High CPU usage by csrss.exe, winlogon, and ie_updater.exe



Kataki
2007-05-02, 22:16
About two months ago my computer had essentially stopped working because of malware (possibly from a virus I somehow got through the game "Garry's Mod"). I thought I had removed the problem software/virus and even reformatted. Then last week I had similar problems and after running Spybot, HijackThis and VundoFix they seemed to stop bothering me. This week I am having similar problems, and my computer stops and heavily stutters for about 30 seconds at a time, making it difficult even to type this paragraph. I have run Spybot and VundoFix in safe mode and they picked up spyware but for the life of me I can't remember which ones.

Here is my HJT log, thanks for any help:

Logfile of HijackThis v1.99.1
Scan saved at 3:55:46 PM, on 5/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\WINDOWS\dsrss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jordan\Desktop\Hijackthis.exe
C:\WINDOWS\System32\svchost.exe

O2 - BHO: C:\WINDOWS\System32\ldfksdioduihj.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\ldfksdioduihj.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\pwovz.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\Jordan\ie_updater.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

Kataki
2007-05-02, 22:24
I am aware I have service pack 1 but I wanted to clean this spyware up before I installed sp 2.

pskelley
2007-05-04, 13:21
Welcome to the forum. Nothing but bad news: you are very infected, with some really nasty backdoor trojans:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Xorpix.Fam&threatid=44436
http://www.greatis.com/appdata/d/i/ie_updater.exe.htm
http://research.sunbelt-software.com/threatdisplay.aspx?name=Dimpy.Win32VBsy&threatid=42685
That is not all either, only what I could identify.

For your safety and security I need to post this information for you:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

I would also like to request that you do not quote the information, that is just a waste of space when we can scroll to the information if we need to view it.

Thanks

Kataki
2007-05-04, 16:07
Sorry, I was trying to edit while my computer was chugging (as in completely stopping for about 10 seconds at a time every 5 or so seconds) and I thought that was the edit button.

Thanks for the info, I only use this computer to play games and do homework etc., but could the trojan infect computers on my network?

If not, I'd rather hold off on the reformat as I just got everything set up the way I need it and don't have room to back up my art etc.

What would be the best way to remove these trojans other than reformatting?

pskelley
2007-05-04, 16:15
"Thanks for the info, I only use this computer to play games and do homework etc, but could the trojan infect computer on my network"

Yes of course, if you are on a Network, I would pull the plug, though there is a good chance the damage has been done?

Kataki
2007-05-04, 22:47
Not that I know of, the other PCs in the house haven't been acting up at all, and I have a router from my PC which goes to the main router.

Should I just use house call to remove the trojans you mentioned?

I'm pretty sure all of this started just because I tried to play Garry's Mod 9. Apparently a group of hackers/script kiddies thought it would be cool to utilize the Lua scripts that the game uses to upload viruses to game servers. Then players would download the infected files as admin mods and their computer became infected the next time they rebooted. The worst part about the virii is they are (rather were, McAfee has since updated, not sure about others) undetectable by nearly all anti-virus programs.

You had to use specific anti-virus/virus-removal tools to have any chance against the virii. (After doing a little research and making sure the AV tools were legit, as there were plenty of other fake AV tools that were just viruses. The legit AV tools were on this website www.gmodsecurity.com/ but have been taken down as that version of Gmod is no longer supported.)

If you wanted a little more information about the infection I had here you go>
http://www.symantec.com/enterprise/security_response/weblog/2006/10/viruswriters_narrow_their_focu.html

Thought I'd give you a heads up so you know better what kind of infection I have.

pskelley
2007-05-04, 23:37
To make sure we are on the same page, I assumed you posted for our help. If you want to remove the malware yourself, you are more than welcome to do that. If you want my help, it will require following my directions. I will assume you want help and start posting instructions that may take a while to complete. I strongly suggest, because this junk can download more when you are online, that you keep this computer offline except when you are troubleshooting these issues.

Please review these instructions again so we can be sure we are both on the same page: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.

So you will know, the tool we will run first will remove some of the infections, we will use HJT and manually remove more. If the items are not there when you get to the instructions do not be concerned, just do not miss any.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.


4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: C:\WINDOWS\System32\ldfksdioduihj.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\ldfksdioduihj.dll
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\pwovz.dll
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\Jordan\ie_updater.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\dsrss.exe <<< delete that file

C:\WINDOWS\System32\rpcc1.dll <<< delete that file

C:\Documents and Settings\Jordan\ie_updater.exe <<< delete that file

C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\partnership.dll <<< delete that file

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Report.txt from SDFix and a new HJT log.

Thanks
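
The signals pskelley applies by eye in the post above (a Winlogon Notify or SSODL DLL, a service with no owner, a binary under Documents and Settings, dsrss.exe sitting one letter away from csrss.exe, and the C:\WINDOWS\Sm9yZGFu\ folder in the SDFix report, whose name is just "Jordan" base64-encoded) can be written down as a small triage pass over the log text. The script below is an added example, not code from this thread, from HijackThis or from SDFix. The sample lines are trimmed from the logs posted above; the heuristics, the function names, and in particular the "BHO shows a path instead of a product name" and "claims Microsoft without Microsoft version info" checks are my own assumptions about what a suspicious line looks like, not documented HijackThis behaviour.

```python
import base64
import ntpath
import re

# Sample input: HijackThis lines trimmed from the logs in this thread and two of
# the hidden-attribute paths from the SDFix report (constructed excerpt).
SAMPLE_HJT = """\
O2 - BHO: C:\\WINDOWS\\System32\\ldfksdioduihj.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\\WINDOWS\\System32\\ldfksdioduihj.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [WinSysModule] dsrss.exe
O20 - Winlogon Notify: rpcc1 - C:\\WINDOWS\\System32\\rpcc1.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\\WINDOWS\\System32\\pwovz.dll
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\\Documents and Settings\\Jordan\\ie_updater.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""
SAMPLE_HIDDEN = [
    r"C:\WINDOWS\Sm9yZGFu\asappsrv.dll",
    r"C:\WINDOWS\system32\drvmgr32.dll",
]

CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost"}
PATH_RE = re.compile(r"[a-z]:\\[^\"]*?\.(?:exe|dll)", re.I)
USER_PROFILE_RE = re.compile(r"\\documents and settings\\", re.I)


def levenshtein(a: str, b: str) -> int:
    # Plain edit distance; used to catch one-character process-name look-alikes.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str):
    """Core Windows process whose name this file imitates (distance 1), else None."""
    stem = ntpath.splitext(ntpath.basename(filename))[0].lower()
    if stem in CORE_PROCESSES:
        return None
    return next((c for c in CORE_PROCESSES if levenshtein(stem, c) == 1), None)


def triage_hjt(log: str) -> dict:
    """Map each suspicious HJT line to the reasons it was flagged (heuristics, not verdicts)."""
    findings = {}
    for line in log.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        paths = PATH_RE.findall(body)
        reasons = []
        if section in ("O20", "O21"):
            # Winlogon Notify / SSODL DLLs load into winlogon.exe or explorer.exe at
            # logon and are rare for legitimate software, so always review them.
            reasons.append(f"{section} loads a DLL at logon; verify the DLL")
        if section == "O2":
            name = body.split(" - ")[0].split(": ", 1)[-1]
            if name.lower().endswith(".dll"):  # assumption: legitimate BHOs show a product name
                reasons.append("BHO shows a file path instead of a product name")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no publisher version info")
            if "microsoft" in body.lower():
                reasons.append("claims Microsoft in its name without Microsoft version info")
        if section == "O4":
            parts = body.split("] ", 1)[-1].strip().strip('"').split()
            first = parts[0] if parts else ""
            if first and "\\" not in first and first.lower() != "rundll32.exe":
                reasons.append("bare file name, resolved through the PATH search")
            paths.append(first)
        if any(USER_PROFILE_RE.search(p) for p in paths):
            reasons.append("runs from a user profile, not Program Files or System32")
        if "(file missing)" in body:
            reasons.append("dangling entry; remove it so a dropper cannot re-arm it")
        for p in paths:
            core = lookalike(p)
            if core:
                reasons.append(f"file name imitates {core}.exe")
        if reasons:
            findings[line] = reasons
    return findings


def base64_username_dirs(paths, username: str) -> list:
    """Paths with a directory component that base64-decodes to the user name."""
    hits = []
    for p in paths:
        for part in p.split("\\")[1:-1]:
            try:
                decoded = base64.b64decode(part, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):  # not base64, or not text
                continue
            if decoded.lower() == username.lower():
                hits.append(p)
                break
    return hits


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_HJT).items():
        print(line, *("  - " + r for r in reasons), sep="\n")
    print("user-name-encoded dirs:", base64_username_dirs(SAMPLE_HIDDEN, "Jordan"))
```

Run as-is it prints the five lines pskelley asked to have fixed (the BHO, dsrss.exe, both Winlogon Notify/SSODL entries and the ie_updater.exe service) with the reason for each, leaves the NVIDIA entries alone, and reports the Sm9yZGFu folder. The output is a review list, not a removal list: a Winlogon Notify package or an "Unknown owner" service can be legitimate, so each hit still wants the file checked (the online scanners linked later in the thread are fine for that) before it is deleted.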

Kataki
2007-05-10, 21:24
Sorry for taking so long to reply but my internet no longer works after following the instructions you posted 0_o. I can't post my HJT and SDFix logs because they are on the other computer and it seems it can no longer access the internet.

Now what? :/

pskelley
2007-05-10, 21:54
The stuff we removed is malware, did you read the information in the links about it? You can give this a try:
http://www.snapfiles.com/get/winsockxpfix.html

If that does not work, give your Internet Service Provider a call and see if they can help.

Thanks

Kataki
2007-05-11, 15:30
The problem is only on my PC, the others on the network are fine. After running your fix my internet worked for about an hour before randomly stopping. Now it no longer connects to my network and when I try to update Spybot (was hoping for some error so I could quantify my problem :P) I get socket error 11004.

Kataki
2007-05-11, 15:37
Sorry for double post forgot these:


SDFix: Version 1.82

Run by Jordan - Wed 05/09/2007 - 15:57:48.23

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
kprof
Microsoft IE Updater_2
poof

ImagePath:
\??\C:\WINDOWS\System32\kprof
C:\Documents and Settings\Jordan\ie_updater.exe /start
\??\C:\WINDOWS\System32\poof

kprof - Deleted
Microsoft IE Updater_2 - Deleted
poof - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\Documents and Settings\Jordan\ie_updater.exe - Deleted
C:\Documents and Settings\Jordan\Application Data\Install.dat - Deleted
C:\WINDOWS\dsrss.exe - Deleted
C:\WINDOWS\ieredir.exe - Deleted
C:\WINDOWS\preredir.exe - Deleted
C:\WINDOWS\system32\koos.exe - Deleted
C:\WINDOWS\system32\kprof - Deleted
C:\WINDOWS\system32\poof - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\RunOnce2.tm_ - Deleted
C:\WINDOWS\xpupdate.exe - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\Sm9yZGFu\asappsrv.dll
C:\WINDOWS\system32\confdrv.dll
C:\WINDOWS\system32\drvmgr32.dll
C:\WINDOWS\system32\drvprf32.dll
C:\WINDOWS\system32\drvstat.dll
C:\WINDOWS\Sm9yZGFu\command.exe
C:\WINDOWS\system32\drvconf.exe
C:\WINDOWS\system32\drvperf.exe
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL0012.tmp
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL2596.tmp
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL3483.tmp
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL3929.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished



Logfile of HijackThis v1.99.1
Scan saved at 3:53:58 PM, on 5/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Jordan\My Documents\Hijackthis.exe

O2 - BHO: C:\WINDOWS\System32\ldfksdioduihj.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\ldfksdioduihj.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\Jordan\ie_updater.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

pskelley
2007-05-11, 16:31
Have a look at this information:
http://forums.spybot.info/showthread.php?t=177
and the google:
http://www.google.com/search?hl=en&q=socket+error+11004&btnG=Google+Search
See if that information helps.


Looks to me that SDFix was run at: SDFix: Version 1.82
Run by Jordan - Wed 05/09/2007 - 15:57:48.23

and you have posted a HJT log run at:
Logfile of HijackThis v1.99.1 Scan saved at 3:53:58 PM, on 5/9/2007

I believe the HJT log was run before the SDFix. The fix removed a lot of junk as you can see. You need to reboot and post a fresh HJT log once a fix has been run.

Post a new HJT log.

Thanks

Kataki
2007-05-11, 16:55
SDFix: Version 1.82

Run by Jordan - Fri 05/11/2007 - 10:43:09.90

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\WINDOWS\Sm9yZGFu\asappsrv.dll
C:\WINDOWS\system32\confdrv.dll
C:\WINDOWS\system32\drvmgr32.dll
C:\WINDOWS\system32\drvprf32.dll
C:\WINDOWS\system32\drvstat.dll
C:\WINDOWS\Sm9yZGFu\command.exe
C:\WINDOWS\system32\drvconf.exe
C:\WINDOWS\system32\drvperf.exe
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL0012.tmp
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL2596.tmp
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL3483.tmp
C:\Documents and Settings\Jordan_Quinn\Application Data\Microsoft\Word\~WRL3929.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished


Logfile of HijackThis v1.99.1
Scan saved at 10:51:29 AM, on 5/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jordan\My Documents\Hijackthis.exe

O2 - BHO: C:\WINDOWS\System32\ldfksdioduihj.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\ldfksdioduihj.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)


I had HJT delete the ldfksdioduihj.dll after running.

Kataki
2007-05-11, 16:59
This is another HJT log I ran after using ATF cleaner and running the WinSockfix for comparison.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:48 AM, on 5/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Documents and Settings\Jordan\My Documents\Hijackthis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

pskelley
2007-05-11, 17:14
OK thanks, looks like SDFix cleaned out all of the junk but this one:
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll, which does not identify, but that is not unusual; the hackers call their crap whatever they wish:
http://www.google.com/search?hl=en&q=rpcc1.dll&btnG=Google+Search
If you wish to scan the file to see what it is, here are free online scanners. I don't need to see the results, I know it's bad:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html


Let's try this tool on it: How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\rpcc1.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Post a new HJT log, add any comments you think will help.

Thanks

Kataki
2007-05-11, 17:58
Before I do that (busy atm installing a new disposal) I thought you should know my internet does work for about 2-3 minutes after rebooting my computer.

Kataki
2007-05-11, 18:20
Logfile of HijackThis v1.99.1
Scan saved at 12:14:32 PM, on 5/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\AIM Lite\aimlite.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\HJT\Hijackthis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [laim] "C:\Program Files\AIM Lite\aimlite.exe" -autorun
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)


Internet is still having problems, should I run the WinSockFix again?

pskelley
2007-05-11, 18:38
Thanks for this feedback, "Delete on reboot" killed the file:
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll (file missing)
Use HJT to remove the line from your HJT log.

That being done, the HJT log will be clean, I do not believe we have cleaned System Restore files yet:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Internet is still having problems, should I run the WinSockFix again?

I don't know that it will help. I suggest you review the information I posted about the error message: socket error 11004

Please remove SDFix totally from your computer; the bad stuff stored in the program will go with it. You can register free and post here:
http://www.bleepingcomputer.com/forums/forum14.html
Experts there may be able to help with connection issues, but I would discuss it with your ISP first. You have a very bad infection and I can't say what changes may have been made by this malware. This is one of the reasons reformat is suggested in cases like this; at least you know what you are starting with.

http://www.google.com/search?hl=en&q=troubleshoot+internet+connectivity&btnG=Google+Search

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks
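Both of pskelley's steps above, the "Delete a file on reboot" procedure and the follow-up that the file is gone but the O20 line still has to be removed from the log, come down to reading HijackThis lines and comparing two scans. The script below is an added example and not code from this thread or from HijackThis: it parses HJT 1.99.1 log lines, diffs a before and after scan, reports entries whose file disappeared while the registry pointer survived (the "(file missing)" state the 12:14 log shows for rpcc1.dll), and flags the entries a helper reads first. The two sample logs are abbreviated copies of the 10:57 and 12:14 scans from this thread, constructed for the example; the mapping of O-sections to registry locations is standard Windows XP knowledge rather than anything in the log, and the flagging rules are this example's own.

```python
import re
from dataclasses import dataclass

# Added example: triage helper for HijackThis 1.99.1 logs. Not part of HJT.
# Where each HJT section seen in this thread lives on a stock Windows XP box
# (assumed from general XP knowledge, not read from the log).
SECTIONS = {
    "O4": "Run keys under HKLM/HKCU\\Software\\Microsoft\\Windows\\CurrentVersion and the Startup folders",
    "O16": "Downloaded Program Files (ActiveX controls fetched from a web page)",
    "O20": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify "
           "(DLL loaded into winlogon.exe, i.e. as SYSTEM, at every logon)",
    "O23": "HKLM\\System\\CurrentControlSet\\Services (Windows services)",
}

@dataclass(frozen=True)
class Entry:
    section: str        # O4, O20, ...
    name: str           # Run value name, service name, notify package name, CLSID
    path: str           # file, command line or URL the entry points at
    file_missing: bool  # HJT found the registry entry but not the file
    owner: str = ""     # vendor string HJT prints for O23 services, else ""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
MISSING = " (file missing)"

def parse_line(line: str):
    """Return an Entry for one HJT log line, or None for anything else."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    kind, _, rest = body.partition(": ")   # "Winlogon Notify", "Service", "HKLM\..\Run", ...
    owner = ""
    if rest.startswith("["):               # O4 Run value:  [name] command line
        name, _, path = rest[1:].partition("] ")
    elif kind.endswith("Startup"):         # O4 Startup folder:  x.lnk = target
        name, _, path = rest.partition(" = ")
    else:                                  # "name - owner - path" or "name - path"
        parts = rest.split(" - ")
        name, path = parts[0], parts[-1]
        if len(parts) == 3:
            owner = parts[1]
    return Entry(section, name, path, missing, owner)

def parse_log(text: str) -> dict:
    """Map (section, name) -> Entry for every recognised line in a log."""
    out = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            out[(e.section, e.name)] = e
    return out

def diff_logs(before: str, after: str):
    """Compare two scans. 'dangling' = the file vanished between scans but the
    registry pointer survived, so the line still has to be fixed in HJT."""
    b, a = parse_log(before), parse_log(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    dangling = sorted(k for k in a
                      if a[k].file_missing and k in b and not b[k].file_missing)
    return removed, added, dangling

def review_points(log: str):
    """Entries a helper reads first: anything loaded into winlogon.exe (O20),
    any pointer to a file that no longer exists, and any service binary HJT
    could not attribute to a vendor ('Unknown owner'; benign leftovers such as
    an uninstalled SQL instance show up here too, so it is a prompt, not a verdict)."""
    hits = []
    for e in parse_log(log).values():
        reasons = []
        if e.section == "O20":
            reasons.append("runs inside winlogon.exe as SYSTEM")
        if e.file_missing:
            reasons.append("registry entry points at a missing file")
        if e.owner == "Unknown owner":
            reasons.append("service binary has no vendor attribution (Unknown owner)")
        if reasons:
            hits.append((e.section, e.name, "; ".join(reasons)))
    return sorted(hits)

# Constructed sample input: abbreviated copies of the 10:57 and 12:14 scans above.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
"""
LOG_AFTER = LOG_BEFORE.replace(
    r"O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll",
    r"O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll (file missing)")

if __name__ == "__main__":
    removed, added, dangling = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed, "added:", added, "dangling:", dangling)
    for sec, name, why in review_points(LOG_AFTER):
        print(f"{sec} {name}: {why}  [{SECTIONS[sec]}]")
```

Run as-is it reports rpcc1 as dangling, which is exactly the state the 12:14 log is in: the DLL is gone, the Winlogon\Notify key that told winlogon.exe to load it is not, and that key is the line HJT is asked to fix. The Sony SQL agent shows up under the same "file missing" rule with a benign explanation (an uninstalled product), which is why the output is a reading list rather than a kill list.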

Kataki
2007-05-11, 18:42
Thanks for the help and information.

pskelley
2007-05-14, 13:19
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks