Computer Running Extremely Slow?!


  • This topic is locked
28 replies to this topic

#1 Kaleb515

  • Members
  • 18 posts

Posted 05 February 2007 - 04:26 PM

One day I just decided to go on my computer and for some reason it was running much slower than usual. So I tried rebooting it and everything I could think of and nothing helped! I don't know why it's being so slow, and I scanned my computer for viruses and everything, nothing. Please help!

My HiJackThis Log:
=================================================================

Logfile of HijackThis v1.99.1
Scan saved at 4:19:55 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\numair\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {875f4a29-3825-4fc1-ba4d-dc199a37a48b} - C:\WINDOWS\system32\ipsxdb.dll (file missing)
O4 - HKLM\..\Run: [RegEasy.exe] C:\Program Files\RegistryEasy\RegEasy.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 64.233.217.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ipsxdb - ipsxdb.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\oZkley.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\miratelc.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)


#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 10 February 2007 - 10:13 AM

Hello Kaleb515 and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Kaleb515
  • Topic Starter

  • Members
  • 18 posts

Posted 10 February 2007 - 03:37 PM

Thanks so much!

#4 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 10 February 2007 - 05:11 PM

Hi Kaleb515,

I noticed that you are running HijackThis from your Desktop.
Please remove your current HijackThis and let's install a current version into an easily remembered and safe location, as it is vital to have HijackThis in its own folder to make sure backups cannot get damaged or accidentally deleted:
  • Please click here to download hijackthis_sfx.exe
  • Save hijackthis_sfx.exe to your desktop.
  • Double click on the hijackthis_sfx.exe icon on your desktop then click the Unzip button. Then close the Self-Extractor window.
  • Using My Computer/Windows Explorer, navigate to C:\Program Files\Hijack This and double click on HijackThis.exe to run it.
  • If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).
  • Click "Do a system scan only". HijackThis will make a quick scan and show you a list of entries.
I noticed that you have installed Ewido Antispyware 4.0. This is now owned by AVG and there is a new Version out.

Ewido anti-spyware 4.0 has been replaced by AVG Anti-Spyware 7.5 and isn't available for sale and download anymore (under the old name). Instead, please try our new, highly improved version: AVG Anti-Spyware 7.5

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Ewido.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Trend Micro.

It looks like Trend Micro is already corrupted, so if you decide to uninstall this one you will need to download and install one of the below Firewalls.

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
  • Once you have downloaded avg anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run avg and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • Close AVG Anti-Spyware and reboot your computer into Safe Mode by following these steps:
    • Shut down the computer
    • Wait 20 seconds.
    • Turn on the computer and immediately press the F8 key on the keyboard, once every second. If you get a keyboard error, press the F1 key and continue pressing the F8 key once every second.
    • The Windows Startup Menu appears.
    • Select option #3 (Safe Mode).
    • Press the Enter key. A dialog box confirms that Windows is in Safe Mode
    • Click OK. Note: This may take longer than a normal boot.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • avg will now begin the scanning process, be patient this may take a little time.
  • avg will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Avg will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close avg.
Run HijackThis, press Scan, and put a check mark next to all these entries:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {875f4a29-3825-4fc1-ba4d-dc199a37a48b} - C:\WINDOWS\system32\ipsxdb.dll (file missing)
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ipsxdb - ipsxdb.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\oZkley.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\miratelc.dll (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Please now delete the following files and folders (NB: if you cannot find a file or folder it's Ok, and you can continue):

C:\WINDOWS\system32\ipsxdb.dll
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\oZkley.dll
C:\WINDOWS\system32\miratelc.dll


Please reboot in normal mode and report back with an AVG Anti-Spyware log, vundofix.txt and a fresh HijackThis log.

Thanks,

Johannes



#5 Kaleb515
  • Topic Starter

  • Members
  • 18 posts

Posted 10 February 2007 - 10:43 PM

Alright I did EVERYTHING you told me. =)

But VundoFix.exe didn't find anything at all.

Also I can't find the Trend Micro to uninstall it, I tried everything. Could you please find an alternative way to remove it?

Also, my computer still seems to be running very slow, and it NEVER did this...
Now when I turn on my computer a blue screen appears with white text saying something about the computer encountering a disk error and needing to be restarted. So I restarted and it took me to a black screen asking if I want to start Windows normally or in Safe Mode... =(

So here are my two logs:

HiJackThis Log #2:
==============================================
Logfile of HijackThis v1.99.1
Scan saved at 8:44:59 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RegEasy.exe] C:\Program Files\RegistryEasy\RegEasy.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZJ
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 64.233.217.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

************************************************************

AVG Anti-Spyware Log:
==============================================
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:34:48 PM 2/10/2007

+ Scan result:



C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0082633.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Ldresb\Ldresb.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Ldresb\setup.dat -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0082635.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\stub_sca3[1].exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0082634.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\Mendoza1[1].exe -> Downloader.Agent.a : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\howywyqe.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\MSN\kyzeze.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\numair\Cookies\numair@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\kaleb\Cookies\kaleb@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@ehg-melbourneit.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\kaleb\Cookies\kaleb@searchportal.information[3].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\numair\Cookies\numair@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@network.realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\kaleb\Cookies\kaleb@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\kaleb\Cookies\kaleb@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\kaleb\Cookies\kaleb@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\kaleb\Cookies\kaleb@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\WINDOWS\system32\ssqpp.dll -> Trojan.Conhook.ah : Cleaned with backup (quarantined).
C:\i386\ssqpp.dll -> Trojan.Conhook.ah : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\teller2[1].htm -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Edited by Kaleb515, 10 February 2007 - 10:53 PM.


#6 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 11 February 2007 - 04:05 PM

Hi Kaleb515,

But the VundoFix.EXE Didn't find anything at all.

Was there still no logfile created? Even if it did not find anything, can you make sure you post all logs we ask for. This makes it easier for us to get the "full picture" of your pc problems. The created log is called C:\vundofix.txt.

Also I can't find the Trend Micro to uninstall it, I tried everything.

This is fine too. I just asked you to uninstall it, because the HijackThis log indicated that it might still be installed.

Run HijackThis, press Scan, and put a check mark next to all these entries:

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZJ
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Please copy and paste the following text into Notepad:

REM Stop each orphaned Trend Micro service, then remove its registration
REM (the binaries are already gone, only the service entries remain)
sc stop PcCtlCom
sc delete PcCtlCom
sc stop PcScnSrv
sc delete PcScnSrv
sc stop Tmntsrv
sc delete Tmntsrv
sc stop TmPfw
sc delete TmPfw
sc stop tmproxy
sc delete tmproxy
REM Finally remove this batch file from the Desktop
del services.bat

Save this as "services.bat" (choose "All files" as the file type) and place it on your Desktop.
Double-click services.bat. Soon it should disappear from your Desktop; this is fine.

Please now delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

C:\WINDOWS\system32\Ldresb <-- this folder

Clean out your Temporary Internet files. Proceed like this:

*For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Please do an online scan with Kaspersky Webscan

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please report back with the KAV log and the Vundofix log. Thanks, Johannes

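The entries Johannes singles out in posts #4 and #6 fall into a few recognisable shapes: O2/O18/R3 references whose file is gone, an O20 Winlogon Notify DLL that is registered but missing, an O4 Run value with a random-looking name, and O23 services whose binaries no longer exist. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any BleepingComputer tool. It parses HijackThis 1.99-style log lines, flags those same kinds of entries, and generates the sc stop/sc delete lines of the services.bat above for every O23 service marked "(file missing)". The sample log is a constructed subset of the first log posted in this thread; the random-name heuristic, the O17 "verify the DNS server" flag and all function names are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.99-style log and emit `sc` commands for orphaned services.

Added example for this page; not code from the thread, HijackThis or BleepingComputer.
The heuristics below are this example's assumptions, not HijackThis rules.
"""
import re

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {875f4a29-3825-4fc1-ba4d-dc199a37a48b} - C:\WINDOWS\system32\ipsxdb.dll (file missing)
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\oZkley.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] "C:\path\to\file.exe" args
O4_RE = re.compile(r'^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>.+?\.exe)', re.I)
# O23 body: Display Name (ShortName) - Owner - C:\path (file missing)
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (section, body) for every 'Xn - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def looks_random(token):
    """Heuristic (assumption): a bare 6-12 char alphanumeric token containing digits and
    either mixed case or very few vowels, e.g. Hhl7RfpJ or ssn6tuu.exe."""
    stem = token.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z0-9]{6,12}", stem):
        return False
    has_digit = any(c.isdigit() for c in stem)
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    vowel_ratio = sum(c.lower() in "aeiou" for c in stem) / len(stem)
    return has_digit and (mixed_case or vowel_ratio < 0.3)


def triage(entries):
    """Return (section, reason, body) for entries worth a closer look."""
    findings = []
    for sect, body in entries:
        missing = "(file missing)" in body or "(no file)" in body
        if sect == "O20":
            if missing:
                findings.append((sect, "Winlogon Notify DLL is gone but still registered; fix the entry", body))
        elif sect == "O23":
            if missing:
                findings.append((sect, "service binary is missing; stop and delete the service", body))
        elif sect == "O4":
            m = O4_RE.match(body)
            if missing:
                findings.append((sect, "Run value points at a missing file", body))
            elif m and (looks_random(m.group("name")) or looks_random(m.group("path").rsplit("\\", 1)[-1])):
                findings.append((sect, "Run value or its target has a random-looking name", body))
        elif sect == "O17":
            findings.append((sect, "DNS/search list set in the registry; confirm the address is your ISP's", body))
        elif missing:
            findings.append((sect, "entry references a file that no longer exists", body))
    return findings


def orphaned_services(entries):
    """Short names of O23 services whose executable is reported missing."""
    names = []
    for sect, body in entries:
        if sect != "O23" or "(file missing)" not in body:
            continue
        m = O23_RE.match(body)
        if m:
            names.append(m.group("short") or m.group("display"))
    return names


def sc_script(names):
    """Batch lines in the same shape as the services.bat posted above."""
    lines = []
    for n in names:
        lines += [f"sc stop {n}", f"sc delete {n}"]
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for sect, reason, body in triage(entries):
        print(f"{sect}: {reason}\n    {body}")
    print(sc_script(orphaned_services(entries)), end="")
```

Run it as a plain script to print the findings and the generated batch lines; to triage a real log, replace SAMPLE_LOG with the contents of a saved hijackthis.log. The heuristics only shorten the list a reader has to look at: a flagged entry still needs the judgement a helper applies (the AVG and Adobe entries in the sample are deliberately left alone), and a clean result is not proof of a clean machine, which is the same caveat Johannes gives at the top of the thread.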


#7 Kaleb515
  • Topic Starter

  • Members
  • 18 posts

Posted 11 February 2007 - 07:08 PM

Please do an online scan with Kaspersky Webscan

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please report back with the KAV log and the Vundofix log. Thanks, Johannes


I did everything I COULD do; the following above is what I COULDN'T do.

#1 When I went to that website I tried doing that scan, and when I clicked to install that ActiveX, it redirected me to that screen (when you first click the button) where it says Accept or Decline, but it didn't have the Accept or Decline buttons, so I tried again and it still did the same thing! Please help!

#2 I looked everywhere for the VundoFix log, and I can't find it. It still comes up with nothing. So unfortunately all I have is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:49 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RegEasy.exe] C:\Program Files\RegistryEasy\RegEasy.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 64.233.217.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Edited by Kaleb515, 11 February 2007 - 07:17 PM.


#8 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
Posted 12 February 2007 - 04:42 PM

Hi Kaleb515,
  • Download Dr.Web CureIt to the desktop: drweb-cureit.exe
    • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found (see screenshot).
  • If so, click it, then click the next icon right below and select "Move incurable", as shown in the next screenshot.
  • This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv. I need that log later.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
Does VundoFix give you any error? It's weird that you cannot locate "C:\vundofix.txt".

Please boot back into normal mode and do the following: go to Start > Run and paste the following: C:\vundofix.txt

Next, press enter. If a notepad / texteditor window opens, please copy the contents and post it, along with your DrWeb Cureit report ( DrWeb.csv ), in the next reply.



#9 Kaleb515
  • Topic Starter
  • Members
  • 18 posts

Posted 12 February 2007 - 09:34 PM

Alright, everything went swell! But I also added a new/fresh HijackThis log at the bottom.

VundoFix.TXT
************************************************************

VundoFix V6.3.6

Checking Java version...

Scan started at 6:22:34 PM 2/10/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.6

Checking Java version...

Scan started at 7:10:04 PM 2/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.6

Checking Java version...

Scan started at 5:29:54 PM 2/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



++++++++++++++++++++++++++++++++++++++++++++++



DrWeb.CSV
************************************************************
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\0HMBWLAJ;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\7EKNV54X;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\7EKNV54X;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\7EKNV54X;Trojan.Click.1394;Deleted.;
popup[4].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\7EKNV54X;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\80AB34E6;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\80AB34E6;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\80AB34E6;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\8DAZ45UN;Trojan.Click.1394;Deleted.;
loveportal[1].htm\javascript.0;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V\loveportal[1].htm;Exploit.VMLFill;;
loveportal[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V;Archive contains infected objects;Moved.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V;Trojan.Click.1394;Deleted.;
popup[4].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\FSH9750J;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\G5QVWLAV;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\GPSJGFOZ;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\GPSJGFOZ;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\KLU701AN;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\KLU701AN;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\KLU701AN;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\WTY3OTA7;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\WTY3OTA7;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\XI9CD7G2;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\XI9CD7G2;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\XI9CD7G2;Trojan.Click.1394;Deleted.;
popup[4].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\XI9CD7G2;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\YQRJK3MW;Trojan.Click.1394;Deleted.;
popup[2].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\YQRJK3MW;Trojan.Click.1394;Deleted.;
popup[3].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\YQRJK3MW;Trojan.Click.1394;Deleted.;
popup[4].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\YQRJK3MW;Trojan.Click.1394;Deleted.;
A0061077.scr;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061078.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Websearch;Incurable.Moved.;
A0061083.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061085.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Trojan.Isbar.438;Deleted.;
A0061088.SCR;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061090.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061091.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061092.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Trojan.DownLoader.7028;Deleted.;
A0061094.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061097.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.MWS;Incurable.Moved.;
A0061101.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061102.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061103.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Websearch;Incurable.Moved.;
A0061104.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0061114.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP210;Adware.MWS;Incurable.Moved.;
A0061117.DLL;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP210;Adware.Msearch;Incurable.Moved.;
A0061118.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP210;Adware.Websearch;Incurable.Moved.;
A0061129.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP210;Adware.Msearch;Incurable.Moved.;
A0082781.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250;Trojan.DownLoader.10588;Deleted.;
A0082782.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250;Adware.Effbar;Incurable.Moved.;



++++++++++++++++++++++++++++++++++++++++++++++


Hijackthis.LOG
************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 9:28:56 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RegEasy.exe] C:\Program Files\RegistryEasy\RegEasy.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 64.233.217.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

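The three reports in the post above are all plain text, and the useful questions about them are mechanical: did any startup entry change between the two HijackThis logs, which HijackThis sections deserve a second look, and how many of the Dr.Web detections sit in inactive locations (old System Restore points, the IE cache) versus anywhere else. The following is an added example written for this page, not a tool from the thread or from the HijackThis or Dr.Web authors. Its sample inputs are constructed: a handful of lines copied from the logs above, not the complete logs, and the process list in the "after" sample is shortened.

```python
"""Triage helpers for a HijackThis 1.99.x log and a Dr.Web CureIt DrWeb.csv.
Added example; sample data is constructed from a few lines of the thread's logs."""
import re
from collections import Counter

# Constructed sample: abbreviated 2/11 HijackThis log (before Dr.Web CureIt ran).
HJT_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:03:49 PM, on 2/11/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [RegEasy.exe] C:\Program Files\RegistryEasy\RegEasy.exe
O4 - Startup: PowerReg Scheduler V3.exe
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""
# Constructed sample: the 2/12 log, which differs only by wuauclt.exe (Windows Update) running.
HJT_AFTER = HJT_BEFORE.replace("7:03:49 PM, on 2/11/2007", "9:28:56 PM, on 2/12/2007").replace(
    r"C:\WINDOWS\Explorer.EXE", "C:\\WINDOWS\\system32\\wuauclt.exe\nC:\\WINDOWS\\Explorer.EXE")

ENTRY_RE = re.compile(r"^([RF]\d|O\d+) - ")
# Sections that change name resolution or load code at logon. Not automatically bad,
# but they are the entries to read first in any log.
REVIEW_SECTIONS = {"O17": "TCP/IP DNS / search-list setting", "O20": "Winlogon Notify DLL"}


def parse_hjt(text):
    """Split a HijackThis log into its process list and its (section, line) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                      # a blank line ends the process list
            if line:
                processes.append(line)
            else:
                in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return {"processes": processes, "entries": entries}


def diff_hjt(before, after):
    """What appeared and what disappeared between two logs of the same machine."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "processes_added": sorted(set(a["processes"]) - set(b["processes"])),
        "processes_removed": sorted(set(b["processes"]) - set(a["processes"])),
        "entries_added": sorted(set(a["entries"]) - set(b["entries"])),
        "entries_removed": sorted(set(b["entries"]) - set(a["entries"])),
    }


def entries_to_review(text):
    """Entries from REVIEW_SECTIONS with a one-line reason, in log order."""
    return [(sec, REVIEW_SECTIONS[sec], line)
            for sec, line in parse_hjt(text)["entries"] if sec in REVIEW_SECTIONS]


# Constructed sample: six rows copied from the DrWeb.csv posted above.
DRWEB_CSV = r"""popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\0HMBWLAJ;Trojan.Click.1394;Deleted.;
popup[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\7EKNV54X;Trojan.Click.1394;Deleted.;
loveportal[1].htm\javascript.0;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V\loveportal[1].htm;Exploit.VMLFill;;
loveportal[1].htm;C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\F7ZI1K3V;Archive contains infected objects;Moved.;
A0061077.scr;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP209;Adware.Msearch;Incurable.Moved.;
A0082781.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250;Trojan.DownLoader.10588;Deleted.;
"""


def parse_drweb(text):
    """Rows are 'name;location;threat;action;' with a trailing ';'; action may be empty."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, location, threat, action = (line.split(";") + [""] * 4)[:4]
            rows.append({"name": name, "location": location, "threat": threat, "action": action})
    return rows


def classify_location(path):
    """Old restore points and the IE cache hold inert copies, not running code."""
    if "\\System Volume Information\\_restore" in path:
        return "restore point"
    if "\\Temporary Internet Files\\" in path:
        return "IE cache"
    return "other"


def summarize_drweb(rows):
    return {
        "by_threat": Counter(r["threat"] for r in rows),
        "by_location": Counter(classify_location(r["location"]) for r in rows),
        "no_action": [r["name"] for r in rows if not r["action"]],  # detected, nothing done
    }
```

Run against the samples, `diff_hjt` reports one new process (wuauclt.exe) and no change at all in the R/F/O entries, which matches the thread: the Dr.Web pass removed cached pages and restore-point copies but touched nothing that loads at startup. `summarize_drweb` puts every sample detection in the IE cache or a restore point and lists the one row whose action field is empty (the object inside the archived page), which is worth noting because the next row shows the enclosing archive was moved, not deleted.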
#10 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 13 February 2007 - 03:29 PM

Hi Kaleb515,

Also, my computer still seems to be running very slow, and it NEVER did this...
Now when I turn on my computer a Blue Screen Appears with white text saying something about the computer encountering a disk error and needs to be restarted, So I restarted and it took me to a black screen asking if I want to start Windows Normally or Safe Mode... =(

Are you still having such problems?

Please navigate to Start > Run and type: C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\ > hit Enter.
Please now hit your "Ctrl" key and "a" at the same time. Alternatively you can go to "Edit" > "Select All". Please now press the "Delete" button.

Please navigate to the following folder and delete everything that it contains:

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine

Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.
Hide System Files
  • Click Start.
  • Open My Computer.
  • Select Tools menu
  • Click Folder Options.
  • Select the View Tab.
  • Uncheck Show hidden files and folders in the Hidden files and folders section.
  • Select Hide protected operating system files (recommended) option.
  • Check the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.
Please report back and answer my question at the beginning of this post and let me know how you are doing. If all is going well, I will give you some final tips for safer surfing.

Thanks



#11 Kaleb515
  • Topic Starter
  • Members
  • 18 posts

Posted 13 February 2007 - 04:59 PM

My computer is STILL performing slowly. By the way, I did everything you told me to in the above post.

Please navigate to Start > Run and type: C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\ > hit Enter.
Please now hit your "Ctrl" key and "a" at the same time. Alternatively you can go to "Edit" > "Select All". Please now press the "Delete" button.


This I COULDN'T do. When I typed it in Run, it gave me an error message:

"Windows cannot find 'C:\Documents' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click search."

So I tried doing it manually by clicking My Computer and clicking Local Disk (C:), then I clicked Documents and Settings, then clicked the folder "unlimited". I got an error message:

"C:\Documents and Settings\unlimited is not accessible.

Access is denied."

Hopefully my computer will be running fast and smooth again. =(


Logfile of HijackThis v1.99.1
Scan saved at 5:28:41 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RegEasy.exe] C:\Program Files\RegistryEasy\RegEasy.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 64.233.217.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{22847D17-41EC-475A-89B4-3EF69C17E8D1}: NameServer = 64.233.217.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Edited by Kaleb515, 13 February 2007 - 05:33 PM.


#12 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 14 February 2007 - 03:53 AM

Hi,

Sorry, my fault: please copy the following instead into the text box of the "Run" command: "C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\"
Thanks



#13 Kaleb515
  • Topic Starter
  • Members
  • 18 posts

Posted 14 February 2007 - 02:14 PM

I'm still getting the SAME Error Message.

#14 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 14 February 2007 - 05:05 PM

Hi Kaleb515,

Please navigate to Start > Run and type:

"C:\Documents and Settings\unlimited\Local Settings\Temporary Internet Files\Content.IE5\"

Hit Enter.

Please now hit your "Ctrl" key and "a" at the same time. Alternatively you can go to "Edit" > "Select All". Please now press the "Delete" button.



#15 Kaleb515
  • Topic Starter
  • Members
  • 18 posts

Posted 14 February 2007 - 05:44 PM

I don't think you get it (not trying to sound rude). I told you twice I'm getting an error message; below is a screencap.

[screenshot of the error message]

Edited by Kaleb515, 14 February 2007 - 05:45 PM.
