PC can't connect to internet & extremely slow

Ehipassiko

New Member
Dear all,

Hi, I am a newbie in this forum.
Recently I've got some issue with my laptop. I am connected to the internet using a Sierra Wireless modem and my GSM mobile card. Now, every time I plug in the modem, the PC detects it but it takes a very long time to do so; then when I hit the 'connect' button, it won't connect. In fact, it takes ages before the error message appears. The point is, I can't connect to the internet using that laptop.

However, when I plug that modem into another PC, it works well. So I assume that my laptop is the one which is in trouble, not the modem.

And another strange behaviour is that the power light which indicates the activity of the PC keeps blinking even though I do not touch or click anything on it. When I look at the processes or applications running in Task Manager, it's quite weird because lots of unknown programs (at least to my knowledge) are running and the total number of processes keeps changing: one second 35, another second 37, another 40, and another back to the 30s.
So I assume that my laptop is kind of infected by some virus or malware or spyware. I am using AVG 7.5 Free Edition and SUPERAntiSpyware. Both programs have scanned the PC and found no infected files.

Please help! I am not sure whether this is the correct directory to post this thread. If it is not, please help me move it to the correct one.

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.31
Database version: 1492
Windows 5.1.2600 Service Pack 1

12/12/2008 16:13:45
mbam-log-2008-12-12 (16-13-40).txt

Scan type: Quick Scan
Objects scanned: 20785
Time elapsed: 2 hour(s), 19 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0050a87f-cf26-41ae-9c0a-c32307c941cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0050a87f-cf26-41ae-9c0a-c32307c941cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{5a667275-c54e-465b-a6bb-37a7c6fc38e3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0050a87f-cf26-41ae-9c0a-c32307c941cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0050a87f-cf26-41ae-9c0a-c32307c941cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{0050a87f-cf26-41ae-9c0a-c32307c941cb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rnieplug.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


Here is the HJT logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:12, on 15/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\system32\lcsass.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\mldmm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\sssvcs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\llm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKLM\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmsass] mldmm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
O4 - HKLM\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKLM\..\RunServices: [mmsass] mldmm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKCU\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
O4 - HKCU\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [dsgb] C:\WINDOWS\System32\dbw.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [dsgb] C:\WINDOWS\System32\dbw.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-854245398-1677128483-839522115-500 Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe (User '?')
O4 - Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra 'Tools' menuitem: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A384D45-CC91-4BFE-AFA4-286668CAF057}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F91FDBE-368D-4C9D-95CC-0CEDEEB69770}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6165536-5FD7-40ED-90F1-588F65D9C6AB}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6079610-136A-46EC-8305-D1ECF73BA505}: NameServer = 195.186.1.111
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: acw0q72kp1eikfukiwcfhrig - Unknown owner - C:\WINDOWS\system32\csrcs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 11635 bytes


Any help and/or suggestions will be much appreciated.
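A heuristic first pass over HJT lines like the ones in the log above, as an added example (not code from the original post, nor from HijackThis itself). It flags the entry types a helper reads first: Run keys whose target sits straight in C:\WINDOWS or system32 or is a bare filename, RunServices entries, "(file missing)" orphans, unknown Winsock LSPs, Trusted Zone additions, non-private NameServer addresses, Winlogon Notify DLLs and services with no publisher. The allow-lists, rule wording and the embedded sample (lines copied from the log above plus a few clean ones) are the editor's own assumptions; a flag means "look at this", not "this is malware".

```python
"""Heuristic triage of HijackThis (HJT) log lines.
Added example, not code from the original post or from HijackThis. Rules and
allow-lists are the editor's assumptions: a flag means "review", not "malware".
"""
import ipaddress
import re

# Assumed allow-list: XP programs that legitimately autostart straight from the
# Windows directory. Installed software normally lives under Program Files, so
# any other Run-key target in C:\WINDOWS or system32 deserves a look.
SYSTEM32_AUTORUN_ALLOW = {"ctfmon.exe", "rundll32.exe"}
WINLOGON_NOTIFY_ALLOW = {"!saswinlogon"}  # assumed: SUPERAntiSpyware's hook

# Constructed sample: lines copied from the first HJT log in this thread, plus
# a few known-clean lines, so the script runs offline without a real log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll (file missing)
O4 - HKLM\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKLM\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [mmsass] mldmm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: acw0q72kp1eikfukiwcfhrig - Unknown owner - C:\WINDOWS\system32\csrcs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

_O4_RE = re.compile(r"^O4 - .+?\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.*)$")
_EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)
_WINDIR_RE = re.compile(r"^[a-z]:\\windows(?:\\system32|\\system)?\\[^\\]+$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - ")
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _check_o4(line):
    """Run/RunServices entries: where does the binary live, how is it referenced?"""
    m = _O4_RE.match(line)
    if not m:
        return []
    reasons = []
    if m.group("key").lower() == "runservices":
        reasons.append("RunServices key (Win9x-era; XP software rarely uses it)")
    exe = _EXE_RE.match(m.group("cmd"))
    if exe:
        path = exe.group("exe").lower()
        if path.rsplit("\\", 1)[-1] not in SYSTEM32_AUTORUN_ALLOW:
            if "\\" not in path:
                reasons.append("bare filename, resolved through PATH at logon")
            elif _WINDIR_RE.match(path):
                reasons.append("autorun launched straight from the Windows directory")
    return reasons


def _check_o17(line):
    """NameServer entries: a public resolver should be the ISP's own."""
    if not line.startswith("O17 - ") or "NameServer" not in line:
        return []
    public = [ip for ip in _IP_RE.findall(line) if not ipaddress.ip_address(ip).is_private]
    return ["DNS server %s is public; confirm it belongs to the ISP" % ", ".join(public)] if public else []


def _check_o20(line):
    m = _O20_RE.match(line)
    if not m or m.group("name").lower() in WINLOGON_NOTIFY_ALLOW:
        return []
    return ["Winlogon Notify DLL: loaded into winlogon.exe at boot, before the shell"]


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every line worth a look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        reasons = ["orphaned entry: the referenced file is gone"] if "(file missing)" in line else []
        reasons += _check_o4(line) + _check_o17(line) + _check_o20(line)
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            reasons.append("unknown Winsock LSP: loaded into every process that opens a socket")
        if line.startswith("O15 - Trusted Zone"):
            reasons.append("site placed in IE's Trusted Zone (relaxed security settings)")
        if line.startswith("O23 - ") and "Unknown owner" in line:
            reasons.append("service binary carries no publisher information")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def flagged_basenames(findings):
    """File names mentioned by flagged lines, for quoting back to the poster."""
    names = {m.group(1).lower() for f in findings
             for m in re.finditer(r'([^\\\s"\[]+\.(?:exe|dll))', f["line"], re.IGNORECASE)}
    return sorted(names)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"], *("    -> " + r for r in f["reasons"]), sep="\n")
    print("files to examine:", ", ".join(flagged_basenames(triage(SAMPLE_LOG))))
```

Run as-is it prints the nine sample lines that merit a look, each with its reason, and the seven file names to quote back; point `triage()` at a complete saved log to do the same for the whole file. It only ranks the reading: confirming an entry still needs what the heuristics cannot see from an HJT line, such as the hidden attribute ComboFix later reports on lcsass.exe and sssvcs.exe, or a look at the file itself.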
 
Hello:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

In your next reply I will need:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Hi Respital,

Thanks for responding.

Here is the ComboFix logfile:
ComboFix 08-12-15.04 - Administrator 2008-12-16 12:41:37.6 - NTFSx86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\delextra.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system\delnew.exe
c:\windows\system32\a.exe
c:\windows\system32\csrcs.exe
c:\windows\system32\i
c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACW0Q72KP1EIKFUKIWCFHRIG
-------\Service_acw0q72kp1eikfukiwcfhrig


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-16 08:50 . 2008-12-16 12:53 2,560 ---hs---- c:\windows\system32\helpersvscs.exe
2008-12-12 13:39 . 2008-12-12 13:40 167,474 --a------ c:\windows\system32\llm.exe
2008-12-12 13:30 . 2008-12-12 13:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 13:30 . 2008-12-12 13:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 13:30 . 2008-12-12 13:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-12 13:30 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 13:30 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 12:11 . 2008-12-05 12:11 20 --a------ c:\windows\Converter.INI
2008-12-04 13:05 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-12-04 13:05 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-11-18 11:25 . 2008-11-19 11:46 10,752 --a------ c:\windows\system\del.exe
2008-11-18 11:25 . 2008-11-19 11:46 9,216 --a------ C:\winlogons.exe
2008-11-18 11:25 . 2008-11-19 11:46 6,656 --a------ c:\windows\system\helper.exe
2008-11-18 11:25 . 2008-11-19 11:46 5,632 --a------ C:\mstsc.exe
2008-11-18 08:53 . 2008-11-18 08:53 23,040 --a------ c:\windows\system32\mszsrn32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 01:57 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-04 06:26 --------- d-----w c:\documents and settings\Administrator\Application Data\SiteAdvisor
2008-12-04 06:25 143,922 ----a-w c:\windows\system32\msv.exe
2008-11-06 01:40 --------- d-----w c:\program files\ESET
2008-11-06 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-06 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-11-05 06:10 --------- d-----w c:\program files\Trainer Maker Kit
2008-11-05 03:04 --------- d-----w c:\documents and settings\Administrator\Application Data\ESET
2008-11-05 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-10-24 01:39 166,962 ----a-w c:\documents and settings\Administrator\fglp.exe
2008-10-24 01:39 166,962 ----a-w c:\documents and settings\Administrator\dbw.exe
2008-10-23 05:56 --------- d-----w c:\program files\EsetOnlineScanner
2008-10-23 05:35 166,962 --sh--w c:\windows\system32\sssvcs.exe
2008-10-23 05:35 166,962 --sh--w c:\windows\system32\lcsass.exe
2006-12-22 03:58 764 ----a-w c:\program files\moron.htm
2006-12-20 08:13 656 ----a-w c:\program files\UntitledFrameset-2.htm
2006-12-20 08:13 369 ----a-w c:\program files\Untitled-1.htm
2006-12-20 08:13 266 ----a-w c:\program files\UntitledFrame-3.htm
2006-12-20 08:13 266 ----a-w c:\program files\UntitledFrame-2.htm
2002-08-29 03:41 148,018 --sh--r c:\windows\system32\mldmm.exe
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-10-20_12.47.29.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 06:50:59 11,628,544 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-10-21 02:55:34 12,541,952 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-07-02 06:50:59 118,784 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-10-21 02:55:34 126,976 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-21 01:19:54 39,944 ----a-w c:\windows\LastGood\System32\DRIVERS\eamon.sys
+ 2007-12-21 01:20:14 30,216 ----a-w c:\windows\LastGood\System32\DRIVERS\easdrv.sys
+ 2007-12-21 01:21:46 71,176 ----a-w c:\windows\LastGood\System32\DRIVERS\epfw.sys
+ 2007-12-21 01:21:52 30,728 ----a-w c:\windows\LastGood\System32\DRIVERS\epfwndis.sys
+ 2007-12-21 01:21:54 53,768 ----a-w c:\windows\LastGood\System32\DRIVERS\epfwtdi.sys
- 2008-10-15 02:50:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-04 06:26:10 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-15 02:50:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-04 06:26:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-20 05:24:38 286,720 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-12-16 05:41:23 286,720 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-11-06 01:36:41 775,680 ----a-w c:\windows\system32\drivers\avg7core.sys
+ 2008-11-06 01:36:43 4,224 ----a-w c:\windows\system32\drivers\avg7rsw.sys
+ 2008-11-06 01:36:45 27,776 ----a-w c:\windows\system32\drivers\avg7rsxp.sys
+ 2008-11-06 01:36:46 3,968 ----a-w c:\windows\system32\drivers\avgclean.sys
+ 2008-11-06 01:36:46 19,840 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-11-06 01:36:46 4,960 ----a-w c:\windows\system32\drivers\avgtdi.sys
- 2008-06-15 06:43:01 59,694 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-03 01:40:10 59,694 ----a-w c:\windows\system32\perfc009.dat
- 2008-06-15 06:43:01 405,054 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-03 01:40:11 405,054 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"EPSON Stylus D78 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE" [2006-09-22 139264]
"EPSON Stylus C79 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE" [2006-09-22 139264]
"dsgb"="c:\windows\system32\lcsass.exe" [2008-10-23 166962]
"fhy"="c:\windows\system32\sssvcs.exe" [2008-10-23 166962]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-05 4538368]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-19 1481968]
"nl2plwrk"="c:\windows\System32\llm.exe" [2008-12-12 167474]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-03-25 5566464]
"dsgb"="c:\windows\system32\lcsass.exe" [2008-10-23 166962]
"fhy"="c:\windows\system32\sssvcs.exe" [2008-10-23 166962]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-03-25 86016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-06 411648]
"nl2plwrk"="c:\windows\System32\llm.exe" [2008-12-12 167474]
"nwiz"="nwiz.exe" [2005-03-25 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-06 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2002-08-29 40960]
"RunNarrator"="Narrator.exe" [2001-08-23 c:\windows\system32\narrator.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
TheSage.lnk - c:\program files\TheSage\TheSage.exe [2006-09-26 159744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-06-15 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-09-19 15:58 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2006-03-22 13:01 851968 c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2006-10-28 08:46 1254400 c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2002-08-29 04:38 208953 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatcherHelper]
--a------ 2008-01-30 16:36 120088 c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 12:37 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-07-05 08:29 4538368 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 14:54 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"wltrysvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Disk Monitor Manager"=2 (0x2)
"bmwebcfg"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"<NO NAME>"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2962:TCP"= 2962:TCP:Microsoft standard protector

.
Contents of the 'Scheduled Tasks' folder

2008-09-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-dsgb - c:\windows\System32\dbw.exe
HKU-Default-Run-fhy - c:\windows\System32\fglp.exe
HKU-Default-Run-Windows Networking Monitoring - c:\windows\System32\mdm.exe
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: www.1987324.com
TCP: {672A7404-8699-4F90-A42C-FEF0AA18CC61} = 195.186.1.111
TCP: {7A384D45-CC91-4BFE-AFA4-286668CAF057} = 195.186.1.111
TCP: {8F91FDBE-368D-4C9D-95CC-0CEDEEB69770} = 195.186.1.111
TCP: {BB9798C9-9D1C-4534-B9EC-21560EBC3382} = 192.168.0.1
TCP: {D6165536-5FD7-40ED-90F1-588F65D9C6AB} = 195.186.1.111
TCP: {F6079610-136A-46EC-8305-D1ECF73BA505} = 195.186.1.111
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c9bor518.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll
FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPOJI610.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 12:52:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
c:\windows\System32\msctfime.ime
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1124)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
c:\windows\system32\bmnet.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Adobe\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-12-16 13:02:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 06:02:03
ComboFix2.txt 2008-10-21 02:43:27
ComboFix3.txt 2008-10-20 05:49:09
ComboFix4.txt 2008-07-06 12:45:19

Pre-Run: 7.674.601.472 bytes free
Post-Run: 7,669,714,944 bytes free

285


Here is the HJT logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:07:13, on 16/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\system32\lcsass.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\sssvcs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\llm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\TheSage\TheSage.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKLM\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKCU\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-854245398-1677128483-839522115-500 Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe (User '?')
O4 - Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra 'Tools' menuitem: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A384D45-CC91-4BFE-AFA4-286668CAF057}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F91FDBE-368D-4C9D-95CC-0CEDEEB69770}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6165536-5FD7-40ED-90F1-588F65D9C6AB}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6079610-136A-46EC-8305-D1ECF73BA505}: NameServer = 195.186.1.111
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 11230 bytes


My PC still behaves the same as before.
 
This is a mess. If you have the Windows disk, I'd advise you to format. If not, it can probably be cleaned up, but it may take a while.
 
Hello, open HiJackThis, place a check mark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O15 - Trusted Zone: www.1987324.com


Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


In your next reply I will need:
  • The Kaspersky log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.

    Run Kaspersky Online AV Scanner

I am not quite clear on how to "Select All" from the list. Is it through the "Edit" tab? And I can't find the "Empty Selected" button.

I am not sure whether or not my pc can connect to internet to run online scanner as my first issue with it is "can't connect to internet".
I'll let you know what the result is later on. Thanks.
 
Hello Respital,

Sorry, I didn't read the instructions carefully, which is why I had to ask you about the "Select All" stuff. I've got it clear now. And to my surprise, I could perform the online scan.

My PC can now connect to the internet through the modem. However, the words "extremely slow" for my PC should now be changed to "fairly slow", because when I open the browser and run other office programs, I notice a kind of "slowness" before the system responds (it was not this slow before I got the issue of not being able to connect).

A strange behaviour has appeared on my PC: every time I double-click "Local Disk" (either C: or D:) in My Computer, it takes me to My Documents in Explorer view. So instead of taking me to the C: folder (when I double-click C:), it takes me to the My Documents folder in Explorer view. The same applies to drive D:. When I right-click the drive, the first entry is "Search" instead of "Open".

Here is the Kaspersky logfile:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 16, 2008 23:55:04
Records in database: 1467279
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 78920
Threat name: 12
Infected objects: 20
Suspicious objects: 0
Duration of the scan: 02:03:14


File name / Threat name / Threats count
C:\WINDOWS\system32\lcsass.exe/C:\WINDOWS\system32\lcsass.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\WINDOWS\system32\sssvcs.exe/C:\WINDOWS\system32\sssvcs.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\WINDOWS\System32\llm.exe/C:\WINDOWS\System32\llm.exe Infected: Backdoor.Win32.Bifrose.agpd 1
C:\Documents and Settings\Administrator\dbw.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\Documents and Settings\Administrator\Desktop\New Folder\aditya\buat_windows_asli\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\Administrator\fglp.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\a.exe.vir Infected: Backdoor.Win32.IRCBot.gnw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\csrcs.exe.vir Infected: Backdoor.Win32.DsBot.oy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\i.vir Infected: Trojan-Downloader.BAT.Ftp.ab 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mdm.exe.vir Infected: Backdoor.Win32.IRCBot.glk 1
C:\WINDOWS\system\del.exe Infected: Trojan-Clicker.Win32.VB.coq 1
C:\WINDOWS\system32\lcsass.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\WINDOWS\system32\llm.exe Infected: Backdoor.Win32.Bifrose.agpd 1
C:\WINDOWS\system32\mldmm.exe Infected: Backdoor.Win32.IRCBot.gif 1
C:\WINDOWS\system32\msv.exe Infected: Trojan.Win32.Agent.asyh 1
C:\WINDOWS\system32\mszsrn32.dll Infected: Email-Worm.Win32.Banwarum.o 1
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.ab 1
C:\WINDOWS\system32\sssvcs.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\winlogons.exe Infected: Trojan.Win32.Inject.ldl 1

The selected area was scanned.


Here is the HJT logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:13, on 17/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\system32\lcsass.exe
C:\WINDOWS\system32\sssvcs.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\llm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKLM\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKCU\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-854245398-1677128483-839522115-500 Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe (User '?')
O4 - Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra 'Tools' menuitem: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A384D45-CC91-4BFE-AFA4-286668CAF057}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F91FDBE-368D-4C9D-95CC-0CEDEEB69770}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6165536-5FD7-40ED-90F1-588F65D9C6AB}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6079610-136A-46EC-8305-D1ECF73BA505}: NameServer = 195.186.1.111
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 11320 bytes
 
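The two logs in the post above are what a helper triages by hand: the O4 lines say which files start at logon, and the Kaspersky report says which of those files are detected. As an added example (my own code, not part of this thread and not from HijackThis, Kaspersky or ComboFix), the Python script below parses a subset of lines copied from the two posted logs and joins them by file path. The regular expressions follow the line shapes visible in the logs and are this example's own; the quarantine rule assumes the `C:\Qoobox\Quarantine\` prefix shown in the report is ComboFix's quarantine folder.

```python
"""Cross-reference HijackThis O4 autostart entries with a Kaspersky scan report.

Added example for the thread; not code from HijackThis, Kaspersky or ComboFix.
The sample text below is a subset copied from the two logs posted in the thread.
"""
import re
from collections import defaultdict

# Subset of the posted HJT log (constructed sample for this example).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKLM\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKLM\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe
O4 - HKCU\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe
O4 - HKCU\..\Run: [fhy] C:\WINDOWS\system32\sssvcs.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [dsgb] C:\WINDOWS\system32\lcsass.exe (User '?')
O4 - HKUS\S-1-5-21-854245398-1677128483-839522115-500\..\Run: [nl2plwrk] C:\WINDOWS\System32\llm.exe (User '?')
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
"""

# Subset of the posted Kaspersky report (constructed sample for this example).
KAV_SAMPLE = r"""
File name / Threat name / Threats count
C:\WINDOWS\system32\lcsass.exe/C:\WINDOWS\system32\lcsass.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\WINDOWS\system32\sssvcs.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\WINDOWS\System32\llm.exe Infected: Backdoor.Win32.Bifrose.agpd 1
C:\Documents and Settings\Administrator\dbw.exe Infected: Backdoor.Win32.Agent.tgz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\csrcs.exe.vir Infected: Backdoor.Win32.DsBot.oy 1
"""

# Line shapes taken from the logs above; the regexes are this example's own, not HJT's.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>\S+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
KAV_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)", re.I)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"  # assumed: ComboFix quarantine folder seen in the report


def target_path(cmd):
    """Return the file launched by a Run-key command, lower-cased for comparison."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    m = EXE_RE.match(cmd)  # unquoted path may contain spaces, so stop at the extension
    return (m.group(1) if m else cmd).lower()


def parse_hjt(text):
    """Collect O4 autostarts as (hive, name, path), plus O10 LSP names and O15 trusted hosts."""
    autostarts, lsp, trusted = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            autostarts.append((m.group("hive"), m.group("name"), target_path(m.group("cmd"))))
        elif (m := O10_RE.match(line)):
            lsp.append(m.group("dll"))
        elif (m := O15_RE.match(line)):
            trusted.append(m.group("host"))
    return autostarts, lsp, trusted


def parse_kav(text):
    """Map lower-cased on-disk path -> threat name, keeping quarantined copies separate."""
    live, quarantined = {}, {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if not m:
            continue
        # "outer/inner" denotes an object inside a container; the outer part is the file on disk.
        path = m.group("obj").split("/", 1)[0].lower()
        (quarantined if path.startswith(QUARANTINE_PREFIX) else live)[path] = m.group("threat")
    return live, quarantined


def triage(hjt_text, kav_text):
    """Join the two logs: which autostart targets were detected, and from which hives they persist."""
    autostarts, lsp, trusted = parse_hjt(hjt_text)
    live, quarantined = parse_kav(kav_text)
    hives = defaultdict(set)
    for hive, _name, path in autostarts:
        hives[path].add(hive)
    flagged = {p: {"threat": live[p], "hives": sorted(hives[p])} for p in hives if p in live}
    return {
        "flagged_autostarts": flagged,
        # detections with no Run entry at all (HJT only lists some persistence points)
        "detections_without_o4": sorted(p for p in live if p not in hives),
        "unknown_lsp": sorted(set(lsp)),
        "trusted_zones": trusted,
        "already_quarantined": sorted(quarantined),
    }


if __name__ == "__main__":
    report = triage(HJT_SAMPLE, KAV_SAMPLE)
    for path, info in report["flagged_autostarts"].items():
        print(f"{path}: {info['threat']} persisted via {', '.join(info['hives'])}")
    for key in ("detections_without_o4", "unknown_lsp", "trusted_zones", "already_quarantined"):
        print(f"{key}: {report[key]}")
```

Running it shows lcsass.exe registered under HKLM, HKCU and the HKUS\S-1-5-21-...-500 hive (RID 500 is the built-in Administrator account, which is the logged-in user here, so the same per-user Run key is listed twice), and llm.exe and sssvcs.exe under two hives each. Fixing a single O4 line in HijackThis deletes one registry value; the other values and the running process remain, which is consistent with the detections that keep reappearing after restart later in the thread. It also shows dbw.exe was detected with no O4 entry at all, so the HijackThis log alone would not have revealed it.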
Hi Respital,

Bad news! I don't know why, but this morning my laptop couldn't connect to the internet using the modem. I've been trying to connect, but to no avail.
As far as I can remember, I did not do anything to my PC after my previous post stating that "I can now connect to the internet". Weird, isn't it?

Another strange thing is that after booting, there is occasionally a splash screen from AVG stating "Threat Found!" in C:\Windows\system32\helpersvscs.exe, Trojan Horse Proxy.KJB. I moved it to the vault, but it seems to keep reappearing at restart.

What should I do?
 
Hi Respital,

It has been quite a while since you last replied to this thread. Is everything fine?

My PC is now back to its previous behaviour: it can't connect to the internet and is fairly slow. In fact, besides the weird "explorer view" issue I mentioned before, my PC now occasionally pops up a "SYSTEM SHUTDOWN" with a one-minute warning that RPC terminated (C:\Windows\System32\lsass.exe), sometimes before and sometimes after I plug/unplug the modem.

The AVG splash screen detecting the threat "helpersvscs.exe" has now become a regular part of startup on my PC.

Please help!
 
Please help..................!!!

Sorry for the delay. As Buzz previously stated, it would be best to reformat your computer, as you are infected with multiple backdoor Trojans, and some experts believe that once you're infected with a backdoor the computer can't be deemed safe unless it is reformatted.
 
Oh....

Is that it? Is there no other way to help me clean it than to reformat it?
Please, if reformatting were the first option I'd have chosen, I'd not have gone through the cleaning process you advised me to.

Do you want me to stop the cleaning process?
 
Oh....

Is that it? Is there no other way to help me clean it than to reformat it?
Please, if reformatting were the first option I'd have chosen, I'd not have gone through the cleaning process you advised me to.

Do you want me to stop the cleaning process?

You could keep going through the cleaning process, but someone more skilled would have to assist you. Also, I said it would be best to reformat because some experts believe that even if everything checks out you could still be infected, and they wouldn't trust that computer with their banking details.
 
ok then, Respital. Thanks for the suggestion.
If any "more skilled computer expert" happens to notice this thread and would like to try guiding me through the cleaning process (or maybe you could suggest one for me), I'd be ready to do so.

Anyway, thank you very much for the help given to me so far, Respital.
You have been really helpful.


Best Regards,
Ehipassiko.
 