antibody
2007-03-03, 07:46
I have had some problems with my Windows Operating System trying to re-upgrade my Internet Explorer 6 to Internet Explorer 7. I may have installed a corrupt IE7 or one that was incompatible with my system.
I recently got a new hard drive after my 2 1/2 y/o Maxtor suddenly crashed. I have a Windows XP Pro x86 Pentium 4 with SP2 installed by professionals. I had to go to Windows Update for other updates and re-install all my programs.
For Interent protection I use ZA Pro Internet Suite firewall (which monitors the OS too...but complex!!!), Spybot, Spyblaster, and Adaware, and an antivirus program. I try to use Firefox as my primary browser. I have also been using CCleaner etc. to delete Internet cache, temp files, etc on a regular basis.
When I first went to Windows Update via the Help and Support link (I think) I tried downloading any remaining updates that the store that re-installed my Windows XP Pro SP2 might not have added. I also wanted to upgrade to the Internet Explorer 7 but the Windows Update did not give me that option.
I went directly to the Microsoft site to download it directly. I downloaded it and started the installation. Someplace in the installation it later asked some questions among which included (ie. Do you want to activate phishing filter? Y Do you want Windows to monitor sites for improvement purposes? (something to this effect.....I answered yes though I had second thoughts afterwards, then it went to a page asking for what search engine to use (Google, Yahoo etc.) I did all this but had some problems downloading and installing the MSXML 4.0 SP2 (KB927978) but it eventually may have installed.
Later, I had second thoughts about one of the later questions that was posed during the installation about allowing Windows to monitor (or something to that effect). I tried uninstalling IE7 using the Add/Remove thus reverting back to Interent Explorer 6.
I then tried going directly to the Microsoft site to download a fresh copy of Internet 7 and hopefully let it correct any bad additions from the previous install. At the screen it asked me what operating system I had but it did not give an option for Windows XP Pro x 86 SP2. I am not sure if i got the right one but I set the install for Windows XP SP2 which seemed the closest.
During this install I did not however, get any screen prompting to adjust settup configurations as before!??!
I thus installed intially Windows XP IE7 (KB8915865) ...I think!!
The IE7 download that I got after getting a new Windows Genuine Advantage authorizarion was IE 7.0 6000 16414. The properties tab noted that I had IE7 v.6.2.29.0 but listed elsewhere there it was listed as v.6.2.0029.0; also I noticed that this version was not digitally signed by Microsoft. I noted that along with this install I had an unkown program SFXCAB.EXE .
I also downloaded patches;
ActiveX (KB912812)
Security patch (KB929969)
IE Security Update (KB928090)
[My intial IE7 install gave me WIN XP (KB8915865)]
(I also downloaded the Microsoft Malicious Software Program and ran it but it found nothing.)
I have been finding that when I open Internet Explorer 7 I am getting re-directed to another page at MSN or someplace instead of the www.optonline.net that I had it set to start with.
I adjusted my Internet Options Security settings to prompt for all Active X and scripts. This is annoying as I just get a lot of dialog pop-ups saying something to the effect that "Most scripts are not bad...do you want to accept this". Unfortunately, these dialogs do not state the origin of the script or ActiveX so I really have no way of knowing what I am allowing. (I might just have had my settings to merely "enable" al scripts etc. without prompting!!!!)
On a recent visit to Windows update via either the Control Panel link or the Help and Support Link I got all these script prompt dialogs to allow/deny scripting. It eventually told me that in order to allow Windows Update access I had to place certain sites into my trusted zone...which I did.
Internet 7 Homepage redirected here: (instead of www.optonline.net)
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Trusted Zone sites - added after script block dialog said fewer alerts possible if this
"safe windows update site" had the below sites put in Trusted zone
http://*.update.microsoft.com
http://*.windowsupdate.microsoft.com
http://windowsupdate.microsoft.com
https://*.update.microsoft.com
I was instructed to add 2 other sites but I removed those.I think that some or all of these are bad sites. Somehow a script must have taken control to mis-direct me.
(I realize that it is a bad idea to put sites in the trusted zone as you actually give a website more permissions than they would have had otherwise)
I have since removed all the remaining sites that I put into the trusted zone.
At the Windows Update site I had it scan my computer and check for new updates etc.. The history showed that the MSXML 4.0 SP2 (KB927978) did not install properly. I skipped further attempts at getting this and I later deleted 2 of the sites that I put in my trusted zone. Based on a Microsoft bulletin I later checked C:\Windows\System32 for msxml4.dll to see if it was present and if so as version v.4.20.9841.0; it was present so it may have installed.
Also, I seem to have been infected by something, possibly as a result of this download. Besides getting this unusual redirect with IE7 I have found the program UNVISE32QT.EXE in my Zone Alarm program list. Research tells me that this may be a trojan from e-mails or some other source. I do not know how I might have gotton it. Perhaps I clicked on a bad URL in google or entered a wrong URL in my address bar (by mis-typing etc.) thus also possibly sending me to a bad site.
The CA Virus information Center lists UNVISE32.EXE as WIN32.Backmal.A. The Trend-Micro site notes it as SPYW_SPYAGENT.A, and the Symantec site notes it as Spyware.WebmailSpy in their bulletins. The CA Bulletin notes that this trojan makes an attempt to contact www.nymex.com; I thus put this site into my ZA Pro blocked site list. I also deleted the file UNVISE32QT.EXE. I have just found that my ZA blocked an attempted outgoing connection to www.nymex.com.
The trojan program that I have is UNVISE32QT.EXE not unvise32.exe. My infection must be a variant of the later. It has made outbound attempts to contact www.nymex.com which I have had blocked with my firewall.
Based on the bulletin from the CA site the trojan, unvise32.exe, tries to call www.nymex.com. It also adds itself to the system files by picking a name of some random file there and then adding a space (ie. regedit_.exe) etc. I thus need to search the system folder for all *_.* programs. It also is noted to delete a number of key values in the registry HKCU/software/microsoft/currentversion/run.
I have reviewed the bulletins earlier from the above antivirus sites and I could not find any of the files or registry keys that they mentioned as being indicative of this trojan.
However, I did find the following registry key that was not noted in their bulletins which I have deleted:
[HKLM\Software\Microsoft\CurrentVersion\Shared DLLs with the value C:\Windows\unvise32qt.exe listed.
Here is the link for info on the WIN32.Blackmal.a worm at CA Pestpatrol site.
http://www3.ca.com/securityadvisor/v....aspx?id=38745
The following site has info on unvise32qt.exe. They market a program called Regrun to remove things...there is a free 30d evaluation version available too.
Are you familiar with this company/product? Is this a safe program to use?
http://www.greatis.com/appdata/d/u/u...xe_Removal.htm
I sent a copy of this unvise32qt.exe to SpyBot via their bug reporting tool. I am attaching a copy of the bug report (attachments removed).
Also, CA Pestpatrol lists Win32.Swen.A and Win32.Swen.C as possibly being associated with the unvise trojan
Also, I have previously been plagued by Smitfraud trojan so some sites may know my machine as a "compromised & vulnerable" one thus increasing my risk for future attacks. These trojans send out alerts to other malware sites which end up alerting others as well as sending more junk to your machine. I just ran Smitrem by Noah Fear and it found 2 files which it deleted.
I have also ran Stinger, VE Cleaner, CW Shredder (from TrendMicro), AVG 7.5 free, and an old version of CounterSpy but nothing was found. I have gone to www.merijn.org site and I have tried using some of those programs; I have run their version of CW Shredder (from Intermute) and I have saved the log.(It may be significant)
I also seem to be getting outbound attempts to bad sites on my firewall block list from the winlogon.exe program. These are blocked by my ZA Pro firewall.
I am now having problems trying to connect to the internet with my IE7. It also still starts by trying to redirect to a site other than www.optonline.net and this is even after changing the start oage within SpyBot and adding the IE Locks. I have tried to delete the IE7 program in C:\Programs but it somehow does not delete; any programs deleted are replaced and re-appear within about 10 seconds. I have tried to re-download and re-install a good version of IE7 but I have not been able to get a version installed that connnect ok without that redirect.
I thus have at least 2 major problems that are affecting my Windows Operating System:.
1) I am not sure if I installed the proper Internet 7 versions and updates.
2) I seemed to have gotton some malware/trojan(s) on my machine somehow.
3) My IE7 does not seem to be working properly.
What do you suggest doing?
I have sent a bug report previously to SpyBot of which I am attaching. It also lists some of the updates that I have received based on their report.
I am also attaching a recent HiJackThis Log.
In addition I am attaching the CW Shredder report from Intermute.
I ran the Trend-Micro scan in JAVA from Firefox and it only found teh vulnerability MS06-005 Vulnerability in Windows Media Player (911565)- Could Allow Remote Code Execution. I downloaded and patched this.
I cannot get my IE to connect so I cannot run the ActiveX online scanners. I've been using Firefox which connects fine.
I appreciate any assistance that you can provide. Thank you.
[B]Logfile of HijackThis v1.99.1
Scan saved at 10:21:07 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator\My Documents\Computer Info & Utilities 2007\Malware Utilities\HiJackGeeks\hijackthis\analyzeGeek.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.optonline.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
CWShredder v2.0. scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
System Information:
Windows XP (5.01.2600 SP2)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Administrator\Application Data
Username: Administrator
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (848 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (1154 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)
- END OF REPORT -
[U]SpyBot Bug Report [This was sent back to me from you so you should have a copy of the full report.
I wrote....
Found C:\Windows\unvise32QT.exe on my computer after viewing the list of programs in the Zone alarm program list
I do not know much more about this. CA says it could be W32.Blackworm.A.
I will attach report if you need it
I recently got a new hard drive after my 2 1/2 y/o Maxtor suddenly crashed. I have a Windows XP Pro x86 Pentium 4 with SP2 installed by professionals. I had to go to Windows Update for other updates and re-install all my programs.
For Interent protection I use ZA Pro Internet Suite firewall (which monitors the OS too...but complex!!!), Spybot, Spyblaster, and Adaware, and an antivirus program. I try to use Firefox as my primary browser. I have also been using CCleaner etc. to delete Internet cache, temp files, etc on a regular basis.
When I first went to Windows Update via the Help and Support link (I think) I tried downloading any remaining updates that the store that re-installed my Windows XP Pro SP2 might not have added. I also wanted to upgrade to the Internet Explorer 7 but the Windows Update did not give me that option.
I went directly to the Microsoft site to download it directly. I downloaded it and started the installation. Someplace in the installation it later asked some questions among which included (ie. Do you want to activate phishing filter? Y Do you want Windows to monitor sites for improvement purposes? (something to this effect.....I answered yes though I had second thoughts afterwards, then it went to a page asking for what search engine to use (Google, Yahoo etc.) I did all this but had some problems downloading and installing the MSXML 4.0 SP2 (KB927978) but it eventually may have installed.
Later, I had second thoughts about one of the later questions that was posed during the installation about allowing Windows to monitor (or something to that effect). I tried uninstalling IE7 using the Add/Remove thus reverting back to Interent Explorer 6.
I then tried going directly to the Microsoft site to download a fresh copy of Internet 7 and hopefully let it correct any bad additions from the previous install. At the screen it asked me what operating system I had but it did not give an option for Windows XP Pro x 86 SP2. I am not sure if i got the right one but I set the install for Windows XP SP2 which seemed the closest.
During this install I did not however, get any screen prompting to adjust settup configurations as before!??!
I thus installed intially Windows XP IE7 (KB8915865) ...I think!!
The IE7 download that I got after getting a new Windows Genuine Advantage authorizarion was IE 7.0 6000 16414. The properties tab noted that I had IE7 v.6.2.29.0 but listed elsewhere there it was listed as v.6.2.0029.0; also I noticed that this version was not digitally signed by Microsoft. I noted that along with this install I had an unkown program SFXCAB.EXE .
I also downloaded patches;
ActiveX (KB912812)
Security patch (KB929969)
IE Security Update (KB928090)
[My intial IE7 install gave me WIN XP (KB8915865)]
(I also downloaded the Microsoft Malicious Software Program and ran it but it found nothing.)
I have been finding that when I open Internet Explorer 7 I am getting re-directed to another page at MSN or someplace instead of the www.optonline.net that I had it set to start with.
I adjusted my Internet Options Security settings to prompt for all Active X and scripts. This is annoying as I just get a lot of dialog pop-ups saying something to the effect that "Most scripts are not bad...do you want to accept this". Unfortunately, these dialogs do not state the origin of the script or ActiveX so I really have no way of knowing what I am allowing. (I might just have had my settings to merely "enable" al scripts etc. without prompting!!!!)
On a recent visit to Windows update via either the Control Panel link or the Help and Support Link I got all these script prompt dialogs to allow/deny scripting. It eventually told me that in order to allow Windows Update access I had to place certain sites into my trusted zone...which I did.
Internet 7 Homepage redirected here: (instead of www.optonline.net)
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Trusted Zone sites - added after script block dialog said fewer alerts possible if this
"safe windows update site" had the below sites put in Trusted zone
http://*.update.microsoft.com
http://*.windowsupdate.microsoft.com
http://windowsupdate.microsoft.com
https://*.update.microsoft.com
I was instructed to add 2 other sites but I removed those.I think that some or all of these are bad sites. Somehow a script must have taken control to mis-direct me.
(I realize that it is a bad idea to put sites in the trusted zone as you actually give a website more permissions than they would have had otherwise)
I have since removed all the remaining sites that I put into the trusted zone.
At the Windows Update site I had it scan my computer and check for new updates etc.. The history showed that the MSXML 4.0 SP2 (KB927978) did not install properly. I skipped further attempts at getting this and I later deleted 2 of the sites that I put in my trusted zone. Based on a Microsoft bulletin I later checked C:\Windows\System32 for msxml4.dll to see if it was present and if so as version v.4.20.9841.0; it was present so it may have installed.
Also, I seem to have been infected by something, possibly as a result of this download. Besides getting this unusual redirect with IE7 I have found the program UNVISE32QT.EXE in my Zone Alarm program list. Research tells me that this may be a trojan from e-mails or some other source. I do not know how I might have gotton it. Perhaps I clicked on a bad URL in google or entered a wrong URL in my address bar (by mis-typing etc.) thus also possibly sending me to a bad site.
The CA Virus information Center lists UNVISE32.EXE as WIN32.Backmal.A. The Trend-Micro site notes it as SPYW_SPYAGENT.A, and the Symantec site notes it as Spyware.WebmailSpy in their bulletins. The CA Bulletin notes that this trojan makes an attempt to contact www.nymex.com; I thus put this site into my ZA Pro blocked site list. I also deleted the file UNVISE32QT.EXE. I have just found that my ZA blocked an attempted outgoing connection to www.nymex.com.
The trojan program that I have is UNVISE32QT.EXE not unvise32.exe. My infection must be a variant of the later. It has made outbound attempts to contact www.nymex.com which I have had blocked with my firewall.
Based on the bulletin from the CA site the trojan, unvise32.exe, tries to call www.nymex.com. It also adds itself to the system files by picking a name of some random file there and then adding a space (ie. regedit_.exe) etc. I thus need to search the system folder for all *_.* programs. It also is noted to delete a number of key values in the registry HKCU/software/microsoft/currentversion/run.
I have reviewed the bulletins earlier from the above antivirus sites and I could not find any of the files or registry keys that they mentioned as being indicative of this trojan.
However, I did find the following registry key that was not noted in their bulletins which I have deleted:
[HKLM\Software\Microsoft\CurrentVersion\Shared DLLs with the value C:\Windows\unvise32qt.exe listed.
Here is the link for info on the WIN32.Blackmal.a worm at CA Pestpatrol site.
http://www3.ca.com/securityadvisor/v....aspx?id=38745
The following site has info on unvise32qt.exe. They market a program called Regrun to remove things...there is a free 30d evaluation version available too.
Are you familiar with this company/product? Is this a safe program to use?
http://www.greatis.com/appdata/d/u/u...xe_Removal.htm
I sent a copy of this unvise32qt.exe to SpyBot via their bug reporting tool. I am attaching a copy of the bug report (attachments removed).
Also, CA Pestpatrol lists Win32.Swen.A and Win32.Swen.C as possibly being associated with the unvise trojan
Also, I have previously been plagued by Smitfraud trojan so some sites may know my machine as a "compromised & vulnerable" one thus increasing my risk for future attacks. These trojans send out alerts to other malware sites which end up alerting others as well as sending more junk to your machine. I just ran Smitrem by Noah Fear and it found 2 files which it deleted.
I have also ran Stinger, VE Cleaner, CW Shredder (from TrendMicro), AVG 7.5 free, and an old version of CounterSpy but nothing was found. I have gone to www.merijn.org site and I have tried using some of those programs; I have run their version of CW Shredder (from Intermute) and I have saved the log.(It may be significant)
I also seem to be getting outbound attempts to bad sites on my firewall block list from the winlogon.exe program. These are blocked by my ZA Pro firewall.
I am now having problems trying to connect to the internet with my IE7. It also still starts by trying to redirect to a site other than www.optonline.net and this is even after changing the start oage within SpyBot and adding the IE Locks. I have tried to delete the IE7 program in C:\Programs but it somehow does not delete; any programs deleted are replaced and re-appear within about 10 seconds. I have tried to re-download and re-install a good version of IE7 but I have not been able to get a version installed that connnect ok without that redirect.
I thus have at least 2 major problems that are affecting my Windows Operating System:.
1) I am not sure if I installed the proper Internet 7 versions and updates.
2) I seemed to have gotton some malware/trojan(s) on my machine somehow.
3) My IE7 does not seem to be working properly.
What do you suggest doing?
I have sent a bug report previously to SpyBot of which I am attaching. It also lists some of the updates that I have received based on their report.
I am also attaching a recent HiJackThis Log.
In addition I am attaching the CW Shredder report from Intermute.
I ran the Trend-Micro scan in JAVA from Firefox and it only found teh vulnerability MS06-005 Vulnerability in Windows Media Player (911565)- Could Allow Remote Code Execution. I downloaded and patched this.
I cannot get my IE to connect so I cannot run the ActiveX online scanners. I've been using Firefox which connects fine.
I appreciate any assistance that you can provide. Thank you.
[B]Logfile of HijackThis v1.99.1
Scan saved at 10:21:07 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator\My Documents\Computer Info & Utilities 2007\Malware Utilities\HiJackGeeks\hijackthis\analyzeGeek.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.optonline.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
CWShredder v2.0. scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
System Information:
Windows XP (5.01.2600 SP2)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Administrator\Application Data
Username: Administrator
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (848 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (1154 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)
- END OF REPORT -
[U]SpyBot Bug Report [This was sent back to me from you so you should have a copy of the full report.
I wrote....
Found C:\Windows\unvise32QT.exe on my computer after viewing the list of programs in the Zone alarm program list
I do not know much more about this. CA says it could be W32.Blackworm.A.
I will attach report if you need it