll

Click "Fix checked" and close HijackThis.

-----

Download the attached file and save it to your C:\ drive. When saved, the file path
should be C:\Yourfile.txt

----------

Download and unzip Avenger to your desktop.
Check Load Script from File and then click the folder Icon on the right side of that section.
Then browse to C:\Yourfile.txt and click open to load it.
Then click the “green light” icon. This will begin execution of the script currently
in memory.
After you have clicked on the “green light” to begin execution of a script, The Avenger
will set itself up to run the next time you reboot your computer, and then will prompt you
to restart immediately.

After your system restarts, a log file should open with the results of Avenger’s actions.
This log file is located at C:\avenger.txt. The Avenger will also have backed up all the
files, etc., that you asked it to delete, and will have zipped them and moved the zip
archives to C:\avenger\backups.zip.

After the reboot, post a new HijackThis log, C:\avenger.txt plus this other one:
Download SilentRunners.vbs.
Run it. It generates a log; wait until the scan is complete (there is a popup at the end). Copy/paste it here, please.
(If your antivirus queries the script, allow it to run. It's not malicious.)
Attached Files
File Type: txt yourfile.txt (168 Bytes, 1 views)
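As an added example (not code from the thread or from HijackThis, Avenger or Silent Runners), here is a small Python triage script that applies the same reading Acrobaze gave the log above: it parses HijackThis entry types and flags the kinds of lines that were ticked (a random-looking Run value name, an executable dropped straight into the Windows directory, a non-stock Winlogon Notify DLL, an entry whose target file is missing) plus the R1 proxy entry from the later log. The sample log is constructed from lines that appear in this thread; the vowel-ratio test and the stock Winlogon Notify allowlist are assumptions of this example, not rules from HijackThis.

```python
"""Rule-based triage for HijackThis 1.99.1 log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the logs in this thread, mixing the
# entries Acrobaze ticked with benign neighbours and the later R1 proxy entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Fncarvzw] C:\Program Files\Qgzmdla\Rqyd.exe
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis entry type, e.g. "O4"
    reason: str   # why the line deserves a look
    line: str     # the original log line


# Assumption of this example: the stock Windows XP Winlogon Notify packages.
# HijackThis 1.99.1 normally hides these anyway, so any O20 it prints is worth a look.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_R1 = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
_WINROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")  # file directly under C:\WINDOWS


def looks_random(name: str) -> bool:
    """Heuristic stand-in for entropy: a token of 6+ letters with under 20% vowels
    (Fncarvzw, Qgzmdla). Expect false positives on abbreviations such as PINTLGNT."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def first_path(cmd: str) -> str:
    """Executable part of a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_external(proxy: str) -> bool:
    """True when the proxy host is not a private or loopback IP (hostnames count as external)."""
    host = proxy.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one rule, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        reasons: List[str] = []
        if line.endswith("(file missing)"):
            reasons.append("target file missing (stale entry)")
        m = _R1.match(line)
        if m:
            tag = "non-private address" if is_external(m.group("proxy")) else "private address"
            reasons.append(f"proxy server set to {m.group('proxy')} ({tag}); confirm it is intended")
        m = _O4.match(line)
        if m:
            if looks_random(m.group("name")):
                reasons.append(f"Run value name '{m.group('name')}' looks random")
            exe = first_path(m.group("cmd"))
            if _WINROOT.match(exe.lower()):
                reasons.append(f"executable sits directly in the Windows directory: {exe}")
        m = _O20.match(line)
        if m and m.group("name").lower() not in STOCK_NOTIFY:
            reasons.append(f"non-stock Winlogon Notify package '{m.group('name')}'")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The rules are deliberately coarse: they shortlist lines for a human reader, as Acrobaze did, and do not decide on their own what to remove.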
  #11  
Old March 6th, 2007, 10:34 PM
mrjunkers mrjunkers is offline
New Member
 
Join Date: Mar 2007
Posts: 12
Quote:
Originally Posted by Acrobaze View Post
O4 - HKLM\..\Run: [Windows Firewall] c:\windows\windll.exe
I did everything else, except I couldn't find the above in the list.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lphbkwfo

*******************

Script file located at: \??\C:\Program Files\i^cndusg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mszsrn32.dll deleted successfully.
File C:\WINDOWS\system32\svr=Winfirewall.exe¢¢¢¢¢ deleted successfully.
File c:\windows\windll.exe deleted successfully.


Folder C:\Program Files\Qgzmdla not found!
Deletion of folder C:\Program Files\Qgzmdla failed!

Could not process line:
C:\Program Files\Qgzmdla
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]
"svcmon" = "C:\WINDOWS\system32\PIN\svcmon.exe" [file not found]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM .exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"Launch LGDCore" = ""C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE" ["Logitech Inc."]
"Launch LCDMon" = ""C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\MYPROG~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\my progs\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "c:\my progs\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\my progs\corevlc\MatroskaSplitter\mmfinfo.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\my progs\corevlc\MatroskaSplitter\mmfinfo.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\my progs\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\my progs\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\my progs\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\MYPROG~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"Homepage" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing home page settings}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Desktop Background.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "samurice" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 41 seconds.
---------- (total run time: 150 seconds)




Logfile of HijackThis v1.99.1
Scan saved at 1:29:49 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYPROG~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svcmon] C:\WINDOWS\system32\PIN\svcmon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  #12  
Old March 6th, 2007, 10:39 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
That looks much better!

No problem: c:\windows\windll.exe has been deleted.

Let me know how the computer is running.

- Go here and download ATF cleaner.
Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others
that you would like to remove. If you also use Opera or Firefox, also click on the cleaning
options for each browser.

- Download the trial version of AVG Anti-Spyware from here and install it.

After installation, double-click the icon on your Desktop to launch AVG Anti-Spyware.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update AVG Anti-Spyware to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Now close AVG Anti-Spyware (don't scan just yet).

Reboot into Safe Mode. At startup tap F8 and select Safe Mode.

Make sure all windows are closed and run AVG Anti-Spyware. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

Then reboot back to Normal Mode. Run a new scan with HijackThis and post that and the AVG Anti-Spyware log back here please.
  #13  
Old March 7th, 2007, 02:54 AM
mrjunkers mrjunkers is offline
New Member
 
Join Date: Mar 2007
Posts: 12
The pop-up to that website doesn't occur anymore on start up. Not sure about the Internet lag, I'll use it tonight and see how it goes. I've been running AVG this whole time, and now it's finally done.

EDIT: I usually get the Internet lag a lot when I've just restarted my computer; after three restarts there hasn't been any lag. And after a few hours of use, it's still running well with no lag.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:12:26 PM 3/6/2007

+ Scan result:



HKLM\SOFTWARE\KMiNT21 -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
HKLM\SOFTWARE\KMiNT21\PersonalInspector -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-1606980848-854245398-1003\Software\KMiNT21 -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-1606980848-854245398-1003\Software\KMiNT21\PersonalInspector -> Adware.DesktopSpyAgent : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\Bonus Casino New York.zip/Bonus Casino New York.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\Bonus Casino Vegas installer.zip/Bonus Casino Vegas installer.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\Bonus Casino del rio installer.zip/Bonus Casino del rio installer.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\Bonus Europa Casino installer.zip/Bonus Europa Casino installer.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\Bonus Poker Room installer.zip/Bonus Poker Room installer.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\WINDOWS\2.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\WINDOWS\helpt.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_85.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP596\A0283964.exe -> Backdoor.Agent.aay : Cleaned with backup (quarantined).
C:\WINDOWS\pss\msmsgs.exeCommon Startup -> Backdoor.Agent.aay : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/dllhost.exe -> Backdoor.Assasin.11 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284118.exe -> Backdoor.Assasin.11 : Cleaned with backup (quarantined).
C:\WINDOWS\msnmsngr.exe -> Backdoor.Assasin.11 : Cleaned with backup (quarantined).
C:\WINDOWS\winnt.exe -> Backdoor.Assasin.11 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\maxd641.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\anonosi.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dwjterf.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lqiazcd.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pjgpbfk.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\WINDOWS\system32\yeeurbe.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\WINDOWS\system32\yuyjdig.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\WINDOWS\system32\znwmcnd.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP590\A0281548.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP590\A0282547.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP592\A0283677.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP593\A0283723.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP594\A0283763.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP596\A0283919.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP596\A0283934.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284105.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284152.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/svr=Winfirewall.exe¢¢¢¢¢ -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/windll.exe -> Downloader.Iowa.h : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/kernels1118.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284119.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\PIN\svcmon.dll -> Not-A-Virus.Monitor.Win32.InspectorSpy : Ignored.
:mozilla.90:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.15:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.16:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.17:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.18:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.19:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.94:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.95:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.96:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.97:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.13:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.98:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.100:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.101:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.10:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.6:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.7:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.8:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.9:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.11:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.111:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.112:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.31:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.71:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.72:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.37:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.39:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.40:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.110:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.11:C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.14:C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.20:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.21:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.22:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.23:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.24:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.25:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.27:C:\Documents and Settings\samuricex\Application Data\Mozilla\Firefox\Profiles\qb98lr7v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\out.dll -> Trojan.Agent.adl : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/ibm00002.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284116.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284056.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{983698A3-9FC8-4F44-A23E-4FB728859F8F}\RP597\A0284151.dll -> Worm.Banwarum.n : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/mszsrn32.dll -> Worm.Banwarum.n : Cleaned with backup (quarantined).


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 5:46:41 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYPROG~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svcmon] C:\WINDOWS\system32\PIN\svcmon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Last edited by mrjunkers; March 7th, 2007 at 06:44 AM.
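The lines in the log above that drove the cleanup are the R1 ProxyServer pointing at an outside address, the O4 entry launching svcmon.exe from a sub-folder of system32, and the O6 policy lock on Internet Explorer settings. The Python below is an added example, not code from the original post or from HijackThis: it parses HJT-style entries (the sample lines are copied from the log above) and flags those three patterns. The regexes, the list of "unusual" directories and the function names are this example's own assumptions, and the O6 check is deliberately noisy because Spybot S&D's IE lock sets the same policy key.

```python
"""Triage a HijackThis v1.99.1 log for the entry types that mattered in this
thread: an R1 ProxyServer that points off the box, O4 Run entries launched from
odd directories, and an O6 policy lock on Internet Explorer settings.

Added example; not code from the original post or from HijackThis. The
heuristics, regexes and function names are this example's own assumptions.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 220.77.129.183:8080",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [svcmon] C:\WINDOWS\system32\PIN\svcmon.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"',
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s;]+)(?::(?P<port>\d+))?", re.I)
# Program launched by an O4 entry: a quoted path, or the first token after the [name].
RUN_PATH_RE = re.compile(r'Run: \[[^\]]*\]\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
# A sub-folder of system32 (e.g. system32\PIN\), a temp folder, or a user-profile
# data folder: places where a legitimate Run entry on this box almost never lives.
SUSPICIOUS_DIR_RE = re.compile(
    r"\\windows\\system32\\[^\\]+\\|\\temp\\|\\application data\\|\\local settings\\", re.I)


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O4 - HKLM\\..\\Run: ...' into ('O4', 'HKLM\\..\\Run: ...')."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("rest")) if m else None


def proxy_is_external(host: str) -> bool:
    """True when the proxy is not loopback / RFC 1918 / link-local.
    A non-IP hostname is treated as external so a reviewer looks at it."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def run_path(rest: str) -> Optional[str]:
    """Path of the thing an O4 entry really runs; for RUNDLL32 that is the DLL."""
    m = RUN_PATH_RE.search(rest)
    if not m:
        return None
    path = m.group("q") or m.group("u")
    if path.lower().endswith("rundll32.exe"):
        path = rest[m.end():].strip().split(",")[0]
    return path


def triage(lines) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries worth a human look."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if not parsed:
            continue
        sec, rest = parsed
        if sec == "R1" and "ProxyServer" in rest:
            m = PROXY_RE.search(rest)
            if m and proxy_is_external(m.group("host")):
                findings.append(("proxy points off-box; browser traffic can be intercepted or blackholed", line))
        elif sec == "O4":
            path = run_path(rest)
            if path and SUSPICIOUS_DIR_RE.search(path):
                findings.append(("autorun launched from an unusual directory", line))
        elif sec == "O6":
            findings.append(("IE settings locked by policy (Spybot S&D's lock sets this too; confirm intent)", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the log above this yields three findings: the R1 proxy, the svcmon O4 entry, and the O6 line. The NVIDIA and Java entries pass because the check looks at where the program lives, not at whether RUNDLL32 is involved.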
  #14  
Old March 7th, 2007, 03:30 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Good news!

This computer was very infected, so I prefer to have another opinion:
Run this online scan, to clean the possible remnants :
http://www.pandasoftware.com/products/activescan.htm
It doesn't delete what it finds, but at the end, you can save its report and copy/paste it here.
  #15  
Old March 7th, 2007, 07:46 PM
mrjunkers mrjunkers is offline
New Member
 
Join Date: Mar 2007
Posts: 12
Incident Status Location

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.microsoftwga.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\samurice\Application Data\Mozilla\Firefox\Profiles\thvva764.default\cookies.txt[.belnk.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\samurice\Desktop\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\samurice\Desktop\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\samurice\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070122-122532.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070122-122533.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070217-114258.backup
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:trj/torpig.a Disinfected C:\WINDOWS\Temp\$_2341235.TMP
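The Trj/Qhost.gen hits in the Panda report above are all in hosts.*.backup copies, i.e. the hosts files that the fix tools saved before replacing them, so the live file had already been reset. The check below is an added example, not code from the original post or from Panda, SmitfraudFix or SDFix: it parses a Windows hosts file and reports the two things a Qhost-style hijack does, redirecting a hostname to a remote address and sinkholing vendor or update domains to loopback. The sample hosts text is constructed (the remote address is the RFC 5737 documentation range), and the watch-list of domains is this example's own choice.

```python
"""Check a Windows hosts file for Qhost-style redirection.

Added example; not from the original post or from Panda/SmitfraudFix/SDFix.
The sample hosts text is constructed and the watch-list is an assumption.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: the stock header and localhost lines, one AV vendor
# redirected to a remote (documentation-range) address, and Windows Update
# sinkholed to 127.0.0.1 so the box can no longer patch itself.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.5     www.pandasoftware.com   # constructed hijack entry
127.0.0.1       windowsupdate.microsoft.com
::1             localhost
"""

# Domains a home PC has no business re-mapping; any entry for these is a finding.
WATCHED_SUFFIXES = ("microsoft.com", "pandasoftware.com", "grisoft.com",
                    "symantec.com", "mcafee.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines.
    A line may carry several hostnames; each gets its own pair."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a hosts entry
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def is_local(ip: str) -> bool:
    """Loopback or unspecified address: the only targets a clean hosts file uses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text: str) -> List[Tuple[str, str, str]]:
    """Return (reason, ip, hostname) for suspicious entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if not is_local(ip):
            findings.append(("hostname redirected to a remote address", ip, name))
        elif name.endswith(WATCHED_SUFFIXES):
            findings.append(("vendor/update domain sinkholed to loopback", ip, name))
    return findings


if __name__ == "__main__":
    for reason, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"{reason}: {ip} -> {name}")
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts (or against one of the .backup copies) by reading the file and passing its text to find_hijacks; a clean XP hosts file produces no findings because every entry maps to localhost.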