[Resolved] Problem: BHO, Agent.CK?, Check_lsa7, Etc.


  • This topic is locked
9 replies to this topic

#1 Kwystina

    Authentic Member
  • 47 posts
  • Interests: Digital Art

Posted 01 October 2007 - 02:30 PM

Hey, I've recently reformatted my computer due to some issues and now I'm infected with these things:
The Vundo stuff
The Check_LSA7 text file
My Firefox lags insanely and freezes up every once in a while..
And all these other pop ups... Which I assume are the Vundo things..

I've googled up many solutions but none of them seem to work..
I came upon this thread:
http://forums.whatth...way_t83040.html

But the problem is that ComboFix shows all these "Send Error Reports" for things like REG.EXE 5 times before telling me I'm not the administrator of the computer (which I am). The VundoFix wasn't able to delete all the files even after rebooting 3 times.
Well, enough chit-chat, I really want to get this fixed..
Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:25:20 PM, on 01/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Crispitos\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bkglfyek.dll",sitypnow
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Thanks in advance guys.

Ah, I restarted my computer and tried ComboFix again, here's the log..

ComboFix 07-10-02.2 - Crispitos 2007-10-01 16:48:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.589 [GMT -4:00]
Running from: C:\Documents and Settings\Crispitos\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ijllm.bak2
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\opnnkkh.dll
C:\WINDOWS\system32\winzwr32.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-01 16:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 16:08 87,104 --a------ C:\WINDOWS\system32\bkglfyek.dll
2007-10-01 15:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-30 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-30 22:34 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-30 17:55 <DIR> d-a------ C:\Program Files\SurvivalProject
2007-09-30 17:49 <DIR> d-------- C:\Program Files\Ventrilo
2007-09-30 17:38 <DIR> d-------- C:\Program Files\Ares
2007-09-30 17:25 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-30 17:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-30 17:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-30 17:18 <DIR> dr-h----- C:\MSOCache
2007-09-30 16:26 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-30 16:26 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-09-30 16:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2007-09-30 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-30 16:11 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-09-30 16:06 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\Ventrilo
2007-09-30 16:03 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-30 16:03 <DIR> d-------- C:\Program Files\VentSrv
2007-09-30 16:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 16:02 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-30 12:05 <DIR> d-------- C:\Program Files\Steam
2007-09-30 12:00 <DIR> d-------- C:\WINDOWS\pss
2007-09-30 11:58 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-30 11:58 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-30 11:58 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-30 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-09-30 11:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-30 11:47 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-30 11:47 <DIR> d-------- C:\Documents and Settings\Crispitos\Contacts
2007-09-30 11:45 <DIR> d---s---- C:\Documents and Settings\Crispitos\UserData
2007-09-30 11:42 <DIR> d--h----- C:\Documents and Settings\Crispitos\Application Data\Gtek
2007-09-30 11:42 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\You've Got Pictures Screensaver
2007-09-30 11:42 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\McAfee.com Personal Firewall
2007-09-30 11:40 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-09-30 11:39 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-09-30 11:39 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-09-30 11:33 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-30 11:33 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-30 11:33 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-30 11:31 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-09-30 11:29 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\WinRAR
2007-09-30 11:26 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-30 11:26 <DIR> d-------- C:\Program Files\DellSupport

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-30 17:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-30 12:06 --------- d-------- C:\Program Files\Common Files\Real
2007-09-30 11:50 --------- d-------- C:\Program Files\Dell
2007-09-30 11:43 --------- d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-09-30 11:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\GTek
2007-09-30 11:19 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-07-30 22:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 22:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 22:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 22:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 22:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 22:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 22:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 22:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 22:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 22:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 22:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 22:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 22:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 22:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 22:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-30 11:33]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"SearchIndexer"="C:\WINDOWS\system32\bkglfyek.dll" [2007-10-01 16:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-10-01 16:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 10:16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

S3 IOIDDEV;IOIDDEV;\??\C:\Program Files\SurvivalProject\config\ioid.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 16:52:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-02 16:54:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 16:54
.
--- E O F ---
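The HijackThis and ComboFix logs above are read by hand in this thread. The following is an added example, not part of the original post and not code from HijackThis or ComboFix, showing how the same triage reasoning can be written down as heuristics and run over log lines: a Run entry that loads a system32 DLL through rundll32.exe, a BHO whose CLSID is registered but whose file is gone, a Winsock LSP entry pointing at a missing DLL, and a service with no publisher string. The sample lines are constructed to mirror the log above, and the vowel-ratio name check, its 25% threshold and the severity labels are assumptions chosen for illustration.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted in this
# thread; this is not the full log and the mix is chosen for illustration.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bkglfyek.dll",sitypnow
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")        # "O4 - <body>"
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
VOWELS = set("aeiou")


def looks_random(stem):
    """Crude check for machine-generated names such as bkglfyek or opnnkkh:
    all lowercase letters, at least five of them, and under 25% vowels.
    The threshold is an assumption; treat a hit as a prompt to inspect."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 5):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.25


def file_stem(path):
    """'C:\\x\\y\\name.dll' -> 'name'"""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def parse_line(line):
    """Split one HijackThis line into (section tag, body); None if not one."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _finding(section, target, severity, reasons):
    return {"section": section, "target": target,
            "severity": severity, "reasons": reasons}


def triage(log_text):
    """Apply the thread's triage reasoning to every line; return findings
    in log order. Lines that match no heuristic are silently accepted."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        lower = body.lower()
        if section == "O4" and "rundll32" in lower:
            # Vundo-style autorun: rundll32.exe "<dll>",<export>
            m = DLL_RE.search(body)
            path = m.group(1) if m else "(unparsed)"
            reasons = ["autorun entry executes a DLL through rundll32.exe"]
            if "\\system32\\" in path.lower():
                reasons.append("DLL sits in system32 instead of a program folder")
            if looks_random(file_stem(path)):
                reasons.append("file name looks machine-generated")
            severity = "high" if len(reasons) == 3 else "medium"
            findings.append(_finding(section, path, severity, reasons))
        elif section == "O2" and "(no file)" in lower:
            # CLSID still registered but the BHO DLL is gone: orphan, safe cleanup
            m = CLSID_RE.search(body)
            findings.append(_finding(section, m.group(0) if m else "(no clsid)", "low",
                                     ["BHO CLSID registered but its DLL is missing"]))
        elif section == "O10":
            # Winsock LSP chain points at a missing DLL; repair the chain,
            # do not just delete the entry or networking stays broken
            m = re.search(r"'([^']+)'", body)
            findings.append(_finding(section, m.group(1) if m else "(unparsed)", "medium",
                                     ["LSP provider missing; repair the Winsock chain"]))
        elif section == "O23" and "unknown owner" in lower:
            # No publisher string on the service binary: verify the file by hand
            m = re.search(r"-\s+([A-Za-z]:\\.+)$", body)
            findings.append(_finding(section, m.group(1) if m else "(unparsed)", "info",
                                     ["service binary has no publisher string"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'low': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:4} {f['target']}")
        for r in f["reasons"]:
            print(f"         - {r}")
    print(summarize(triage(SAMPLE_LOG)))
```

The name check is deliberately crude and will also catch some legitimate short names (the legitimate DellSupport service above is reported only as "info" for the same reason), so a hit is a cue to check the file's publisher, signature and creation time against the ComboFix "Files Created" section, not a verdict on its own. The O10 rule reports rather than deletes because removing an LSP entry without repairing the chain is what leaves a machine with no network access.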



#2 IndiGenus

    Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 01 October 2007 - 04:18 PM

Hi Kwystina and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • NOTE: Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start, if possible.

-------------------------------

I need you to do a couple of things before we clean this up. One, create a permanent folder for HJT, and two, rename HJT. I gave you instructions on how to do each step but you can combine it into one if you like. ie. Just rename it right before or after it's moved.

You are running HijackThis from the desktop. I recommend that you move HJT to its own permanent folder so any backups that HJT makes will not be accidentally deleted or lost.

Please do the following: Create a new permanent folder in a convenient location that you will remember. To do this:
  • Open Windows Explorer.
  • Select the drive or folder that you would like to put HJT in.
  • From the menu select File > New > Folder.
  • Rename the folder to something you will remember (ie HJT, HijackThis, etc...).
  • Now move HJT to the new folder that you created.
I need you to rename Hijackthis due to the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
  • Right-click on it, then select Rename.
  • Name it something like: FindVundo.exe (or whatever you want) - Just make sure to keep the .exe part.
  • Then double-click the renamed HJT to scan and then post the new logfile.

IndiGenus


Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 LDTate

    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 01 October 2007 - 04:21 PM

removed....didn't see IndiGenus' reply

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom



#4 Kwystina

    Authentic Member
  • 47 posts
  • Interests: Digital Art

Posted 01 October 2007 - 04:34 PM

Here's the new log:
Logfile of HijackThis v1.99.1
Scan saved at 6:29:13 PM, on 02/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Steam\Steam.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bkglfyek.dll",sitypnow
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


Here's the new ComboFix log:
ComboFix 07-10-02.2 - Crispitos 2007-10-02 18:30:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT -4:00]
Running from: C:\Documents and Settings\Crispitos\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Crispitos\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\bkglfyek.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bkglfyek.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 18:28 <DIR> d-------- C:\HJT
2007-10-01 16:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 15:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-30 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-30 22:34 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-30 17:55 <DIR> d-a------ C:\Program Files\SurvivalProject
2007-09-30 17:49 <DIR> d-------- C:\Program Files\Ventrilo
2007-09-30 17:38 <DIR> d-------- C:\Program Files\Ares
2007-09-30 17:25 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-30 17:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-30 17:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-30 17:18 <DIR> dr-h----- C:\MSOCache
2007-09-30 16:26 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-30 16:26 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-09-30 16:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2007-09-30 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-30 16:11 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-09-30 16:06 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\Ventrilo
2007-09-30 16:03 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-30 16:03 <DIR> d-------- C:\Program Files\VentSrv
2007-09-30 16:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 16:02 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-30 12:05 <DIR> d-------- C:\Program Files\Steam
2007-09-30 12:00 <DIR> d-------- C:\WINDOWS\pss
2007-09-30 11:58 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-30 11:58 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-30 11:58 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-30 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-09-30 11:47 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-30 11:47 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-30 11:47 <DIR> d-------- C:\Documents and Settings\Crispitos\Contacts
2007-09-30 11:45 <DIR> d---s---- C:\Documents and Settings\Crispitos\UserData
2007-09-30 11:42 <DIR> d--h----- C:\Documents and Settings\Crispitos\Application Data\Gtek
2007-09-30 11:42 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\You've Got Pictures Screensaver
2007-09-30 11:42 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\McAfee.com Personal Firewall
2007-09-30 11:40 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-09-30 11:39 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-09-30 11:39 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-09-30 11:33 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-30 11:33 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-30 11:33 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-30 11:31 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-09-30 11:29 <DIR> d-------- C:\Documents and Settings\Crispitos\Application Data\WinRAR
2007-09-30 11:26 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-30 11:26 <DIR> d-------- C:\Program Files\DellSupport

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-30 17:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-30 12:06 --------- d-------- C:\Program Files\Common Files\Real
2007-09-30 11:50 --------- d-------- C:\Program Files\Dell
2007-09-30 11:43 --------- d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-09-30 11:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\GTek
2007-09-30 11:19 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-30 11:33]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-10-01 16:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 10:16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

S3 IOIDDEV;IOIDDEV;\??\C:\Program Files\SurvivalProject\config\ioid.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 18:33:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-02 18:34:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 18:34
C:\ComboFix2.txt ... 2007-10-02 16:54
.
--- E O F ---


Oh, and another thing to add, my taskbar always resets *I set quick launch and WMP toolbars but they always disappear and I have to re-apply..* and my Windows Firewall seems to "reset" too.. The applications need to be re-unblocked..

Thanks btw for all the help ^_^

Edited by Kwystina, 01 October 2007 - 04:42 PM.


#5 IndiGenus

    Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 01 October 2007 - 05:53 PM

Hi,

HijackThis looks pretty good. Let's do some updating as your Java is WAY behind on updates. Also run a Spyware scan.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586.exe to install the newest version.
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


We Now Need To Boot Into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc (BOOT SCREEN).
At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Run AVG

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button. This must be done before saving the report.
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.

Restart into normal mode and post the AVG Log and a new HJT Log. Also, how are things now?
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#6 Kwystina

Kwystina

    Authentic Member

  • Authentic Member
  • PipPip
  • 47 posts
  • Interests:Digital Art

Posted 01 October 2007 - 07:42 PM

I'm very sorry, but after the AVG scan (Safe mode) I wasn't able to access the internet so I missed the AVG Log request.. I can tell you that there was only 1 item on the list, it was Agent or something.. If you want me to do it again then please tell me (took forever)

EDIT:
Here's what I got for AVG Quarantine list:

C:\System Volume Information\_restore\{a lot of numbers}\RP23\A0005260.exe
Infected with: Downloader.Agent.dlu
Risk: High

Here's my new HJT log though:
Logfile of HijackThis v1.99.1
Scan saved at 9:35:30 PM, on 01/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Steam\Steam.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Edited by Kwystina, 01 October 2007 - 07:48 PM.
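Reading a HijackThis log by hand, as the helper does above, mostly comes down to spotting registered objects whose backing file is missing or that carry no name or publisher. As an added example (not code from this thread or from HijackThis), here is a small Python parser for the O-line format shown in the log above; the sample lines are constructed from entries in that log, and the triage rules it applies are my own assumptions for review purposes, not a verdict that any entry is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines shaped like the HijackThis log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# An HJT entry is "<section code> - <body>", e.g. "O2 - BHO: ..."; other lines
# (headers, the process list, blanks) are skipped.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]          # CLSID if the entry carries one (O2/O9/O18 ...)
    path: Optional[str]           # last " - " separated field, normally the file path
    findings: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Parse every section entry in an HJT log and attach review findings (assumed rules)."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid_m = CLSID.search(body)
        path = body.rsplit(" - ", 1)[-1] if " - " in body else None
        findings = []
        if "(no file)" in body:
            findings.append("orphaned entry: registered object whose file is missing")
        if "(no name)" in body and code in ("O2", "O9"):
            findings.append("unnamed BHO/button: no descriptive name registered")
        if code == "O23" and "Unknown owner" in body:
            findings.append("service without a publisher string")
        entries.append(Entry(code, body, clsid_m.group(0) if clsid_m else None, path, findings))
    return entries


def triage(text: str) -> List[Entry]:
    """Return only the entries that a reviewer should look at first."""
    return [e for e in parse_hjt(text) if e.findings]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.code, e.clsid or "-", e.path, "|", "; ".join(e.findings))
```

Orphaned "(no file)" entries are often leftovers from an uninstall rather than active malware; the point of the triage is to surface them for a fix in HijackThis, not to decide on its own.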


#7 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 01 October 2007 - 08:10 PM

Looks good, how is it running now?
IndiGenus



#8 Kwystina

Kwystina

    Authentic Member

  • Authentic Member
  • PipPip
  • 47 posts
  • Interests:Digital Art

Posted 01 October 2007 - 08:18 PM

Looks good, how is it running now?


Great! Thanks so much IndiGenus. I love you long time ^_^

#9 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 01 October 2007 - 08:39 PM

I love you long time


Thank you...:blush:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
Sunbelt Personal Firewall
Outpost Firewall
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE. You should also scan your computer with the program on a regular basis just as you would with antivirus software, in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use IESpy-Ad - IESpy-Ad will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.

http://forums.tomcoy...mp;#entry257163

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
IndiGenus



#10 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 06 October 2007 - 03:53 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
IndiGenus
