Author Topic: WinantivirusPRO, random stuff, lagging internet (Read 566 times)

Aidan · « **on:** May 13, 2007, 11:25:35 AM »

Uhm, I scanned with AVG and Ad-Aware and deleted stuff, but it was mostly just traking cookies, and there is still a problem with the computer.
To give you all the informatin I can, that automatic update thing was running in the tray and it was downlading things like malware removal tool and whatever, and it started having the same file all the time so I shut it off in the services menu of Ctrl panel, admin tools. The computer was just slow and then last night, it stopped working altogether, and this blue STOP screen showed up after loading windows(the loaing thing in the beginning with the picture of the window and the blue moving bar) it had info about BIOS and going to check for updates and other things that I didn't quite understand. I managed to start it up in safe mode and scanned it with ad aware and AVG, those are both adware scanners right, so no virus scan that means, aybe that is the problem. Anyway, after that I was able to log in, but the net is still lagging and I don't know what to do. Plus, I need more security or something because I no longer have a working router so having my computer directly connected to the modem... I have ZoneAlarm, but it takes up alot of memory, and it blocks some things in MSN messenger, and the update installer I got doesn't seem to work because of some missing dlls or something.

guestolo · « **Reply #1 on:** May 13, 2007, 11:27:46 AM »

I would like to see a Hijackthis log
In case you don't have a copy anymore

Download Hijackthis 1.99.1 from my signature below
SAVE it to your desktop

Double click on hijackthis_sfx.exe on desktop
Click the UNZIP button>>OK the prompt
This will self extract to C:\Program Files\HijackThis
Delete hijackthis_sfx.exe from desktop

Go to START>>RUN
Copy>>paste the following to the open field, then hit OK
%systemdrive%\Program Files\HijackThis
This will open the Hijackthis folder
RIGHT CLICK on Hijackthis.exe and select SEND TO>>Desktop (create shortcut)
You can now run Hijackthis.exe from the new shortcut placed on your desktop

Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here

Aidan · « **Reply #2 on:** May 13, 2007, 09:26:17 PM »

Okay the hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 10:20:07 PM, on 13/05/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\internat.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\mvrjkwiv.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ratchetfreak11.spaces.live.com//Pho...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26b293c2673a7f...ip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O20 - AppInit_DLLs: C:\WINNT\system32\syst4m.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Here is some random crap that also came up today

http://www.amaena.com/vista/index.php?aid=...amp;h=0&j=0

and there was also these two annoying things called Drive Cleaner, and systemdoctor 2006. Which are both crap, some kind of spyware, or worse.

If you read what I said about the auto-update, do you think it's possible that that may have been one of the factors responsible for this issue?

Aidan · « **Reply #3 on:** May 13, 2007, 09:29:59 PM »

Oh, ad just in right after I posted that an alert box opened up which said:

Your private data is unprotected!

Your credit card details, personal and system passwords as well as your documents might be hijacked.

It is strongly recommended to install Davinci to protect your files!

Ok Cancel.

guestolo · « **Reply #4 on:** May 13, 2007, 10:55:43 PM »

Can you do the following

Download [color=\"blue\"]VundoFix.exe[/color]
to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from Vundofix>>C:\Vundofix.txt

Also:
Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from Combofix as well as the log from Vundofix

Aidan · « **Reply #5 on:** May 14, 2007, 09:24:45 PM »

Vundofix:

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 9:23:54 PM 14/05/2007

Listing files found while scanning....

C:\WINNT\system32\cfiii.bak1
C:\WINNT\system32\cfiii.bak2
C:\WINNT\system32\cfiii.ini
C:\WINNT\system32\efcyxyw.dll
C:\WINNT\system32\iiifc.dll
C:\WINNT\system32\tuvtqnn.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cfiii.bak1
C:\WINNT\system32\cfiii.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\cfiii.bak2
C:\WINNT\system32\cfiii.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\cfiii.ini
C:\WINNT\system32\cfiii.ini Has been deleted!

Attempting to delete C:\WINNT\system32\efcyxyw.dll
C:\WINNT\system32\efcyxyw.dll Has been deleted!

Attempting to delete C:\WINNT\system32\iiifc.dll
C:\WINNT\system32\iiifc.dll Has been deleted!

Performing Repairs to the registry.
Done!

Combofix:

"Administrator" - 14/05/2007 22:06:35 Service Pack 3
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\edrxkhom.dll
C:\WINNT\system32\mvrjkwiv.dll
C:\WINNT\system32\vhjlshmt.dll
C:\WINNT\system32\viwkjrvm.ini
C:\WINNT\system32\tmhsljhv.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\1.exe
C:\WINNT\system32\svcp.csv
C:\WINNT\system32\winsub.xml

((((((((((((((((((((((((((((((( Files Created from 14/0-01-07 to 14/05/2007 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [03/11/03 03:17p]
{49EB07AA-B31A-48C5-A8E4-3AFD670043D5}=C:\WINNT\system32\iiifc.dll []
{4F964B98-CD12-41EC-B67D-6FA856F04818}=C:\WINNT\system32\edrxkhom.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [09/11/06 04:21p]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [11/12/06 06:46p]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"ezShieldProtector for Px"="C:\\WINNT\\System32\\ezSP_Px.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"AtiPTA"="atiptaxx.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WindowsUpdate"="rundll32.exe \"C:\\WINNT\\system32\\mvrjkwiv.dll\",realset"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [07/12/99 08:00a C:\WINNT\system32\mobsync.exe])
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/01 11:50a]
"ezShieldProtector for Px"="C:\WINNT\System32\ezSP_Px.exe" [20/08/02 10:29a]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [09/11/06 04:07p]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [30/04/07 11:42a]
"AtiPTA"="atiptaxx.exe" [27/09/01 02:39a C:\WINNT\system32\atiptaxx.exe])
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [23/08/06 07:44p]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/02/07 09:32p]
"WindowsUpdate"="C:\WINNT\system32\mvrjkwiv.dll" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/07 01:02a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [07/12/99 08:00a C:\WINNT\system32\internat.exe])
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [27/03/07 04:22p]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [28/09/06 10:13a]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqnn

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINNT\system32\syst4m.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages   msv1_0
Security Packages   kerberosmsv1_0schannel
Notification Packages   scecli

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss   RpcSs
wugroup   wuauserv
BITSgroup   BITS

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
WmdmPmSN

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 22:13:29
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 14/05/2007 22:13:48
C:\ComboFix-quarantined-files.txt ... 14/05/07 10:13p
C:\ComboFix2.txt ... 11/11/06 12:20a
C:\ComboFix3.txt ... 10/11/06 10:23p

guestolo · « **Reply #6 on:** May 14, 2007, 09:31:03 PM »

Can you post a fresh hijackthis log

Also
Set windows to show hidden files>>folders
Windows 2000

* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive
C:\WINNT\system32\syst4m.dll <-this file

Right click on the file, and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

Aidan · « **Reply #7 on:** May 15, 2007, 06:01:27 PM »

Here is the hijackthis log, but for some reason, although I went and did all the steps unchecking the boxes in the folder options (I did it, I made sure, that's not a possibility of error), I could not find the file anywhere on the hard drive.

Logfile of HijackThis v1.99.1
Scan saved at 6:58:05 PM, on 15/05/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ezSP_Px.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49EB07AA-B31A-48C5-A8E4-3AFD670043D5} - C:\WINNT\system32\iiifc.dll (file missing)
O2 - BHO: (no name) - {4F964B98-CD12-41EC-B67D-6FA856F04818} - C:\WINNT\system32\edrxkhom.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\mvrjkwiv.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ratchetfreak11.spaces.live.com//Pho...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26b293c2673a7f...ip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O20 - AppInit_DLLs: C:\WINNT\system32\syst4m.dll
O20 - Winlogon Notify: tuvtqnn - tuvtqnn.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #8 on:** May 16, 2007, 12:12:44 AM »

Can you do the following

[color=\"blue\"]Your Java Runtime Environment is out of date.[/color] Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

[color=\"blue\"]Updating Java:[/color]

Download the latest version of Java(tm) SE Runtime Environment 6 Update 1.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement[/i]".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (12.6 MB).
Close any programs you may have running - especially any web browsers.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.

This includes: And any others
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 3

Don't install the new version yet
Download [color=\"#FF0000\"]The Avenger.zip[/color] by Swandog46 to your Desktop.

* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
LOG OFF any other users on the computer except for yourself

Copy ALL the text contained in [color=\"#0000FF\"]blue[/color] below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard,
Make sure you include "Files to delete:"
=============================================================
[color=\"#0000FF\"]
Files to delete:
C:\WINNT\system32\syst4m.dll
C:\WINNT\system32\mvrjkwiv.dll

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | WindowsUpdate
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | TkBellExe

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqnn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49EB07AA-B31A-48C5-A8E4-3AFD670043D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F964B98-CD12-41EC-B67D-6FA856F04818}

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | appinit_dlls[/color]

==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
OK the prompt

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the [color=\"#00FF00\"]Green Light[/color] to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Go ahead and install the latest version of Java from the installer on desktop

Post a fresh hijackthis log
Post the log from Avenger, located here>>C:\Avenger.txt
Also: Let me know how things are running please

Aidan · « **Reply #9 on:** May 16, 2007, 10:03:50 PM »

Ok, you asked me to tell you how things were running. Well, on several occasions, the CPU or whatever is processing the actions that are being taken gets overloaded somehow and the computer simply stops responding altogether, first the taskbar, then the desktop, and if I press CTRL + ALT + DELETE and then task manager or cancel, the taskbar gets messed up and nothing responds at all and I have to reboot. If I select log out then everything loads for a few minutes and then shuts down and logs out. So if you can tell me how to fix that I'd be pretty thankful. Also, every startup now, because of one of those cleaning things you had me run, an alert with the title RUNDLL pops up saying: Error loading C:\WINNT\system32\mvrjkwiv.dll, the specified module could not be found. What's up with that...
Finally, I have a couple videogame emulators on here and they seem to work with DirectX8.1, but when I tried installing W2K SP4 a while back, they stopped working because direct X 9.0c gets installed automatically or something. So I currently am running SP3. When I installed the java 6u1-win...,it said that the software did not support my current OS, so what do I do?
Also, I ran the avenger.exe program, and it rebooted like you said, but for some reason there was no log at all, the file was blank. I don't know why that is, an alert popped up after reboot saying that the avenger.txt or something, could not be found, do you want to make a new one ? something like that, and I said OK and then I got a blank notepad. Sorry about that I guess.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:48 PM, on 16/05/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ezSP_Px.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINNT\System32\msiexec.exe
C:\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49EB07AA-B31A-48C5-A8E4-3AFD670043D5} - C:\WINNT\system32\iiifc.dll (file missing)
O2 - BHO: (no name) - {4F964B98-CD12-41EC-B67D-6FA856F04818} - C:\WINNT\system32\edrxkhom.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\mvrjkwiv.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ratchetfreak11.spaces.live.com//Pho...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26b293c2673a7f...ip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O20 - AppInit_DLLs: C:\WINNT\system32\syst4m.dll
O20 - Winlogon Notify: tuvtqnn - tuvtqnn.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #10 on:** May 16, 2007, 10:07:39 PM »

Doesn't seem as Avenger worked
But for a double check, Manaully navigate to the following
Double click MyComputer>>Local Disk C:
Do you see Avenger.txt?

Aidan · « **Reply #11 on:** May 23, 2007, 08:43:07 PM »

[quote name=\'guestolo\' post=\'326803\' date=\'May 16 2007, 10:07 PM\']Doesn't seem as Avenger worked
But for a double check, Manaully navigate to the following
Double click MyComputer>>Local Disk C:
Do you see Avenger.txt?[/quote]

Yeah, the avenger.txt file is there, but it's blankm, something came up when the program stopped running and I guess it reset te log.
My computer is still messed up
so gotta check some more

guestolo · « **Reply #12 on:** May 23, 2007, 08:51:51 PM »

A week between replies doesn't help us out if your using your computer in the meantime

Can you delete your version of Vundofix.exe, it's been updated since your last visit

REDownload [color=\"blue\"]VundoFix.exe[/color]
to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from Vundofix>>C:\Vundofix.txt

Also, post a fresh hijackthis log

guestolo · « **Reply #13 on:** June 09, 2007, 04:51:24 PM »

As the original poster has not returned, I'll lock this topic

TheTechGuide Forum

News:

Author Topic: WinantivirusPRO, random stuff, lagging internet (Read 566 times)

Aidan

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet

Aidan

WinantivirusPRO, random stuff, lagging internet

Aidan

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet

Aidan

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet

Aidan

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet

Aidan

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet

Aidan

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet

guestolo

WinantivirusPRO, random stuff, lagging internet