Desktop PC needs help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by Kurt » February 6th, 2008, 10:37 pm

My desktop PC shows signs of multiple errors. Please help. This PC was the source of a recent malware virus obtained by installing WinDVD from a P2P file download. I've since removed the program, run some virus and spyware cleaners, and cleaned the laptop that it was also installed on. I'm getting this error each time at boot up: "Error loading C:\WINNT\system32\glpplegn.dll. The specified module could not be found." The computer also fails to install Windows Updates and causes IE to freeze up!

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:24, on 2008-02-06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DeltTray.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {b698f1bc-825f-e9d8-fdf4-f56714910c51} - {15c01941-765f-4fdf-8d9e-f528cb1f896b} - C:\WINNT\system32\cinkhnkl.dll (file missing)
O2 - BHO: (no name) - {26B66D31-8578-4157-8EE2-F70E55DF266F} - C:\WINNT\system32\iiiih.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {9C24051F-B0A8-865F-89DD-E0ABDB7B059A} - C:\WINNT\system32\giuni.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [04d273ed] rundll32.exe "C:\WINNT\system32\glpplegn.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Hahh] "C:\PROGRA~1\SEMBLY~1\scanregw.exe" -vt yazb
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Suitcase Startup.lnk = C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB234BF-636E-49EF-96D8-A3C1D2B927C9}: Domain = Earthlink
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB234BF-636E-49EF-96D8-A3C1D2B927C9}: NameServer = 207.69.188.185,207.69.188.186,207.69.188.187
O20 - Winlogon Notify: gswzcsyy - gswzcsyy.dll (file missing)
O20 - Winlogon Notify: nnnolig - nnnolig.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINNT\PSEXESVC.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

--
End of file - 5729 bytes
Kurt
Regular Member
Posts: 27
Joined: February 1st, 2008, 2:48 pm
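The log above is read by hand in the replies that follow. As an added example that is not part of the original thread, the Python below applies the first-pass signals a helper looks for to a handful of lines copied from that log: an autostart entry whose target file no longer exists, a value name or DLL name that looks machine-generated, and a service with no vendor string. The sample lines are taken from the posted log; the heuristics, and in particular the thresholds in looks_random, are my own assumptions, not a published rule.

```python
"""Triage a HijackThis log for entries worth a second look.

Added example, not code from the thread or from HijackThis. The sample
below is a constructed excerpt of the log posted above; the heuristics
are assumptions chosen to separate the posted entries, nothing more.
"""
import re
from typing import List, NamedTuple

FILE_MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..."
BRACKET_NAME_RE = re.compile(r"\[([^\]]+)\]")           # value name in O4 lines
BASENAME_RE = re.compile(r"([\w~$-]+)\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-f]{8,}$")

# Constructed excerpt of the posted log (eight representative lines).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26B66D31-8578-4157-8EE2-F70E55DF266F} - C:\WINNT\system32\iiiih.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [04d273ed] rundll32.exe "C:\WINNT\system32\glpplegn.dll",b
O4 - HKCU\..\Run: [Hahh] "C:\PROGRA~1\SEMBLY~1\scanregw.exe" -vt yazb
O20 - Winlogon Notify: gswzcsyy - gswzcsyy.dll (file missing)
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINNT\PSEXESVC.EXE (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


class Finding(NamedTuple):
    section: str
    line: str
    reasons: List[str]


def looks_random(name: str) -> bool:
    """Assumed heuristic for generated names: an 8+ character hex string
    (04d273ed) or a run of 8+ letters with fewer than one vowel in four
    (glpplegn, gswzcsyy). Short or vowel-rich legitimate names such as
    jusched and avgupsvc are not flagged."""
    n = name.lower()
    if HEX_RE.match(n) and any(c.isdigit() for c in n):
        return True
    if n.isalpha() and len(n) >= 8:
        vowels = sum(c in "aeiou" for c in n)
        return vowels / len(n) < 0.25
    return False


def triage(log_text: str) -> List[Finding]:
    """Return every HJT entry that trips at least one signal, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        reasons = []
        if FILE_MISSING in body:
            reasons.append("target file missing")
        names = BRACKET_NAME_RE.findall(body) + BASENAME_RE.findall(body)
        if any(looks_random(n) for n in names):
            reasons.append("random-looking name")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service has no vendor string")
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {', '.join(f.reasons)}\n     {f.line}")
```

Running it flags the orphaned BHO, the rundll32 entry for glpplegn.dll, the Winlogon Notify DLL and the ownerless PsExec service. Note what it does not catch: the HKCU Run entry [Hahh] pointing at SEMBLY~1\scanregw.exe passes every heuristic, yet the helper removes it in the script posted later in this thread. A script like this narrows the list; the verdict still comes from the person reading the log.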

Re: Desktop PC needs help

Post by Simon V. » February 9th, 2008, 8:21 am

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.

Step 2

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt).
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Desktop PC needs help

Post by Kurt » February 9th, 2008, 3:40 pm

Thank you, Simon. I have done everything requested, with the logs posted below. Please note, I am still getting this error at boot up: "Error loading C:\WINNT\system32\glpplegn.dll." I will wait for you to review these logs before trying Windows Update or anything else.

ComboFix 08-02.05.3 - Kurt 2008-02-09 2:16:12.4 - NTFSx86
Running from: C:\Documents and Settings\Kurt LeBlanc\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 02:16 . 08-02-09 02:16 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_338.dat
2008-02-09 01:20 . 08-02-09 01:20 <DIR> d----c--- C:\Program Files\CCleaner
2008-02-09 01:19 . 08-02-09 01:19 671,752 --a--c--- C:\Temp\ccsetup204_slim.exe
2008-02-06 08:56 . 08-02-06 08:56 <DIR> d----c--- C:\Program Files\Trend Micro
2008-02-05 10:02 . 08-02-05 10:02 <DIR> d----c--- C:\Documents and Settings\Kurt LeBlanc\Application Data\Grisoft
2008-02-05 10:02 . 07-05-30 07:10 10,872 --a--c--- C:\WINNT\system32\drivers\AvgAsCln.sys
2008-02-05 09:29 . 08-02-05 09:29 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_35c.dat
2008-02-04 12:05 . 08-02-05 08:56 <DIR> d----c--- C:\Documents and Settings\Kurt LeBlanc\Application Data\AVG7
2008-02-04 12:05 . 08-02-04 12:05 <DIR> d----c--- C:\Documents and Settings\Default User\Application Data\AVG7
2008-02-04 12:05 . 08-02-04 12:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 12:05 . 08-02-07 08:37 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-04 12:05 . 08-02-04 12:05 499,712 --a--c--- C:\WINNT\system32\msvcp71.dll
2008-02-04 12:05 . 08-02-04 12:05 348,160 --a--c--- C:\WINNT\system32\msvcr71.dll
2008-02-04 12:05 . 08-02-04 12:05 26,944 --a--c--- C:\WINNT\system32\drivers\avg7rsnt.sys
2008-02-04 11:57 . 08-02-04 11:57 294 --ahsc--- C:\WINNT\system32\ngelpplg.ini
2008-02-04 11:39 . 07-12-14 01:59 69,632 --a--c--- C:\WINNT\system32\javacpl.cpl
2008-02-04 11:38 . 08-02-04 11:39 <DIR> d----c--- C:\Program Files\Java
2008-02-04 11:38 . 08-02-04 11:38 <DIR> d----c--- C:\Program Files\Common Files\Java
2008-02-04 11:14 . 08-02-04 11:14 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_350.dat
2008-02-03 12:16 . 08-02-06 20:24 644,670 ---h-c--- C:\WINNT\ShellIconCache
2008-02-03 11:01 . 08-02-03 11:01 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_358.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 00:48 --------- dc----w C:\Documents and Settings\Kurt LeBlanc\Application Data\uTorrent
2003-02-27 04:05 271 ---h--w C:\Program Files\desktop.ini
2003-02-27 04:05 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15c01941-765f-4fdf-8d9e-f528cb1f896b}]
C:\WINNT\system32\cinkhnkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B66D31-8578-4157-8EE2-F70E55DF266F}]
C:\WINNT\system32\iiiih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C24051F-B0A8-865F-89DD-E0ABDB7B059A}]
C:\WINNT\system32\giuni.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-03 19:24 68856]
"Hahh"="C:\PROGRA~1\SEMBLY~1\scanregw.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"DeltTray"="DeltTray.exe" [02-12-06 15:19 56320 C:\WINNT\system32\delttray.exe]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [01-12-07 04:48 258118]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-07-07 21:35 282624]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [06-07-29 06:07 188416]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [07-12-14 03:42 144784]
"04d273ed"="C:\WINNT\system32\glpplegn.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-02-04 12:10 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-02-04 12:05 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\Kurt LeBlanc\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-03-01 17:25:46 196608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2003-03-01 17:49:22 127488]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
Suitcase Startup.lnk - C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe [2006-12-27 00:41:30 3145728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gswzcsyy]
gswzcsyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnolig]
nnnolig.dll

R0 amd751;AMD AGP Bus Filter;C:\WINNT\system32\DRIVERS\amd751.sys [99-09-28 10:37 ]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-02-04 12:05 ]
R3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mpaa.sys [99-10-27 10:11 ]
R3 DIO;Service for DIO Driver (WDM);C:\WINNT\system32\drivers\dio2448.sys [00-05-25 04:04 ]
S0 epstwnt;epstwnt;C:\WINNT\system32\Drivers\epstwnt.mpd []
S2 SHARSHTL;Shuttle Sharer;C:\WINNT\system32\Drivers\sharshtl.sys [98-03-30 02:18 ]
S3 EWAVE;EWAVE;C:\WINNT\System32\drivers\ew.sys []
S3 FILESPY;FILESPY;C:\WINNT\System32\drivers\FILESPY.sys []
S3 NSTATION;NSTATION;C:\WINNT\System32\drivers\nstation.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINNT\system32\DRIVERS\scsiscan.sys [99-09-25 10:36 ]
S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\system32\DRIVERS\slnt7554.sys [00-06-28 02:29 ]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINNT\system32\drivers\usb22ldr.sys [03-06-28 14:12 ]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;C:\WINNT\system32\drivers\usbmm2x2.sys []
S3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINNT\system32\drivers\usbmn2x2.sys [03-06-28 14:12 ]
S3 V90drv;v90drv;C:\WINNT\system32\DRIVERS\v90drv.sys [00-06-28 02:29 ]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINNT\system32\DRIVERS\vsc.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 02:18:29
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-09 2:19:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:31, on 2008-02-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DeltTray.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {b698f1bc-825f-e9d8-fdf4-f56714910c51} - {15c01941-765f-4fdf-8d9e-f528cb1f896b} - C:\WINNT\system32\cinkhnkl.dll (file missing)
O2 - BHO: (no name) - {26B66D31-8578-4157-8EE2-F70E55DF266F} - C:\WINNT\system32\iiiih.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {9C24051F-B0A8-865F-89DD-E0ABDB7B059A} - C:\WINNT\system32\giuni.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [04d273ed] rundll32.exe "C:\WINNT\system32\glpplegn.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Hahh] "C:\PROGRA~1\SEMBLY~1\scanregw.exe" -vt yazb
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Suitcase Startup.lnk = C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB234BF-636E-49EF-96D8-A3C1D2B927C9}: Domain = Earthlink
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB234BF-636E-49EF-96D8-A3C1D2B927C9}: NameServer = 207.69.188.185,207.69.188.186,207.69.188.187
O20 - Winlogon Notify: gswzcsyy - gswzcsyy.dll (file missing)
O20 - Winlogon Notify: nnnolig - nnnolig.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

--
End of file - 5475 bytes


CCleaner Uninstall List:
µTorrent
3ivx D4 4.0.4 (remove only)
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Shockwave Player
AVG 7.5
AVG Anti-Spyware 7.5
Beyond Compare
CCleaner (remove only)
Dimage Scan Dual for Windows Ver.2.0.0E
Directory Printer
DVD Decrypter (Remove Only)
EditPlus 2
EPSON Printer Software
Extensis Suitcase 9.2.1
FixedLength
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
HP PrecisionScan and Utilities
Ink Monitor
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
iolo technologies' System Mechanic
ISScript
Java(TM) 6 Update 4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office 2000 SR-1 Premium
Microsoft Windows Journal Viewer
Midisport 2x2 1.0.1.0
Mozilla Firefox (2.0.0.2)
MSN Music Assistant
Musicnotes Player V1.22.3
Native Instruments FM7
OIN
Panda ActiveScan
PowerISO
QuickTime
Remote Desktop Connection
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
SlicyDrummer Lite
SMC7004BR
Torrent Harvester
Uninstall USB V.90 FAX MODEM
Update Rollup 1 for Windows 2000 SP4
VeloMaster Lite CW
WebFldrs
Webshots!
Winamp3 (remove only)
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB887797
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937143
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Hotfix (SP5) Q818043
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
WinRAR archiver
WinTouch
WinZip
Kurt
Regular Member
Posts: 27
Joined: February 1st, 2008, 2:48 pm

Re: Desktop PC needs help

Post by Simon V. » February 9th, 2008, 4:01 pm

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

µTorrent
Torrent Harvester


Also remove the following program:

OIN

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINNT\system32\ngelpplg.ini

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15c01941-765f-4fdf-8d9e-f528cb1f896b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B66D31-8578-4157-8EE2-F70E55DF266F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C24051F-B0A8-865F-89DD-E0ABDB7B059A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hahh"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"04d273ed"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gswzcsyy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnolig]


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
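The CFScript in the reply above uses .reg-file conventions: a bracketed key prefixed with a minus sign ([-KEY]) asks ComboFix to delete the whole key, a "name"=- line under a plain [KEY] header deletes a single value, and the File:: section lists files to remove. As an added example (my code, not ComboFix's), the Python below parses those two sections and then checks a ComboFix "Reg Loading Points" listing, which uses the same REGEDIT4 layout, to confirm that every targeted key and value is gone. The BEFORE and AFTER listings are constructed excerpts of the dumps posted in this thread; the ~ in the BHO key path is kept exactly as ComboFix prints it, keys and value names are compared case-insensitively because the registry is, and nothing here touches a real registry or file system.

```python
"""Check that a CFScript's registry targets are absent from a later ComboFix dump.

Added example, not ComboFix's own code. The CFScript and the two registry
listings are constructed excerpts of what was posted in this thread.
Syntax assumed: '[-KEY]' deletes a key, '"name"=-' under '[KEY]' deletes a
value, 'File::' lists files to delete (the .reg conventions the script mirrors).
"""
import re

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')
VALUE_RE = re.compile(r'^"([^"]+)"=')

# Constructed excerpt of the CFScript posted above.
CFSCRIPT = r"""
File::

C:\WINNT\system32\ngelpplg.ini

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B66D31-8578-4157-8EE2-F70E55DF266F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"04d273ed"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gswzcsyy]
"""

# Constructed excerpts of the 'Reg Loading Points' listings before and after the script ran.
BEFORE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26B66D31-8578-4157-8EE2-F70E55DF266F}]
C:\WINNT\system32\iiiih.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [07-12-14 03:42 144784]
"04d273ed"="C:\WINNT\system32\glpplegn.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-02-04 12:10 579072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gswzcsyy]
gswzcsyy.dll
"""

AFTER = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [07-12-14 03:42 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-02-04 12:10 579072]
"""


def parse_cfscript(text):
    """Return the actions a CFScript requests: files to delete, registry keys
    to delete, and (key, value name) pairs to delete. Keys are lower-cased."""
    actions = {"files": [], "delete_keys": [], "delete_values": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header: File:: / Registry::
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            actions["files"].append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:                       # [-KEY] removes the whole key
                    actions["delete_keys"].append(key.lower())
                    current_key = None
                else:                           # [KEY] scopes the "name"=- lines below
                    current_key = key.lower()
                continue
            m = VALUE_DEL_RE.match(line)
            if m and current_key:
                actions["delete_values"].append((current_key, m.group(1).lower()))
    return actions


def parse_reg_dump(text):
    """Parse a REGEDIT4-style listing into {key: set(value names)}. A bare
    path line under a key (how ComboFix prints BHO and Winlogon Notify keys)
    still counts as the key existing."""
    dump, current = {}, None
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            current = m.group(2).lower()
            dump.setdefault(current, set())
            continue
        m = VALUE_RE.match(raw.strip())
        if m and current:
            dump[current].add(m.group(1).lower())
    return dump


def unresolved(actions, dump):
    """Registry targets from the script that are still present in the dump."""
    left = [f"key still present: {k}" for k in actions["delete_keys"] if k in dump]
    left += [f"value still present: {k}\\{v}"
             for k, v in actions["delete_values"] if v in dump.get(k, set())]
    return left


if __name__ == "__main__":
    acts = parse_cfscript(CFSCRIPT)
    print("before:", unresolved(acts, parse_reg_dump(BEFORE)))
    print("after: ", unresolved(acts, parse_reg_dump(AFTER)))
```

Against BEFORE all three registry targets are reported as still present; against AFTER the list is empty, which is the check to make on the log ComboFix writes after the script runs. The File:: entries are parsed but not verified here, since that needs the machine itself (the "Other Deletions" section of the next ComboFix log is where that confirmation appears in this thread).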

Re: Desktop PC needs help

Post by Kurt » February 9th, 2008, 6:02 pm

Okay done! The script looks to have solved my error loading glpplegn.dll. Please note that my system clock is still at military format. I'll wait for further instructions before trying Windows Update.

Here are the logs:

ComboFix 08-02.05.3 - Kurt 2008-02-09 3:51:04.5 - NTFSx86
Running from: C:\Documents and Settings\Kurt LeBlanc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kurt LeBlanc\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\system32\ngelpplg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\ngelpplg.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 03:51 . 08-02-09 03:51 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_368.dat
2008-02-09 02:49 . 08-02-09 02:49 <DIR> d----c--- C:\Temp\ComboFix Logs
2008-02-09 02:47 . 08-02-09 02:47 <DIR> d----c--- C:\Temp\CCleaner Uninstall List
2008-02-09 01:20 . 08-02-09 01:20 <DIR> d----c--- C:\Program Files\CCleaner
2008-02-09 01:19 . 08-02-09 01:19 671,752 --a--c--- C:\Temp\ccsetup204_slim.exe
2008-02-06 08:56 . 08-02-06 08:56 <DIR> d----c--- C:\Program Files\Trend Micro
2008-02-05 10:02 . 08-02-05 10:02 <DIR> d----c--- C:\Documents and Settings\Kurt LeBlanc\Application Data\Grisoft
2008-02-05 10:02 . 07-05-30 07:10 10,872 --a--c--- C:\WINNT\system32\drivers\AvgAsCln.sys
2008-02-05 09:29 . 08-02-05 09:29 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_35c.dat
2008-02-04 12:05 . 08-02-05 08:56 <DIR> d----c--- C:\Documents and Settings\Kurt LeBlanc\Application Data\AVG7
2008-02-04 12:05 . 08-02-04 12:05 <DIR> d----c--- C:\Documents and Settings\Default User\Application Data\AVG7
2008-02-04 12:05 . 08-02-04 12:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 12:05 . 08-02-07 08:37 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-04 12:05 . 08-02-04 12:05 499,712 --a--c--- C:\WINNT\system32\msvcp71.dll
2008-02-04 12:05 . 08-02-04 12:05 348,160 --a--c--- C:\WINNT\system32\msvcr71.dll
2008-02-04 12:05 . 08-02-04 12:05 26,944 --a--c--- C:\WINNT\system32\drivers\avg7rsnt.sys
2008-02-04 11:39 . 07-12-14 01:59 69,632 --a--c--- C:\WINNT\system32\javacpl.cpl
2008-02-04 11:38 . 08-02-04 11:39 <DIR> d----c--- C:\Program Files\Java
2008-02-04 11:38 . 08-02-04 11:38 <DIR> d----c--- C:\Program Files\Common Files\Java
2008-02-04 11:14 . 08-02-04 11:14 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_350.dat
2008-02-03 12:16 . 08-02-09 03:18 645,106 ---h-c--- C:\WINNT\ShellIconCache
2008-02-03 11:01 . 08-02-03 11:01 16,384 --a--c-t- C:\WINNT\system32\Perflib_Perfdata_358.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 00:48 --------- dc----w C:\Documents and Settings\Kurt LeBlanc\Application Data\uTorrent
2003-02-27 04:05 271 ---h--w C:\Program Files\desktop.ini
2003-02-27 04:05 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-03 19:24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"DeltTray"="DeltTray.exe" [02-12-06 15:19 56320 C:\WINNT\system32\delttray.exe]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [01-12-07 04:48 258118]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-07-07 21:35 282624]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [06-07-29 06:07 188416]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [07-12-14 03:42 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-02-04 12:10 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-02-04 12:05 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\Kurt LeBlanc\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-03-01 17:25:46 196608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2003-03-01 17:49:22 127488]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
Suitcase Startup.lnk - C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe [2006-12-27 00:41:30 3145728]

R0 amd751;AMD AGP Bus Filter;C:\WINNT\system32\DRIVERS\amd751.sys [99-09-28 10:37 ]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-02-04 12:05 ]
R3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mpaa.sys [99-10-27 10:11 ]
R3 DIO;Service for DIO Driver (WDM);C:\WINNT\system32\drivers\dio2448.sys [00-05-25 04:04 ]
S0 epstwnt;epstwnt;C:\WINNT\system32\Drivers\epstwnt.mpd []
S2 SHARSHTL;Shuttle Sharer;C:\WINNT\system32\Drivers\sharshtl.sys [98-03-30 02:18 ]
S3 EWAVE;EWAVE;C:\WINNT\System32\drivers\ew.sys []
S3 FILESPY;FILESPY;C:\WINNT\System32\drivers\FILESPY.sys []
S3 NSTATION;NSTATION;C:\WINNT\System32\drivers\nstation.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINNT\system32\DRIVERS\scsiscan.sys [99-09-25 10:36 ]
S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\system32\DRIVERS\slnt7554.sys [00-06-28 02:29 ]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINNT\system32\drivers\usb22ldr.sys [03-06-28 14:12 ]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;C:\WINNT\system32\drivers\usbmm2x2.sys []
S3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINNT\system32\drivers\usbmn2x2.sys [03-06-28 14:12 ]
S3 V90drv;v90drv;C:\WINNT\system32\DRIVERS\v90drv.sys [00-06-28 02:29 ]
S3 vsc32;Virtual Sound Canvas 3.2;C:\WINNT\system32\DRIVERS\vsc.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 03:53:10
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-09 3:54:38
ComboFix-quarantined-files.txt 2008-02-09 08:53:47


Malwarebytes' Anti-Malware 1.02
Database version: 331

Scan type: Quick Scan
Objects scanned: 21259
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinTouch (Adware.WinPop) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{967b2d40-8b7d-4127-9049-61ea0c2c6dce} (Trojan.Conhook) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Default User\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Default User\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kurt LeBlanc\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:55, on 2008-02-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DeltTray.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Suitcase Startup.lnk = C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB234BF-636E-49EF-96D8-A3C1D2B927C9}: Domain = Earthlink
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB234BF-636E-49EF-96D8-A3C1D2B927C9}: NameServer = 207.69.188.185,207.69.188.186,207.69.188.187
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

--
End of file - 4862 bytes
Kurt
Regular Member
 
Posts: 27
Joined: February 1st, 2008, 2:48 pm
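
The three scan logs above (ComboFix, Malwarebytes and HijackThis) are what the helpers work from, and the HijackThis lines in particular are terse: one line per autorun, BHO or service. As an added example, not a HijackThis, ComboFix or MalwareRemoval.com tool, here is a small Python triage script that parses lines in that format and flags three mechanical problems a reviewer looks for first: an R-line with a blank value (the `Local Page =` entry in the log), an O4 autorun whose referenced file no longer exists on disk (the situation behind a boot-time "Error loading ... The specified module could not be found" message after the file has been removed but its Run value has not), and an O23 service with no vendor name. The log excerpt and the file inventory are constructed sample data, and `EXAMPLE_MISSING.dll` is a placeholder name.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not a HijackThis, ComboFix or MalwareRemoval.com tool.
It runs offline: the log excerpt and the set of files "present on disk" are constructed
sample data, and EXAMPLE_MISSING.dll is a placeholder file name.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed inventory standing in for os.path.exists() on the affected machine (lower-case).
DISK: Set[str] = {
    r"c:\winnt\system32\mobsync.exe",
    r"c:\winnt\system32\rundll32.exe",
    r"c:\program files\quicktime\qttask.exe",
    r"c:\progra~1\grisoft\avg7\avgcc.exe",
    r"c:\program files\microsoft office\office\osa9.exe",
    r"c:\winnt\system32\slserv.exe",
}
# Directories searched for a bare image name such as "mobsync.exe" (constructed, trimmed).
SEARCH_PATH = [r"c:\winnt\system32", r"c:\winnt"]

# Constructed excerpt in the line format of the HijackThis logs in this thread. The
# "[leftover]" entry is invented: a Run value whose DLL has already been deleted, which
# is exactly what produces "Error loading ... The specified module could not be found"
# at every logon until the value itself is removed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [leftover] rundll32.exe C:\WINNT\system32\EXAMPLE_MISSING.dll,b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
""".strip().splitlines()


@dataclass
class Finding:
    kind: str     # "R-empty" | "O4-missing-file" | "O23-no-vendor"
    line: str
    detail: str


R_RE = re.compile(r"^R[0-3] - (?P<key>.+?) = ?(?P<value>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.*)$")
# Each path-like token that ends in a loadable-module extension. Unquoted paths may contain
# spaces, so a token may extend across spaces but stops at the first such extension.
MODULE_RE = re.compile(
    r'[^"\s,]+?(?: [^"\s,]+)*?\.(?:exe|dll|cpl|scr|com|bat)(?=["\s,]|$)', re.IGNORECASE)


def referenced_modules(cmd: str) -> List[str]:
    """Return the image and any further module paths a Run command references."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd)  # drop HJT's per-user annotation
    return MODULE_RE.findall(cmd)


def resolve(path: str, disk: Set[str] = DISK) -> bool:
    """True if the module is in the (constructed) inventory; bare names use SEARCH_PATH."""
    p = path.lower()
    if "\\" in p:
        return p in disk
    return any(f"{d}\\{p}" in disk for d in SEARCH_PATH)


def triage(lines: Iterable[str], disk: Set[str] = DISK) -> List[Finding]:
    """Flag blank R-values, autoruns pointing at missing files, and services without a vendor."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := R_RE.match(line):
            if not m.group("value").strip():
                findings.append(Finding("R-empty", line,
                                        f"{m.group('key')} is blank; a harmless entry HJT can fix"))
        elif m := (O4_RUN_RE.match(line) or O4_LNK_RE.match(line)):
            for mod in referenced_modules(m.group("cmd")):
                if not resolve(mod, disk):
                    findings.append(Finding("O4-missing-file", line,
                                            f"{mod} does not exist; orphaned autorun entry"))
        elif m := O23_RE.match(line):
            if not m.group("vendor").strip():
                findings.append(Finding("O23-no-vendor", line,
                                        f"{m.group('path')} has no vendor name; check the binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.detail}")
```

To use it on a saved log, read the file's lines into `triage()` and swap the constructed `DISK` lookup in `resolve()` for `os.path.exists()`. The `O4-missing-file` check is the one that accounts for a persistent "Error loading ..." message: the file is gone, the Run value that loads it is not, and removing the value (which is what HijackThis's "Fix checked" does for an O4 line) ends the message.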

Re: Desktop PC needs help

Unread postby Simon V. » February 9th, 2008, 6:43 pm

Hi :)

Open HijackThis, perform a scan and put a check next to the following item (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Close all programs except HijackThis and click on Fix checked.

For the time format, go to My Computer > Control Panel > Regional Options > Time tab. There you can choose whatever time format you prefer.

You can try Windows Update now.

In your next reply, please let me know how your computer is currently running.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Desktop PC needs help

Unread postby Kurt » February 9th, 2008, 11:39 pm

Okay, performed HJT work and got the time and date reconfigured. But having trouble with IE & Windows Updates.

Here are some notes: I'm currently seeing IE lock up and freeze only upon entering the URL http://windowsupdate.microsoft.com. ALL other sites appear to function okay. On previous attempts I was able to reach the Windows Update site, and upon selecting the custom update option I get High Priority (11) updates available. I selected Install Updates; the Installing Updates window opens (Installation status: cursor blinking & waiting, Preparing for download...) and fails - causes IE to lock up and freeze. I can click the Cancel button, which turns grey, then nothing happens; I am only able to stop the task using Task Manager - by clicking to end the task in the Applications window. I tried Firefox, using the IE Tab plugin, and was able to get one update to run (and possibly install - one of the early .NET Framework updates), but another attempt failed, receiving this error message: "install.exe Unable To Locate DLL. The dynamic link library gdiplus.dll could not be found in the specified path c:\temp\ext45874;.;c:\WINNT\system32;c:\system;..."

I stopped writing at this point to check back here for possible solutions / suggestions.

The rest of the computer seems to be running fine!

Thanks!
Kurt
Regular Member
 
Posts: 27
Joined: February 1st, 2008, 2:48 pm

Re: Desktop PC needs help

Unread postby Simon V. » February 10th, 2008, 5:46 am

Hi :)

Please download gdiplus.dll - http://www.dll-files.com/dllindex/dll-f ... ml?gdiplus and save it to your desktop.

Once downloaded, unzip the file. A file called gdiplus.dll should appear on your desktop.

Right-click the file, and select Cut. Open Windows Explorer, and navigate to the following folder: C:\WINNT\System32\.

Right-click anywhere, and select Paste. Then try Windows Update again and let me know how it went.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Desktop PC needs help

Unread postby Kurt » February 10th, 2008, 4:22 pm

Hi Simon,

Still no luck with Windows Update. I added the DLL from the link you provided, and was able to reach the Windows Update home page and begin the process by clicking the Custom button (as usual). Once again the browser locked up at the Installing Updates window. I'm curious, is there a chance that IE has been corrupted, or are there any IE patches available? I think Windows Update runs via an ActiveX component, correct?

Thanks again for the help!
Kurt
Regular Member
 
Posts: 27
Joined: February 1st, 2008, 2:48 pm

Re: Desktop PC needs help

Unread postby Simon V. » February 10th, 2008, 4:31 pm

Kurt wrote:Hi Simon,

Still no luck with Windows Update. I added the DLL from the link you provided, and was able to reach the Windows Update home page and begin the process by clicking the Custom button (as usual). Once again the browser locked up at the Installing Updates window. I'm curious, is there a chance that IE has been corrupted, or are there any IE patches available? I think Windows Update runs via an ActiveX component, correct?

Thanks again for the help!

Windows Update runs with an ActiveX component, that's correct. However, this problem is probably not malware related and I'm afraid that I won't be able to help you with it.

It would take a long time before I figure out what's wrong with your PC; there are forums that specialize in general computer problems that will probably be able to help you. You can ask for help at the WhatTheTech forums: http://forums.whatthetech.com/Microsoft ... _f119.html

First register and post like you did here, explaining your problem (do not post a HijackThis log, as your malware issues should be resolved), and add a link to this topic as well. There are some excellent people over there who will be able to help you better than I can.

I'm sorry that I could not be of more help to you, and I wish you the best of luck with solving your computer problems.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Desktop PC needs help

Unread postby Kurt » February 10th, 2008, 8:34 pm

Simon,

Thanks again. Much appreciated!
Kurt
Regular Member
 
Posts: 27
Joined: February 1st, 2008, 2:48 pm

Re: Desktop PC needs help

Unread postby NonSuch » February 11th, 2008, 1:28 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California