Please Help! MANY malwares/trojans/ etc!

Hi Rorschach,

Thanks for the speedy reply. I tried my user a/c and it was fine, too.

I do have a question before you close this message thread. Recommendations or suggestions are appreciated.

Should I do a disc defrag or any sort of general system cleanup/maintenance before I create a clean system restore and recovery discs?

You didn't ask, but I ran one more HiJackThis system scan and log for you, just in case you need it.
I think that last procedure you had me do completely removed the VundoFixSvc. I put the log below.

I am so happy I found this forum! What an incredible, valuable service.
My problems are solved, thanks to your generous time and assistance.

You have been such a great help. Your instructions have been straightforward and easy to follow.

I'll be back because this is a great resource. But, ONLY to read, NOT with problems! :-)

Makes me happy knowing that there are talented and kind people willing to help.
May you have a long and gentle life.

-gratefully,
taichi



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:30 PM, on 4/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7790 bytes
 
Log looks good

<<Should I do a disc defrag or any sort of general system cleanup/maintenance before I create a clean system restore and recovery discs?>>

Doesn't matter really. You can do it whenever


Anything else ?
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
Please help. I think SmitFraud and Virtumonde are back.

I am running SpyBot this morning and it is running right now and already shows Virtumonde 4 entries and Smitfraud-C. I am on another computer while it is running.

What should I do next? Is there a LOG for Spybot that would help you find what's going on?

Thanks in advance.
-Taichi
 
Hi,
I'm sorry to panic like this, but, I was worried when I ran Spybot.

As you said, I ran Hijackthis and log is below.

Although I couldn't find a Spybot log, I printed what was on the screen. I did NOT check it to fix anything. I just printed and closed it.

Spybot found Smitfraud-C: Settings -- several lines of entries in registry keys (plain) and also registry keys for Browser Helper, Library, Class ID.

Also found Smitfraud-C in the following files all in the C:\Windows directory:
/base64.tmp
/zip1.tmp
/zip2.tmp
/zip3.tmp
/zipped/tmp
/Web/def.htm

I looked in MyComputer in those locations, and those files WERE there, and they were the old date when everything started going bad (4/2/2008). I have no idea about registry keys, though, as I don't mess with those.

SpyBot found Virtumonde in Settings - Registry keys in
HKEY_USERS ....lots of numbers, etc..(3 of these found)
and
HKEY_LOCALMACHINE/SOFTWARE?Microsoft?aoprndtws

Here's Hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:58 PM, on 4/14/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2093760284-1564289979-1210224223-1000\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'EAA')
O4 - HKUS\S-1-5-21-2093760284-1564289979-1210224223-500\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Administrator')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8706 bytes

Thank you.
Taichi
 
Sounds like orphaned entries, I wouldn't worry too much

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    [kill explorer]
    C:\Windows/base64.tmp
    C:\Windows/zip1.tmp
    C:\Windows/zip2.tmp
    C:\Windows/zip3.tmp
    C:\Windows/zipped/tmp
    C:\Windows/Web/def.htm
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Then reboot and run a full scan with Spybot and save the log and post it here
 
Hello, thanks for answering.

First thing, because I keep forgetting to mention this, and it may be important -- I am still running in “system configuration” mode. When I was in the midst of running all the different programs/cleaners, during the “Terrible Trojan/Malware” days and nights, I also was looking for running processes or start up items that were causing problems. I used msconfig. Items I didn’t particularly recognize or want, I disabled (stopped) them. BUT, ever since, I left msconfig running in “Selective Startup.” I saw a notice at Microsoft’s site that we shouldn’t keep starting in this mode, that it’s not stable, or something. MS says to allow normal startup and if programs are causing problems, just remove them, or have preferences for that program NOT to run at start up.

Should I enable everything, do a normal startup and see what happens? Post a log or something?

I have been trying to get back to "normal," with this laptop, but still have not done online shopping or banking, because I'm afraid trojan/malware programs are lurking around here somewhere.

New things:

I have been having to do some “hard shut downs” off and on, again, because Windows “hangs” at shut down/restart and won’t budge.

Steps I’ve taken since I posted last:

1. I re-ran Spybot Search & Destroy again and clicked FIX on the Virtumonde (4 entries) and Smitfraud-C (31 entries) registry key and file problems it found. I rebooted and re-ran Spybot, and it did not report those files, again. I looked in c: drive and couldn’t see them, so I think they are gone. I’ve updated, immunized, and re-run Spybot several times, and it still does not find those entries. Do you still want me to run the MOVE IT by Old Timer, in case Spybot did not delete them all??

2. For programs that I no longer use, or didn’t remember I had (for example, they were put on this laptop when I used PC Mover), here’s what I did. I “enabled” a particular service/program in msconfig, THEN went to Windows add/remove programs and UNINSTALLED the program. Sometimes this worked, more often it did not. Not sure what step I am missing on this.

3. I ran Windows Defender & Norton several times – quick and full scans, with nothing unusual reported. I also began downloading and running the following protection programs (most of which, you recommended):

--- Spyguard would not work for me. After I installed it, Windows Installer kept popping up at restart, trying to “install” a program of mine that was moved onto this laptop with PCMover ( “Amos 5.0” a Structural Equation Modeling statistical program). It would hang up the start up and had to CAD to get rid of it. So, I ended up un-installing Spyguard, which solved the Windows Installer appearing at startup problem.

--- Spyware Blaster. I’m not sure exactly what it is doing or how it is supposed to work, but I’ve run it a few times. I enabled all the protection, and checked for updates (none), and I made sure to take a “system snapshot,” as well as a “registry snapshot.”

--- IESpyad – Again, I’m not sure what it did, other than apparently put lots of restricted sites in Mozilla’s Firefox browser.

--- Adaware 2007 from Lavasoft. I installed, updated, ran & it found 3 tracking cookies, that I let it remove.

--- Malwarebyte’s Anti-Malware. Downloaded & updated & ran. It found 9 things:
Vendor Category (Some long, long, numbers here)
Adware.Coupons Registry Key
Trojan.Agent File
Malware.Trace Registry Key
Spyware.MarketScore File
Malware.Trace Registry Key
Malware.Trace Registry Key
Malware.Trace Registry Key
Trojan.Vundo Registry Key
Trojan.Agent File (C:\users\(my user name) | g2mdlhlpx.exe (?) no idea

I had Malwarebyte remove all of them, rebooted, and re-scanned, and it did not show them again.

I have a few questions, and hope you can help with answers:

1. About the “system configuration” / selective startup mentioned at beginning. Should I use Run>msconfig, and set it for a “normal” startup, then run HJT again (or Deckards System Scanner) and post a new log after everything is supposedly running/starting?

2. Is it okay to use ERUNT Registry backup program, to make a “newer/cleaner” registry copy?

3. Should I make a new Restore Point, because of the other miscellaneous things that were found / fixed since I thought I was clean last week? In VISTA Home Premium Edition, it only keeps ONE restore point, not several. If yes, would you tell me where I find that? I can’t recall how I did it, nor locate my otherwise copious notes regarding this.

4. Internet Explorer does not work at all. I think I uninstalled it, or maybe just disabled it, when all the problems started, and I didn’t care if I ever saw IE again, because I like using Mozilla’s Firefox, less vulnerability, etc. But, I thought I read somewhere in the past week on Microsoft’s site that Windows will not update through another browser, only through IE. Do you know if this is true? Do you think I should re-install or try to get IE to work, just so I can get updates (I seriously am NOT going to purposely use it again)? Also, Kaspersky’s Online Scanner would not work with Firefox for me.

5. Is there a legitimate site somewhere that lists and updates all the “fake” spyware remover tools that I can look at? When the Trojan stuff started, I did not know about all the fake remover sites/programs such as “Spy Sheriff.” Also, the fake Windows security alerts that were trying to direct me to PC-Antispyware web site – I did not know that this was a well-known trojan/malware site. I also did not know that there is a FAKE Spybot search and destroy program. Does Spybot keep a list of these fakes?

Thanks in advance for any help you can give!!
TaiChi
 
Hi again,

Sorry to be such a pain. If the information I need is posted somewhere, just point me in the right way and I’ll go there. Thanks!

I am still running MSconfig in “selective” mode. I haven’t changed to full, normal yet.

So, I am concerned that I may not really be correctly running the Spybot or HJT. Also, not sure if my HJT logs would be showing all the services and processes that are actually still “loaded” (if that’s the correct term), but not currently “running.” As I described before, I went into MSconfig & disabled in either startup or running process several items that I was uncertain about, and have left them that way. Does it matter?

I went online to do some research and checked the files listed below at bleepingcomputer.com, what-is-exe.com, and processlibrary.com, and checked all the DLL and exe files from the HJT log to make sure that the services/registry items listed in it were actually okay and not bogus. There were three items that results came back as being spyware or hijacker. I made sure when searching the items that I entered the exact spelling and capital letters as listed in my HJT log. The first two items are supposedly “Searchcentrix Hijacker” – and not the legitimate one, because of the capital letter S for sidebar, instead of lower case, and where it’s located.

O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘LOCAL SERVICE’)


And the same item, but listed for “NETWORK SERVICE” instead of “LOCAL SERVICE”)

O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘NETWORK SERVICE’)

Note, I am running Windows Vista, and several months ago, I disabled the new Vista sidebar “gadget” from appearing, because it was annoying and useless to me. I don’t recall how I did that, maybe it was a preference.

The third item was reported as “spyware related to DownloadWare and found in Program FilesKFH.”

O4 – HKLM\..\RunOnce: [Launcher] %WINDIR%|SMINST\launcher.exe

All 3 items are very, very similar to legitimate items, that’s why I didn’t notice them before.

By the way, the web site "what-is-exe.com" didn’t show info on launcher, and only showed the sidebar as being Vista’s. The process library web site sort of agrees with bleepingcomputer and reports that launcher.exe, is a program for windows desktop downloader software from Intercort Systems, to monitor browsing habits, and send info back to the author, and that it’s a security risk. I actually never installed anything like that purposely.

I don’t know what to think – are these items okay?

Also updated & ran Spybot again this afternoon, but it didn’t find anything. I keep getting the same error near the end of the scan “Include Error File C:\Program..Files \Spybot\...Include \TrojansC.sbi” When I look for an “include report,” I can’t locate a log or anything. I’ve looked at Spybot S & D> Mode > Advanced > Tools > View Report. Can’t seem to find an includes error report. I did see the huge report, but not much help to me! :-/

I also looked at Spybot S & D’s System Start Up tool. I don’t know what the yellow and green highlighting mean in the items, there are no legends to tell. But, the ONE “Launcher” item listed above is highlighted in RED. I didn’t touch anything, just closed Spybot. I looked over in the Spybot forum but didn't find anything about highlighting.

Is there anything I should be doing? Should I turn windows configsys back on to normal startup and let everything run? & do a new hi jack with everything on?

I feel like I’m asking really simple/dumb questions, that I probably should know these things, but I don’t. I’m clueless and frustrated, sorry. I think in the past two weeks, I've lost whatever few working neurons I had :-/

Thanks in advance for any help you can give!
TaiChi

PS I haven’t made a donation because I am NOT doing any online things related to bank/credit card/money/shopping, etc., until I think the computer is totally secure. Please know that I am incredibly grateful for your assistance.
 
Hello

Do Normal Startup if you wish, but selective startup is fine


Can you post the OTMoveIt2 and Spybot logs


Yes you can make a new registry point now that you are clean with ERUNT, same for the System Restore points



Here is a site for fake spyware programs

http://www.spywarewarrior.com/rogue_anti-spyware.htm



As for all those HJT entries you listed, they are all legitimate and shouldn't be fixed. That is why we don't use those automated scanners, they are terrible


Are you having any visible problems ?
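Two points from this thread are easy to check mechanically: what actually changed between the 4/12 and 4/14 HijackThis logs, and that the capitalisation of "Sidebar.exe" tells you nothing on Windows, where file lookup is case-insensitive and only the folder an image lives in distinguishes one entry from another. The script below is an added example, not part of HijackThis or of the helper's procedure: it parses HJT O2/O4/O23 lines, normalises paths (case-folded, slashes unified, %ProgramFiles% and %WINDIR% expanded to assumed defaults) and diffs two logs; the excerpts are constructed from the entries quoted above.

```python
"""Parse HijackThis-style log entries, normalise the paths in them the way
Windows resolves them, and report what changed between two logs.

Added example for this thread; not part of HijackThis or of the helper's
procedure.  ENV holds assumed defaults for the variables HJT leaves
unexpanded (%ProgramFiles%, %WINDIR%)."""
import re

ENV = {"programfiles": r"C:\Program Files", "windir": r"C:\Windows"}

# O4 autorun entries: "O4 - <hive>: [<name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)


def normalise_path(path):
    """Expand %VAR%, unify slashes and case-fold.  NTFS path lookup is
    case-insensitive, so 'Sidebar.exe' and 'sidebar.exe' in the same folder
    name one file; only the folder it lives in distinguishes entries."""
    path = re.sub(r"%([A-Za-z]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)
    return path.replace("/", "\\").strip().casefold()


def image_path(cmd):
    """Image launched by an autorun command: the quoted token, or the
    unquoted text up to the first ' /' or ' -' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return normalise_path(cmd[1:cmd.index('"', 1)])
    return normalise_path(re.split(r" (?=[/-])", cmd, maxsplit=1)[0])


def parse_log(text):
    """Map each HJT section (O2, O4, O23, ...) to a set of comparable keys."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+|R\d+|F\d+) - ", line)
        if not m:
            continue
        sec = m.group(1)
        if sec == "O4":
            o4 = O4_RE.match(line)
            if not o4:
                continue
            key = (o4["hive"].casefold(), o4["name"].casefold(),
                   image_path(o4["cmd"]), (o4["user"] or "").casefold())
        else:
            # O2/O3/O9/O23: "<description> - <path>"; normalise the path only
            parts = line[len(sec) + 3:].rsplit(" - ", 1)
            key = tuple(parts[:-1]) + (normalise_path(parts[-1]),)
        entries.setdefault(sec, set()).add(key)
    return entries


def diff_logs(before, after):
    """Return {section: (added, removed)} for the sections that changed."""
    a, b = parse_log(before), parse_log(after)
    result = {}
    for sec in sorted(set(a) | set(b)):
        added = sorted(b.get(sec, set()) - a.get(sec, set()))
        removed = sorted(a.get(sec, set()) - b.get(sec, set()))
        if added or removed:
            result[sec] = (added, removed)
    return result


# Constructed excerpts of the 4/12 and 4/14 logs quoted in this thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""
LOG_AFTER = LOG_BEFORE + r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKUS\S-1-5-21-2093760284-1564289979-1210224223-1000\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'EAA')
O4 - HKUS\S-1-5-21-2093760284-1564289979-1210224223-500\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Administrator')
"""

if __name__ == "__main__":
    for sec, (added, removed) in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for key in added:
            print(f"+ {sec} {key}")
        for key in removed:
            print(f"- {sec} {key}")
```

Run on the two excerpts it reports only the Spybot SDHelper BHO and the two new per-user O4 entries as added, and nothing removed; the LOCAL SERVICE and Administrator Sidebar entries resolve to the same image in the Windows Sidebar folder.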
 
Good morning,

<<As for all those HJT entries you listed, they are all legitimate and shouldn't be fixed. That is why we don't use those automated scanners, they are terrible>>

About these items:
O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘LOCAL SERVICE’)

O4 – HKUS\S-1-5-19\..\Run:[Sidebar]%ProgramFiles%\Windows Sidebar\Sidebar.exe/detectMem (User ‘NETWORK SERVICE’)

O4 – HKLM\..\RunOnce: [Launcher] %WINDIR%|SMINST\launcher.exe

I actually didn’t use an online/automatic scanner, I typed the file names in those sites as a search. The information about the files came back from bleeping computer like below. When I type in sidebar.exe in the search, it shows 3 items, and the second one, with the "S" in caps both times, is the one I have.

http://www.bleepingcomputer.com/startups/

like below. I hope the table/info shows. The second listed sidebar is the way mine is capitalized (cap both times).

Name     Filename      Status  Description
sidebar  dsidebar.exe  U       Related to Desktop_Sidebar provides you with instant access to the information you most desire by grabbing data from your PC and the internet. The re ... Read More
Sidebar  Sidebar.exe   X       Searchcentrix hijacker
Sidebar  sidebar.exe   U       The Windows Vista sidebar that allows you to add gadgets, rss feeds, and other information. ... Read More


And when I type in launcher.exe, Bleeping showed:

Launcher  launcher.exe  X       Spyware component related to DownloadWare and found in Program FilesKFH


<<Are you having any visible problems?>>


Slow load of Firefox and startup items, and the computer has been hanging/stopping and I have to do a hard shutdown.

About the logs-
Okay, when I get back from day job, I will post logs this evening.

thank you very much!
TaiChi
 
You have nothing to worry about, don't need to see those logs as your PC is clean

Just do this then we are all done


  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


That is it, all done :)
 
Hi again,

Okay, if you think all is clear, I will act on your determination that everything is fixed. Thank you!!

One last item? Can you point me in the right direction, or answer a question about using the "ERUNT" restore registry?

I was concerned about "ownership" of the folders, because I had only set up "admin" and MY user name "EAA-PC," NEVER anyone else.

But, there were 3 types of "users" showing up in C:\winders\Users that I never set up -- "administrator", "Public" and "TrustedInstallers." These also had some temporary folders and other items that I had not put there, and they were dated within the day or two following my major Virtumondo Smitfraud Abebot Downloader trojan/virii problems. I made sure I had deleted everything they had in them last week, and I thought I deleted them, but they still show up on the C drive. I read on the Microsoft site that I really need to "take ownership" of any users/folders and then delete the items so they wouldn't come back. I need to stop reading, I think! :-/

Anyway, the bottom line - I "took ownership" this morning, but something sort of unusual (probably bad) happened. It took a long time to change from "TrustedInstaller" to my admin user, and around the "Symantics" folder I received a popup that an error occurred and was denied, did I want to cancel or proceed, so. . . I cancelled the ownership. Then I received a popup that said this was probably not a good choice and the system would not be stable. I tried immediately to change ownership back to "TrustedInstaller" (that's who owned my C drive), but no such "person/object/built in security principal." So, the computer hung up for a long time, then stopped responding. I switched to my user account and keep getting a notice "The recycle bin on C:\ is corrupted. Do you want to empty it?" I didn't know, so I said "no." Were you able to understand what I did?

Well, my question is:

If I use the ERUNT registry restore, which I had JUST DONE last night (before the ownership thing) ...will this put ownership back to "TrustedInstaller" and fix whatever I messed up this morning? I just got home this evening and didn't want to turn the laptop off or do anything. I'm afraid if I turn it off, it will not come back again! I made sure it is not connected to internet.


Thanks in advance for ERUNT directions, etc!! Maybe the clean System Restore I made before the "ownership" thing this morning would work better?
-TaiChi


And, look ---> Instead of copy/paste, I just NOW learned how to use the "quote" feature! :-)

You have nothing to worry about, don't need to see those logs as your PC is clean

Just do this then we are all done


  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
That is it, all done :)
 
I'd say System Restore would be your best bet

Not much advice I can give you concerning that, it is more of a tech issue

Anything else ?
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
I just want to say again THANKS so much for helping me remove the virus, trojan and malware and related garbage.

Norton just gave up the ghost this morning, and is reporting: "not protecting your PC." But I will call them tonight or tomorrow and see if they can fix THEIR program. After I also make sure the ownership thing on all my folders are okay and I have a working A-V I will definitely make a donation! This forum is a great resource - for all levels of computer experience. :-)

Rorschach - you were awesome!!

-TaiChi


<<Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.>>
 