View Full Version : Antivermins attack
OK, so I am helping my uncle clean up his computer. He had tons of viruses and spyware and I was able to remove most using Spybot, Ad-aware and ZoneAlarm virus scan.
However, he had this antivermins nasty that would not be squashed by the standard means. So here I am. Thank you in advance for your help!
Below are the log files for SmitFraudFix, HijackThis and BitDefender On-line Scan.
SmitFraudFix Log File:
SmitFraudFix v2.132
Scan done at 23:02:25.16, 2007-01-18
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8670ee50-01f9-47da-ac1e-cf8549e9e521}"="eupeptic"
[HKEY_CLASSES_ROOT\CLSID\{8670ee50-01f9-47da-ac1e-cf8549e9e521}\InProcServer32]
@="C:\WINDOWS\system32\axlet.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8670ee50-01f9-47da-ac1e-cf8549e9e521}\InProcServer32]
@="C:\WINDOWS\system32\axlet.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\axlet.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\axlet.dll -> Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\MTC.ini Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:25:44 PM, on 2007-01-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.makemesearch.com/?said=382
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.powerquest.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169078155463
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A387BCAE-08C6-4F90-9694-3EB97CBF7AA8}: Domain = Verizon.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: McShield - Lucent Technologies - (no file)
O23 - Service: mcupdmgr.exe - Lucent Technologies - (no file)
O23 - Service: MCVSRte - Lucent Technologies - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
[I]See Next post for BitDefender Scan Report . . .
Here is the scan report for BitDefender On-line scan. I did this AFTER SmitfraudFix and Spybot (in safe mode) and HijackThis scan.
BitDefender Online Scanner
Scan report generated at: Fri, Jan 19, 2007 - 01:32:36
Scan path: C:\;D:\;E:\;
Statistics
Time
01:39:13
Files
279139
Folders
5094
Boot Sectors
3
Archives
11314
Packed Files
28567
Results
Identified Viruses
4
Infected Files
43
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
43
Engines Info
Virus Definitions
383887
Engine build
AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins
14
Archive plugins
38
Unpack plugins
6
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP220\A0053849.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP220\A0053849.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP220\A0053849.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP220\A0053874.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP220\A0053874.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP220\A0053874.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053899.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053899.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053899.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0006
Infected with: Trojan.Zlob.HO
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0006
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0006
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Infected with: Trojan.Zlob.IN
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053904.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0006
Infected with: Trojan.Zlob.HO
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0006
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0006
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Infected with: Trojan.Zlob.IN
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053905.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0006
Infected with: Trojan.Zlob.HO
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0006
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0006
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Infected with: Trojan.Zlob.IN
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0000
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0053911.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054023.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054023.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054023.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054038.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054038.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054038.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054066.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054066.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054066.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054076.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054076.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP221\A0054076.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054183.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054183.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054183.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054209.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054209.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054209.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054221.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054221.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP222\A0054221.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0055219.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0055219.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0055219.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056246.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056246.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056246.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056289.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056289.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056289.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056378.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056378.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP223\A0056378.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056406.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056406.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056406.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056418.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056418.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056418.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056429.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056429.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP224\A0056429.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056435.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056435.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056435.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056457.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056457.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056457.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056466.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056466.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056466.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056476.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056476.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056476.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056747.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056747.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056747.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056773.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056773.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP225\A0056773.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056795.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056795.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056795.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056806.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056806.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056806.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056826.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056826.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056826.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056838.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056838.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP226\A0056838.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP227\A0056857.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP227\A0056857.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP227\A0056857.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP227\A0056964.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP227\A0056964.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP227\A0056964.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0056998.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0056998.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0056998.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057027.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057027.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057027.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057048.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057048.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057048.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057083.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057083.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057083.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057110.exe=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Zlob.IN
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057110.exe=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057110.exe=>(NSIS o)=>lzma_solid_nsis0000
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057110.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057123.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057123.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057123.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057127.exe
Infected with: Trojan.Downloader.Zlob.AHK
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057127.exe
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP228\A0057127.exe
Deleted
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP234\A0062494.dll
Infected with: Trojan.FakeAlert.AO
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP234\A0062494.dll
Disinfection failed
C:\System Volume Information\_restore{571BDD20-7733-4F81-9DFC-DA953BCF8774}\RP234\A0062494.dll
Deleted
OK, so everthing seems to be running fine now. Compuer speed and internet connection are running smoothly.
There is no longer that annoying notification in the system tray. All of the rogue programs in the Add/Remove Programs area are gone (Public messenger ver 2.03, Internet security Add-on, System Alert Pop Up, etc.)
So I rebooted and ran the BitDefender scan again and it found all of the same nasties that it said that it found and deleted in the first scan. I fear that some of the nasties may have the ability to regenerate from these files?!? Is it really clean yet?
Please advise. Thanks!
pskelley
2007-01-21, 13:39
Welcome to the forum, first let me say it looks like Smitfraudfix removed that infection. I have questions now:
I see no antivirus program actively running in this HJT log? This is just not safe, if you need a free antivirus program, here are three to choose from:
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
I need to know what is going on in your services, see these entries:
O23 - Service: McShield - Lucent Technologies - (no file)
O23 - Service: mcupdmgr.exe - Lucent Technologies - (no file) G
O23 - Service: MCVSRte - Lucent Technologies - (no file)
The files are McAfee and the company, Lucent Technologies is a valid one:
http://www.lucent.com/wps/portal/Solutions/detail?LMSG_CABINET=Solution_Product_Catalog&LMSG_CONTENT_FILE=Solutions/Solution_Detail_000035.xml
But I have not seen them looking like this in services and I see no McAfee running anywhere in the HJT log? Please explain.
Instructions:
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.makemesearch.com/?said=382
R3 - Default URLSearchHook is missing
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log along with the information I requested.
Thanks
I am running ZoneLabs Security Suite which I think uses the Computer Associates anti-virus package. I think that its service is isafe.exe in the Hijack this log.
I don't know if this anti-virus package is adaquate or not, but the ZoneLabs Suite is easy to use and I am farmiliar with it. My Uncle had Avast running on his computer when I first came on the scene. I did a scan with avast and it found a few things, but not a lot. I uninstalled it and installed ZoneLabs since I am more farmiliar with that product. I did a full scan and it found a bunch more stuff. ZoneLabs seems to be loading at start-up.
Here's an tangential question: ZoneLabs seems to be the last thing to load into the system tray, is there a way to bump it up to the beginning so that the computer is not exposed for the 2-3 min boot cycle?
I am not sure what the McShield, mcupdmgr.exe, and the MCVSRte services are from. He does not appear to have McAffee installed or running. The only thing that says "Lucent" anywhere in or on this machine is the modem. As I said, this is my Uncle's computer so I do not know the history of what he had installed at some point in time.
I ran ATF Cleaner and it deleted almost 1Gb of stuff! This is after I already did a Disk Cleaup a couple of days ago.
THanks for your help! You rock!
Here is the new Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:12:55 AM, on 2007-01-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.powerquest.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169078155463
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A387BCAE-08C6-4F90-9694-3EB97CBF7AA8}: Domain = Verizon.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: McShield - Lucent Technologies - (no file)
O23 - Service: mcupdmgr.exe - Lucent Technologies - (no file)
O23 - Service: MCVSRte - Lucent Technologies - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
pskelley
2007-01-21, 19:01
Thanks for the feedback, I see the Zone Alarm item, seems ZA and everyone else use the same file name:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=isafe%2eexe
I can't tell you much, I run Zone Alarm free but no other ZA product. I will post links in a moment from experts, after you review that information, if you still have questions please post them.
I have no idea how to control the load order (though there must be a way, I never considered it) Zone Alarm loads on my computer last also and I do not consider 2 - 3 minutes a long boot time. I boot McAfee, Windows Live Messenger, SpywareGuard and Zone Alarm free and that is about my boot time.
Perhaps Those McAfee items are disabled and no longer used and we are looking at lines leftover in the HJT log. Use HJT to check and remove them and see what happens:
O23 - Service: McShield - Lucent Technologies - (no file)
O23 - Service: mcupdmgr.exe - Lucent Technologies - (no file)
O23 - Service: MCVSRte - Lucent Technologies - (no file)
ATF-Cleaner is a nice tool, you may keep it, you have a load of junk in System Restore files (shown in the online scan), let's finish like this.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
This topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.