PDA

View Full Version : Spyware? Malware? Virus?



TomPabst
2006-04-08, 04:33
Hi Guys...

Got another "bug".....who writes this garbage? Can we shoot'em? LOL....

I know the drill.......here goes......

Started getting odd behavior yesterday morning. It has not escallated (yet).

Symptoms
**Hard Drive Activity: Odd and unusual activity a few times, nothing huge.
**Browser Speed: Slow at times, normal most of the time.
**Home Page Hijacking: No
**IE Launch Activity: Yes, three files are place on my desktop each time IE is launched. They are: ~jpcfg636, ~start636 and ~view636. When deleted, they return each time IE is launched....exact same files.
**Other Odd Activity: About once per hour, I get a pop-up on my desktop saying something about a "program weird name" has a problem and will be shut down. I'm asked to send to MS or not. I always send it to them since they are the root cause of all of this garbage! LOL.....just kidding. I say "no" and close.

Action Taken So Far
(1) Ran eTrust Antivirus (latest sig file update: 4/7/06): Results: 3 virus found which were, (1) Win32/Beovens!generic; (2) HTML/HelpControl!Exploit, and (3) Same as #2. Action Taken by eTrust: Deleted files. I then rebooted my computer, ran eTrust antivirus again = no virus files found.

(2) Ran Spybot, checked for latest detection rules, downloaded & installed (4/7/06): Reboot and run Spybot. Results: Nothing found.

(3) Checked for latest version of HJT (1.99.1), ran scan, copied log (post below).

(4) Nosing around my c:\windows folders I find an odd folder I don't recall with the name "ld" (in small letters). It contains a ton of entries that match those listed in the HJT log under "Running Processes" (which is how I found the "ld" folder in c:\windows). I tried renaming the folder (to: xld), reboot system, then launch IE and sure enough, the folder is replaced with one entry at the same time the "desktop" files are popping up on my desktop. I repeated that process three times, and three times there's an entry made in c:\windows\ld.

Before running HJT, I copied all those "ld" entries from my renamed folders back into the "ld" folder so they would all show up on the HJT log. But they don't, only one does (the last one).

Thank you in advance for your expert help.

Regards,

Tom

***********
HijackThis Log
***********

Logfile of HijackThis v1.99.1
Scan saved at 5:54:35 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\fyt\nm32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Color n Code\Common\IconMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Color n Code\ColorWizzard\hgcctl95.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\ld\jV6fUiqAwv4SWURvtnc.exe
C:\Program Files\SpyWare Tools\HiJackThis_Ops\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ETHelper Class - {A4032A77-8876-4C3E-9655-2AE16B58692D} - C:\WINDOWS\system32\str.dll
O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ujm] C:\WINDOWS\fyt\nm32.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color'n'Code Wizzard.lnk = C:\Program Files\Color n Code\Common\IconMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135272627828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

LonnyRJones
2006-04-08, 09:11
Hi Tom

Download "Suspicious File Packer" Third one on this page >
http://www.safer-networking.org/en/tools/index.html
To your desktop, unzip the file inside
run sfp.exe copy then paste the list below into it and hit continue.

C:\WINDOWS\ld\*.*
C:\WINDOWS\fyt\*.*
C:\WINDOWS\system32\str.dll
C:\WINDOWS\system32\winbrume.dll

a xxxxxxx.cab file will have been created on your desktop
Send it to submitlonny AT subratam.org
Replace AT and spaces with @ and include a link back to this thread.

Thanks

TomPabst
2006-04-08, 17:23
Lonny,

Thanks for your assistance on this.

Done......as of 7:23am (PDST, USA).

Tom

LonnyRJones
2006-04-08, 18:39
Thanks for sending those
Its some sort of keylogger, more information later.

Start Hijackthis and place a check next to these items If there.
O2 - BHO: ETHelper Class - {A4032A77-8876-4C3E-9655-2AE16B58692D} - C:\WINDOWS\system32\str.dll
O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\system32\winbrume.dll
O4 - HKCU\..\Run: [ujm] C:\WINDOWS\fyt\nm32.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete these files/folders
C:\WINDOWS\ld
C:\WINDOWS\fyt
C:\WINDOWS\system32\str.dll
C:\WINDOWS\system32\winbrume.dll
c:\Program Files\Internet Explorer\update.exe
c:\Program Files\Internet Explorer\winbrume.dat

Post a fresh hijackthis log please, be sure to mention any current problems.

TomPabst
2006-04-08, 22:34
Hi Lonny,

Followed above directions......done.

Two files in "delete these" instructs not found:

(1) "update.exe"
(2) "winbrume.dll"

Just for the heck of it I did a c:\driver search for both. No "windbrume.dll" found anywhere, but two "update.exe" files were found in other folders, none dated any time recently.

Ran HJT again:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:52 PM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Color n Code\Common\IconMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Color n Code\ColorWizzard\hgcctl95.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\SpyWare Tools\HiJackThis_Ops\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color'n'Code Wizzard.lnk = C:\Program Files\Color n Code\Common\IconMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135272627828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

*************end HJT paste*****************

Standing by for further instructs. I will report back if any unusual activity is detected until the next instructs from you.

Regards,

Tom

LonnyRJones
2006-04-09, 03:45
Make and merge this registry file to delete its entries

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\AppID\{8F9387E0-8BD1-48CA-A4D5-81D9DF733DC4}]
[-HKEY_CLASSES_ROOT\AppID\U_ET.DLL]
[-HKEY_CLASSES_ROOT\CLSID\{11BE56FB-AC69-4704-B6E6-B0B7BFBF31A7}]
[-HKEY_CLASSES_ROOT\CLSID\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}]
[-HKEY_CLASSES_ROOT\CLSID\{A4032A77-8876-4C3E-9655-2AE16B58692D}]
[-HKEY_CLASSES_ROOT\CLSID\{C8F21DFE-B35C-4274-82EC-1E072D09025E}]
[-HKEY_CLASSES_ROOT\Interface\{04E82602-655A-492C-8104-40BC57AD40FA}]
[-HKEY_CLASSES_ROOT\Interface\{7CCABB90-7477-4C68-8E86-6F64CCB5B86D}]
[-HKEY_CLASSES_ROOT\TypeLib\{E8748F07-F18D-4110-B00B-0AD3C226AE99}]
[-HKEY_CLASSES_ROOT\U_ET.ETHelper]
[-HKEY_CLASSES_ROOT\U_ET.ETHelper.1]
[-HKEY_CLASSES_ROOT\U_ET.FormHelper]
[-HKEY_LOCAL_MACHINE\SOFTWARE\DBZBHO]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ZEROSOFT]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"InstallDate"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"InstallPath"=-

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

TomPabst
2006-04-09, 05:32
Make and merge this registry file to delete its entries

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\AppID\{8F9387E0-8BD1-48CA-A4D5-81D9DF733DC4}]
[-HKEY_CLASSES_ROOT\AppID\U_ET.DLL]
[-HKEY_CLASSES_ROOT\CLSID\{11BE56FB-AC69-4704-B6E6-B0B7BFBF31A7}]
[-HKEY_CLASSES_ROOT\CLSID\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}]
[-HKEY_CLASSES_ROOT\CLSID\{A4032A77-8876-4C3E-9655-2AE16B58692D}]
[-HKEY_CLASSES_ROOT\CLSID\{C8F21DFE-B35C-4274-82EC-1E072D09025E}]
[-HKEY_CLASSES_ROOT\Interface\{04E82602-655A-492C-8104-40BC57AD40FA}]
[-HKEY_CLASSES_ROOT\Interface\{7CCABB90-7477-4C68-8E86-6F64CCB5B86D}]
[-HKEY_CLASSES_ROOT\TypeLib\{E8748F07-F18D-4110-B00B-0AD3C226AE99}]
[-HKEY_CLASSES_ROOT\U_ET.ETHelper]
[-HKEY_CLASSES_ROOT\U_ET.ETHelper.1]
[-HKEY_CLASSES_ROOT\U_ET.FormHelper]
[-HKEY_LOCAL_MACHINE\SOFTWARE\DBZBHO]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ZEROSOFT]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"InstallDate"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"InstallPath"=-

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.


Lonny.....are these instructs meant for me?

Hard to tell since you make no reference to me or anything we've done, nor do you ask for another HJT log......or say anything about "what's next?" The fact that another person is posting in this thread gives me reason to question this post from you, as well. Just thought I should check to make sure your post is meant for me.

Tom

LonnyRJones
2006-04-09, 06:15
Yes Tom the reg file is for your PC, Ive removed cckeating's posts.

Still no problems ?

TomPabst
2006-04-11, 19:18
Oh man, Lonny.......sorry but I had to take off for two days on an emergency (one of my friends got hurt pretty bad in the Long Beach Grand Prix this last weekend). I've just gotten back late last night.

Booting my computer this morning has eTrust detecting two viruses/trojans (deleted them).....but these are the same ones that it detected on primary scan the first time all of this started.

Just for grins......they are:

Win32/Alureon!generic
Win32/SecBlock!generic

Checked the CA Virus Encyclopedia just before coming here.......the first one is listed and has a big page of information.....but nothing about "how to cleans system" of it. The second one is not listed.

I'm wondering if it wouldn't be wise for me to start over from the top (above) with your instructions.....getting back to the point where I questioned you about the instructions "being for me." And then report here and take it from there. I guess that's what I will do as most likely you are off and busy with others. I'm amazed how many posts were written in just the two days I've been gone.....geeez! Somebody needs to pay you guys! Where's your "PayPal Donate" button? -:)

I have a couple hours of things to do before I can get to this. I'll check back here first, before getting started......just in case you have logged in and don't want me to start from the top again.

Sorry again, about having to jet out.....last minute.

Regards,

Tom

LonnyRJones
2006-04-11, 19:33
Just for grins......they are:
Win32/Alureon!generic
Win32/SecBlock!generic

Ok but does it show on the next scans ? if so what are the file names and exact locations ?

TomPabst
2006-04-11, 22:10
Hey Lonny....

Here is a completely "virgin" HJT log. Have not done anything yet.....computer is as we left it plus booting up today and using it for email (no Internet except to this site).

Logfile of HijackThis v1.99.1
Scan saved at 12:03:26 PM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Color n Code\Common\IconMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Color n Code\ColorWizzard\hgcctl95.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\SpyWare Tools\HiJackThis_Ops\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [vthi] C:\WINDOWS\system32\z935z.exe dummy
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color'n'Code Wizzard.lnk = C:\Program Files\Color n Code\Common\IconMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135272627828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

*************end HJT Log*************

Lonny, I think it would be wise for me not to do anything until I hear from you this HJT log. So, I'll just sit tight....

Regards,

Tom

LonnyRJones
2006-04-12, 01:09
Did you see the question in my last post ?

Have hijackthis fix >
O4 - HKLM\..\Run: [vthi] C:\WINDOWS\system32\z935z.exe dummy
==========
Restart your PC for the change to take effect.

TomPabst
2006-04-12, 05:19
Lonny,

Decided I'd better not wait too much longer as I was getting a lot of unusual hard drive activity.

Here's what I did:

(1) Shut system down and rebooted into safe mode.
(2) Used "sys restore" to return the day before you and I started on this thread.
(3) Ran HJT.....confirmed that it looked exactly like the first one in this thread.
(4) Re-performed each "instruction" from you.....including the one I did not first understand.
(5) Ran another HJT.......posted below.

I hope I didn't screw you up? But heck, the hd was going pretty crazy!

What next?

Regards,

Tom

*********************
Logfile of HijackThis v1.99.1
Scan saved at 7:07:06 PM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Color n Code\Common\IconMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Color n Code\ColorWizzard\hgcctl95.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SpyWare Tools\HiJackThis_Ops\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color'n'Code Wizzard.lnk = C:\Program Files\Color n Code\Common\IconMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135272627828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

LonnyRJones
2006-04-12, 06:53
Let us know how your PC is in a few day's

TomPabst
2006-04-12, 08:13
Let us know how your PC is in a few day's

Lonny,

Does that mean you think this HJT log is okay now? Any suspicians? Just wondering.

Tom

LonnyRJones
2006-04-12, 08:49
It looks fine, write down locations and file names if your av alerts again, then let it attempt to take care of it.

TomPabst
2006-04-13, 00:56
It looks fine, write down locations and file names if your av alerts again, then let it attempt to take care of it.

Lonny,

Got the first one of these an hour ago. It was for: win32/alureon!generic
The Location: was windows restore cab files. Of course, the EzTrust AV program can't access those files.

Action I took:
I figured there was a ton of stuff in those "restore file" cabs I didn't want to mistakenly put back on my computer. So, I decided to turn off "system restore" - reboot and then put it back on (that is supposed to clear all the previous restore points).

I'll continue to monitor/log anything odd that happens and report back here instantly that it does. Otherwise, I'll report back in max five days and we can clear this problem string. For some reason, I'm just not totally comfortable with the idea that we got rid of these trojans/viruses. Can't explain why....just a gut feeling, though.

Thanks for all your help......past, present and future. You guys do a great service for the Internet and you don't get recognized for it. Not like you should at least!

Sincere regards,

Tom Pabst

TomPabst
2006-04-17, 18:57
Hi Lonny,

Well, it's been about a week and -all is well- with my computer (at least for the problems from this key-logger)........

I did get another "Win32/Aleuron!generic" AV alert this morning. But, I think this was a "new acquire" as it was only the "hhm.exe" (actual file, not a "shortcut") dummy-click-it file. I deleted it (from Win Explorer), rebooted and ran HJT and it looks fine to me.

But just for fun, here's a copy of this HJT log in case I missed something:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:32 AM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Color n Code\Common\IconMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Color n Code\ColorWizzard\hgcctl95.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\SpyWare Tools\HiJackThis_Ops\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color'n'Code Wizzard.lnk = C:\Program Files\Color n Code\Common\IconMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135272627828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

My guess is that by now maybe you guys have seen this a lot? Anyway, I did a bunch of net-search surfing yesterday looking for pictures (google/image search) of the LeMans-2005 race and probably clicked on a few too many "alternative interests photos" (usually blonde or brunette...LOL....) than I should have. I think I should go to "IE Safe Test" site and again and run a check on my IE browser settings and see why I'm getting these auto-downloads (I thought I had IE set to ask me if I really want to download something).

I'll report back here in two days or so if nothing happens, and we can close this thread?

Looks like you guys had a busy weekend......

Regards,

Tom

LonnyRJones
2006-04-18, 04:14
Looks fine

Im Afraid no matter how updated and secure the PC is you will keep getting infected from those "alternative interests photos".

tashi
2006-04-22, 06:31
As the problem appears to be resolved this topic will be archived.

If you need it re-opened please send me a pm and provide a link to the thread.

Cheers.