arrjl.dll (Dropper.Agent.ahr) HELP!!!!

Post by FrostyC » August 17th, 2007, 11:17 am

God this thing is driving me crazy & I can't find anything out about it. It stored itself in C:\WINDOWS\system32\ (Arrjl.dll that is...) but when I go to the folder it's not visible even with hidden/system files shown. If I try to place a file there with the same name it says it cannot find the specified file. I'm going to provide as much info as possible, let me know if anything else is needed. I really want to get rid of this crap.

Programs that have detected it and attempted (but failed) to remove it completely:
Spybot S&D
BitDefender 10
AVG Anti-Spyware (HERE is a link to what AVG's Virus Scanner recently removed.)
Trojan Remover

Programs that I scanned with that failed to detect it:
AdAware
Bazooka

HijackThis gives this info on the specific item, saying it's a BHO that attaches to IE, and I do not have IE at all (completely gutted out of the OS using nLite). I use Firefox, K-Meleon & OffByOne but I won't touch IE...

So here's a basic rundown of how tricked out my system is:
nLite'd install of Windows XP Corporate SP2
Running WezDesk's Evil Shell (not explorer.exe), but I can switch back & forth with a simple restart.
This is a laptop; view specs HERE
I am using WindowBlinds & ObjectBar as well.

Without further ado, here is my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:06 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\dbatp.exe
C:\Program Files\Stardock\Object Desktop\ObjectBar\objectbar.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\EvilDesk-0.9.0.217\wezdesk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\arrjl.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\VistaDrives\vsdrv.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\RunOnce: [Trojan Remover] "C:\Program Files\Trojan Remover\RMVTRJAN.EXE" /restart
O4 - HKCU\..\Run: [Actual Window Manager] "C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Battery Doubler.lnk = C:\Program Files\Dachshund Software\Battery Doubler\Battery Doubler.exe
O4 - Startup: Disk Temperature.lnk = C:\Program Files\HDD Temperature\DTemp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Stardock\Object Desktop\ObjectBar\ObjectBar.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O20 - Winlogon Notify: arrjl - C:\WINDOWS\SYSTEM32\arrjl.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Agere Systems - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
FrostyC
Active Member
 
Posts: 7
Joined: August 16th, 2007, 10:13 pm
Location: Louisville, KY
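The log above shows the same file registered in two places: an O2 entry, which is a Browser Helper Object that Internet Explorer loads, and an O20 entry, which is a Winlogon Notify package that winlogon.exe loads at every logon, as SYSTEM, regardless of which browser or shell is in use. That second registration is why gutting IE does not stop the DLL from running. The Python script below is an added example, not part of this post or of HijackThis: it parses HijackThis-format entry lines, flags the entries a helper would ask about (Winlogon Notify DLLs, unnamed BHOs, orphaned entries, proxy and start-page changes) and, the useful part, reports any DLL that is registered in more than one code-loading section. The sample lines are copied from the log above; the choice of sections and the heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.99.1 log for the persistence points seen in this thread.

Added example, not part of the forum post or of HijackThis itself. The sample
log lines are copied from the log above; which sections to flag and what counts
as suspicious are this example's own assumptions, not HijackThis rules.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "O20 - Winlogon Notify: arrjl - C:\WINDOWS\SYSTEM32\arrjl.dll" -> ("O20", "Winlogon Notify: ...")
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_~\-]+\.dll)\b", re.IGNORECASE)

# Sections whose entries load a file at logon, at browser start or as a service.
# Assumption: an illustrative subset, chosen for the cross-section check below.
LOADS_CODE = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}

# Constructed excerpt of the log posted above (paths exactly as shown there).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\arrjl.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - Winlogon Notify: arrjl - C:\WINDOWS\SYSTEM32\arrjl.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - Agere Systems - (no file)
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return (section, body, raw_line) for every O/R/F/N entry; header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group(1), m.group(2), raw))
    return entries


def dll_name(body):
    m = DLL_RE.search(body)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return a Finding for every entry worth a second look, with the reasons."""
    entries = parse_entries(log_text)

    # Which code-loading sections each DLL is registered in. The pattern in this
    # thread is one DLL that is both a BHO (O2) and a Winlogon Notify handler
    # (O20): winlogon.exe loads it at every logon, so it runs even on a machine
    # that never starts Internet Explorer.
    sections_by_dll = defaultdict(set)
    for section, body, _ in entries:
        name = dll_name(body) if section in LOADS_CODE else None
        if name:
            sections_by_dll[name].add(section)

    findings = []
    for section, body, raw in entries:
        low = body.lower()
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        reasons = []

        if section == "O20" and low.startswith("winlogon notify"):
            path = body.split(" - ", 1)[1].strip()
            reasons.append("Winlogon Notify DLL, loaded by winlogon.exe at logon: " + path)
            if path.endswith("\\"):
                reasons.append("path is a directory, not a DLL")
        if section == "O2" and "(no name)" in low:
            reasons.append("BHO with no name")
        if "(file missing)" in low or "(no file)" in low:
            reasons.append("orphaned entry: file is not on disk")
        if section == "R1" and "proxyserver" in low and value:
            reasons.append("IE proxy configured: " + value)
        if section == "R0" and "start page" in low and value:
            reasons.append("IE start page set, verify it was chosen: " + value)

        name = dll_name(body) if section in LOADS_CODE else None
        if name and len(sections_by_dll[name]) > 1:
            reasons.append("%s registered in %s" % (name, ", ".join(sorted(sections_by_dll[name]))))

        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, both arrjl.dll lines come out with the cross-section reason attached, while Spybot's SDHelper.dll, which also registers as a BHO with no name, gets only the weak "no name" flag: an unnamed BHO by itself proves little, which is why the helper in this thread asks for more data before fixing anything. The O20 check fires for every Winlogon Notify DLL, including the WindowBlinds wbsrv.dll listed above, so the output is a list to verify, not a verdict. The proxy entry (http=localhost:8080) is flagged because a local proxy is a common place for a filter or an interceptor to sit; on this machine it may equally be a leftover from a privacy tool, and only the owner can say.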

Post by ndmmxiaomayi » August 17th, 2007, 12:06 pm

Hello FrostyC. :)

Welcome to Malware Removal Forum. My name is mayi and I will be helping you. As I am an undergraduate, I will need my fixes checked before posting back to you. Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Post by FrostyC » August 17th, 2007, 12:31 pm

Thank you Mayi for taking the time to help. This is a great thing you are doing for all PC users. I patiently await your help & suggestions. :)

Post by ndmmxiaomayi » August 18th, 2007, 9:37 am

Hello FrostyC,

Step 1

  1. Please navigate to C:\Program Files\HijackThis\HijackThis.exe.
  2. Right click on HijackThis.exe and select Rename.
  3. Type in dumb and press Enter.
  4. Double click on dumb to run it.
  5. Select Do a system scan and save a logfile. Please post back this log in your next reply.
Don't exit HijackThis yet.

Step 2

  1. Click on the Config... button at the bottom right hand corner.
  2. At the top, click on the Misc Tools button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this list in your next reply.

Step 3

Show hidden files and folders
  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.

Step 4

  1. Navigate to C:\WINDOWS\system32 folder.
  2. Locate this file: msconfig.exe
  3. Right click on msconfig.exe and select Properties.
  4. Select the Version tab.
  5. Please post the Description, File Version and Copyright details of this file.

In your next reply, please post:

  1. A new HijackThis log
  2. The Uninstall list
  3. The details of C:\WINDOWS\system32\msconfig.exe file

Post by FrostyC » August 18th, 2007, 12:25 pm

I must apologize, I downloaded and ran this tool called "A-Squared" and it seems to have removed the arrjl.dll file I was having trouble with. It actually found a few things that many programs overlooked. It also picked up everything put on my system by Ares (p2p program), but I did not remove any of those entries as everyone says it's safe.
I do however want to make sure I'm perfectly clean and the infection doesn't come back. I have locked my system down pretty well too (firewall, CookieSafe extension, NoScript extension). If I am 100% clean, at least there will be a resource for people who run into this problem later. Please examine my logs & see how they look. Once again I apologize for running the A-Squared tool before hearing your advice; I hope I did not complicate matters.

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:00:04 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\EvilDesk-0.9.0.217\wezdesk.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\A-Squared\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\dbatp.exe
C:\Program Files\Stardock\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\HDD Temperature\DTemp.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\dumb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\VistaDrives\vsdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Battery Doubler.lnk = C:\Program Files\Dachshund Software\Battery Doubler\Battery Doubler.exe
O4 - Startup: Disk Temperature.lnk = C:\Program Files\HDD Temperature\DTemp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Stardock\Object Desktop\ObjectBar\ObjectBar.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O20 - Winlogon Notify: arrjl - arrjl.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-Squared\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Agere Systems - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Uninstall List
µTorrent
Acronis True Image Home
Actual Window Manager 4.5
Adobe Flash Player Plugin
ArcSoft MediaConverter
Ares 2.0.8
AsfTools 3.1 (remove only)
a-squared Free 3.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
AVS DVD Player version 2.4
Battery Doubler 1.2.1
Bazooka Scanner
BootSkin
CCleaner (remove only)
Cool Edit Pro v1.2a
Darkstone
DivX Web Player
DVD-lab 1.3.1
eMule Shell Extension
Eusing Free Registry Cleaner
ExplorerXP (remove only)
FileASSASSIN
FLAC 1.1.4b (remove only)
GoldWave v4.26
HijackThis 1.99.1
IconPackager
Indeo® software
IrfanView (remove only)
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 3.2.5 Full
K-Meleon 1.1 en-US (remove only)
Locate32
LogonStudio
Macromedia Flash Player 8
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework 1.0
Miranda IM 0.6.8
Mozilla Firefox (2.0.0.2)
muvee autoProducer 4.1
Native Instruments FM7
Nero 7 Demo
ObjectBar
PDF Reader 2
Picasa 2
PMP DV
PowerISO
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Riva FLV Encoder 2.0
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
sfArk
SiteHound for FireFox 1.4.3
SmartFTP
Sony Sound Forge 7.0
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Star Downloader Pro
SUPER © Version 2007.bld.23 (July 4, 2007)
Synaptics Pointing Device Driver
TMPGEnc 3.0 XPress
TOSHIBA Software Modem
Trend Micro TrendProtect for Firefox
Tweak UI
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
VideoLAN VLC media player 0.8.6c
Wez's Evil Shell Desktop 0.9.0.217
Winamp (remove only)
WindowBlinds
Windows Media Format Runtime
Windows Media Player Firefox Plugin
WinRAR archiver
XviD MPEG4 Video Codec (remove only)
ZoneAlarm

MSCONFIG.EXE Details
File Version: 5.1.2600.2180
Description: System Configuration Utility
Copyright: © Microsoft Corporation. All rights reserved.

Thank you for taking your time to examine my information & helping me out. I appreciate it very much.

Post by ndmmxiaomayi » August 19th, 2007, 9:51 pm

Hello FrostyC,

a-squared didn't pick up your P2P stuff as infected for no reason. Please run a-squared again and remove the infected files.

By leaving the infected files on your system, you are putting yourself at risk of more infections if you execute those files, whether intentionally or unintentionally.

Also, you are using P2P programs. While these programs are malware-clean, it doesn't mean your files are. As a precaution, please do not use them while we are cleaning your machine, to avoid getting more infections. For more information, please visit Malware Removal Clean and Infected P2P Programs List and Spyware Info Clean and Infected P2P Programs List.

Step 1

Please open Notepad and copy and paste the following in the Code box into Notepad.

Code: Select all
regedit /e C:\peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e C:\peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
rem Overwrite (not append) so a rerun does not stack stale copies in startup.txt
type C:\peek1.txt > C:\startup.txt
type C:\peek2.txt >> C:\startup.txt
rem Full path: the files were written to C:\, not to the folder peek.bat runs from
del /q C:\peek*.txt
start C:\startup.txt


Click on File > Save As....

In the File Name field, copy and paste in peek.bat
In the Save As Type field, select All Files from the drop-down list.

Click Save.

Double click on peek.bat to run it. A Command Prompt window will open and close quickly; this is normal. Notepad will open shortly afterwards, please post the contents of this Notepad in your next reply.

Step 2

Please disable Spyware Guard temporarily as it may interfere with the fixes.

  1. Right click on the red SG icon in the system tray (next to the clock). This will open the program.
  2. Go to File > Exit. Click Yes when it prompts you.
  3. SpywareGuard will automatically restart again when you boot up the PC again.

Step 3

Please open HijackThis and select Do a system scan only.

Put a check (tick) next to these lines:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O20 - Winlogon Notify: arrjl - arrjl.dll (file missing)


Click Fix checked. Close HijackThis.

In your next reply, please post:

  1. a-squared scan log (if you have saved one)
  2. The contents of Notepad from Step 1 (C:\startup.txt)
  3. A new HijackThis log
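The two keys peek.bat exports are where msconfig records each startup item a user unticks on its Startup tab: startupreg for Run-key values and startupfolder for Startup-folder shortcuts. Each startupreg subkey keeps the hive and key the value lived in, the value name and the original command so the item can be re-enabled later, which is also why a disabled item stays on the machine after the Run value itself is gone, and why a helper asks for this export alongside the HijackThis log. The Python below is an added example, not part of this post or of any tool named in it: it parses the .reg text that regedit /e writes (and that the batch file joins into startup.txt), lists the disabled items with their origin and command, and applies one heuristic of its own, flagging commands that name a bare file with no directory, since those are found through the search path and have to be located before they can be checked. The sample is the startup.txt posted in the reply that follows; hex-value line continuations of the .reg format are not handled, since these keys hold only strings.

```python
"""Read the startup.txt that peek.bat produces (a `regedit /e` export of the two
MSConfig keys) and list the startup items msconfig has disabled.

Added example, not part of the thread or of any tool it names. Only the string
values those keys hold are parsed; hex: data and its line continuations are out
of scope. The sample text is the startup.txt posted in the reply below, and the
bare-filename check is this example's own heuristic.
"""
import re

STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
STARTUPFOLDER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"

KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...\key\subkey]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=<data>

# Copied from the startup.txt posted in the next reply (two exports joined by `type`).
SAMPLE_STARTUP_TXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hide Taskbar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TweakShell"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Stardock\\Object Desktop\\IconPackager\\TweakShell.exe\" tbhide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
"""


def decode_reg_export(data):
    """regedit /e writes UTF-16LE with a BOM; older REGEDIT4 exports are ANSI text."""
    if isinstance(data, str):
        return data
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")   # assumption: Western-locale ANSI


def unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for every [key] block in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip("\ufeff")          # a BOM can survive the `type` concatenation
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])           # REG_SZ; dword:/hex: data is kept verbatim
            keys[current][unescape(m.group(1))] = data
    return keys


def disabled_startup_items(text):
    """Each startupreg subkey is one Run value msconfig unticked: hive + key it came
    from, the value name and the original command, kept so it can be re-enabled."""
    items = []
    for path, values in parse_reg_export(text).items():
        parent, _, name = path.rpartition("\\")
        if name and parent.lower() == STARTUPREG.lower():
            items.append({"name": name,
                          "origin": values.get("hkey", "") + "\\" + values.get("key", ""),
                          "value_name": values.get("item", ""),
                          "command": values.get("command", "")})
    return items


def disabled_startup_shortcuts(text):
    """Subkeys of startupfolder (Startup-folder shortcuts msconfig unticked), values as exported."""
    return {path.rpartition("\\")[2]: values
            for path, values in parse_reg_export(text).items()
            if path.rpartition("\\")[0].lower() == STARTUPFOLDER.lower()}


def command_executable(command):
    """Program part of a Run-value command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def review(items):
    """Heuristic (this example's own): a command with no directory component is
    resolved through the search path, so the file must be located before it is trusted."""
    notes = {}
    for item in items:
        exe = command_executable(item["command"])
        if exe and "\\" not in exe:
            notes[item["name"]] = "bare filename %s is resolved via the search path; locate it first" % exe
    return notes


if __name__ == "__main__":
    items = disabled_startup_items(decode_reg_export(SAMPLE_STARTUP_TXT))
    notes = review(items)
    for item in items:
        print(item["name"], "|", item["origin"], "|", item["command"])
        if item["name"] in notes:
            print("    !", notes[item["name"]])
```

On the sample this yields two disabled items, the IconPackager TweakShell entry and RTHDCPL, and flags only RTHDCPL.EXE, whose command carries no path. On this machine that name resolves to C:\WINDOWS\RTHDCPL.EXE, as the running-process list in the next HijackThis log shows, but nothing in the export alone proves that, which is the point of the flag.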

Post by FrostyC » August 20th, 2007, 6:39 pm

Ran A-Squared & removed all Entries, here's the report:
a-squared Free - Version 3.0
Last update: 8/18/2007 1:01:10 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 8/20/2007 5:17:43 PM

Value: HKEY_CLASSES_ROOT\arlnk --> URL Protocol detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\bounds --> Main.Height detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\bounds --> Main.Left detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\bounds --> Main.Maximized detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\bounds --> Main.Top detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\bounds --> Main.Width detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Columns\Transfers --> Download detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Columns\Transfers --> Queue detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Columns\Transfers --> Upload detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Data --> AresNet1 detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Data --> JI.AresNet1 detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Positions\Transfers --> Download detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Positions\Transfers --> Queue detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares\Positions\Transfers --> Upload detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Extra.ShowActiveCaption detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> General.AutoConnect detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> General.AutoStartUp detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> General.LastLibraryMode detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> GUI.LastChatRoomBrowse detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> GUI.LastLibrary detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> GUI.LastPMBrowse detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> GUI.LastSearch detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Network.DHTID detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Personal.GUID detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Privacy.SendRegularPath detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> PrivateMessage.AllowBrowse detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> PrivateMessage.AwayMessage detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.CAvgTime detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.CDnSpeed detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.CFRTime detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.CTtUptime detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.CUpSpeed detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.HasLQCa detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.LstCaQuery detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Stats.LstCaQueryInt detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Transfer.MaximizeUpBandOnIdle detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Transfer.ServerPort detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> DisplayName detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> DisplayVersion detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> Publisher detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> UninstallString detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> URLInfoAbout detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares --> URLUpdateInfo detected: Trace.Registry.Ares
Value: HKEY_CLASSES_ROOT\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> ChatRoom.AutoAddToFavorites detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> ChatRoom.AutoClose detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> ChatRoom.ShowTaskBtn detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> General.HookBitTorrentExt detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> General.Language detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> General.MSNSongNotif detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Hashing.Priority detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Playlist.PreviousASXApp detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Playlist.PreviousM3UApp detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Playlist.PreviousWAXApp detected: Trace.Registry.Ares
Value: HKEY_USERS\S-1-5-21-1085031214-963894560-725345543-500\Software\Ares --> Torrents.PreviousApp detected: Trace.Registry.Ares
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Ares
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:25 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:26 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:27 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:28 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:40 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:71 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:72 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:73 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:74 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:75 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:81 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:116 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:119 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:120 detected: Trace.TrackingCookie
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nuqm6izu.default\cookies.txt:130 detected: Trace.TrackingCookie
C:\Program Files\ACCUXP\kv.exe detected: Riskware.PSWTool.Win32.RAS.a

Scanned

Files: 43680
Traces: 310708
Cookies: 192
Processes: 33

Found

Files: 1
Traces: 56
Cookies: 15
Processes: 0
Registry keys: 0

Scan end: 8/20/2007 5:44:11 PM
Scan time: 12:26:28 AM


startup.txt:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hide Taskbar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TweakShell"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Stardock\\Object Desktop\\IconPackager\\TweakShell.exe\" tbhide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Toshiba Hotkey Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hotkey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]


New HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 6:38:48 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\EvilDesk-0.9.0.217\wezdesk.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HDD Temperature\DTemp.exe
C:\Program Files\A-Squared\a2service.exe
C:\Program Files\Stardock\Object Desktop\ObjectBar\ObjectBar.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Integrator.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\dbatp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\VistaDrives\vsdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Battery Doubler.lnk = C:\Program Files\Dachshund Software\Battery Doubler\Battery Doubler.exe
O4 - Startup: Disk Temperature.lnk = C:\Program Files\HDD Temperature\DTemp.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectBar.lnk = C:\Program Files\Stardock\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\A-Squared\a2service.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
FrostyC
Active Member
 
Posts: 7
Joined: August 16th, 2007, 10:13 pm
Location: Louisville, KY

Unread postby ndmmxiaomayi » August 21st, 2007, 8:46 am

Step 1

Please disable Spyware Guard temporarily as it may interfere with the fixes.

  1. Right click on the red SG icon in the system tray (next to the clock). This will open the program.
  2. Go to File > Exit. Click Yes when it prompts you.
  3. SpywareGuard will automatically restart again when you boot up the PC again.

Step 2

Please open HijackThis and select Do a system scan only.

Put a check (tick) next to these lines:

O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:


Click Fix checked. Close HijackThis.

Step 3

  1. Please download AVG Anti-Spyware and save it to your desktop.
  2. Double click on avgas-setup-7.5.0.50.exe to install AVG Anti-Spyware. Install it in the default location.
  3. Once installed, start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  4. In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  5. Now click on the Scanner button at the top.
  6. Select the Settings tab.
  7. Under How to act?, click on Recommended actions and select Quarantine.
  8. Under How to scan?, check (tick) all the boxes.
  9. Under Possibly unwanted software:, check (tick) all the boxes.
  10. Under Reports:, uncheck (untick) the Only if threats were found box and select Do not automatically generate report.
  11. Under What to scan?, select Scan every file.
Do not run a scan yet. You will run a scan later.

Step 4

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Step 5

Reboot into Safe Mode by following the instructions below:

  • When you see the BIOS screen, start pressing F8.
  • A boot menu will appear shortly.
  • Using the up/down arrow keys, select Safe Mode and press the Enter key.
  • Windows will now load.
  • Log in to your usual account.

Step 6

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. Click on the Scanner button at the top.
  3. Select the Scan tab.
  4. Click on Complete System Scan to start the scan.
  5. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you have clicked the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  6. When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  7. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Restart your computer in Normal Mode.

Please post back a new HijackThis log as well as the AVG Antispyware scan report in your next reply.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am
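As an added example (not from this thread and not HijackThis's own code): a small Python parser for log lines in the HijackThis v1.99 format shown in the log above, with a few flagging rules of my own that single out the kind of entries dealt with in Step 2, such as the blank O13 prefixes, plus the O20 WgaLogon entry that points at a directory rather than a DLL. The sample lines are constructed from the shape of the log; the rules are assumptions, not HijackThis's own logic.

```python
import re

# Constructed sample: a handful of lines in HijackThis v1.99 format, modelled on the
# shape of the log posted above (not a complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: dbatp - Warranty Corporation of America - C:\WINDOWS\dbatp.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

MODULE_RE = re.compile(r"\.(dll|exe|sys)$", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (section, body, reason) for entries worth a closer look.

    These heuristics are my own assumptions for this example, not HijackThis's logic.
    """
    flags = []
    for sec, body in entries:
        if sec == "O13" and body.rstrip().endswith(":"):
            # Empty URL prefix: exactly the O13 lines the helper asked to have fixed.
            flags.append((sec, body, "URL prefix is empty"))
        elif sec in ("O2", "O20", "O23"):
            # BHOs, Winlogon notify packages and services should name a module file.
            path = body.rsplit(" - ", 1)[-1].strip()
            if path.endswith("\\") or not MODULE_RE.search(path):
                flags.append((sec, body, "entry points at a directory or non-module path"))
        elif sec == "O4" and "\\" not in body.split("] ", 1)[-1]:
            # A bare file name in a Run value is resolved through the search path,
            # so the log alone does not tell you which file actually runs.
            flags.append((sec, body, "Run entry uses a bare file name"))
    return flags


if __name__ == "__main__":
    for sec, body, reason in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}\n    {body}")
```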

Unread postby FrostyC » August 22nd, 2007, 11:37 am

I did everything up to step 6, then I hit a brick wall. My touchpad WILL NOT work in safe mode for some reason, and apparently you cannot control AVG Anti-Spyware without the mouse. I have no PS2 mouse port either... At first I thought it was my shell replacement, but even after resetting it to explorer.exe the touchpad still was not responding (in safe mode)... It works fine with a normal boot though. I don't know what to do... Is there a command line version of AVG Anti-Spyware or something? I'll continue working on getting the touchpad working in Safe mode though.
FrostyC
Active Member
 
Posts: 7
Joined: August 16th, 2007, 10:13 pm
Location: Louisville, KY

Unread postby ndmmxiaomayi » August 23rd, 2007, 12:55 am

Hi FrostyC,

Please proceed to work with Normal Mode instead. Or if you have a USB mouse, please plug it in and try in Safe Mode.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby FrostyC » August 23rd, 2007, 12:01 pm

I have a friend who owns a wireless USB mouse; I've asked him to let me use it later today. If it works I will proceed in safe mode, otherwise I will do the normal scan & report back.
FrostyC
Active Member
 
Posts: 7
Joined: August 16th, 2007, 10:13 pm
Location: Louisville, KY

Unread postby FrostyC » August 27th, 2007, 10:46 am

Sorry, my laptop died... I'm guessing it was the power supply, or the switch itself, because it wouldn't even turn on. This had nothing to do with the malware I'm sure, & a lot to do with the abuse the thing had taken over the years. For what it's worth, I'm pretty sure I got rid of the malware before the damn thing died on me, because I ran a scan in AVG Anti-Virus, AVG Anti-Spyware, A-Squared, Ad-Aware, Spybot, Bazooka & a few other utilities and they all said 'No Threats Detected/Found' (not even a tracking cookie!). Thank you immensely for your help. If I have any future problems with malware (I hope not though) I will most definitely be back and will highly recommend your forum to others facing the same predicament.
As I said before you guys are doing a wonderful thing! Keep up the good work!
FrostyC
Active Member
 
Posts: 7
Joined: August 16th, 2007, 10:13 pm
Location: Louisville, KY

Unread postby ndmmxiaomayi » August 28th, 2007, 6:25 am

Hi FrostyC,

Sorry to hear that. :(

Here are some tips to prevent it from happening again once your laptop is repaired.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Make your Internet Explorer safer

For Internet Explorer 6

  1. Open Internet Explorer. Click on Tools > Options.
  2. Click on the Security tab.
  3. Click on the Internet icon.
  4. Click on the Custom Level button.
  5. Under Download signed ActiveX controls, select Prompt.
  6. Under Download unsigned ActiveX controls, select Disable.
  7. Under Initialize and script ActiveX controls not marked as safe, select Disable.
  8. Under Installation of desktop items, select Prompt.
  9. Under Launching programs and files in an IFRAME, select Prompt.
  10. Under Navigate sub-frames across different domains, select Prompt.
  11. Under Allow paste operations via script, select Disable.
  12. Click OK to apply these settings.
  13. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  14. Press OK to exit the Internet Properties page.
For a pictorial guide, please refer to this article.

For Internet Explorer 7

If you intend to upgrade from Internet Explorer 6 to Internet Explorer 7, please read this article to configure Internet Explorer 7 properly.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.
  2. SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spyware.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can read SpywareGuard's tutorial at Bleeping Computer.
  3. IE-SPYAD
    IE-SPYAD adds over 5000 sites to your Internet Explorer restricted zone so that you will be protected if the website turns out to be a bad one. Sites that are in the restricted zone of Internet Explorer can't run any scripts, and downloads and cookies are blocked. However, you can still connect to these sites.

    You can download IE-SPYAD from Spyware Warrior. Be sure to read the whole website carefully for instructions on usage of IE-SPYAD.

    Updates for IE-SPYAD can be found at Castlecops.
  4. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    These Hosts files replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. The new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

    Updates for the Hosts File can be found at Castlecops.
  5. Lavasoft Ad-Aware
    Ad-Aware is an anti-spyware program. Like your antivirus program, please run an Ad-Aware scan at least once per week.

    Ad-Aware can be downloaded from here.

    If you need help in using Ad-Aware, you can read Ad-Aware's tutorial at Bleeping Computer.
  6. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. It also has other preventive options. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.
  7. a-squared Free
    a-squared Free is also another program for scanning for spyware and adware. It doesn't have preventive features like Spybot Search & Destroy though.

    You can download a-squared Free from here.
  8. CounterSpy
    CounterSpy is pretty much like Spybot Search & Destroy, but it isn't free.
    You can try CounterSpy for 15 days.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs. This will save you from a lot of trouble. If in doubt, don't ever download it.
  9. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware, or has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
  10. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.


Use an alternative Internet Browser

Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead.

Firefox
Opera
K-Meleon

Use an alternative email client

If you are using Outlook Express as your default email client, try using Thunderbird or Pegasus Mail instead.

Here are some more things to read about:

List of clean and infected download managers
Configuring Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
The Unofficial Cookie FAQ
Securing your home wireless network
80 Super Security Tips
The different classes of security software
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am
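As an added example (not part of the post above and not code from any of the Hosts file projects it lists): a Python audit of a hosts file in the layout those block lists use, separating the expected 127.0.0.1 / 0.0.0.0 block entries described under "Hosts File" from any entry that sends a name somewhere else, which a block list never does. The sample file is constructed; the three category labels are my own.

```python
import ipaddress

# Constructed sample hosts file in the layout MVPS-style block lists use.
# The names are documentation/reserved domains, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of entries generated by a block list]
127.0.0.1  ads.example.net
0.0.0.0    tracker.example.org  # some lists use the unspecified address instead
127.0.0.1  update.example-antivirus.test
198.51.100.7   www.example-bank.test
"""

# Addresses a block list points names at: the connection goes nowhere.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped, aliases expanded."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(pairs):
    """Sort entries into 'local', 'blocked' and 'redirect' (labels are my own).

    'blocked' is what a block list installs; 'redirect' is any name sent to a
    real address, which a block list never does, so each one should be explained.
    """
    report = {"local": [], "blocked": [], "redirect": []}
    for ip, name in pairs:
        if name in LOCAL_NAMES:
            report["local"].append((ip, name))
        elif ip in BLACKHOLE:
            report["blocked"].append((ip, name))
        else:
            report["redirect"].append((ip, name))
    return report


if __name__ == "__main__":
    report = audit_hosts(parse_hosts(SAMPLE_HOSTS))
    for category, entries in report.items():
        print(f"{category}: {len(entries)}")
        for ip, name in entries:
            print(f"    {ip:<16} {name}")
```

Anything in the redirect category, and any blocked name belonging to a vendor whose update servers you rely on, deserves a manual check, because a block list only ever points names at a blackhole address.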

Unread postby NonSuch » September 2nd, 2007, 10:29 pm

As this issue appears to be resolved, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California