spyware, malware help Please

Discussion in 'adware, spyware & hijack cleaning' started by Sharon, Apr 29, 2004.

  1. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Hello,
    I just joined your forum tonight. My daughter found the link to your site and sent it to me.
    I’m running Windows XP Home Edition, also Spybot, Adaware, Hijack This, Spy Sweeper and Spy Guard.
    I went to a web site that supposedly had Paint Shop Pro tutorials; instead I was bombarded with a multitude of pop-up windows. A lot of stuff was dumped into my computer. I’ve been working for days to get rid of this stuff and when it seems it’s gone, something else pops up. There were folders that had to be deleted from the Favorites folder. Spybot, Adaware and Spy Sweeper have found the following:
    SCAM.Enigma, VX2.BetterInternet, ShopAtHomeSelect, Gator (GAIN), PurityScan, version 1, couldnotfind.com, IstBar, PowerScan, SideSearch, TeenXXX (TinyBar), Targetsoft, version 1, Slotchbar, TeenXXX (TinyBar), WinActive, version 1 (what is this?), Allaboutsearching, searbar.html, Lopdotcom, version 1, vx2 (Transponder), version 1, and CoolWWW. This garbage really hit me hard. I downloaded ewido security suite. After running it today, it said there weren’t any infected files. As did Spy Sweeper and Spybot. Adaware found VX2.BetterInternet and SCAM.Enigma. Even though these two have been deleted with the above software, Adaware still finds them. I’ve checked the registry and couldn’t find any traces. Also, when searching for IgfxTray, search found IgfxTray-05859571.pf in C:\WINNT\Prefetch. Can you tell me what this is? I’m stumped. Can someone please help me out with this? Below is the HijackThis log.
    Thank you,
    Sharon

    Logfile of HijackThis v1.97.7
    Scan saved at 4:13:12 PM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\etfxperfn.exe
    C:\zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [Remote wipe] C:\PROGRA~1\Nurb proc bore\DUPE MULTI BURN.exe
    O4 - HKLM\..\Run: [_28603c] C:\WINNT\System32\_28603c.exe
    O4 - HKLM\..\Run: [etfxperfn] C:\WINNT\System32\etfxperfn.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Sharon,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:


    O4 - HKLM\..\Run: [Remote wipe] C:\PROGRA~1\Nurb proc bore\DUPE MULTI BURN.exe
    O4 - HKLM\..\Run: [_28603c] C:\WINNT\System32\_28603c.exe
    O4 - HKLM\..\Run: [etfxperfn] C:\WINNT\System32\etfxperfn.exe

    O4 - Startup: PowerReg SchedulerV2.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\Nurb proc bore <= entire folder

    Could you copy and paste the following line into your IE address bar and post the results that get displayed:
    javascript:navigator.userAgent

    Regards,

    Pieter
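Pieter's list above is the first-pass triage; the check a practitioner wants after the reboot is a diff of the O4 (autorun) entries between the log before the fix and the log after it. The Python script below is an added example for this page, not code from the thread or from HijackThis. It parses a subset of the O4 lines copied from Sharon's two logs (constructed sample input; the second log is the one she posts after rebooting), lists which autorun entries went away and which appeared, and flags a directory that lost one unknown binary and gained another, which is what a component that re-drops itself under a fresh name on every boot looks like, as opposed to one that was actually removed. The parsing rules (the regexes and how a command line is reduced to its executable) are my own assumptions, not HijackThis's.

```python
"""Diff the autorun (O4) entries of two HijackThis logs.

Added example for this thread, not code posted by anyone in it. The sample
lines are a subset copied from the two logs Sharon posted (29 and 30 April);
the parsing rules are assumptions of this example, not HijackThis's own.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# "O4 - <location>: <rest>". Registry locations carry "[name] command";
# Startup-folder locations carry "file" or "shortcut.lnk = target".
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable at the start of a command line: optionally quoted, may contain
# spaces, optionally followed by arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Constructed sample input: a subset of the O4 lines from the 29 April log.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Remote wipe] C:\PROGRA~1\Nurb proc bore\DUPE MULTI BURN.exe
O4 - HKLM\..\Run: [_28603c] C:\WINNT\System32\_28603c.exe
O4 - HKLM\..\Run: [etfxperfn] C:\WINNT\System32\etfxperfn.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Constructed sample input: the same subset from the 30 April log.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [bcachew] C:\WINNT\System32\bcachew.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""


def image_path(command: str) -> str:
    """Reduce a Run-key command line to the executable it launches (lower-cased).

    Handles quoted paths with arguments ('"C:\\a b\\x.exe" /run') and unquoted
    paths containing spaces; a target without a .exe is returned as-is.
    """
    m = EXE_RE.match(command.strip())
    return (m["path"] if m else command.strip()).lower()


def parse_autoruns(log: str) -> Dict[str, str]:
    """Map each O4 entry ('location|name') to the image path it starts."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        where, rest = m["where"], m["rest"]
        run = RUN_RE.match(rest)
        if run:                        # registry Run/RunOnce value
            name, target = run["name"], run["cmd"]
        elif " = " in rest:            # Startup-folder shortcut
            name, target = rest.split(" = ", 1)
        else:                          # bare file in a Startup folder
            name, target = rest, rest
        entries[f"{where}|{name}"] = image_path(target)
    return entries


def diff_autoruns(before: Dict[str, str], after: Dict[str, str]
                  ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (removed, added) autorun entries keyed by 'location|name'."""
    removed = {k: v for k, v in before.items() if k not in after}
    added = {k: v for k, v in after.items() if k not in before}
    return removed, added


def renamed_in_place(removed: Dict[str, str], added: Dict[str, str]
                     ) -> Dict[str, Tuple[List[str], List[str]]]:
    """Directories that lost one autorun binary and gained a different one.

    An entry vanishing after a reboot while a new unknown one appears in the
    same directory is the pattern of a component re-dropped under a fresh
    name, not of one that was removed. ntpath is used so the Windows paths
    split correctly on any host running this script.
    """
    def by_dir(entries: Dict[str, str]) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {}
        for path in entries.values():
            d, f = ntpath.split(path)
            out.setdefault(d, []).append(f)
        return out

    gone, new = by_dir(removed), by_dir(added)
    return {d: (sorted(gone[d]), sorted(new[d])) for d in gone if d in new}


if __name__ == "__main__":
    removed, added = diff_autoruns(parse_autoruns(BEFORE_LOG), parse_autoruns(AFTER_LOG))
    for k, v in removed.items():
        print(f"- {k} -> {v}")
    for k, v in added.items():
        print(f"+ {k} -> {v}")
    for d, (old, new) in renamed_in_place(removed, added).items():
        print(f"! {d}: {', '.join(old)} gone, {', '.join(new)} appeared (same directory, new name)")
```

Run against the two logs in this thread, the script reports the three Run values and the PowerReg startup item as removed, `bcachew` as the one addition, and `C:\WINNT\System32` as a directory that lost `_28603c.exe` and `etfxperfn.exe` and gained `bcachew.exe`, which is the signal to treat the infection as still active rather than cleaned.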
     
  3. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Hi Pieter,
    Thank you for your help. This is the result of javascript:navigator.userAgent:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
    Believe it or not, when I rebooted into safe mode the folder C:\PROGRAM FILES\Nurb proc bore wasn’t there for me to delete. This is the new HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:01:21 PM, on 4/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\System32\bcachew.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\zip\HijackThis.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [bcachew] C:\WINNT\System32\bcachew.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I’m also including the log for Adaware. It keeps finding VX2.BetterInternet Object in
    C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1\ even though it supposedly deletes it. There are log files of Adaware in there that were created today. I find that odd, because Adaware keeps log files in its own folder. I have deleted the entire contents of this folder, but the contents are there again when I boot up.


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Friday, April 30, 2004 3:50:05 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R300 28.04.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan within archives

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    4-30-2004 3:50:05 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 4-30-2004 7:03:00 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:02 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:02 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:02 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:03 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:03 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 4-30-2004 7:03:04 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/31/2003 12:00:00 PM

    #:8 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ThreadCreationTime : 4-30-2004 7:03:12 PM
    BasePriority : Normal
    FileSize : 88 KB
    FileVersion : 2, 1, 0, 0
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright (C) SEIKO EPSON CORP. 2000-2001
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    OriginalFilename : SAgent2.exe
    ProductName : EPSON Bidirectional Printer
    Created on : 2/29/2004 6:21:55 PM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 8/9/2001 8:01:00 AM

    #:9 [tablet.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:12 PM
    BasePriority : High
    FileSize : 620 KB
    FileVersion : 4.78-6
    ProductVersion : 4.78-6
    Copyright : Copyright
    CompanyName : Wacom Technology, Corp.
    FileDescription : WacomService
    InternalName : WacomService
    OriginalFilename : WacomService.exe
    ProductName : Wacom Win32 Tablet Service
    Created on : 12/4/2003 11:00:34 PM
    Last accessed : 4/30/2004 8:03:16 PM
    Last modified : 12/4/2003 11:00:34 PM

    #:10 [tmntsrv.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:13 PM
    BasePriority : Normal
    FileSize : 236 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : Tmntsrv
    InternalName : Tmntsrv
    OriginalFilename : Tmntsrv.exe
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:53:58 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/24/2004 11:47:15 PM

    #:11 [tmproxy.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:13 PM
    BasePriority : Normal
    FileSize : 200 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : TmProxy.exe
    InternalName : TmProxy.exe
    OriginalFilename : TmProxy.exe
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:55:30 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/24/2004 11:47:16 PM

    #:12 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 4-30-2004 7:03:16 PM
    BasePriority : Normal
    FileSize : 973 KB
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 5/12/2003 3:12:10 AM
    Last accessed : 4/30/2004 8:49:47 PM
    Last modified : 5/12/2003 3:12:10 AM

    #:13 [pccpfw.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:20 PM
    BasePriority : Normal
    FileSize : 684 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCCPFW
    InternalName : PCCPFW
    OriginalFilename : PCCPFW.exe
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:50:10 AM
    Last accessed : 4/30/2004 8:24:32 PM
    Last modified : 3/24/2004 11:47:15 PM

    #:14 [hkcmd.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:26 PM
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 3.0.0.2331
    ProductVersion : 7.0.0.2331
    Copyright : Copyright 1999-2003, Intel Corporation
    CompanyName : Intel Corporation
    FileDescription : hkcmd Module
    InternalName : HKCMD
    OriginalFilename : HKCMD.EXE
    ProductName : Intel(R) Common User Interface
    Created on : 1/1/1980 6:00:00 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 11/18/2003 6:11:44 AM

    #:15 [gwinkmonitor.exe]
    FilePath : C:\Program Files\Gateway\Gateway Ink Monitor\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 296 KB
    FileVersion : 1.2.0.0
    ProductVersion : 1.2.0.0
    Copyright : Copyright
    CompanyName : Gateway
    FileDescription : Gateway Ink Monitor
    ProductName : Gateway Online Ink Purchase Utility
    Created on : 12/18/2003 3:37:58 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 11/5/2003 6:23:28 PM

    #:16 [sm1bg.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 92 KB
    FileVersion : 6.01.1000.0
    ProductVersion : 6.01.1000.0
    Copyright : Copyright (C) 1998-2003 Cypress Semiconductor
    CompanyName : Cypress Semiconductor
    FileDescription : Cypress USB Mass Storage Driver Background Application
    InternalName : SM1BG.EXE
    OriginalFilename : SM1BG.EXE
    ProductName : Cypress USB Mass Storage Adapter
    Created on : 12/18/2003 3:39:40 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 8/27/2003 8:20:00 PM

    #:17 [mmtask.exe]
    FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 52 KB
    FileVersion : 1.0.0.1
    ProductVersion : 1.0.0.1
    Copyright : TODO: (c) <Company name>. All rights reserved.
    CompanyName : TODO: <Company name>
    FileDescription : TODO: <File description>
    InternalName : mmtask.exe
    OriginalFilename : mmtask.exe
    ProductName : TODO: <Product name>
    Created on : 12/18/2003 3:43:49 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 6/26/2003 11:04:20 PM

    #:18 [pccguide.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:27 PM
    BasePriority : Normal
    FileSize : 928 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCCGuide
    InternalName : PCCGuide
    OriginalFilename : PCCGuide
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:46:48 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 3/24/2004 11:47:13 PM

    #:19 [pcclient.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 620 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCClient
    InternalName : PCClient
    OriginalFilename : PCClient
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:46:13 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 3/24/2004 11:47:13 PM

    #:20 [tmoagent.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 284 KB
    FileVersion : 11.0.0.1253
    ProductVersion : 11.0.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : TrendMicro Outbreak agent
    InternalName : TMOAgent
    OriginalFilename : TMOAgent.EXE
    ProductName : Trend Pc-cillin 11
    Created on : 9/22/2003 3:44:55 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 9/22/2003 3:44:55 AM

    #:21 [directcd.exe]
    FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 5.3.0.107
    ProductVersion : 5.3.0.107
    Copyright : Copyright (c) 2001,2002, Roxio, Inc.
    CompanyName : Roxio
    FileDescription : DirectCD Application
    InternalName : DirectCD
    OriginalFilename : Directcd.exe
    ProductName : DirectCD
    Created on : 6/21/2002 5:54:08 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 6/21/2002 5:54:08 PM

    #:22 [fpdisp4.exe]
    FilePath : C:\WINNT\System32\spool\DRIVERS\W32X86\3\
    ThreadCreationTime : 4-30-2004 7:03:28 PM
    BasePriority : Normal
    FileSize : 388 KB
    FileVersion : 4.83
    ProductVersion : 4.83
    Copyright : Copyright (c) 1995-2003 FinePrint Software, LLC
    CompanyName : FinePrint Software, LLC
    FileDescription : FinePrint 2000
    ProductName : FinePrint 2000
    Created on : 4/16/2004 2:56:22 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 6/3/2003 6:13:20 PM

    #:23 [jusched.exe]
    FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
    ThreadCreationTime : 4-30-2004 7:03:29 PM
    BasePriority : Normal
    FileSize : 32 KB
    Created on : 11/19/2003 10:48:18 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 11/19/2003 10:48:14 PM

    #:24 [wwdisp.exe]
    FilePath : C:\Program Files\Webroot\Washer\
    ThreadCreationTime : 4-30-2004 7:03:31 PM
    BasePriority : Normal
    FileSize : 193 KB
    FileVersion : 5.0.0.7
    ProductVersion : 5.0
    Copyright : Copyright (c) 1999, 2003 All Rights Reserved
    CompanyName : Webroot Software
    FileDescription : Window Washer hard disk cleaning utility
    InternalName : wwDisp.exe
    OriginalFilename : wwDisp.exe
    ProductName : Window Washer 5.0
    Created on : 3/14/2004 2:01:56 PM
    Last accessed : 4/30/2004 8:35:10 PM
    Last modified : 10/8/2003 11:00:08 AM

    #:25 [spysweeper.exe]
    FilePath : C:\Program Files\Webroot\Spy Sweeper\
    ThreadCreationTime : 4-30-2004 7:03:31 PM
    BasePriority : Normal
    FileSize : 649 KB
    FileVersion : 2.6.1.45
    ProductVersion : 1.0.0.0
    Copyright : Copyright (c) 2001-2003 Webroot Software, Inc.
    CompanyName : Webroot Software, Inc.
    FileDescription : Spy Sweeper
    ProductName : Spy Sweeper
    Created on : 4/19/2004 5:22:11 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 2/25/2004 4:48:26 PM

    #:26 [psfree.exe]
    FilePath : C:\PROGRA~1\PANICW~1\POP-UP~1\
    ThreadCreationTime : 4-30-2004 7:03:31 PM
    BasePriority : Normal
    FileSize : 512 KB
    FileVersion : 3, 1, 0, 1012
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright (C) 2002-2003
    CompanyName : Panicware, Inc.
    FileDescription : Pop-Up Stopper Free Edition
    InternalName : Pop-Up Stopper Free Edition
    OriginalFilename : PSFree.exe
    ProductName : Pop-Up Stopper Free Edition
    Created on : 4/22/2004 12:13:10 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 10/29/2003 4:01:02 PM

    #:27 [tabuserw.exe]
    FilePath : C:\WINNT\system32\Wtablet\
    ThreadCreationTime : 4-30-2004 7:03:32 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 4.78-6
    ProductVersion : 4.78-6
    Copyright : Copyright
    CompanyName : Wacom Technology, Corp.
    FileDescription : TABUSERW
    InternalName : TABUSERW
    OriginalFilename : TABUSERW.EXE
    ProductName : Wacom Technology, Corp. TABUSERW
    Created on : 12/4/2003 10:48:40 PM
    Last accessed : 4/30/2004 8:03:47 PM
    Last modified : 12/4/2003 10:48:40 PM

    #:28 [indstrf.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 4-30-2004 7:03:35 PM
    BasePriority : Normal
    FileSize : 52 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    InternalName : mde
    OriginalFilename : mde.exe
    ProductName : mde
    Created on : 4/30/2004 7:03:32 PM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 1/11/2004 6:30:54 AM

    #:29 [sgmain.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 4-30-2004 7:03:36 PM
    BasePriority : Normal
    FileSize : 352 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC
    FileDescription : SpywareGuard
    InternalName : sgmain
    OriginalFilename : sgmain.exe
    ProductName : SpywareGuard
    Created on : 8/30/2003 12:05:35 AM
    Last accessed : 4/30/2004 8:03:46 PM
    Last modified : 8/30/2003 12:05:35 AM

    #:30 [sgbhp.exe]
    FilePath : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 4-30-2004 7:03:40 PM
    BasePriority : Normal
    FileSize : 228 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    OriginalFilename : sgbhp.exe
    ProductName : SG Browser Hijacking Protection
    Created on : 8/29/2003 4:14:56 PM
    Last accessed : 4/30/2004 8:25:03 PM
    Last modified : 8/29/2003 4:14:56 PM

    #:31 [e_s10ic2.exe]
    FilePath : C:\WINNT\System32\spool\DRIVERS\W32X86\3\
    ThreadCreationTime : 4-30-2004 7:03:41 PM
    BasePriority : Normal
    FileSize : 67 KB
    FileVersion : 3.01
    ProductVersion : 3.01
    Copyright : Copyright (C) SEIKO EPSON CORP. 2001
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Status Monitor 3
    InternalName : E_S10IC2
    OriginalFilename : E_S10IC2.EXE
    ProductName : EPSON Status Monitor 3
    Created on : 2/29/2004 6:21:54 PM
    Last accessed : 4/30/2004 8:25:03 PM
    Last modified : 6/14/2001 9:01:00 AM

    #:32 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 4-30-2004 8:49:56 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 3/4/2004 9:10:37 PM
    Last accessed : 4/30/2004 8:49:56 PM
    Last modified : 7/13/2003 4:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    VX2.BetterInternet Object recognized!
    Type : File
    Data : a0000129.dll
    Object : C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1\
    FileSize : 301 KB
    Created on : 4/30/2004 3:41:13 PM
    Last accessed : 4/30/2004 8:44:07 PM
    Last modified : 4/27/2004 8:06:43 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    4:02:18 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:12:12:484
    Objects scanned :208474
    Objects identified :1
    Objects ignored :0
    New objects :1

    Thank you,
    Sharon
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Sharon,

    When you get back online could you please post a fresh HijackThis log.
    I think you have a malware that changes its name every time you reboot.
    So I will need to know the name it currently is using to help you get rid of it.

    Regards,

    Pieter
     
  5. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    Here is the latest HJT log.
    Thanks,
    Sharon

    Logfile of HijackThis v1.97.7
    Scan saved at 7:39:05 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\WINNT\System32\lsfuncn.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
    C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [lsfuncn] C:\WINNT\System32\lsfuncn.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Sharon,

    Bring up TaskManager and stop the process called:
    lsfuncn.exe

    Then find and delete the file:
    C:\WINNT\System32\lsfuncn.exe

    Then have HijackThis fix:
    O4 - HKLM\..\Run: [lsfuncn] C:\WINNT\System32\lsfuncn.exe

    and reboot.

    Regards,

    Pieter
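Pieter's call that the file renames itself on every boot is something you can read off two HijackThis logs taken on different days: a System32 executable that is present in one log and gone in the next, with an unfamiliar new name in its place, is the process to stop, and the O4 Run entry pointing at the current name is the line to fix. The script below is an added example, not something posted in the thread and not part of HijackThis; it parses two logs and does that comparison. The sample logs are constructed and trimmed: the 5/3 lines come from the log above, while the 4/30 log is assumed from Ad-aware's process list on that date, which shows indstrf.exe in System32.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample logs, trimmed to a few lines each. The 4/30 log is assumed:
# only Ad-aware's process list from that day names indstrf.exe (52 KB, System32).
LOG_APR30 = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\indstrf.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\zip\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
"""

LOG_MAY3 = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\lsfuncn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\zip\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lsfuncn] C:\WINNT\System32\lsfuncn.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""

RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Leading drive-rooted path ending in .exe, quoted or not; arguments like " /0" are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.+?\.exe)\b', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    key: str       # Run or RunOnce
    name: str      # value name inside the key, e.g. "lsfuncn"
    command: str   # command line exactly as HijackThis printed it

    def exe(self) -> Optional[str]:
        m = EXE_RE.match(self.command)
        return m["exe"] if m else None


@dataclass
class HjtLog:
    processes: list[str]
    run_entries: list[RunEntry]


def parse_hjt(text: str) -> HjtLog:
    """Pull the 'Running processes:' block and the O4 Run/RunOnce lines out of a log."""
    processes, runs, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False          # the process block ends at the first blank line
            continue
        if in_procs:
            processes.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return HjtLog(processes, runs)


def system32_names(log: HjtLog) -> set[str]:
    """Lower-cased names of running executables that sit directly in System32."""
    names = set()
    for proc in log.processes:
        path = PureWindowsPath(proc)
        if path.parent.name.lower() == "system32":
            names.add(path.name.lower())
    return names


def diff_system32(old: HjtLog, new: HjtLog) -> tuple[list[str], list[str]]:
    """(appeared, vanished): System32 processes present in only one of the two logs.
    Genuine System32 residents are in both; a dropper that picks a fresh name on
    every boot shows as one name vanishing and another appearing."""
    before, after = system32_names(old), system32_names(new)
    return sorted(after - before), sorted(before - after)


def run_entry_for(log: HjtLog, exe_name: str) -> Optional[RunEntry]:
    """The O4 autostart entry launching exe_name: the line to have HijackThis fix."""
    for entry in log.run_entries:
        exe = entry.exe()
        if exe and PureWindowsPath(exe).name.lower() == exe_name.lower():
            return entry
    return None


if __name__ == "__main__":
    old, new = parse_hjt(LOG_APR30), parse_hjt(LOG_MAY3)
    appeared, vanished = diff_system32(old, new)
    print("vanished since last log:", vanished)
    print("appeared since last log:", appeared)
    for name in appeared:
        entry = run_entry_for(new, name)
        if entry:
            print(f"fix: O4 - {entry.hive}\\..\\{entry.key}: [{entry.name}] {entry.command}")
```

The comparison is deliberately restricted to System32 because that is where this family dropped its renamed copies; widening it to every directory would also report legitimate programs the user simply closed or started between the two scans.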
     
  7. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    What is lsfuncn.exe? I'm so surprised that all this stuff got by all the protection I have on my computer. I did as you advised, here is the new HJT log.
    Thank you so much for all your help, I truly appreciate it! I would never have been able to clean this up without your help!
    Sharon

    Logfile of HijackThis v1.97.7
    Scan saved at 9:10:36 AM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\Tablet.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\WINNT\SM1BG.EXE
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINNT\system32\Wtablet\TabUserW.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.my.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://charter.my.msn.com/default.armx
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kk7rtymc.slt\prefs.js)
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38046.5602893519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Good job, Sharon.

    Looks like you got rid of it. :cool:

    I think it was the malware that some detect as Revop.C

    Can you try this:
    Click Start > Run and copy&paste this command
    regedit /e c:\explorerpup.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup"


    Repeat the same for:
    regedit /e c:\explorercomms.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms"

    Find the c:\explorerpup.txt and c:\explorercomms.txt file and post the content. No panic if they don't exist. That means I was wrong about Revop.

    Regards,

    Pieter
     
  9. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    Trend caught an email message attachment with REVOP.C. I found information on their site and checked all my files manually to make sure my computer didn't get infected. I couldn't find explorercomms.txt but did find explorerpup.txt. This file is 57.4 MB. Do you still want me to post it?
    Sharon
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Are you sure it's not 57 b or even 57 kb? That seems high.
    I can't think of any registry file that would be 57 mb, so try to open explorerpup.txt in Notepad and copy & paste it here please.
     
  11. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    dvk01,
    I'm absolutely sure. Properties said it was 57.4mb. I didn't want to paste the entire file because of how it would be so slow to load.
     
  12. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    I found the explorercomms.txt file. It's as large as the explorerpup.txt. 57.4mb. I copied and pasted this into Microsoft Word. There are 14,631 pages in each of these files. So, that makes it impossible to post to this forum. Properties said both of these files were created today. I could not find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup in the registry.
    This is what is listed for
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms
    Name        Type     Data
    (Default)   REG_SZ   (value not set)
    ini         REG_SZ   1
    ren         REG_SZ   5/3/24 6:46:17 AM
    Thanks for your help,
    Sharon
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Sharon,

    Copy the part in bold below into Notepad and save the file as winpup.reg

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup]


    Then double-click the file and confirm you want to merge it with the registry.

    Regards,

    Pieter
     
  14. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    I did as you advised. What does this do to the registry?
    Sharon
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    It removes two entries that are made by the winpup malware.
    No other software makes or uses them, so it should never give any problems.

    Regards,

    Pieter
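What a .reg file does can be read off its syntax before it is merged: `[Key]` creates or opens a key, `[-Key]` deletes the key and everything under it, `"name"=data` sets a value, `"name"=-` deletes one, and a trailing backslash continues hex data onto the next line. The script below is an added example and not part of the thread; it parses the winpup.reg Pieter posted plus a second, constructed file, summarises the actions, and checks that every key the file touches lies under the subtree you expected (here Explorer). That last check is the one worth running on any .reg file received from a forum before double-clicking it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# The file Pieter posted, verbatim.
WINPUP_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup]
"""

# Constructed file exercising the other line types: default value, DWORD,
# value deletion ("Old"=-) and hex data continued across lines.
SAMPLE_VALUES = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleOnly]
@="hello"
"Count"=dword:00000001
"Old"=-
"Blob"=hex:00,01,\
  02,03
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


@dataclass
class KeyAction:
    path: str
    delete: bool                                  # [-Key]: remove key and all subkeys
    set_values: dict[str, str] = field(default_factory=dict)
    deleted_values: list[str] = field(default_factory=list)


def parse_reg(text: str) -> list[KeyAction]:
    """List the key-level actions regedit would perform when merging this text.
    (Version 5.00 files on disk are UTF-16; decode them before calling this.)"""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Registry Editor header")
    actions: list[KeyAction] = []
    current: Optional[KeyAction] = None
    buf = ""
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):                   # hex(...) data continues on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        m = KEY_RE.match(line)
        if m:
            current = KeyAction(m["path"], delete=bool(m["minus"]))
            actions.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m["name"] == "@" else m["name"][1:-1]
            if m["data"] == "-":
                current.deleted_values.append(name)
            else:
                current.set_values[name] = m["data"]
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return actions


def outside_scope(actions: list[KeyAction], allowed_keys: list[str]) -> list[str]:
    """Key paths the file touches that are NOT equal to or under an expected key
    (case-insensitive). For a file you were told only cleans Explorer\\comms and
    Explorer\\pup, this should come back empty."""
    allowed = [k.lower().rstrip("\\") for k in allowed_keys]

    def permitted(path: str) -> bool:
        p = path.lower()
        return any(p == k or p.startswith(k + "\\") for k in allowed)

    return [a.path for a in actions if not permitted(a.path)]


def summarize(actions: list[KeyAction]) -> list[str]:
    out = []
    for a in actions:
        if a.delete:
            out.append(f"DELETE KEY   {a.path}")
            continue
        out.append(f"CREATE/OPEN  {a.path}")
        out += [f"    set value    {n} = {d}" for n, d in a.set_values.items()]
        out += [f"    delete value {n}" for n in a.deleted_values]
    return out


if __name__ == "__main__":
    acts = parse_reg(WINPUP_REG)
    print("\n".join(summarize(acts)))
    explorer = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    print("keys outside the Explorer subtree:", outside_scope(acts, [explorer]))
```

Running it on winpup.reg reports two key deletions and nothing outside the Explorer subtree, which matches what Pieter says the file does: two keys go, no values are written anywhere else.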
     
  16. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Pieter,
    Is it safe to delete explorerpup.txt and explorercomms.txt? The files are so large.
    Thank you,
    Sharon
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes, delete them.
     
  18. Sharon

    Sharon Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    11
    Derek,
    Thanks for the reply. I've deleted the files.
    Sharon
     