Adware/Task Manager
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive General Support Issues
rynesae
I tried to search for my problem in the threads and couldn't find anything.

When I start my computer a red circle with a white X appears by my clock. It says that Windows has detected viruses and adware on my computer. It says I should click the dialogue box and download the latest "antispyware" products. I have Trend Micro virus protection and it shows that I have approx. 30 viruses on my computer, all trojans, and all in my temporary internet files. However when I navigate to those files they don't exist.

Even worse, it does not allow me to access my task manager anymore.

If anyone could help me out I would greatly appreciate it.
tenteen
QUOTE(rynesae @ Nov 29 2006, 05:26 PM) * (post quoted in full above)

use this tool HJT
www.merijn.org/files/hijackthis.zip

unzip it and save on your desktop

Download Smitfraudfix
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
unzip it to a folder, then restart your computer and run it in safe mode (tapping the F8 key as Windows starts)

open the SmitfraudFix folder --> double-click smitfraudfix.cmd --> press Enter --> type 2 --> Enter --> it will prompt with a message about cleaning the registry --> type Y --> Enter

Reboot back to normal mode

run a system scan and save the log, then post it here
rynesae
QUOTE(tenteen @ Nov 29 2006, 09:44 PM) * (post quoted in full above)

(Edit)
OK, I seem to have almost everything worked out. I only have two remaining problems. The first is that my antivirus picks up a virus called TROJ_DLOADER.FCJ about every ten seconds. Even in safe mode I cannot delete the file it has infected (tmp_M.dll), which is in WINDOWS\system32. It is really killing my computer speed and I think it is resulting in shutdowns "due to a thermal event."

Also I cannot seem to get rid of an adware.suggestor that ad-aware finds.

Any recommendations?
rynesae
I almost forgot, here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:12 PM, on 12/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nordsys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Documents and Settings\Ryne\Desktop\HijackThis.exe
C:\WINDOWS\TEMP\IEE43C.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = alleg.edu
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yyaowvr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8ABCBAD8-CDF2-4199-80D1-B1EFF459CBEB} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - C:\PROGRA~1\MORPHE~1\MORPHE~1.DLL (file missing)
O2 - BHO: (no name) - {F7605C3E-AA35-4077-988B-7B1DBA8BAE0C} - C:\Program Files\MSN\tekowopeh.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [{E2-2A-AA-AC-ZN}] c:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [wlgxlo] C:\WINDOWS\system32\wucgmq.exe reg_run
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [System64] C:\WINDOWS\system32\inet.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\system32\inet.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [morq] C:\PROGRA~1\COMMON~1\morq\morqm.exe
O4 - HKCU\..\Run: [simyn] C:\WINDOWS\system32\wucgmq.exe reg_run
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSSoft\\RSEDNClient.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nortonres.allegheny.edu/webinst/webinst.cab
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_m.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - c:\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
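The persistence indicators in the log above can be pulled out mechanically rather than read line by line: an extra executable appended to the UserInit value (F2), a populated AppInit_DLLs (O20), a text/html MIME filter (O18), Run entries that point at a bare filename or at an unfamiliar system32 binary (O4), and a Winlogon Notify package living outside system32 (O20). The Python script below is an added example written for this edit; it is not part of the thread, of HijackThis, or of any of the tools named in it. Its sample input is excerpted from the log posted above, and the allowlist of system32 binaries that may legitimately sit in a Run key is an assumption for illustration.

```python
"""Triage HijackThis v1.99-style log lines for common persistence indicators.

Added example, not part of the original thread or of HijackThis. The rules
encode the judgement a helper applies by eye: they flag entries for review,
they do not prove anything is malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yyaowvr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [wlgxlo] C:\WINDOWS\system32\wucgmq.exe reg_run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_m.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - c:\Settings\winsys2f.dll
"""

# Assumed allowlist: system32 binaries that legitimately appear in a Run key
# on Windows XP. Anything else launched from system32 via Run is reviewed.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}

_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
_FILTER = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)$")
_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    line: str    # the log line that triggered the rule
    reason: str  # why a reviewer should look at it


def _program(command: str) -> str:
    """Program part of a Run command: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a persistence rule."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _USERINIT.match(line):
            # UserInit runs at every interactive logon; only userinit.exe belongs here.
            extra = [p for p in m.group(1).split(",")
                     if p and not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding(line, f"extra UserInit entries {extra} run at every logon"))
        elif m := _RUN.match(line):
            prog = _program(m.group(4))
            if "\\" not in prog:
                # A bare filename is resolved via the PATH search, typical of dropped malware.
                findings.append(Finding(line, f"{prog!r} has no directory, resolved via PATH"))
            elif _in_system32(prog) and prog.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32_RUN:
                findings.append(Finding(line, f"unrecognised system32 binary {prog!r} in {m.group(1)} {m.group(2)}"))
        elif m := _FILTER.match(line):
            if m.group(1).lower() == "text/html":
                # A text/html MIME filter sees every HTML page Internet Explorer renders.
                findings.append(Finding(line, f"text/html MIME filter {m.group(2)!r} intercepts all IE page content"))
        elif m := _APPINIT.match(line):
            if m.group(1).strip():
                # AppInit_DLLs is mapped into every process that loads user32.dll, so the
                # file stays open (and undeletable) for as long as such processes run.
                findings.append(Finding(line, f"AppInit_DLLs {m.group(1).strip()!r} loads into every user32 process"))
        elif m := _NOTIFY.match(line):
            dll = m.group(2).strip()
            if not _in_system32(dll) or dll.endswith("(file missing)") or dll.endswith("\\"):
                findings.append(Finding(line, f"Winlogon Notify package {m.group(1)} outside system32 or dangling: {dll!r}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample, the script flags the UserInit tail, the wucgmq.exe and lockx.exe Run entries, the text/html filter, the AppInit_DLLs value and the winsys2f.dll Notify package, and leaves the Adobe BHO, iTunesHelper, ctfmon.exe and WgaLogon lines alone. The AppInit_DLLs rule is also the practical answer to the "cannot delete tmp_M.dll even in safe mode" complaint: a DLL listed there is held open by every running process that loaded user32.dll, so it has to be unhooked from the registry (or the disk handled offline) before the file can go. The same logic applies to the blocked Task Manager, which is not in this log but is normally enforced by the DisableTaskMgr policy value under the user's Policies\System key (general Windows knowledge, not something the page states); clearing that value is pointless while the Run and Notify entries that re-set it are still live.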
LS CalamityJane
I don't have good news for you.

Your PC has been hacked - seriously compromised by a number of remote access backdoor trojans

They have downloaded adware and spyware to your PC, but they have also likely done serious damage in the registry and compromised it in a way that lets them access it again and again. Do you know how you got this infection?
Were you downloading from a P2P network, downloading cracks, warez, keygens?

One of those trojans also frequently includes a rootkit, which is stealth technology to hide malware on your system.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community...tip/st1005.mspx

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy.

IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then access this information from a non-compromised computer to follow the steps needed.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

I can identify at least these have infected your PC (descriptions in the links below)
http://www.sophos.com/virusinfo/analyses/w32newurga.html
http://www.sophos.com/virusinfo/analyses/w32sdbotaeg.html
http://www.sophos.com/virusinfo/analyses/trojdloadrael.html

The worst of which is the sdbot (link description #2)

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

QUOTE
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself.


While it's a trivial matter to clean up the rootkit itself, most rootkits and all botnet clients are Remote Access Trojans (RATs).

A RAT is a program that allows a remote user to connect to the computer and issue commands.

Unless you can be sure that a remote user did not connect to the machine and run commands on it (which is almost always impossible to ascertain), you cannot know what damage the bad guy has done above and beyond installing the rootkit.

That unknown is what accounts for the recommendation to rebuild the machine.

The thing is, lockx.exe is a backdoor trojan with a rootkit.

What is a rootkit? In the simplest of terms, it is technology to hide an attacker's tools. Rootkits can prevent detection and removal and in some cases, attempting to remove a rootkit can destroy a system. You can't know what else a rootkit has done.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits and the damage that may have been caused by the malware installed by the attacker.

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community...tip/st1005.mspx

I can't guarantee this system is "cleanable". We can try to clean off the infected files, but the compromise by a remote attacker means they most likely made alterations to ensure the ability to get back in.