Smitfraud C...please help



jadite11
2007-12-11, 06:18
Ran Spybot...and was not able to remove Smitfraud C. My computer is a mess. Stuff popping up all over the place. Please can somebody help?? Thanks for any assistance.

Here is a copy of my hijackthis log report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:09 PM, on 12-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\mgxqakko.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [a44fbacb] rundll32.exe "C:\WINNT\system32\nurfmqni.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O23 - Service: DomainService - - C:\WINNT\system32\mgxqakko.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 2214 bytes

Shaba
2007-12-11, 15:05
Hi jadite11 and welcome to Safer Networking forums :)

Rename HijackThis.exe to jadite11.exe and post back a fresh HijackThis log, please.

jadite11
2007-12-11, 23:26
Not quite sure what you meant by changing the name...

I think this is what you're asking for. If not, let me know! I really appreciate your help. Thanks!!!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:07 PM, on 12-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\mgxqakko.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\jadite11.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {1C178485-4413-4C1C-B4D9-008D475B0DE7} - C:\WINNT\system32\vtsts.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: {064aacae-3ad9-2f3b-11f4-20eb57ce8562} - {2658ec75-be02-4f11-b3f2-9da3eacaa460} - C:\WINNT\system32\kdjvtglk.dll
O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINNT\system32\byxxyxu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [a44fbacb] rundll32.exe "C:\WINNT\system32\jtrlkidi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O20 - Winlogon Notify: byxxyxu - C:\WINNT\SYSTEM32\byxxyxu.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 3961 bytes
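An added example (not part of this thread, and not code from HijackThis or Spybot): a small Python script that parses the O2/O4/O20/O23 lines of the two logs above and applies a few review heuristics a helper would apply by eye, then diffs the two logs. The sample lines are copied from the logs posted above; the heuristics, function names and reason strings are my own, and a hit only means "look closer", not "malicious". The diff shows the detail that stands out between the two logs: the same Run value loads a differently named DLL each time.

```python
from __future__ import annotations
import re
from typing import Dict, List, NamedTuple

# Sample entries copied from the two HijackThis logs posted above (the first
# log of 2007-12-10 and the renamed-HijackThis log of 2007-12-11), trimmed to
# the O2/O4/O20/O23 lines of interest.
LOG_A = r"""
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [a44fbacb] rundll32.exe "C:\WINNT\system32\nurfmqni.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O23 - Service: DomainService - - C:\WINNT\system32\mgxqakko.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""
LOG_B = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINNT\system32\byxxyxu.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [a44fbacb] rundll32.exe "C:\WINNT\system32\jtrlkidi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O20 - Winlogon Notify: byxxyxu - C:\WINNT\SYSTEM32\byxxyxu.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

class Entry(NamedTuple):
    section: str   # HijackThis section: O2, O4, O20 or O23
    key: str       # CLSID, hive\value name, Notify name or service display name
    target: str    # file or command line exactly as HijackThis printed it
    company: str   # O23 vendor column, "" when HijackThis printed none

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) -\s*(?P<company>.*?)\s*- (?P<path>[A-Za-z]:\\.*)$")

def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2/O4/O20/O23 lines of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["clsid"], m["path"], ""))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", f"{m['hive']}\\{m['name']}", m["cmd"], ""))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["path"], ""))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["company"].strip()))
    return entries

def basename(target: str) -> str:
    return target.strip('"').rsplit("\\", 1)[-1].lower()

# Heuristics (my own, not HijackThis rules): an eight-hex-digit Run value name,
# rundll32 invoking a system32 DLL by a one- or two-character export name,
# a service with an empty vendor column, an orphaned entry, and one DLL that is
# registered both as a BHO and as a Winlogon Notify handler.
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
RUNDLL_SYS32 = re.compile(r'rundll32\.exe\s+"?[A-Za-z]:\\WINNT\\system32\\[^"\\]+\.dll"?,\s*\S{1,2}$', re.I)

def flag_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {"<section> <key>": [reasons]}; a hit is a prompt to look closer, not a verdict."""
    findings: Dict[str, List[str]] = {}

    def add(e: Entry, reason: str) -> None:
        findings.setdefault(f"{e.section} {e.key}", []).append(reason)

    bho_dlls = {basename(e.target) for e in entries if e.section == "O2"}
    notify_dlls = {basename(e.target) for e in entries if e.section == "O20"}
    for e in entries:
        if "(no file)" in e.target or "(file missing)" in e.target:
            add(e, "registered but the file is absent (orphaned entry)")
        if e.section == "O4" and HEX_VALUE_NAME.match(e.key.rsplit("\\", 1)[-1]):
            add(e, "Run value named like a random hex string")
        if e.section == "O4" and RUNDLL_SYS32.search(e.target):
            add(e, "rundll32 loading a system32 DLL through a one- or two-character export")
        if e.section == "O23" and not e.company:
            add(e, "service with no vendor string")
        if e.section == "O2" and basename(e.target) in notify_dlls:
            add(e, "same DLL is also registered as a Winlogon Notify handler")
        if e.section == "O20" and basename(e.target) in bho_dlls:
            add(e, "same DLL is also registered as a BHO")
    return findings

def diff_logs(before: List[Entry], after: List[Entry]) -> Dict[str, object]:
    """Compare two logs by (section, key): targets that changed, keys added, keys removed."""
    a = {(e.section, e.key): e.target for e in before}
    b = {(e.section, e.key): e.target for e in after}
    return {
        "changed": {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }

if __name__ == "__main__":
    for name, log in (("first log", LOG_A), ("second log", LOG_B)):
        print(f"== {name} ==")
        for key, reasons in flag_entries(parse_hjt(log)).items():
            print(f"  {key}: {'; '.join(reasons)}")
    d = diff_logs(parse_hjt(LOG_A), parse_hjt(LOG_B))
    for key, (old, new) in d["changed"].items():
        print(f"changed {key}: {old} -> {new}")
    print("removed:", d["removed"], "added:", d["added"])
```

The `diff_logs` output is the part worth keeping around when a thread like this runs over several rounds: each "post a fresh log" request can be compared against the previous one mechanically, so a rotating filename under an unchanged Run value does not get lost among the lines that stayed the same.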

Shaba
2007-12-12, 11:16
Hi

Yes, that was fine :)

1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://subs.geekstogo.com/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report

jadite11
2007-12-12, 16:02
OK...I downloaded and ran Combofix. The computer rebooted and I did not see a log at restart. This is the only text file in the ComboFix folder. Not sure if it's what you need...
ComboFix 07-12-12.3 - Owner 2007-12-12 6:52:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LPBCU0JS\ComboFix[1].exe
* Created a new restore point
.





Here is my new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:46, on 2007-12-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\jadite11.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {1C178485-4413-4C1C-B4D9-008D475B0DE7} - C:\WINNT\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINNT\system32\byxxyxu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [combofix] "C:\WINNT\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O20 - Winlogon Notify: byxxyxu - byxxyxu.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 3448 bytes

Shaba
2007-12-12, 16:23
Hi

First of all, ComboFix should be located in its folder and not in the IE temp folder, as I instructed above:

"Download combofix from one of these links and save it to Desktop"

So save Combofix to your desktop, re-run combofix and post its log here please :)

jadite11
2007-12-13, 01:04
Hi...Thanks for your patience. I should have read your post more carefully and saved us both some time. Here are the new logs and thanks once again for your help.

Combofix log:

ComboFix 07-12-12.3 - Owner 2007-12-12 16:47:16.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.203 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-08 15:55 . 2007-12-09 14:12 834,700 --ahs---- C:\WINNT\system32\vlkehtwp.ini
2007-12-07 15:53 . 2007-12-08 15:53 834,640 --ahs---- C:\WINNT\system32\qkgacaaj.ini
2007-12-06 15:56 . 2007-12-07 15:24 831,735 --ahs---- C:\WINNT\system32\manxboto.ini
2007-12-05 15:56 . 2007-12-06 08:50 807,675 --ahs---- C:\WINNT\system32\xykjhdbq.ini
2007-12-04 15:52 . 2007-12-05 15:53 807,528 --ahs---- C:\WINNT\system32\dqpifetn.ini
2007-11-29 23:02 . 2007-12-01 18:35 1,206 --a------ C:\WINNT\system32\tmp.reg
2007-11-28 16:53 . 2007-11-28 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 21:48 . 2006-10-27 15:07 66,048 --a------ C:\WINNT\ieResetIcons.exe
2007-11-25 21:17 . 2007-12-10 07:37 887 --a------ C:\WINNT\wininit.ini
2007-11-25 16:48 . 2007-11-25 16:48 <DIR> d-------- C:\Program Files\DFX
2007-11-25 14:49 . 2007-12-01 18:38 143 --a------ C:\WINNT\system32\mcrh.tmp
2007-11-25 13:18 . 2007-11-25 13:18 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(5).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(4).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(3).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(2).dsk
2007-11-25 13:15 . 2007-11-25 13:15 120 --a------ C:\n.bat
2007-11-23 10:15 . 2007-11-23 10:15 <DIR> d-------- C:\Program Files\Barbie ® Riding Club
2007-11-20 22:19 . 2007-11-20 22:20 <DIR> d-------- C:\Program Files\Picasa2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 22:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-10 21:46 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-10 04:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-07 19:07 --------- d-----w C:\Program Files\MySpace
2007-12-02 05:57 --------- d-----w C:\Program Files\Lavasoft
2007-12-01 22:25 --------- d-----w C:\Program Files\pnotcaoh
2007-12-01 22:25 --------- d-----w C:\Program Files\iWin Games
2007-11-28 22:58 --------- d-----w C:\Program Files\QuickTime
2007-11-28 03:56 --------- d-----w C:\Program Files\Nick Jr. Arcade
2007-11-26 14:29 --------- d-----w C:\Program Files\LimeWire
2007-11-25 21:24 118,337 ----a-w C:\WINNT\Fonts\x.zip
2007-11-22 15:18 --------- d-----w C:\Program Files\ValuSoft
2007-11-21 04:19 --------- d-----w C:\Program Files\Google
2007-10-29 01:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 01:56 --------- d-----w C:\Program Files\MUSICMATCH
2007-10-29 01:55 --------- d-----w C:\Program Files\Dell
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-16 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-13 01:47 149,368 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 02:53 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2005-05-13 23:12 217,073 --sha-r C:\WINNT\meta4.exe
2005-10-24 17:13 66,560 --sha-r C:\WINNT\MOTA113.exe
2005-10-14 03:27 422,400 --sha-r C:\WINNT\x2.64.exe
2007-03-09 07:12 27,648 --sha-w C:\WINNT\system32\AVSredirect.dll
2005-06-26 21:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 04:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2004-01-25 06:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2006-04-27 16:24 2,945,024 --sha-r C:\WINNT\system32\Smab.dll
2005-02-28 19:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 06:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amazing3DAquariumWallpaper"="" []
"eTrustPPAP"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" [2006-12-22 22:23]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
S2 DVC150;DVC 150B;C:\WINNT\system32\Drivers\dvc150b.sys
S3 DSCVc;Video Capture;C:\WINNT\system32\DRIVERS\CoachVc.sys
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
S3 L2XPSR;L2XPSR;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINNT\system32\Drivers\SilvrLnk.sys
S3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 22:51:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 19:54:14 C:\WINNT\Tasks\PPv5Scan_Daily as Owner at 1 54 PM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\ppv5consumercl.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 16:51:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-12 16:54:34
C:\ComboFix2.txt ... 2007-12-12 15:56
.
2007-11-15 13:26:54 --- E O F ---

jadite11
2007-12-13, 01:17
and the hijackthis log:

;Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:13 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\jadite11.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-2.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 3107 bytes

Shaba
2007-12-13, 11:13
Hi

That's ok :)

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINNT\system32\vlkehtwp.ini
C:\WINNT\system32\qkgacaaj.ini
C:\WINNT\system32\manxboto.ini
C:\WINNT\system32\xykjhdbq.ini
C:\WINNT\system32\dqpifetn.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\drivers\core.cache(5).dsk
C:\WINNT\system32\drivers\core.cache(4).dsk
C:\WINNT\system32\drivers\core.cache(3).dsk
C:\WINNT\system32\drivers\core.cache(2).dsk
C:\n.bat
C:\WINNT\Fonts\x.zip


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
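An added example (not part of this thread, and not ComboFix's own code): the CFScript above names files that appeared in the "Files Created" section of the ComboFix log, plus one from the Find3M report. This Python script parses that section's lines (date . date size attributes path) and the CFScript's `File::` and `Registry::` sections, then reports which script entries the scan showed as hidden+system, which it showed with ordinary attributes, which it did not list at all, and which registry keys the `[-...]` lines would delete. The sample log lines and the script are copied from the posts above; the section names, function names and result keys are mine.

```python
from __future__ import annotations
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a subset of the "Files Created" lines from the ComboFix
# log posted above, copied in the same format.
COMBOFIX_FILES = r"""
2007-12-08 15:55 . 2007-12-09 14:12 834,700 --ahs---- C:\WINNT\system32\vlkehtwp.ini
2007-12-07 15:53 . 2007-12-08 15:53 834,640 --ahs---- C:\WINNT\system32\qkgacaaj.ini
2007-12-06 15:56 . 2007-12-07 15:24 831,735 --ahs---- C:\WINNT\system32\manxboto.ini
2007-12-05 15:56 . 2007-12-06 08:50 807,675 --ahs---- C:\WINNT\system32\xykjhdbq.ini
2007-12-04 15:52 . 2007-12-05 15:53 807,528 --ahs---- C:\WINNT\system32\dqpifetn.ini
2007-11-29 23:02 . 2007-12-01 18:35 1,206 --a------ C:\WINNT\system32\tmp.reg
2007-11-28 16:53 . 2007-11-28 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 14:49 . 2007-12-01 18:38 143 --a------ C:\WINNT\system32\mcrh.tmp
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(5).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(4).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(3).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(2).dsk
2007-11-25 13:15 . 2007-11-25 13:15 120 --a------ C:\n.bat
"""

# The CFScript exactly as posted in the thread above.
CFSCRIPT = r"""
File::
C:\WINNT\system32\vlkehtwp.ini
C:\WINNT\system32\qkgacaaj.ini
C:\WINNT\system32\manxboto.ini
C:\WINNT\system32\xykjhdbq.ini
C:\WINNT\system32\dqpifetn.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\drivers\core.cache(5).dsk
C:\WINNT\system32\drivers\core.cache(4).dsk
C:\WINNT\system32\drivers\core.cache(3).dsk
C:\WINNT\system32\drivers\core.cache(2).dsk
C:\n.bat
C:\WINNT\Fonts\x.zip

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
"""

class CfFile(NamedTuple):
    path: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str            # nine-character attribute field as ComboFix prints it

CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

def parse_files_created(text: str) -> Dict[str, CfFile]:
    """Map lower-cased path -> CfFile for every line that matches the Files Created layout."""
    out: Dict[str, CfFile] = {}
    for raw in text.strip().splitlines():
        m = CF_LINE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        out[m["path"].lower()] = CfFile(m["path"], size, m["attrs"])
    return out

def is_hidden_system(attrs: str) -> bool:
    # Decoded by letter presence ("h" hidden, "s" system), not by column position.
    return "h" in attrs and "s" in attrs

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def review_cfscript(script: str, combofix_files: str) -> Dict[str, List[str]]:
    """Cross-check every File:: entry against the scan and list the registry key deletions."""
    scan = parse_files_created(combofix_files)
    sections = parse_cfscript(script)
    result: Dict[str, List[str]] = {
        "hidden_system": [], "listed_not_hidden": [], "not_in_scan": [],
        "hidden_system_not_listed": [], "registry_deletes": [],
    }
    listed = {p.lower() for p in sections.get("File", [])}
    for path in sections.get("File", []):
        entry = scan.get(path.lower())
        if entry is None:
            result["not_in_scan"].append(path)
        elif is_hidden_system(entry.attrs):
            result["hidden_system"].append(path)
        else:
            result["listed_not_hidden"].append(path)
    for key, entry in scan.items():
        if is_hidden_system(entry.attrs) and key not in listed:
            result["hidden_system_not_listed"].append(entry.path)
    for line in sections.get("Registry", []):
        # REGEDIT4 convention, used by the script above: "[-KEY]" deletes KEY.
        if line.startswith("[-") and line.endswith("]"):
            result["registry_deletes"].append(line[2:-1])
    return result

if __name__ == "__main__":
    for bucket, paths in review_cfscript(CFSCRIPT, COMBOFIX_FILES).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

With the sample above, `C:\WINNT\Fonts\x.zip` lands in `not_in_scan` only because it came from the Find3M report rather than the "Files Created" section; the point of the check is that every path a removal script names can be traced back to a specific line of the scan it was written from.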

jadite11
2007-12-14, 00:42
Thanks so much! The popups have stopped, and everything is running more smoothly:laugh:

Here are the latest log reports:

Combofix:
ComboFix 07-12-12.3 - Owner 2007-12-13 16:28:49.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-08 15:55 . 2007-12-09 14:12 834,700 --ahs---- C:\WINNT\system32\vlkehtwp.ini
2007-12-07 15:53 . 2007-12-08 15:53 834,640 --ahs---- C:\WINNT\system32\qkgacaaj.ini
2007-12-06 15:56 . 2007-12-07 15:24 831,735 --ahs---- C:\WINNT\system32\manxboto.ini
2007-12-05 15:56 . 2007-12-06 08:50 807,675 --ahs---- C:\WINNT\system32\xykjhdbq.ini
2007-12-04 15:52 . 2007-12-05 15:53 807,528 --ahs---- C:\WINNT\system32\dqpifetn.ini
2007-11-29 23:02 . 2007-12-01 18:35 1,206 --a------ C:\WINNT\system32\tmp.reg
2007-11-28 16:53 . 2007-11-28 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 21:48 . 2006-10-27 15:07 66,048 --a------ C:\WINNT\ieResetIcons.exe
2007-11-25 21:17 . 2007-12-10 07:37 887 --a------ C:\WINNT\wininit.ini
2007-11-25 16:48 . 2007-11-25 16:48 <DIR> d-------- C:\Program Files\DFX
2007-11-25 14:49 . 2007-12-01 18:38 143 --a------ C:\WINNT\system32\mcrh.tmp
2007-11-25 13:18 . 2007-11-25 13:18 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(5).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(4).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(3).dsk
2007-11-25 13:15 . 2007-11-25 13:15 166,945 --a------ C:\WINNT\system32\drivers\core.cache(2).dsk
2007-11-25 13:15 . 2007-11-25 13:15 120 --a------ C:\n.bat
2007-11-23 10:15 . 2007-12-12 23:42 <DIR> d-------- C:\Program Files\Barbie ® Riding Club
2007-11-20 22:19 . 2007-11-20 22:20 <DIR> d-------- C:\Program Files\Picasa2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 04:44 --------- d-----w C:\Program Files\LimeWire
2007-12-12 22:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-10 21:46 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-10 04:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-07 19:07 --------- d-----w C:\Program Files\MySpace
2007-12-02 05:57 --------- d-----w C:\Program Files\Lavasoft
2007-12-01 22:25 --------- d-----w C:\Program Files\pnotcaoh
2007-12-01 22:25 --------- d-----w C:\Program Files\iWin Games
2007-11-28 22:58 --------- d-----w C:\Program Files\QuickTime
2007-11-28 03:56 --------- d-----w C:\Program Files\Nick Jr. Arcade
2007-11-25 21:24 118,337 ----a-w C:\WINNT\Fonts\x.zip
2007-11-22 15:18 --------- d-----w C:\Program Files\ValuSoft
2007-11-21 04:19 --------- d-----w C:\Program Files\Google
2007-10-29 01:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 01:56 --------- d-----w C:\Program Files\MUSICMATCH
2007-10-29 01:55 --------- d-----w C:\Program Files\Dell
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-16 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-13 01:47 149,368 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 02:53 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2005-05-13 23:12 217,073 --sha-r C:\WINNT\meta4.exe
2005-10-24 17:13 66,560 --sha-r C:\WINNT\MOTA113.exe
2005-10-14 03:27 422,400 --sha-r C:\WINNT\x2.64.exe
2007-03-09 07:12 27,648 --sha-w C:\WINNT\system32\AVSredirect.dll
2005-06-26 21:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 04:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2004-01-25 06:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2006-04-27 16:24 2,945,024 --sha-r C:\WINNT\system32\Smab.dll
2005-02-28 19:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 06:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amazing3DAquariumWallpaper"="" []
"eTrustPPAP"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" [2006-12-22 22:23]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
S2 DVC150;DVC 150B;C:\WINNT\system32\Drivers\dvc150b.sys
S2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
S3 DSCVc;Video Capture;C:\WINNT\system32\DRIVERS\CoachVc.sys
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
S3 L2XPSR;L2XPSR;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINNT\system32\Drivers\SilvrLnk.sys
S3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS

*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 22:51:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-13 19:54:10 C:\WINNT\Tasks\PPv5Scan_Daily as Owner at 1 54 PM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\ppv5consumercl.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 16:33:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-13 16:35:46
C:\ComboFix2.txt ... 2007-12-12 16:54
C:\ComboFix3.txt ... 2007-12-12 15:56
.
2007-11-15 13:26:54 --- E O F ---



And Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:11 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\jadite11.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 2979 bytes

Shaba
2007-12-14, 10:50
Hi

That didn't work.

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\vlkehtwp.ini
C:\WINNT\system32\qkgacaaj.ini
C:\WINNT\system32\manxboto.ini
C:\WINNT\system32\xykjhdbq.ini
C:\WINNT\system32\dqpifetn.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\drivers\core.cache(5).dsk
C:\WINNT\system32\drivers\core.cache(4).dsk
C:\WINNT\system32\drivers\core.cache(3).dsk
C:\WINNT\system32\drivers\core.cache(2).dsk
C:\n.bat
C:\WINNT\Fonts\x.zip

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report

jadite11
2007-12-15, 01:12
Thank you....here are the new posts:

Combofix:
ComboFix 07-12-12.3 - Owner 2007-12-14 16:52:32.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-11-29 23:02 . 2007-12-01 18:35 1,206 --a------ C:\WINNT\system32\tmp.reg
2007-11-28 16:53 . 2007-11-28 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 21:48 . 2006-10-27 15:07 66,048 --a------ C:\WINNT\ieResetIcons.exe
2007-11-25 21:17 . 2007-12-10 07:37 887 --a------ C:\WINNT\wininit.ini
2007-11-25 16:48 . 2007-11-25 16:48 <DIR> d-------- C:\Program Files\DFX
2007-11-25 13:18 . 2007-11-25 13:18 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2007-11-23 10:15 . 2007-12-12 23:42 <DIR> d-------- C:\Program Files\Barbie ® Riding Club
2007-11-20 22:19 . 2007-11-20 22:20 <DIR> d-------- C:\Program Files\Picasa2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 04:44 --------- d-----w C:\Program Files\LimeWire
2007-12-12 22:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-10 21:46 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-10 04:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-07 19:07 --------- d-----w C:\Program Files\MySpace
2007-12-02 05:57 --------- d-----w C:\Program Files\Lavasoft
2007-12-01 22:25 --------- d-----w C:\Program Files\pnotcaoh
2007-12-01 22:25 --------- d-----w C:\Program Files\iWin Games
2007-11-28 22:58 --------- d-----w C:\Program Files\QuickTime
2007-11-28 03:56 --------- d-----w C:\Program Files\Nick Jr. Arcade
2007-11-22 15:18 --------- d-----w C:\Program Files\ValuSoft
2007-11-21 04:19 --------- d-----w C:\Program Files\Google
2007-10-29 01:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 01:56 --------- d-----w C:\Program Files\MUSICMATCH
2007-10-29 01:55 --------- d-----w C:\Program Files\Dell
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-16 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-13 01:47 149,368 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-04-01 02:53 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2005-05-13 23:12 217,073 --sha-r C:\WINNT\meta4.exe
2005-10-24 17:13 66,560 --sha-r C:\WINNT\MOTA113.exe
2005-10-14 03:27 422,400 --sha-r C:\WINNT\x2.64.exe
2007-03-09 07:12 27,648 --sha-w C:\WINNT\system32\AVSredirect.dll
2005-06-26 21:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 04:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2004-01-25 06:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2006-04-27 16:24 2,945,024 --sha-r C:\WINNT\system32\Smab.dll
2005-02-28 19:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 06:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amazing3DAquariumWallpaper"="" []
"eTrustPPAP"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" [2006-12-22 22:23]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
S2 DVC150;DVC 150B;C:\WINNT\system32\Drivers\dvc150b.sys
S2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
S3 DSCVc;Video Capture;C:\WINNT\system32\DRIVERS\CoachVc.sys
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS
S3 L2XPSR;L2XPSR;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINNT\system32\Drivers\SilvrLnk.sys
S3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS

*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 22:51:03 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-14 19:54:08 C:\WINNT\Tasks\PPv5Scan_Daily as Owner at 1 54 PM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\ppv5consumercl.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 16:57:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-14 17:00:00
C:\ComboFix2.txt ... 2007-12-13 16:35
C:\ComboFix3.txt ... 2007-12-12 16:54
.
2007-11-15 13:26:54 --- E O F ---


And Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:24 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\jadite11.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 2992 bytes

Shaba
2007-12-15, 11:57
Hi

Now they are gone :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

jadite11
2007-12-16, 07:24
Here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:49 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\jadite11.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196554239078
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 3144 bytes
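The triage Shaba does by hand on the logs above (comparing an earlier log with a later one, and picking out a BHO whose file is missing, a Run key that loads a system32 DLL through rundll32, or a service with no vendor string) written out as a Python example added here; it is not HijackThis code or anything posted in the thread, and the heuristics, the placeholder names (a1b2c3d4, sample_bad.dll, SampleService, sample_svc.exe) and the sample logs are constructed assumptions.

```python
"""Triage helper for HijackThis v2.0.2 log lines (the log format posted in this thread).

Added example, not code from HijackThis or from anyone in the thread.  The
heuristics encode what a helper looks for by hand; they mark entries for
review, they do not declare anything malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O2 (BHO), O4 (Run keys) and O23 (services) as HijackThis v2.0.2 prints them.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$')
# "name - vendor - path"; an empty vendor prints as "name - - path", so the
# second separator is matched loosely (optional space, dash, whitespace).
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)\s*-\s+(?P<path>[A-Za-z]:\\.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r'^[A-Za-z]:\\WIN(?:NT|DOWS)\\system32\\', re.IGNORECASE)


@dataclass
class Finding:
    section: str  # "O2", "O4" or "O23"
    line: str     # the original log line
    reason: str   # why a helper would want a closer look


def triage_line(line: str) -> Optional[Finding]:
    """Apply the review heuristics to one log line."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        # A BHO whose DLL is gone is a dead registration left behind by an uninstall.
        if m['path'].endswith('(file missing)'):
            return Finding('O2', line, 'BHO registered but its DLL is missing')
        return None
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.search(m['cmd'])
        # rundll32 loading a DLL straight out of system32 from a Run key carries
        # no vendor context at all, so the DLL's origin has to be confirmed.
        if r and SYSTEM32_RE.match(r['dll']):
            return Finding('O4', line, 'Run key loads a system32 DLL via rundll32')
        return None
    m = O23_RE.match(line)
    if m and not m['vendor'].strip():
        return Finding('O23', line, 'service reports no vendor')
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


def removed_entries(before: str, after: str) -> List[str]:
    """O-section lines present in an earlier log but absent from a later one,
    i.e. what a cleanup pass actually removed (the comparison made in this thread)."""
    def entries(log):
        return [l.strip() for l in log.splitlines() if l.strip().startswith('O')]
    later = set(entries(after))
    return [l for l in entries(before) if l not in later]


# Constructed sample logs: the first three and the last line are taken from the
# thread's logs; the [a1b2c3d4] Run entry and SampleService are constructed
# placeholders in the shape of the entries the helper had removed.
BEFORE_LOG = "\n".join([
    r'O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)',
    r'O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [a1b2c3d4] rundll32.exe "C:\WINNT\system32\sample_bad.dll",b',
    r'O23 - Service: SampleService - - C:\WINNT\system32\sample_svc.exe',
    r'O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe',
])
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines()
                      if 'a1b2c3d4' not in l and 'SampleService' not in l)

if __name__ == '__main__':
    for f in triage(BEFORE_LOG):
        print(f.section, '|', f.reason, '|', f.line)
    print('removed by cleanup:', removed_entries(BEFORE_LOG, AFTER_LOG))
```

The "(file missing)" BHO is reported in both logs because a dead registration is a cleanup item, not evidence of infection, which is why it survives the cleanup in the thread as well.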

jadite11
2007-12-16, 07:26
and the Kaspersky log I'm attaching. It is too large to post:

Shaba
2007-12-16, 12:13
Hi

You can upload it here (http://www.rapidshare.com)
and post back link, please :)

jadite11
2007-12-16, 17:38
Very interesting!! I'm sure learning a lot during this process!! Thanks!

http://rapidshare.com/files/76984159/kaspersky_log.txt.html

Shaba
2007-12-16, 17:48
Hi

Empty this folder:

C:\!KillBox

Delete these:

C:\Documents and Settings\All Users\Documents\My Music\Big Band\Rare Recording.wma
C:\Documents and Settings\Owner\My Documents\My Pictures\2findmp3free.exe
C:\Documents and Settings\Owner\Shared\Eighties classic.wma
C:\Documents and Settings\Owner\Shared\Rare Recording.wma
C:\Documents and Settings\Owner\Shared\Wicked Remix.wma
C:\Downloads\Fashion_Story-v1_0-dm[1].exe
C:\Program Files\eRightSoft\SUPER\OutPut\Music\Big Band\Rare Recording.wma

Empty Recycle Bin.

Still problems?

jadite11
2007-12-16, 18:55
Thank You...I deleted the files. Everything seems to be running fine...faster than it has performed in a long time. The only problem I continue to have is that I am not able to access Internet Options. I click on it and it appears to begin to pop up, but then the window disappears. Thanks again for your help!

Shaba
2007-12-16, 19:38
Hi

See here (http://www.boutell.com/newfaq/browser/internetoptions.html)
and post back if that helped.

jadite11
2007-12-17, 02:45
Hi...

Went to the website you suggested, and still was not able to solve the problem.

I checked the settings in Spybot and that isn't the problem.

I checked both HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER and there is not a restrictions folder in either location.

Any other suggestions??? Once again, thanks for all your help.:santa:

Shaba
2007-12-17, 11:38
Hi

Have you tried accessing them this way:

Right-click IE shortcut on desktop -> properties?

jadite11
2007-12-18, 06:51
Yes...I have tried that, too, and it seems to attempt to open a window, but then nothing happens. Kind of a flash of a window, but then it never fully appears.

Shaba
2007-12-18, 14:33
Hi

Then I don't think that I can help you with that issue.

I can however re-direct you to some windows forum.

Is that ok? :)

Shaba
2007-12-25, 12:09
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.