
Renos Trojan removal problems

Post by ImpulseGuy » November 2nd, 2008, 8:40 pm

I am running Windows 2000, Build: 2195: Service Pack 4 and I am up to date on all security updates for Win2K and IE 6.0.
Overnight my computer rebooted and now is displaying the typical Renos "Your computer is infected" system tray message. I run Zone Alarm, NOD32, and connect to the Internet through a router and a PPPoE host program called WinPoet. I routinely run Search & Destroy and Adaware. Usually I am completely free from these invasions and this is most annoying. Despite my Google searches on this issue no claimed solutions have worked. Most especially distracting was the idiotic advice from BullGuard.com. Stay away from them. Here's my HijackThis report. I would greatly appreciate any help and will happily fill in blanks I've left out in this post. Thank you much.

-Pete

HJ output:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:09 PM, on 11/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\system32\CTsvcCDA.exe
E:\WINNT\System32\svchost.exe
e:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
L:\SQLDATAMSSQL$SQL01\Binn\sqlservr.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINNT\system32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\Program Files\WinPoET Broadband Connection\WrOS.EXE
E:\WINNT\system32\MsPMSPSv.exe
E:\WINNT\system32\svchost.exe
L:\SQLDATAMSSQL$SQL01\Binn\sqlagent.EXE
E:\WINNT\Explorer.EXE
E:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\Program Files\Eset\nod32kui.exe
E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
E:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
E:\WINNT\system32\CTHELPER.EXE
E:\Program Files\QuickTime\qttask.exe
E:\WINNT\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\CameraAssistant.exe
E:\WINNT\system32\ElkCtrl.exe
E:\Program Files\Picasa2\PicasaMediaDetector.exe
E:\Program Files\WinPoET Broadband Connection\WrDialer.exe
E:\Program Files\PestPatrol\PPControl.exe
E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\Google\Google Talk\googletalk.exe
H:\Program Files\Google\Gmail Notifier\gnotify.exe
E:\WINNT\system32\brastk.exe
E:\Program Files\Quicken\bagent.exe
E:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\WINNT\system32\taskmgr.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
i:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
i:\PROGRA~1\AVG\AVG8\avgam.exe
i:\PROGRA~1\AVG\AVG8\avgrsx.exe
i:\PROGRA~1\AVG\AVG8\avgnsx.exe
I:\Program Files\AVG\AVG8\avgtray.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\PROGRA~1\AVG\AVG8\aAvgApi.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
L:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
L:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - i:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - i:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - i:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "E:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] E:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] E:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] E:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] E:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] E:\WINNT\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Picasa Media Detector] E:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [z-WrDialer] E:\Program Files\WinPoET Broadband Connection\WrDialer.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] h:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [brastk] E:\WINNT\system32\brastk.exe
O4 - HKLM\..\Run: [AVG8_TRAY] i:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "E:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [QuickenScheduledUpdates] E:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [updateMgr] E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [brastk] E:\WINNT\system32\brastk.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CAMEDIA Master.lnk = E:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Service Manager.lnk = E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://L:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5509E5DF-3A08-4897-9438-7D3F6245F34E}: NameServer = 207.69.188.186,207.69.188.185
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - i:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: E:\WINNT\system32\wmfhotfix.dll,avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - i:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - e:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - E:\Program Files\WinPoET Broadband Connection\WrOS.EXE

--
End of file - 9537 bytes
ImpulseGuy
Active Member
 
Posts: 2
Joined: November 2nd, 2008, 6:31 pm
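A small triage helper for the HijackThis log format posted above: it pulls out the O4 HKLM/HKCU Run entries and the O20 AppInit_DLLs line, then reports which executables are registered under both the machine-wide and the per-user Run key and which DLLs are set to load into every process. This is an added example, not a tool from the thread or from MalwareRemoval.com; the log excerpt is constructed from lines in the post, and flagged entries are only pointers for a reviewer, not verdicts.

```python
import re

# Constructed excerpt of a HijackThis 2.0 log, modelled on the lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [brastk] E:\WINNT\system32\brastk.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [brastk] E:\WINNT\system32\brastk.exe
O20 - AppInit_DLLs: E:\WINNT\system32\wmfhotfix.dll,avgrsstx.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")


def parse_o4(log):
    """Return one dict per HKLM/HKCU Run entry: hive, value name, command line, executable."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        # The executable is the quoted path, or else the first token ending in .exe.
        exe = re.match(r'"?([^"]+?\.exe)', cmd, re.I)
        exe_path = exe.group(1) if exe else cmd.split()[0]
        entries.append({"hive": hive, "name": name, "cmd": cmd, "exe": exe_path})
    return entries


def find_dual_hive_autoruns(entries):
    """Executables registered under both HKLM\\..\\Run and HKCU\\..\\Run (worth a reviewer's look)."""
    hives = {}
    for e in entries:
        hives.setdefault(e["exe"].lower(), set()).add(e["hive"])
    return {exe for exe, h in hives.items() if h == {"HKLM", "HKCU"}}


def appinit_dlls(log):
    """DLLs on the O20 AppInit_DLLs line; Windows loads these into every process that uses user32.dll."""
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            return [d.strip() for d in m.group(1).split(",") if d.strip()]
    return []


if __name__ == "__main__":
    runs = parse_o4(SAMPLE_LOG)
    print("Run entries:", len(runs))
    print("Under both hives:", sorted(find_dual_hive_autoruns(runs)))
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_LOG))
```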

Re: Renos Trojan removal problems

Post by Carolyn » November 6th, 2008, 5:41 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  1. Double click on mbam-setup.exe to install it.
  2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  5. Leave the default options as they are and click on Start Scan.
  6. When done, you will be prompted. Click OK, then click on Show Results.
  7. Check (tick) all items and click on Remove Selected.
  8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Next,
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post the following:
  1. The Malwarebytes' Anti-Malware log
  2. The contents of log.txt
  3. The contents of info.txt
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Renos Trojan removal problems

Post by ImpulseGuy » November 6th, 2008, 11:27 pm

Hi Carolyn,

Thank you for your great post and offer to help.
It is with no small embarrassment that I would ask you not to spend any more time on the HiJack analysis in this post until you read my response. I was doing multiple searches on the net about eradicating this malware and just recently found a post about using a sequence of tools to remove this pest.
http://www.bullguard.com/support/tech-guides/how-to-remove-trojanrenos-programwinfixer-and-other-rogue-antivirusantispyware-programs.aspx

It was successful in at least eliminating the annoying little tray popup. The sequence also unfortunately disabled my MSN Messenger's ability to log in. I walked through the sequence of downloading the exact same Messenger version, repointed the 2 registry keys that defined an incorrect path to the msnmsgs.msi file, but to no avail. It still can't login.

I have downloaded malwareremoval tool and run it.

I'm afraid I've complicated the original situation by adding onto it another layer. Unfortunately, I just acted on my own before I got your response. I will be happy to shut down all other running monitors and follow your instructions, if you think I have not already made this too complicated.

My apologies and thank you for your thoroughness. If you still think it's worth my going through your instructions I will do so (and nothing more in the meantime). Otherwise, we can close this topic and chalk it up to impatience on my part.

Thanks, Carolyn
ImpulseGuy
Active Member
 
Posts: 2
Joined: November 2nd, 2008, 6:31 pm

Re: Renos Trojan removal problems

Post by Carolyn » November 7th, 2008, 7:51 am

Hello ImpulseGuy,

No worries. Can you post the logs that were produced when you ran SmitRem, SmitfraudFix and RogueRemover? It would be helpful for me to see those. Also, post the Malwarebytes log. Go ahead and follow the instructions for running RSIT and post those logs as well please.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Renos Trojan removal problems

Post by NonSuch » November 14th, 2008, 11:32 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California