View Full Version : Smithfraud-C.Toolbar888 ...
Jadesphere
2007-05-29, 05:47
:oops:
As many others have recently reported, I too have been infected with this virus/spyware since yesterday. I read some of my peer's threads and have posted the Pre VundoFix Hijackthis log. I am running VundoFix now and will post the lost and HijackThis log again soon.
Thank you guys for all your help!
Logfile of HijackThis v1.99.1
Scan saved at 8:37:33 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Roger Yei\Desktop\HijackThis\HijackThis.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccreg] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\msgwqvmw.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverSharedAccess (lanmanserverSharedAccess) - Unknown owner - C:\WINDOWS\system32\1028d.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Jadesphere
2007-05-29, 05:54
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 8:39:23 PM 5/28/2007
Listing files found while scanning....
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\msgwqvmw.dll
C:\WINDOWS\system32\wmvqwgsm.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\ggjlm.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\mljgg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\msgwqvmw.dll
C:\WINDOWS\system32\msgwqvmw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wmvqwgsm.ini
C:\WINDOWS\system32\wmvqwgsm.ini Has been deleted!
Performing Repairs to the registry.
Done!
Jadesphere
2007-05-29, 05:56
Logfile of HijackThis v1.99.1
Scan saved at 8:55:44 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Roger Yei\Desktop\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083281C4-9285-41A0-B219-5D33F5411652} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\jsclbkhk.dll
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - C:\WINDOWS\system32\pmnkhef.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D7678AD3-C726-469F-A663-7D61BBB5829f} - C:\WINDOWS\system32\fpdolyel.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccreg] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pmnkhef - pmnkhef.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverSharedAccess (lanmanserverSharedAccess) - Unknown owner - C:\WINDOWS\system32\1028d.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Jadesphere
2007-05-29, 12:16
-bump- Their seems to be an epidemic =(
I'll be home tomorrow 5/29 PST at 7:00 pm if anyone helper is available. thanks!
pskelley
2007-05-30, 01:58
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read the above instructions.
Note: It may take a few days for the initial response, (especially if you start a topic on the weekend or over holidays) so please take that into consideration before posting.
Bumping one's topic by posting additional comments before a volunteer responds; or asking if anyone is there, will actually push your topic back in line due to the new date of your bump.Please also understand we are volunteers and there are no "resident" helpers. All of us help at multiple forums and when we stop by here to lend a hand, we are looking for 0 responses which tell us that member has not been helped yet.
Sorry to be the bearer of bad news:sad:
Do you have any idea what this is?
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
You have some very nasty infections on this computer:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99
Which may or may not have been totally removed yet?
C:\WINDOWS\system32\jsclbkhk.dll >>> Downloader, a VirtuMonde/Vundo adware variant, also detected as Troj/LazyJohn
C:\WINDOWS\system32\fpdolyel.dll ? No idea what that one is.
O4 - HKLM\..\Run: [ipmon] ipmon.exe
http://www.castlecops.com/s1693-ipmon_exe.html
http://www.symantec.com/security_response/writeup.jsp?docid=2003-042813-0206-99
Backdoor.Recerv is a Trojan Horse that gives a hacker complete access to your computer. By default, the Trojan listens on port 9,870 and notifies the hacker through email.
C:\WINDOWS\system32\1028d.exe
http://spywarefiles.prevx.com/RRFIDG39494178/ADSLDPP.EXE.html
ADSLDPP.EXE may use 35 or more path and file names, these are the most common:
3 :%WINDIR%\SYSTEM32\1028D.EXE
and this is the one that worries me the most, through the others are bad also and the computer is seriously compromised. I suggest you pull the plug to deny hackers access and turn in on only when you must to troubleshoot.
http://www.symantec.com/security_response/writeup.jsp?docid=2003-021316-5131-99
Backdoor.IRC.Zcrew is a backdoor Trojan Horse that is similar to other backdoor IRC Trojans, such as Backdoor.IRC.Aladinz and Backdoor.IRC.Flood.
Backdoor.IRC.Zcrew is written as an IRC script and uses the mIRC client to connect to the Internet, where it notifies the attacker of its presence. The hacker can send various commands to an infected computer and take full control over it.An infected computer can also be used to launch a ping flood attack against another computer at a specified IP address.
You need to have this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
Please let us know what you have decided to do in your next post.
Thanks
Jadesphere
2007-05-30, 04:29
Dear Pskelley,
Thank you for the generous time you have put into reviewing my PC's current status regarding spyware/viruses.
I have carefully read and reviewed the material and links you have sent me. Everything was informative and very interesting.
While reformating is not a huge inconvenience and is an option that I would consider if you highly recommend that route, I am also not one to back away from a challenge either :bigthumb:.
I would say I am pretty comfortable around computers, having built/upgraded mine since the 286's. Software regarding viruses on the other hand, is something unkwown to me, but also something that I would enjoy indulging in.
I do use my PC for light online banking, and mostly recreational games and video. If you are also up to the challenge of patching up my system to reasonable secure standards, I would greatly appreciate your efforts.
I will be home tonight and moniter this thread if you or any other technician happen to be available.
Many Thanks,
Jadesphere
To answer some of your questions in your post:
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
I think that is the MOD program I have for Aol Instant Messenger. It is called Dead Aim, and allows buddylist cloning, ad removal and other functionality. It could however have sneaky spyware attached to it that I am unaware of? Though I think it is a trusted program that many people use.
The other items you listed seem pretty serious. I have used AVG anti-spyware, Adaware, AVG anti-virus and AVG rootkit to perform some scans so far. Smithfraud was the one that jumped up on SpyBot and is what I attributed to the random site redirection and pop ads.
Again thanks for everything. If I can't resolve my issues by the end of this week, it's probably a good time to reformat the ol' PC anway.
Jadesphere
2007-05-30, 05:15
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
I double checked with a friend who also has Dead Aim, and he doesn't have the AIMWDI process in his task manager...
This definitely is some sort of spy ware or virus I think.
pskelley
2007-05-30, 13:18
I appreciate your feedback, while I am sorry you even have to make this decision, I can only say that if it were my computer, and I also use mine for online bill paying and other banking, I would not trust the computer to be safe if the stuff was only removed, there is just no way to be sure it is all gone. I can help you clean it, I have cleaned much worse, I just can not say the computer would be safe even then.
Thanks...Phil
Jadesphere
2007-05-31, 03:19
Let's give it a shot! I don't need any guarantees. Willing to learn and see how far we can get to normalizing my PC.
I did some personal cleaning, using some advice from friends and websites, and my spyware symptoms seem to have disappeared, at least the most obvious ones such as pop ups and google search redirects.
Also by killing all processes instead of vital windows ones in TaskManager, and running Spybot, I was able to 'remove' smitfraud from my system according to repeated SpyBot scans.
Previously, Smitfraud would instantly reappear after every Spybot cleaning. Supposedly due to the fact that it was still loaded in my memory.
We can start fresh with a new HiJackThis scan if you advise. Let me know how we should proceed next (I read other threads about renaming HIJackThis?).
pskelley
2007-05-31, 12:38
Thanks, I would be glad to help you and I do think it would be better to look at a new HJT log since you have made changes and malware can have changed also. I strongly suggest you stay offline unless you must be on to troubleshoot, the junk will download more and that will deny access to the hackers. Please delete any tools you may have downloaded, most do not update and we will want them fresh if we need them. I will ask one more thing before we start. You may keep the old version of HJT for a while, but I would like to look at a log with the new version that we have just started using.
Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.
Copy and paste the contents of the log in your next reply
Thanks
Jadesphere
2007-05-31, 21:42
Thanks for the reply! Sending your requested log as I go off to work. I will return in about 6 hours.
As requested, I placed HiJackThis_v2 in c:\program files and scanned and posted log.
(I renamed file to pskelley_v2, jsut in case)
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:39:22 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\pskelley_v2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083281C4-9285-41A0-B219-5D33F5411652} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\jsclbkhk.dll
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - C:\WINDOWS\system32\pmnkhef.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D7678AD3-C726-469F-A663-7D61BBB5829f} - C:\WINDOWS\system32\fpdolyel.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccreg] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: pmnkhef - pmnkhef.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverSharedAccess (lanmanserverSharedAccess) - Unknown owner - C:\WINDOWS\system32\1028d.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6988 bytes
Jadesphere
2007-05-31, 21:49
Above is the HJT2 scan. Here is a new HJT1 scan just in case you need. I also renamed file to pskelley, located in a folder on my desktop.
Logfile of HijackThis v1.99.1
Scan saved at 12:48:18 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Roger Yei\Desktop\HijackThis\pskelley.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083281C4-9285-41A0-B219-5D33F5411652} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\jsclbkhk.dll
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - C:\WINDOWS\system32\pmnkhef.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D7678AD3-C726-469F-A663-7D61BBB5829f} - C:\WINDOWS\system32\fpdolyel.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccreg] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pmnkhef - pmnkhef.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverSharedAccess (lanmanserverSharedAccess) - Unknown owner - C:\WINDOWS\system32\1028d.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
pskelley
2007-05-31, 22:16
There is no need to rename HJT with that version which is why I asked you to use it. I will need to see HJT logs from ONLY this version: Logfile of Trend Micro HijackThis v2.0.0 (BETA)
I am going to give you a lot of instructions at once. I encourage you to take your time, read and follow the directions carefully. It looks like you have run Vundofix. Let's proceed like this.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
4) Disable the Service
Click Start > Run and type services.msc
Scroll down to Server lanmanserverSharedAccess and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
Thanks to andymanchesta and anyone else who helped with the fix.
5) Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some items may be gone, removed by SDFix, don't be concerned)
O2 - BHO: (no name) - {083281C4-9285-41A0-B219-5D33F5411652} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\jsclbkhk.dll
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - C:\WINDOWS\system32\pmnkhef.dll (file missing)
O2 - BHO: (no name) - {D7678AD3-C726-469F-A663-7D61BBB5829f} - C:\WINDOWS\system32\fpdolyel.dll (file missing)
O4 - HKLM\..\Run: [ccreg] C:\WINDOWS\System32\explorer.exe
O20 - Winlogon Notify: pmnkhef - pmnkhef.dll (file missing)
O23 - Service: Server lanmanserverSharedAccess (lanmanserverSharedAccess) - Unknown owner - C:\WINDOWS\system32\1028d.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\System32\explorer.exe <<< delete that file (should be gone)
C:\WINDOWS\system32\1028d.exe <<< delete that file
8) Run AVG Anti-Spyware according to the instructions in the following link. Delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the SDFix report, the scan results from AVG Anti-Spyware and a new HJT log.
Thanks
Jadesphere
2007-06-01, 05:09
Good Evening! I will be on for about 6 hours and check up on this thread again before I leave for work tomorrow.
I have renamed HiJackThis v2 back to it's original filename.
As you have noticed, I did in fact run Vundofix per instructions detailed in another thread and also as I noted with the log at the beginning of my thread.
Steps completed as follows:
1. Folder Options changed as request.
2. Downloaded ATF Cleaner.
3. Deactivated Resident Shield.
4. Disable Service: This service starus was in "Stopped" status when I checked. I changed Startup type to "Disabled". Note: C:\WINDOWS\system32\1028d.exe srv was reported under "Path to executable"
5. Downloaded and installed SDFix. Report:
SDFix: Version 1.85
Run by Roger Yei - Thu 05/31/2007 - 19:59:15.00
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\system32\moo.dll - Deleted
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="E:\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"E:\\Starcraft\\StarCraft.exe"="E:\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"E:\\Kali\\Kali.exe"="E:\\Kali\\Kali.exe:*:Enabled:Kali II (Ver 2.613)"
"E:\\DOSBox-0.65\\DOSBox.exe"="E:\\DOSBox-0.65\\DOSBox.exe:*:Enabled:DOSBox"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="E:\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="E:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="E:\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="E:\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"E:\\NWN\\nwn2main.exe"="E:\\NWN\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"E:\\NWN\\nwn2main_amdxp.exe"="E:\\NWN\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"E:\\NWN\\nwupdate.exe"="E:\\NWN\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"E:\\NWN\\nwn2server.exe"="E:\\NWN\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"E:\\Sid Meier's Civilization 4\\PitBoss.exe"="E:\\Sid Meier's Civilization 4\\PitBoss.exe:*:Enabled:Sid Meier's Civilization 4"
"E:\\Sid Meier's Civilization 4\\Civilization4.exe"="E:\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"E:\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="E:\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"E:\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="E:\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"E:\\Marvel - Ultimate Alliance\\Game.exe"="E:\\Marvel - Ultimate Alliance\\Game.exe:*:Enabled:Game"
"E:\\Sword of the Stars\\Sword of the Stars.exe"="E:\\Sword of the Stars\\Sword of the Stars.exe:*:Enabled:Sword of the Stars"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\Documents and Settings\Roger Yei\NetHood\ftp.atari.com\Desktop.ini
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\1028d.exe
C:\WINDOWS\system32\1054l.exe
C:\WINDOWS\system32\12520437h.exe
C:\WINDOWS\system32\adsnwl.exe
C:\WINDOWS\system32\AgCPanelKoreanx.exe
C:\Documents and Settings\Roger Yei\Application Data\Microsoft\Word\~WRL2039.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Applications\~WRL0001.TMP
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Applications\~WRL2391.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Applications\~WRL3686.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 00-01\1st Semester\English 26\~WRL0005.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Economics 1\~WRL3146.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL0005.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL0038.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL0384.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL0470.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL0899.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL1543.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL1621.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL2203.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL2381.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL3114.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit II Music as Rhetoric\~WRL3539.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0061.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0097.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0191.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0516.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0555.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0618.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0644.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0704.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL0740.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1021.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1237.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1307.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1360.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1383.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1583.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1849.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL1984.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2117.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2182.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2222.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2223.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2359.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2701.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL2863.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3181.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3365.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3388.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3585.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3711.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3758.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3861.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL3886.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL4063.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Fall 01 Music 27\Unit V Musical Representations\~WRL4097.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Spring Film Studies R1B\~WRL2760.tmp
C:\Documents and Settings\Roger Yei\My Documents\Archived Documents\Year 01-02\Summer 02\Business Communications\~WRL0585.tmp
Finished
Jadesphere
2007-06-01, 06:19
When SDFIX completed it mentioned to run Catchme.exe in the SDFix folder. I skipped this step as you did not mention it.
6. Opened HiJackThis in my Program Files folder.
O23 - Service: Server lanmanserverSharedAccess (lanmanserverSharedAccess) - Unknown owner - C:\WINDOWS\system32\1028d.exe
The above was not listed as you mentioned it might not be. Other 6 entries were present.
7. Deleted File:
C:\WINDOWS\System32\explorer.exe <<< already gone
C:\WINDOWS\system32\1028d.exe <<< deleted this file
8. Folowed AVG Anti-Spyware link instructions.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:02:56 PM 5/31/2007
+ Scan result:
E:\Zipped\Game Files\Stellar Realms\gmouse.exe -> Downloader.Delf.aup : No action taken.
C:\Documents and Settings\Roger Yei\Cookies\roger yei@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Roger Yei\Cookies\roger yei@m.webtrends[1].txt -> TrackingCookie.Webtrends : No action taken.
::Report end
9. Ran ATF Cleaner for Main and Firefox.
10. Ran HJT2 located in program files:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:17:21 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis_v2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Terminal Services TermServiceMessenger (TermServiceMessenger) - Unknown owner - C:\WINDOWS\system32\adsnwl.exe
--
End of file - 6474 bytes
Followed your instruction as requested. Eagerly awaiting your evaluation and feedback.
pskelley
2007-06-01, 12:04
Thanks for returning you information and the feedback, CatchMe.exe checks for rootkit infection, we can run another tool if we think we need to. Let see how the logs look.
AVG Anti-Spyware - Scan Report
No action taken??? Instructions specified delete or quarantine? E:\Zipped\Game Files\Stellar Realms\gmouse.exe -> Downloader.Delf.aup <<< Delf is a nasty trojan, you can scan that if you want:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 9:17:21 PM, on 5/31/2007
Tell me what this is: O23 - Service: Terminal Services TermServiceMessenger (TermServiceMessenger) - Unknown owner - C:\WINDOWS\system32\adsnwl.exe
I can not find information about the service here: http://www.castlecops.com/O23.html and Google returns nothing. This service was also not running in the first HJT log. Chances are very good it is a trojan, but we need to be sure. If you do not know what it is, then use the scanners I posted. Once you are sure it is bad, disable the service first, then delete that file.
Please take the time to be sure, don't delete something valid. If the file gives you are hard time, use this tool:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Post a new HJT log at that point and give me some feedback.
Thanks
Jadesphere
2007-06-01, 23:01
I am at work and will be home in about 5 hours to troubleshoot my PC. Here's some feedback:
AVG Anti-Spyware - Scan Report
Oh my mistake there. I posted the pre report instead of the post report. All three files had been removed.
gmouse.exe -> Downloader.Delf.aup. This was a program called Ghost Mouse that I used to automate simple takes by preprograming my mouse movements. Was there actually a hidden virus? Either way I guess I can live without that program.
O23 - Service: Terminal Services TermServiceMessenger (TermServiceMessenger) - Unknown owner - C:\WINDOWS\system32\adsnwl.exe
I do not know what this program is. Firefox did update to a new version and I downloaded an associated ad blocker plugin? Not sure if that file is related. But it being labeled as "unknown owner" is probably not a good sign.
I searched google and yahoo and came up blank as well. And double checked the castlecops entries A-Z and came up with nothing.
When I return home, I will run the 3 scanners you posted on that file and report results if they are ambiguous. If they identify it as detrimental, I will attempt to remove.
I will post the new HJT2 report in my next post. Thanks!
Jadesphere
2007-06-02, 05:42
I am home now and just wanted to report some suspicious things I noticed:
1. Window's Firewall gets disabled every time I restart my computer. I think this began yesterday, but I just confirmed it by restarting a few times. I enable it , and when I restart, the system notifier in task tray says it's off again. When I go to control panel > Firewall, a notification says "Windows Firewall setting cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" I think I or a program might have turned off a legit service? I'll await you confirmation before I turn this mentioned service back on.
2. I get these message when I try to upload adsnwl.exe file to the the links you provided:
A. "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
B. Page refreshes and nothing happens.
C. 0 bytes size received / Se ha recibido un archivo vacio
3. I located adsnwl.exe in my System32 directory and also in Services through services.msc which I disabled (Is there any way to remove this entry in Services completely?)
adsnwl.exe showed some very unusual behaviors. As mentioned above, it refused to be uploaded to any of the 3 links you provided (it was about 36kb). Second, when I right click the file to delete, it would freeze my mouse and then my menu pop up would not appear. This occurred before and after I had disabled the service. I found a work around by highlighting file and pressing "File". This would also freeze my computer for 3-4 seconds ( I noticed small jump in cpu activity in task manager), but after 3-4 seconds the "File" menu would appear (cut, copy delete, etc). When I selected delete, and then confirm it would freeze again and then say someone or a program was accessing it. I was able to finally delete this file by logging into Safe Mode and simply deleting the file.
In properties, adsnwl.exe's created and modified date was 5/27 9:04 pm, I think roughly about the time I started being bombarded with spamware. Inside my system32/ directory, a couple of files share the same modified date/time as well or a few days later, which I think may be virus related listed below. I will try and search google to find more information. Let me know if you recognize any of the files as well.
xpdx.sys 60kb System file
3870003321.dat 1kb DAT File
jsclbkhk.dll 50kb Application Extension (You mentioned this file in your first post? I guess we haven't addressed it yet its date 5/27 also.)
Uploaded this file to the first link you provided just to scan it:
--------------------Scanner results------------------------------------
Scan taken on 02 Jun 2007 03:30:45 (GMT)
A-Squared
Found nothing
AntiVir
Found ADSPY/Virtumonde.KB
ArcaVir
Found Adware.Virtumonde.Kb
Avast
Found nothing
AVG Antivirus
Found Generic2.CME
BitDefender
Found Trojan.Virtumod.ALZ
ClamAV
Found nothing
Dr.Web
Found Trojan.Virtumod
F-Prot Antivirus
Found W32/Backdoor.ARKO
F-Secure Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.kb (4, 1, 400)
Fortinet
Found Adware/VirtuMonde
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.kb
NOD32
Found a variant of Win32/BHO.G
Norman Virus Control
Found W32/Virtumonde.GUF
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found AdWare.Win32.Virtumonde.kb
--------------------- Scanner results------------------------------------
After review scan report, I decided to shift deleted this file.
Suspected Files:
1054l.exe 40b Application
12520437h 40b Application
AgCPanelKoreanx.exe 40kb Application (Also has a Service related to it, was located right beneath the adsnwl.exe service)
perfc009.dat 59kb Dat File
perfh009.dat 387kb Dat File
PerfstringBackup.INI 452.kb Configuration Settings
wpa.dbl 3kb DBL file
nvapps.xml 87kb XML Document
Here's the a new HJT2 report. I'm going to run those 3 links scanners on the suspect files I listed above. Let me know what your opinions are. Thanks.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:39:21 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis_v2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Terminal Services TermServiceNetlogon (TermServiceNetlogon) - Unknown owner - C:\WINDOWS\system32\AgCPanelKoreanx.exe
--
End of file - 6447 bytes
pskelley
2007-06-02, 14:15
1. Window's Firewall gets disabled every time I restart my computer.
How to turn on or turn off the firewall in Windows XP
http://support.microsoft.com/kb/283673
Using Windows Firewall
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx
If the firewall is disabled in services, do this:
Enable the Service
Click Start > Run and type services.msc
Scroll down to Windows Firwall/Internet Connection Sharing (ICS) and right click on it.
Click Properties > General Tab and under Service Status click Start, then under Startup Type change it to Automatic.
Apply and OK your way out.
3. I located adsnwl.exe in my System32 directory and also in Services through services.msc which I disabled (Is there any way to remove this entry in Services completely?)Yes, since you asked, there is:
Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (TermServiceMessenger) and press OK.
OK any prompts, close HijackThis, and restart your computer.
Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 8:39:21 PM, on 6/1/2007
We have another service running and this is getting frustrating. Something is returning these services:
O23 - Service: Terminal Services TermServiceNetlogon (O23 - Service: Terminal Services TermServiceNetlogon (TermServiceNetlogon) - Unknown owner - C:\WINDOWS\system32\AgCPanelKoreanx.exe) - Unknown owner - C:\WINDOWS\system32\AgCPanelKoreanx.exe
I am wondering if it has anything to do with this:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
which is: http://www.castlecops.com/o20list-16.html
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/default.mspx
I can't research from this end, you need to research this item:
C:\WINDOWS\system32\AgCPanelKoreanx.exe
and find out what it is. The balance of the HJT log is clean.
Thanks
Jadesphere
2007-06-02, 16:31
Thanks for all your help.
AgCPanelKoreanx.exe started to exhibit identical characteristics of adsnwl.exe when I got rid of adsnwl.exe (right-clicking caused menu pop to freeze).
This fact plus both files were both created/modified near the same time was good enough reason for me to remove it.
As for nwprovau.dll, the google searches says its a legit windows file. Also the modified date show 10/6/2006 so has been in my computer since last year. Though the "Unknown file in Winsock LSP" report did jump out at me too.
pskelley
2007-06-02, 16:47
The nwprovau.dll is a legitimate file from O20 Type Winlogon Notify
Name nwprovau
Path/File nwprovau.dll
Status L
Description Client Service for NetWare
It is only the database being used that does not recognize the file name.
I was only wondering if it could have been associated with what we were trying to remove. Some programs (valid and well as invalid) have the ability to return files removed. How's the compter running now?
Thanks
Jadesphere
2007-06-02, 23:45
Ah thank you for the clarification. My computer seems to have recovered from the spyware attacks these past few days. I do have a small inclination that there might betrojan/backdoor programs, due to the odd behavior of adsnwl.exe and then AgCPanelKoreanx.exe (which was a seemingly normal file), until adsnwl was removed. Then AgCPanelKoreanx.exe started acting the same way, not allowing me to right click the file.
My assumption, now,that I deleted AgCPanelKoreanx.exe, is there may be another file that has been activated - just as AgCPanelKoreanx.exe has been 'turned on' when adsnl.exe was removed. Below I have posted my most recent HJT2 scan:
These 2 entries stand out, though report says file is missing/deleted already? What is also odd is these files where not listed in my last HJT scan. And also important to note, I had actually manually deleted both these files along with adsnwl.exe and AgCPanelKoreanx.exe yesterday due to their "modified/created" proximity dates from /sysyem32 to adsnl.exe
O23 - Service: Windows Management Instrumentation Driver Extensions WmiHidServ (WmiHidServ) - Unknown owner - C:\WINDOWS\system32\1054l.exe (file missing)
http://www.prevx.com/groupwaredetail.asp?SQ=IJGJ2106&g=4847600027
"Malware.Trojan.Backdoor.Gen"
O23 - Service: Network Provisioning Service xmlprovVSS (xmlprovVSS) - Unknown owner - C:\WINDOWS\system32\12520437h.exe (file missing)
This file was listed/target by a spyware troubleshooter technician in this thread: http://forum.aumha.org/viewtopic.php?p=153553&sid=01b72ff7a089a72a5de1a8fef6d64cf6
Let me know what you think is happening.
-----------------------------scan----------------------------------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:27:43 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis_v2.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Management Instrumentation Driver Extensions WmiHidServ (WmiHidServ) - Unknown owner - C:\WINDOWS\system32\1054l.exe (file missing)
O23 - Service: Network Provisioning Service xmlprovVSS (xmlprovVSS) - Unknown owner - C:\WINDOWS\system32\12520437h.exe (file missing)
--
End of file - 6539 bytes
pskelley
2007-06-03, 01:27
Thanks for the feedback, Prevx says it will remove this stuff:
http://www.google.com/search?hl=en&q=1054l.exe+&btnG=Google+Search
Since both AVG Anti-Spyware and Prevx use a lot of resources, I suggest you either uninstall AVG Anti-Spyware first or turn it off completely so both programs are not running at the same time.
Here is a tutorial for using the free trial, make sure you review it first so you will know what you are doing.
http://info.prevx.com/tutorialp2.asp
Download link:
http://free.prevx.com/
Let me know how it goes
Thanks
Jadesphere
2007-06-05, 04:17
I removed those 2 registry entries through HJT2 functions as you detailed in an earlier post.
I downloaded Prev and ran it, it's a nice program even though its only 30 days free trial. The reboot fast scan and analyses came out clean.
I did a thorough Fullsystem scan with Prev, and it was able to find XPDX.sys quarantined (which I used a program called CombineFix to remove and quarantine) and some Adware.roguesuspect which I removed.
Overall I think everything looks pretty good. Thanks for all your help.
pskelley
2007-06-05, 14:16
Would you post a last HJT log please.
Thanks
Jadesphere
2007-06-06, 04:46
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:24:16 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5858 bytes
pskelley
2007-06-06, 13:24
Thanks for the last look, unless you intend to keep Prevx, I would uninstall it. Slowed my computer big time.
C:\Program Files\Prevx2\
This is not malware but you can use HJT to remove it if you wish:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
(if you want your Start Page "blank" leave it alone)
If you have a few minutes, would you tell me what you use this for:
c:\windows\system32\nwprovau.dll
http://www.bleepingcomputer.com/startups/nwprovau.dll-13129.html
C:\Program Files\HiJackThis_v2.exe <<< I am not sure why TM does not create a folder with this download. I suggest you create one there like this:
C:\Program Files\HJT\HiJackThis_v2.exe and move the log, backups and executable safely into that folder.
Here is some information about the tool for your benefit:
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=faq
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
If you want to run a good free trial to check for hidden junk, use this one with these instruction, delete or quarantine anything it finds and post the scan results if you have questions.
http://forums.security-central.us/showthread.php?t=3165
Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Jadesphere
2007-06-07, 01:30
"If you have a few minutes, would you tell me what you use this for:
c:\windows\system32\nwprovau.dll"
I have no clue what that is for. It doesn't look familiar, but according to the link you provided it says its a necessary startup file?
I'll Google it for a bit, I'd liek to remove it if it's not necessary.
pskelley
2007-06-07, 01:49
I understand you to say you do not know why this item is running on your computer:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
http://www.google.com/search?hl=en&q=nwprovau.dll&btnG=Google+Search
I have seen this a few times and decided to ask what it was, but from all outward signs it is a valid programs. Make sure you really want it gone, it can not be remove with HJT but with this tool:
http://www.bleepingcomputer.com/tutorials/tutorial59.html
Thanks