Jump to content


Photo

Infected with Windows Allerts and Popups


  • This topic is locked This topic is locked
9 replies to this topic

#1 Darien D.

Darien D.

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 20 May 2007 - 03:13 PM

I have recently been been plagued with a ton of popups and other various problems.
I have run numerous virus scans and found things like:
Smitfraud-C, Error Safe, WinAntiSpyware, Bzub, STP68.2007, Win32.Sality.X, SillyDl.cph

My Windows taskbar constantly dissapears and then reappears. I constantly have to restart downloads because they often stall. Internet Explorer also runs into many problems and is always asking me if I want to send an error report. I also get various advertising popups which do not always seem to be the same.

I ran Ad-Aware, Spybot S&D.
I then ran eTrust EZ Antivirus and SmitfraudFix.
I tried to run Panda Active Scan but I could never get it to work.

Operating System: Windows XP SP2


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:15:06 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\HiJackThis\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a69ba3e-6a6c-4868-b38d-a29555973621} - C:\WINDOWS\system32\iefone.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iefone - C:\WINDOWS\SYSTEM32\iefone.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4469 bytes


I would appreciate any help you could offer!

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 23 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 25 May 2007 - 05:49 AM

Hi Darien,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {2a69ba3e-6a6c-4868-b38d-a29555973621} - C:\WINDOWS\system32\iefone.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: iefone - C:\WINDOWS\SYSTEM32\iefone.dll



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


    File::
    C:\WINDOWS\system32\iefone.dll
    C:\WINDOWS\system32\perfc000.dat
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Edited by Sempurna, 25 May 2007 - 05:50 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#4 Darien D.

Darien D.

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 25 May 2007 - 10:21 PM

Thanks a lot for your help. I really appreciate it.
There was no problems going through the steps you gave, it was all pretty easy to follow. Things seem to be running fine now, I have not experienced any more popups (though I havent givent it a lot of time yet). There still seems to be some references to the iefone.dll in the registry according to HijackThis.

Here is the ComboFix log:

"Owner" - 2007-05-25 22:33:05 Service Pack 2
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Owner\"
Command switches used :: ""C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\tmp9.tmp.dll"
"C:\WINDOWS\system32\tmpB.tmp.dll"
"C:\WINDOWS\system32\tmpD.tmp.dll"
"C:\WINDOWS\system32\iefone.dll"


((((((((((((((((((((((((((((((( Files Created from 2007-04-25 to 2007-05-25 ))))))))))))))))))))))))))))))))))


2007-05-24 22:31 106,808 --a------ C:\WINDOWS\gedaxx.dll
2007-05-22 21:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-19 23:04 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-19 16:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-19 16:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 16:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 16:38 <DIR> d-------- C:\Program Files\RogueRemover
2007-05-19 15:58 2,224 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-19 08:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-17 20:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-17 20:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-17 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-17 18:19 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-05-10 00:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-05-09 21:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-05 08:31 <DIR> d--h----- C:\WINDOWS\PIF
2007-04-30 19:40 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\vlc
2007-04-30 19:29 <DIR> d-------- C:\Program Files\VideoLAN
2007-04-25 18:22 <DIR> d-------- C:\Program Files\e-Sword
2007-04-25 18:20 <DIR> d-------- C:\WINDOWS\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-02 15:12:09 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 15:12:09 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-05-01 01:04:42 -------- d-----w C:\Program Files\DivX
2007-04-26 00:11:09 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-24 23:16:47 -------- d-----w C:\Program Files\QuickTime
2007-04-24 23:15:54 -------- d-----w C:\Program Files\Apple Software Update
2007-04-20 15:54:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-09 02:30:31 26,787 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-04-09 02:29:16 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-04-09 02:29:16 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-04-09 02:29:16 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-04-09 02:29:16 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-04-09 02:29:16 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-04-09 02:29:16 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-04-09 02:27:00 -------- d-----w C:\Program Files\Common Files\Scanner
2007-04-09 02:26:53 -------- d-----w C:\Program Files\CA
2007-04-09 02:20:37 -------- d-----w C:\Program Files\McAfee
2007-04-08 02:02:53 -------- d-----w C:\Program Files\7-Zip
2007-04-08 01:34:15 107,977 ----a-w C:\Program Files\Common Files\3721.exe
2007-04-08 00:47:44 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\HP
2007-04-08 00:20:49 124,320 ----a-w C:\WINDOWS\HPHins12.dat
2007-04-08 00:19:48 -------- d-----w C:\Program Files\Common Files\HP
2007-04-08 00:19:46 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-08 00:15:44 -------- d-----w C:\Program Files\HP
2007-04-06 18:35:14 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MilkShape 3D 1.x.x
2007-04-06 02:33:30 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2007-04-06 02:33:07 -------- d-----w C:\Program Files\Cakewalk
2007-04-06 02:01:24 -------- d-----w C:\Program Files\directx
2007-04-05 04:01:34 -------- d-----w C:\Program Files\Guitar Pro 5
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-01 02:42:46 0 ----a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2a69ba3e-6a6c-4868-b38d-a29555973621}=C:\WINDOWS\system32\iefone.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-01-31 14:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2007-04-08 21:29]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-04-08 21:29]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-04-08 21:29]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2005-01-26 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 20:07]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iefone]
iefone.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1168108615\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Road Runner PhotoShow Media Manager]
C:\PROGRA~1\ROADRU~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\qopnop.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syswin]
C:\DOCUME~1\Owner\LOCALS~1\Temp\x2000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-04-24 23:15:57 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-01-07 20:50:28 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7700#MY35T1310H7F.job
2007-05-25 04:49:06 C:\WINDOWS\tasks\HP Usg Daily.job
2007-05-26 03:37:29 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-20 04:04:17 C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-25 22:37:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-25 22:39:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-25 22:39
C:\ComboFix2.txt ... 2007-05-22 22:44
C:\ComboFix3.txt ... 2007-05-22 22:23

--- E O F ---


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:11:30 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\HiJackThis\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a69ba3e-6a6c-4868-b38d-a29555973621} - C:\WINDOWS\system32\iefone.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iefone - iefone.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4331 bytes

Thanks again for the help and please let me know if there is anything else that needs done.

#5 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 26 May 2007 - 02:02 AM

Hi Darien, :wave:

You’re most welcome, Darien. Glad to be of some help. I’m happy to hear that things are running better now. :)

OK, let’s pick up where we left off.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2a69ba3e-6a6c-4868-b38d-a29555973621} - C:\WINDOWS\system32\iefone.dll (file missing)
O20 - Winlogon Notify: iefone - iefone.dll (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please delete your current copy of ComboFix-Do.txt as we need to create a new one:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


    File::
    C:\WINDOWS\gedaxx.dll
    C:\Program Files\Common Files\3721.exe
    C:\WINDOWS\qopnop.dll
    C:\DOCUME~1\Owner\LOCALS~1\Temp\x2000.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2a69ba3e-6a6c-4868-b38d-a29555973621}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iefone]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syswin]
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

    C:\WINDOWS\dsdxirmv.exe

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • UNCHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
  • Click on "Kaspersky Online Scanner".
  • You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "Next".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click "OK".
  • Now under select a target to scan:
    • Select "My Computer".
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Edited by Sempurna, 26 May 2007 - 02:06 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#6 Darien D.

Darien D.

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 26 May 2007 - 09:13 AM

Ok, I got through all of that without any problems.

Here is the new ComboFix log:

"Owner" - 2007-05-26 7:01:52 Service Pack 2
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Owner\"
Command switches used :: ""C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\gedaxx.dll"
"C:\Program Files\Common Files\3721.exe"


((((((((((((((((((((((((((((((( Files Created from 2007-04-26 to 2007-05-26 ))))))))))))))))))))))))))))))))))


2007-05-22 21:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-19 23:04 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-19 16:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-19 16:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 16:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 16:38 <DIR> d-------- C:\Program Files\RogueRemover
2007-05-19 15:58 2,224 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-19 08:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-17 20:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-17 20:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-17 20:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-17 18:19 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-05-10 00:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-05-09 21:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-05 08:31 <DIR> d--h----- C:\WINDOWS\PIF
2007-04-30 19:40 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\vlc
2007-04-30 19:29 <DIR> d-------- C:\Program Files\VideoLAN


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-18 01:02:31 -------- d-----w C:\Program Files\e-Sword
2007-05-02 15:12:09 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 15:12:09 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-05-01 01:04:42 -------- d-----w C:\Program Files\DivX
2007-04-26 00:11:09 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-24 23:16:47 -------- d-----w C:\Program Files\QuickTime
2007-04-24 23:15:54 -------- d-----w C:\Program Files\Apple Software Update
2007-04-20 15:54:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-09 02:30:31 26,787 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-04-09 02:29:16 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-04-09 02:29:16 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-04-09 02:29:16 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-04-09 02:29:16 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-04-09 02:29:16 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-04-09 02:29:16 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-04-09 02:27:00 -------- d-----w C:\Program Files\Common Files\Scanner
2007-04-09 02:26:53 -------- d-----w C:\Program Files\CA
2007-04-09 02:20:37 -------- d-----w C:\Program Files\McAfee
2007-04-08 02:02:53 -------- d-----w C:\Program Files\7-Zip
2007-04-08 00:47:44 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\HP
2007-04-08 00:20:49 124,320 ----a-w C:\WINDOWS\HPHins12.dat
2007-04-08 00:19:48 -------- d-----w C:\Program Files\Common Files\HP
2007-04-08 00:19:46 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-08 00:15:44 -------- d-----w C:\Program Files\HP
2007-04-06 18:35:14 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MilkShape 3D 1.x.x
2007-04-06 02:33:30 118,784 ----a-w C:\WINDOWS\dsdxirmv.exe
2007-04-06 02:33:07 -------- d-----w C:\Program Files\Cakewalk
2007-04-06 02:01:24 -------- d-----w C:\Program Files\directx
2007-04-05 04:01:34 -------- d-----w C:\Program Files\Guitar Pro 5
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-01 02:42:46 0 ----a-w C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-01-31 14:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2007-04-08 21:29]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-04-08 21:29]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-04-08 21:29]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2005-01-26 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 20:07]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1168108615\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Road Runner PhotoShow Media Manager]
C:\PROGRA~1\ROADRU~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
2007-04-24 23:15:57 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-01-07 20:50:28 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7700#MY35T1310H7F.job
2007-05-25 04:49:06 C:\WINDOWS\tasks\HP Usg Daily.job
2007-05-26 11:54:35 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-20 04:04:17 C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 07:05:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-26 7:06:01
C:\ComboFix-quarantined-files.txt ... 2007-05-26 07:05
C:\ComboFix2.txt ... 2007-05-25 22:39
C:\ComboFix3.txt ... 2007-05-22 22:44

--- E O F ---



Here is the KasperSky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 26, 2007 9:54:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/05/2007
Kaspersky Anti-Virus database records: 330265
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84648
Number of viruses found: 9
Number of infected objects: 38 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:17:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_gdql_lsa.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe/PRE Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe Ghost Installer: infected - 6 skipped
C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe UPX: infected - 6 skipped
C:\Program Files\InstallShield Installation Information\{D14E3D40-2004-11D3-BFBF-00A0248F3321}\setup.exe Infected: Trojan-Dropper.Win32.Mudrop.z skipped
C:\Program Files\TurboTax\Deluxe 2005\DlInst\Setup.exe Infected: Trojan-Dropper.Win32.Mudrop.z skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\3721.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.bw skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\3721.exe.vir/stream Infected: not-a-virus:AdWare.Win32.BHO.bw skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\3721.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\159x.exe.vir Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\QooBox\Quarantine\C\WINDOWS\gedaxx.dll.vir Infected: Trojan.Win32.Agent.agv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir Infected: Backdoor.Win32.Small.os skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP27\A0003363.exe Infected: Trojan-Dropper.Win32.Mudrop.z skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP37\A0004797.dll Infected: not-a-virus:AdWare.Win32.BHO.av skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP46\A0005553.exe Infected: Backdoor.Win32.Small.os skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP47\A0005664.exe Infected: Backdoor.Win32.Small.os skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP59\A0008334.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP60\A0008406.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0008500.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0008501.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0008769.exe Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0008844.exe Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0008845.exe Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0008981.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0009009.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0009023.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0009148.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0009149.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.bw skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0009149.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.bw skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\A0009149.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TREVORSPC.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT0757a.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP61\change.log Object is locked skipped

Scan process completed.



And finally, here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:06:27 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\HiJackThis\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileop...nt/FileOpen.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4357 bytes

#7 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 26 May 2007 - 01:23 PM

Hi Darien, :wave:

Just some leftovers to take care of. :)

Please run HijackThis and fix this next entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Then please delete these FILES:

C:\Downloads\Tools\Free-SpyHunter-Scanner-Install.exe
C:\Program Files\InstallShield Installation Information\{D14E3D40-2004-11D3-BFBF-00A0248F3321}\setup.exe
C:\Program Files\TurboTax\Deluxe 2005\DlInst\Setup.exe


How are things running now? Any persistent problems or suspicious behaviour on your machine that I should know about?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#8 Darien D.

Darien D.

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 26 May 2007 - 03:40 PM

I removed the remaining files like you suggested. Everything is running great now. I have not noticed anything out of the ordinary, it all appears to be running normally.

I'm positive that I could not have fixed this problem without your help! Thank you very much! :D

#9 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 27 May 2007 - 12:51 AM

Hi Darien, :wave:

Youíre most welcome Darien. Iím glad to hear that things are back to normal. :)

Just some loose ends to tie up, and then we can let you go home. :)

NEXT:

To create a new system restore point:
  • Go to Start Menu -> All Programs -> Accessories -> System Tools -> System Restore.
  • Click "Create A Restore Point" then click "Next". Give it a name and then click "Create".
  • When the confirmation screen shows the restore point has been created click "Close".
  • Then go to Start -> Run and type cleanmgr.
  • Disk Cleanup will open and start calculating the amount of space that can be freed.
  • Once thatís finished it will open the Disk Cleanup options screen, click the "More Options" tab.
  • Click "Clean Up" in the "System Restore" section and choose "Yes" at the confirmation window.
This will remove all previous restore points except the newly created one.


NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:
  • CLICK HERE to download the offline installer.
    • Select "Java Runtime Environment (JRE) 6u1" and click the "Download" button to the right.
    • Check the box that says "Accept License Agreement".
    • Click on the link to download "Windows Offline Installation, Multi-language".
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean. :)

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
    Tutorial: How to use!

  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!

  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
    Quick Guide: How to use!
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck! :D
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#10 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 25 June 2007 - 05:50 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button