spyware, malware help Please

Discussion in 'adware, spyware & hijack cleaning' started by Sharon, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Hello,
    I just joined your forum tonight. My daughter found the link to your site and sent it to me.
    I’m running Windows XP Home Edition, also Spybot, Adaware, Hijack This, Spy Sweeper and Spy Guard.
    I went to a web site that supposedly had Paint Shop Pro tutorials; instead I was bombarded with a multitude of pop up windows. A lot of stuff was dumped into my computer. I’ve been working days to get rid of this stuff and when it seems it’s gone, something else pops up. There were folders in that had to be deleted from the favorites folder. Spybot, Adaware and Spy Sweeper have found the following:
    SCAM.Enigma, VX2.BetterInternet, ShopAtHomeSelect, Gator (GAIN), PurityScan, version 1, couldnotfind.com, IstBar, PowerScan, SideSearch, TeenXXX (TinyBar), Targetsoft, version 1, Slotchbar, TeenXXX (TinyBar), WinActive, version 1 (what is this?), Allaboutsearching, searbar.html, Lopdotcom, version 1, vx2 (Transponder), version 1, and CoolWWW. This garbage really hit me hard. I downloaded ewido security suite. After running it today, it said there weren’t any infected files. As did Spy Sweeper and Spybot. Adaware found VX2.BetterInternet and SCAM.Enigma. Even though these two have been deleted with the above software, Adaware finds them. I’ve checked the registry and couldn’t find any traces. Also, when searching for IgfxTray search found IgfxTray-05859571.pf in C:\WINNT\Prefetch. Can you tell me what this is? I’m stumped. Can someone please help me out with this? Below is the Hijack This log.
    Thank you,
    Sharon

    Logfile of HijackThis v1.97.7
    Scan saved at 4:13:12 PM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\etfxperfn.exe
    C:\zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [Remote wipe] C:\PROGRA~1\Nurb proc bore\DUPE MULTI BURN.exe
    O4 - HKLM\..\Run: [_28603c] C:\WINNT\System32\_28603c.exe
    O4 - HKLM\..\Run: [etfxperfn] C:\WINNT\System32\etfxperfn.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Sharon,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:


    O4 - HKLM\..\Run: [Remote wipe] C:\PROGRA~1\Nurb proc bore\DUPE MULTI BURN.exe
    O4 - HKLM\..\Run: [_28603c] C:\WINNT\System32\_28603c.exe
    O4 - HKLM\..\Run: [etfxperfn] C:\WINNT\System32\etfxperfn.exe

    O4 - Startup: PowerReg SchedulerV2.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\Nurb proc bore <= entire folder

    Could you copy and paste the text in bold into your IE addressbar and post the results that get displayed:
    javascript:navigator.userAgent

    Regards,

    Pieter
     
  3. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Hi Pieter,
    Thank you for your help. This is the result of javascript:navigator.userAgent:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
    Believe it or not, when I rebooted into safe mode the folder C:\PROGRAM FILES\Nurb proc bore wasn’t there for me to delete. This is the new log of Hijack this.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:01:21 PM, on 4/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\System32\bcachew.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\zip\HijackThis.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [bcachew] C:\WINNT\System32\bcachew.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I’m also including the log for Adaware. It keeps finding VX2.BetterInternet Object in
    C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1\ even though it supposedly deletes it. There are log files of Adaware in there that were created today. I find that odd, because Adaware keeps log files in its own folder. I have deleted the entire contents of this folder, but the contents are there again when I boot up.


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Friday, April 30, 2004 3:50:05 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R300 28.04.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan within archives

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    4-30-2004 3:50:05 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 4-30-2004 7:03:00 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:02 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:02 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:02 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:03 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:03 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:04 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:8 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ThreadCreationTime : 4-30-2004 7:03:12 PM
    BasePriority : Normal
    FileSize : 88 KB
    FileVersion : 2, 1, 0, 0
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright (C) SEIKO EPSON CORP. 2000-2001
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    OriginalFilename : SAgent2.exe
    ProductName : EPSON Bidirectional Printer
    Created on : 2/29/2004 6:21:55 PM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 8/9/2001 8:01:00 AM

    #:9 [tablet.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:12 PM
    BasePriority : High
    FileSize : 620 KB
    FileVersion : 4.78-6
    ProductVersion : 4.78-6
    Copyright : Copyright
    CompanyName : Wacom Technology, Corp.
    FileDescription : WacomService
    InternalName : WacomService
    OriginalFilename : WacomService.exe
    ProductName : Wacom Win32 Tablet Service
    Created on : 12/4/2003 11:00:34 PM
    Last accessed : 4/30/2004 8:03:16 PM
    Last modified : 12/4/2003 11:00:34 PM

    #:10 [tmntsrv.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:13 PM
    BasePriority : Normal
    FileSize : 236 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : Tmntsrv
    InternalName : Tmntsrv
    OriginalFilename : Tmntsrv.exe
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:53:58 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/24/2004 11:47:15 PM

    #:11 [tmproxy.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:13 PM
    BasePriority : Normal
    FileSize : 200 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : TmProxy.exe
    InternalName : TmProxy.exe
    OriginalFilename : TmProxy.exe
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:55:30 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/24/2004 11:47:16 PM

    #:12 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 4-30-2004 7:03:16 PM
    BasePriority : Normal
    FileSize : 973 KB
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 5/12/2003 3:12:10 AM
    Last accessed : 4/30/2004 8:49:47 PM
    Last modified : 5/12/2003 3:12:10 AM

    #:13 [pccpfw.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:20 PM
    BasePriority : Normal
    FileSize : 684 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCCPFW
    InternalName : PCCPFW
    OriginalFilename : PCCPFW.exe
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:50:10 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/24/2004 11:47:15 PM

    #:14 [hkcmd.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:26 PM
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 3.0.0.2331
    ProductVersion : 7.0.0.2331
    Copyright : Copyright 1999-2003, Intel Corporation
    CompanyName : Intel Corporation
    FileDescription : hkcmd Module
    InternalName : HKCMD
    OriginalFilename : HKCMD.EXE
    ProductName : Intel(R) Common User Interface
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 11/18/2003 6:11:44 AM

    #:15 [gwinkmonitor.exe]
    FilePath : C:\Program Files\Gateway\Gateway Ink Monitor\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 296 KB
    FileVersion : 1.2.0.0
    ProductVersion : 1.2.0.0
    Copyright : Copyright
    CompanyName : Gateway
    FileDescription : Gateway Ink Monitor
    ProductName : Gateway Online Ink Purchase Utility
    Created on : 12/18/2003 3:37:58 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 11/5/2003 6:23:28 PM

    #:16 [sm1bg.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 92 KB
    FileVersion : 6.01.1000.0
    ProductVersion : 6.01.1000.0
    Copyright : Copyright (C) 1998-2003 Cypress Semiconductor
    CompanyName : Cypress Semiconductor
    FileDescription : Cypress USB Mass Storage Driver Background Application
    InternalName : SM1BG.EXE
    OriginalFilename : SM1BG.EXE
    ProductName : Cypress USB Mass Storage Adapter
    Created on : 12/18/2003 3:39:40 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 8/27/2003 8:20:00 PM

    #:17 [mmtask.exe]
    FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 52 KB
    FileVersion : 1.0.0.1
    ProductVersion : 1.0.0.1
    Copyright : TODO: (c) <Company name>. All rights reserved.
    CompanyName : TODO: <Company name>
    FileDescription : TODO: <File description>
    InternalName : mmtask.exe
    OriginalFilename : mmtask.exe
    ProductName : TODO: <Product name>
    Created on : 12/18/2003 3:43:49 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 6/26/2003 11:04:20 PM

    #:18 [pccguide.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 928 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCCGuide
    InternalName : PCCGuide
    OriginalFilename : PCCGuide
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:46:48 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 3/24/2004 11:47:13 PM

    #:19 [pcclient.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 620 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCClient
    InternalName : PCClient
    OriginalFilename : PCClient
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:46:13 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 3/24/2004 11:47:13 PM

    #:20 [tmoagent.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 284 KB
    FileVersion : 11.0.0.1253
    ProductVersion : 11.0.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : TrendMicro Outbreak agent
    InternalName : TMOAgent
    OriginalFilename : TMOAgent.EXE
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:44:55 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 9/22/2003 3:44:55 AM

    #:21 [directcd.exe]
    FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 5.3.0.107
    ProductVersion : 5.3.0.107
    Copyright : Copyright (c) 2001,2002, Roxio, Inc.
    CompanyName : Roxio
    FileDescription : DirectCD Application
    InternalName : DirectCD
    OriginalFilename : Directcd.exe
    ProductName : DirectCD
    Created on : 6/21/2002 5:54:08 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 6/21/2002 5:54:08 PM

    #:22 [fpdisp4.exe]
    FilePath : C:\WINNT\System32\spool\DRIVERS\W32X86\3\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 388 KB
    FileVersion : 4.83
    ProductVersion : 4.83
    Copyright : Copyright (c) 1995-2003 FinePrint Software, LLC
    CompanyName : FinePrint Software, LLC
    FileDescription : FinePrint 2000
    ProductName : FinePrint 2000
    Created on : 4/16/2004 2:56:22 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 6/3/2003 6:13:20 PM

    #:23 [jusched.exe]
    FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
    ThreadCreationTime : 4-30-2004 7:03:29 PM
    BasePriority : Normal
    FileSize : 32 KB
    Created on : 11/19/2003 10:48:18 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 11/19/2003 10:48:14 PM

    #:24 [wwdisp.exe]
    FilePath : C:\Program Files\Webroot\Washer\
    ThreadCreationTime : 4-30-2004 7:03:31 PM
    BasePriority : Normal
    FileSize : 193 KB
    FileVersion : 5.0.0.7
    ProductVersion : 5.0
    Copyright : Copyright (c) 1999, 2003 All Rights Reserved
    CompanyName : Webroot Software
    FileDescription : Window Washer hard disk cleaning utility
    InternalName : wwDisp.exe
    OriginalFilename : wwDisp.exe
    ProductName : Window Washer 5.0
    Created on : 3/14/2004 2:01:56 PM
    Last accessed : 4/30/2004 8:35:10 PM
    Last modified : 10/8/2003 11:00:08 AM

    #:25 [spysweeper.exe]
    FilePath : C:\Program Files\Webroot\Spy Sweeper\
    ThreadCreationTime : 4-30-2004 7:03:31 PM
    BasePriority : Normal
    FileSize : 649 KB
    FileVersion : 2.6.1.45
    ProductVersion : 1.0.0.0
    Copyright : Copyright (c) 2001-2003 Webroot Software, Inc.
    CompanyName : Webroot Software, Inc.
    FileDescription : Spy Sweeper
    ProductName : Spy Sweeper
    Created on : 4/19/2004 5:22:11 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 2/25/2004 4:48:26 PM

    #:26 [psfree.exe]
    FilePath : C:\PROGRA~1\PANICW~1\POP-UP~1\
    ThreadCreationTime : 4-30-2004 7:03:31 PM
    BasePriority : Normal
    FileSize : 512 KB
    FileVersion : 3, 1, 0, 1012
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright (C) 2002-2003
    CompanyName : Panicware, Inc.
    FileDescription : Pop-Up Stopper Free Edition
    InternalName : Pop-Up Stopper Free Edition
    OriginalFilename : PSFree.exe
    ProductName : Pop-Up Stopper Free Edition
    Created on : 4/22/2004 12:13:10 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 10/29/2003 4:01:02 PM

    #:27 [tabuserw.exe]
    FilePath : C:\WINNT\system32\Wtablet\
    ThreadCreationTime : 4-30-2004 7:03:32 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 4.78-6
    ProductVersion : 4.78-6
    Copyright : Copyright
    CompanyName : Wacom Technology, Corp.
    FileDescription : TABUSERW
    InternalName : TABUSERW
    OriginalFilename : TABUSERW.EXE
    ProductName : Wacom Technology, Corp. TABUSERW
    Created on : 12/4/2003 10:48:40 PM
    Last accessed : 4/30/2004 8:03:47 PM
    Last modified : 12/4/2003 10:48:40 PM

    #:28 [indstrf.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:35 PM
    BasePriority : Normal
    FileSize : 52 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    InternalName : mde
    OriginalFilename : mde.exe
    ProductName : mde
    Created on : 4/30/2004 7:03:32 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 1/11/2004 6:30:54 AM

    #:29 [sgmain.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 4-30-2004 7:03:36 PM
    BasePriority : Normal
    FileSize : 352 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC
    FileDescription : SpywareGuard
    InternalName : sgmain
    OriginalFilename : sgmain.exe
    ProductName : SpywareGuard
    Created on : 8/30/2003 12:05:35 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 8/30/2003 12:05:35 AM

    #:30 [sgbhp.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 4-30-2004 7:03:40 PM
    BasePriority : Normal
    FileSize : 228 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    OriginalFilename : sgbhp.exe
    ProductName : SG Browser Hijacking Protection
    Created on : 8/29/2003 4:14:56 PM
    Last accessed : 4/30/2004 8:25:03 PM
    Last modified : 8/29/2003 4:14:56 PM

    #:31 [e_s10ic2.exe]
    FilePath : C:\WINNT\System32\spool\DRIVERS\W32X86\3\
    ThreadCreationTime : 4-30-2004 7:03:41 PM
    BasePriority : Normal
    FileSize : 67 KB
    FileVersion : 3.01
    ProductVersion : 3.01
    Copyright : Copyright (C) SEIKO EPSON CORP. 2001
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Status Monitor 3
    InternalName : E_S10IC2
    OriginalFilename : E_S10IC2.EXE
    ProductName : EPSON Status Monitor 3
    Created on : 2/29/2004 6:21:54 PM
    Last accessed : 4/30/2004 8:25:03 PM
    Last modified : 6/14/2001 9:01:00 AM

    #:32 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 4-30-2004 8:49:56 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 3/4/2004 9:10:37 PM
    Last accessed : 4/30/2004 8:49:56 PM
    Last modified : 7/13/2003 4:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    VX2.BetterInternet Object recognized!
    Type : File
    Data : a0000129.dll
    Object : C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1\
    FileSize : 301 KB
    Created on : 4/30/2004 3:41:13 PM
    Last accessed : 4/30/2004 8:44:07 PM
    Last modified : 4/27/2004 8:06:43 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    4:02:18 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:12:12:484
    Objects scanned :208474
    Objects identified :1
    Objects ignored :0
    New objects :1

    Thank you,
    Sharon
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Sharon,

    When you get back online could you please post a fresh HijackThis log.
    I think you have a malware that changes its name everytime you reboot.
    So I will need to know the name it currently is using to help you get rid of it.

    Regards,

    Pieter
     
  5. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    Here is the lastest HJT log.
    Thanks,
    Sharon

    Logfile of HijackThis v1.97.7
    Scan saved at 7:39:05 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\WINNT\System32\lsfuncn.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
    C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [lsfuncn] C:\WINNT\System32\lsfuncn.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Sharon,

    Bring up TaskManager and stop the process called:
    lsfuncn.exe

    Then find and delete the file:
    C:\WINNT\System32\lsfuncn.exe

    Then have HijackThis fix:
    O4 - HKLM\..\Run: [lsfuncn] C:\WINNT\System32\lsfuncn.exe

    and reboot.

    Regards,

    Pieter
     
  7. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    What is lsfuncn.exe? I'm so suprised that all this stuff got by all the protection I have on my computer. I did as you advised, here is the new HJT log.
    Thank you so much for all your help, I truly appreciate it! I would never have been able to clean this up without your help!
    Sharon

    Logfile of HijackThis v1.97.7
    Scan saved at 9:10:36 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good job, Sharon.

    Looks like you got rid of it. :cool:

    I think it was the malware that some detect as Revop.C

    Can you try this:
    Click Start > Run and copy&paste this command
    regedit /e c:\explorerpup.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup"


    Repeat the same for:
    regedit /e c:\explorercomms.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms"

    Find the c:\explorerpup.txt and c:\explorercomms.txt file and post the content. No panic if they don't exist. That means I was wrong about Revop.

    Regards,

    Pieter
     
  9. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    Trend caught an email message attachment with REVOP.C. I found information on their site and check all my files manually to make sure my computer didn't get infected. I couldn't find explorercomms.txt but did find explorerpup.txt. This file is 57.4 mb. Do you still want me to post it?
    Sharon
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    are you sure it's not 57 b or even 57kb seems high
    I can't think of any registry file that would be 57 mb so try to open explorerpup.txt in notepad and copy & paste here please
     
  11. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    dvk01,
    I'm absolutely sure. Properties said it was 57.4mb. I didn't want to paste the entire file because of how it would be so slow to load.
     
  12. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    I found the explorercomms.txt file. It's as large as the explorerpup.txt. 57.4mb. I copied and pasted this into Microsoft Word. There are 14,631 pages in each of these files. So, that makes it impossible to post to this forum. Properties said both of these files were created today. I could not find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup in the registry.
    This is what is listed for
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms
    Name (Default) Type REG_SZ Data (value not set)
    Name ini Type REG_SZ Data 1
    Name ren Type REG_SZ Data 5/3/24 6:46:17 AM
    Thanks for your help,
    Sharon
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Sharon,

    Copy the part in bold below into notepad and save the file as winpup.reg

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup]


    Then doubleclick the file and confirm you want to merge it with the registry.

    Regards,

    Pieter
     
  14. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    I did as you advised. What does this do to the registry?
    Sharon
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    It removes two entries that are made by the winpup malware.
    No other software makes or uses them, so it should never give any problems.

    Regards,

    Pieter
     
  16. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    Is it save to delete explorerpup.txt and explorercomms.txt? The files are so large.
    Thank you,
    Sharon
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    yes delete them
     
  18. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Derek,
    Thanks for the reply. I've deleted the files.
    Sharon
     
Thread Status:
Not open for further replies.