
Major Infection...Please Help

Discussion in 'Malware and Virus Removal Archive' started by ws0702, 2007/04/22.

  1. 2007/04/22
    ws0702

    ws0702 Inactive Thread Starter

    Joined:
    2007/04/22
    Messages:
    3
    Likes Received:
    0
    Hello. I am writing this from a laptop connected to my wireless network, but the computer that is in question is my desktop computer that i use all the time.

    As of yesterday, my computer has been almost rendered nonfunctional. My internet is connected, but my browsers do not load anything, just a blank page.
    I get periodic popups asking me to buy certain anti-spyware software and every couple of minutes I get a little notification on my bottom taskbar that reads...

    Windows has detected an Internet attack attempt...
    Somebody's trying to infect your PC with spyware or harmful viruses.

    OR

    Warning! Your security and privacy are at risk!
    Spyware has been detected on your computer. Click here to run a FULL SYSTEM SCAN to protect your data. (Windows Security Center message)

    Your computer is working slowly!
    Slow operation speed might have been caused by malicious spyware.

    Etc. etc.

    I ran Ad-Aware and it cleaned everything it could, but the problem persists. My computer is now REALLY slow, and the worst part is every time I try to open Task Manager, it gives me a message that "Task Manager has been disabled by your administrator". When I went into my registry, I found a registry key called "DisableTskMngr" or something like that. I deleted it, but every time I delete it, it just keeps re-appearing on its own.

    PLEASE HELP! I depend on this computer for daily tasks and I would appreciate any feedback/assistance in dealing with this problem.

    Thanks in advance.

    ~WS0702
     
  2. 2007/04/22
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    If you have already run AdAware SE and/or Spybot Search & Destroy, with updated definitions, and are still having problems, next we move on to HijackThis v1.99.1. This scan will give us a 'base point' to begin an in-depth, detailed analysis.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select Next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     


  4. 2007/04/22
    ws0702

    ws0702 Inactive Thread Starter

    Joined:
    2007/04/22
    Messages:
    3
    Likes Received:
    0
    Hey. Here is my HJT log. I had to go to another XP username since my main username is inaccessible for some reason.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:36:54 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Shekhar\ie_updater.exe
    C:\WINDOWS\system32\tmrsrv32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\idleserv.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\WINDOWS\updater.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\system32\Explorer.exe
    C:\WINDOWS\system32\Explorer.exe
    C:\WINDOWS\NOTEDAD.EXE
    C:\Documents and Settings\Ipod\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp17.tmp.dll
    O2 - BHO: (no name) - {1CC28A64-17D2-1022-A641-6FE34BE2FFEA} - C:\WINDOWS\system32\cyplsjuf.dll
    O2 - BHO: (no name) - {230ca6a8-791c-4d43-82c5-de3d1977e219} - C:\WINDOWS\system32\mqrlan.dll
    O2 - BHO: (no name) - {39ABDA02-8988-94E2-18C9-60CF43C9334C} - C:\DOCUME~1\Shekhar\APPLIC~1\GplBits\CoolPoke.exe (file missing)
    O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\ssqppoo.dll
    O2 - BHO: (no name) - {C7B68A18-7BD4-4455-9C99-C4BC73CDEAE3} - C:\WINDOWS\system32\ddayy.dll
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: 0 - {F4D0A3F8-D476-4987-8F85-DF9FC95F1E32} - C:\Program Files\MSN Gaming Zone\qukavola.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385576F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\rqopmm.dll ",realset
    O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101340124357
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
    O20 - Winlogon Notify: mqrlan - C:\WINDOWS\SYSTEM32\mqrlan.dll
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\n2r2lc9o1f.dll (file missing)
    O20 - Winlogon Notify: ssqppoo - C:\WINDOWS\SYSTEM32\ssqppoo.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: General Socket Service - Unknown owner - C:\WINDOWS\SVCHOST.EXE (file missing)
    O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Shekhar\ie_updater.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

    --
    End of file - 10119 bytes
     
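As an added example (not code from this thread, from HijackThis or from either poster), here is a small Python triage script over a few lines copied from the log above. The section prefixes (O2, O4, O10, O20, O23) are HijackThis's own; the flagging rules are my assumptions about what a helper reviews first, and they mark entries for review, not as malware.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp17.tmp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\rqopmm.dll ",realset
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\icxgs.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O23 - Service: General Socket Service - Unknown owner - C:\WINDOWS\SVCHOST.EXE (file missing)
"""

# Each HijackThis entry starts with a section code (R0, R1, O2, ...) followed by " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")


def parse(log):
    """Return a list of (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log):
    """Heuristic review list (assumed rules, not a verdict) as (section, note) tuples."""
    entries = parse(log)
    findings = []
    # O10: the same unknown LSP DLL stacked many times is a classic sign of a hijacked Winsock chain.
    for body, n in Counter(b for s, b in entries if s == "O10").items():
        if n > 1:
            findings.append(("O10", f"LSP entry repeated {n}x: {body}"))
    for sec, body in entries:
        if sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "unnamed BHO, review the DLL: " + body))
        elif sec == "O4" and "rundll32" in body.lower():
            findings.append((sec, "rundll32-loaded autostart DLL: " + body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((sec, "AppInit_DLLs injects into every process: " + body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((sec, "Winlogon Notify DLL, verify publisher: " + body))
        elif sec == "O23" and "Unknown owner" in body and "(file missing)" in body:
            findings.append((sec, "orphaned service with unknown owner: " + body))
    return findings
```

Running triage(SAMPLE_LOG) leaves the named PCTools BHO and the 2Wire tray entry unflagged and lists the other six for a helper to look at.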
  5. 2007/04/22
    ws0702

    ws0702 Inactive Thread Starter

    Joined:
    2007/04/22
    Messages:
    3
    Likes Received:
    0
    Also, another development. Periodically I get a "sysrlb32.exe" in a fake cmd window and a LoadLibrary error thing....
     
  6. 2007/04/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, first things first, you did not download HJT from the link I provided, please do so and discard the Trend Micro HJT version, thanks.

    Secondly you have a nasty little infection going on here, it has installed a back door on your system, maybe two.

    If you do any online financial business which requires any password entries and such, I would contact the relative institutions to alert them that your computer has been compromised and your private information may have been acquired.

    These infections can be difficult to remove and in some cases users are advised to reformat and reinstall Windows after saving any important data. I can do the best I can to remove the infection but cannot guarantee with 100% certainty that your system will be secure afterwards.

    The decision is of course up to you. I can only advise.

    If you elect to continue with clean up, please do as instructed below in the order presented.


    Download SDFix and save it to your Desktop.

    Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
     
