
trojan infection

Discussion in 'Virus & Other Malware Removal' started by c_marco, Jul 7, 2007.

  1. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    Hello! This is my first time using a help forum.

    I would like some help determining if my computer is free from viruses - I don't believe it is, even after I let my software delete and quarantine its findings.

    My computer detected a host of infections (using Grisoft's AVG free anti-virus), which were then deleted. They were as follows:
    PSW.Agent. FKD infecting the svchost.exe file,
    Trojan Horse Generic3.sq infecting a file called drvfez.dll in the system 32 folder
    Trojan Horse Dropper.Small.29.E
    Trojan Horse Generic 4.zqi
    Trojan Horse Dialer.FHG

    Besides the first 2, the other infections were in a temporary internet folder listed as IE5, which I could never find. I let AVG delete and quarantine them.

    I still feel that my computer is compromised however for a couple of reasons:

    1. iexplore.exe runs as a process even if I do not have an Internet Explorer window open.
    2. Without ZoneAlarm enabled, a host of websites are logged by Internet Explorer's history (I guess showing activity that I myself did not initiate).
    3. I also see an executable called msgr.exe in my Task Manager - a process I saw reported as malware.

    I am willing to run a HijackThis log if I need to (although I haven't downloaded it yet and have never used it) - anything to get this resolved.

    I am looking forward to your response.

    My computer specs are:
    Win XP Professional
    Dell 690 Precision Dual Xeon 5130
    2Gb Ram

    This is an edit: I just ran Spybot and found coolWWWsearch.svchost32, as well as win32.keylogger.fl, win32.agent.ECD, astakiller.azk, Virtumonde in my registry values. I let Spybot clear them.

    How worried should I be - esp. considering the keylogger and the dialer?

    Edit: even though Spybot cleared the above-mentioned items, msgr.exe still seems to be running - I failed to mention that I am also getting a periodic stop error that crashes my machine - just had one. Here is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:18:50 AM, on 7/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\TEMP\win2394.tmp.exe
    C:\WINDOWS\mgrs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\Monitor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\HijackThis\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070502
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070502
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0D46FB99-84E0-4A6A-82A6-F512C2163E09} - C:\WINDOWS\system32\pmnnmnm.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {9D21C57F-1A09-4B86-BDFF-744382F9EC50} - C:\WINDOWS\system32\vtuts.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win2394.tmp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S41A.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\SCURIT~1\wuauboot.exe" -vt yazb
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: pmnnmnm - pmnnmnm.dll (file missing)
    O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll (file missing)
    O20 - Winlogon Notify: windct32 - windct32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\Monitor.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 10129 bytes

    Edit: the stop error is 0x00000008E(0xC0000005, 0x804E4337, 0xB5BF5824, 0x00000000) if that is helpful - the stop error shutdown is, it seems, a frequent occurrence since I detected these viruses.
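The log above is the kind a forum helper reads by eye, looking for autostart entries that run from a temp folder, registered DLLs that no longer exist, and Run keys that name a bare file or an odd short-name folder. As an added example (not code from this thread, from HijackThis, or from any tool named here), the Python script below applies those same triage heuristics to a few lines copied from the posted log. The `Finding` class, the severity labels and the regular expressions are my own constructions; the sample lines are taken from the log as posted.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above,
# mixing entries that are clearly legitimate with the ones a helper would question.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D46FB99-84E0-4A6A-82A6-F512C2163E09} - C:\WINDOWS\system32\pmnnmnm.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win2394.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\SCURIT~1\wuauboot.exe" -vt yazb
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - <body>" / "R1 - <body>": section code followed by the entry itself.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# Body of an O4 Run-key entry: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^HK\S*?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A path component named TEMP or TMP (case-insensitive).
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# An 8.3 short-name folder directly under the Windows directory (C:\WINDOWS\XXXXXX~1\).
SHORTNAME_RE = re.compile(r"\\WINDOWS\\[^\\]*~\d+\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high", "medium" or "review" (heuristic labels, my own)
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> list[Finding]:
    """Apply the triage heuristics to one HijackThis log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m["section"], m["body"]
    findings: list[Finding] = []

    # A BHO or Winlogon Notify registration whose DLL is gone is a leftover of
    # something already removed; the registry entry itself still wants cleaning.
    if section in ("O2", "O20") and "(file missing)" in body:
        findings.append(Finding(section, "medium",
                                "registered DLL no longer exists: orphaned autostart entry", line))

    # Nothing legitimate installs its startup program into a temp directory.
    if TEMP_RE.search(body):
        findings.append(Finding(section, "high",
                                "autostart points into a temp directory", line))

    if section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            exe = executable_of(rm["cmd"])
            if "\\" not in exe:
                findings.append(Finding(section, "review",
                                        "Run entry names a bare file with no path; check which copy is loaded", line))
            elif SHORTNAME_RE.search(exe):
                findings.append(Finding(section, "review",
                                        "Run entry uses a short-name folder directly under Windows; resolve and verify it", line))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Triage every line of a HijackThis log and return the findings in log order."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

Run as-is it reports five of the eight sample lines: the two "(file missing)" registrations, the Run entry in C:\WINDOWS\TEMP, the bare mgrs.exe entry, and the SCURIT~1 entry. The "review" severity is deliberate: a bare filename or a short-name folder is not proof of anything (stsystra.exe in the same log is a legitimate bare entry), it just tells the reader which lines to look up before deciding.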
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double-click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    ================
    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  3. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    thank you for your prompt reply. I see you guys are highly recommended on the web, so I am really hoping this helps.

    I had one error with your instructions. That stop error keeps occurring before Superspyware can finish its scan. I haven't sat through the whole thing - but see something called a "Vonde variant" found in the registry - the scan never gets to complete before these items are quarantined though. I don't think the stop error is a symptom of the scan process because it was happening at other times - seems like within an hour. I was able to carry out the others.

    Also, if/when I try the Superspyware scan again - you mentioned checking a few items in the preferences, which I did. However, were the other items to be actively unchecked or left in their default checked state (in other words, only configure the 3 items you pointed out)? I will keep attempting the scan (this will be the 3rd attempt) and if successful will post in an edit if I don't hear from you first.

    I am of course as concerned with the stop error as I am about potential consequences from the other stuff. Thank you for your continued help.

    the combofix log:

    "Dante" - 2007-07-07 20:00:31 - ComboFix 07-07-07.3 - Service Pack 2


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\scurit~1


    ((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))


    2007-07-07 19:59 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-07 09:45 <DIR> d-------- C:\Program Files\Lavasoft
    2007-07-07 09:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-07-07 09:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-07 09:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-07-07 07:23 <DIR> d-------- C:\DOCUME~1\MAIRIA~1\APPLIC~1\MailFrontier
    2007-07-06 22:22 512 --a------ C:\ScanSectorLog.dat
    2007-07-06 22:05 <DIR> d-------- C:\DOCUME~1\Dante\APPLIC~1\MailFrontier
    2007-07-06 21:58 12,288 --a------ C:\WINDOWS\system32\syswin.exe
    2007-07-06 21:36 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-07-06 21:36 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-07-06 21:36 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-07-06 21:36 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-07-06 21:36 2,429,984 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-07-06 21:36 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
    2007-07-06 21:36 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-07-06 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
    2007-07-06 21:35 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2007-07-06 21:35 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2007-07-06 19:18 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-07-06 19:18 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-07-06 19:06 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-07-06 09:46 6,369 --ahs---- C:\WINDOWS\system32\stutv.bak1
    2007-07-04 10:32 1,284 --a------ C:\WINDOWS\mozver.dat
    2007-07-03 10:41 54,272 --a------ C:\WINDOWS\system32\epfb3cpl.dll
    2007-07-03 10:41 45,056 --a------ C:\WINDOWS\system32\essiscsi.dll
    2007-07-03 10:41 36,864 --a------ C:\WINDOWS\system32\icmrt20a.dll
    2007-07-03 10:41 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-07-03 10:41 <DIR> d-------- C:\WINDOWS\TWAIN
    2007-07-03 10:34 <DIR> d-------- C:\EPSCAN2
    2007-07-02 19:43 <DIR> d-------- C:\Program Files\iPod
    2007-07-02 19:42 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-07-02 19:42 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-07-02 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-06-29 14:07 <DIR> d-------- C:\DOCUME~1\Dante\APPLIC~1\WinRAR
    2007-06-29 14:01 <DIR> d-------- C:\Program Files\Common Files\element5 Shared
    2007-06-29 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\element5
    2007-06-29 13:41 <DIR> d--h----- C:\Program Files\Zero G Registry
    2007-06-29 13:41 <DIR> d--h----- C:\DOCUME~1\Dante\InstallAnywhere
    2007-06-29 13:41 <DIR> d-------- C:\Program Files\Pixologic
    2007-06-28 14:10 0 --a------ C:\WINDOWS\nsreg.dat
    2007-06-24 22:11 <DIR> d-------- C:\Program Files\LucasArts
    2007-06-20 13:46 <DIR> d-------- C:\Program Files\QuickTime
    2007-06-20 13:46 <DIR> d-------- C:\Program Files\iTunes
    2007-06-20 13:46 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-06-20 13:46 <DIR> d-------- C:\DOCUME~1\Dante\APPLIC~1\Apple Computer
    2007-06-20 13:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
    2007-06-13 03:08 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\WTablet
    2007-06-12 18:10 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-06-12 18:10 <DIR> d-------- C:\Program Files\epsonscan
    2007-06-12 18:10 <DIR> d-------- C:\DOCUME~1\Dante\WINDOWS
    2007-06-11 17:35 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-08 12:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-06-08 12:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-06-08 12:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-06-08 12:56 <DIR> d-------- C:\5daa424beed54932be01b37af0ad
    2007-06-08 12:55 <DIR> d-------- C:\03abf49164e9bcbb1fa06368


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-07 23:57:19 -------- d-----w C:\DOCUME~1\Dante\APPLIC~1\WTablet
    2007-07-01 14:28:03 -------- d-----w C:\DOCUME~1\Dante\APPLIC~1\U3
    2007-06-25 02:11:42 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-06-04 01:42:30 -------- d-----w C:\DOCUME~1\Dante\APPLIC~1\CyberLink
    2007-05-26 04:17:50 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-05-26 03:57:07 -------- d-----w C:\Program Files\Activision
    2007-05-26 01:22:16 -------- d-----w C:\DOCUME~1\Dante\APPLIC~1\Opera
    2007-05-24 14:11:55 -------- d-----w C:\Program Files\Tablet
    2007-05-22 02:33:31 40,960 ----a-w C:\WINDOWS\nvgffx_ss_01.exe.dll
    2007-05-22 02:33:31 395,708 ----a-w C:\WINDOWS\nvgffx_ss_01.exe.scr
    2007-05-22 02:33:31 18,192 ----a-w C:\WINDOWS\nvgffx_ss_01.exe.dat
    2007-05-22 02:33:31 1,588,479 ----a-w C:\WINDOWS\nvgffx_ss_01.exe.exe
    2007-05-21 01:01:18 -------- d-----w C:\Program Files\EPSON
    2007-05-21 00:31:46 -------- d-----w C:\Program Files\Common Files\InstallShield
    2007-05-21 00:14:25 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
    2007-05-20 23:34:09 -------- d-----w C:\DOCUME~1\Dante\APPLIC~1\Microsoft Web Folders
    2007-05-20 23:34:02 -------- d-----w C:\Program Files\microsoft frontpage
    2007-05-20 23:26:54 -------- d-----w C:\Program Files\Common Files\Macromedia Shared
    2007-05-20 22:29:55 -------- d-----w C:\Program Files\Autodesk
    2007-05-20 22:29:52 -------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2007-05-19 15:47:50 -------- d-----w C:\Program Files\Google
    2007-05-19 15:37:28 -------- d-----w C:\DOCUME~1\Dante\APPLIC~1\Google
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-02 23:06:52 10,512 ----a-w C:\dskcache1.exe
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D46FB99-84E0-4A6A-82A6-F512C2163E09}]
    C:\WINDOWS\system32\pmnnmnm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D21C57F-1A09-4B86-BDFF-744382F9EC50}]
    C:\WINDOWS\system32\vtuts.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-05-19 11:37 2403392 -ra------ c:\program files\google\googletoolbar2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    2007-06-19 19:29 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    2007-01-26 10:07 98304 --a------ C:\Program Files\BAE\BAE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 16:00 C:\WINDOWS\stsystra.exe]
    "Popup"="C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2006-04-20 17:56]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-02 19:10]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-06 19:18]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 19:29]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
    "EPSON Stylus Photo R260 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe" [2006-05-19 04:00]
    "Tair"="C:\WINDOWS\SCURIT~1\wuauboot.exe" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{0D46FB99-84E0-4A6A-82A6-F512C2163E09}"="C:\WINDOWS\system32\pmnnmnm.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnmnm]
    pmnnmnm.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuts]
    C:\WINDOWS\system32\vtuts.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\windct32]
    windct32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4fe6faf-0621-11dc-9921-0019b9309067}]
    AutoRun\command- G:\LaunchU3.exe -a


    Contents of the 'Scheduled Tasks' folder
    2007-07-04 12:11:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-07 20:04:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-07 20:06:02
    C:\ComboFix-quarantined-files.txt ... 2007-07-07 20:06

    --- E O F ---


    here is the new hijackthis:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:53:27 PM, on 7/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\Monitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\HijackThis\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070502
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0D46FB99-84E0-4A6A-82A6-F512C2163E09} - C:\WINDOWS\system32\pmnnmnm.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {9D21C57F-1A09-4B86-BDFF-744382F9EC50} - C:\WINDOWS\system32\vtuts.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S41A.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\SCURIT~1\wuauboot.exe" -vt yazb
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmnnmnm - pmnnmnm.dll (file missing)
    O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll (file missing)
    O20 - Winlogon Notify: windct32 - windct32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\Monitor.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9872 bytes
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HiJackThis – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {0D46FB99-84E0-4A6A-82A6-F512C2163E09} - C:\WINDOWS\system32\pmnnmnm.dll (file missing)

    O2 - BHO: (no name) - {9D21C57F-1A09-4B86-BDFF-744382F9EC50} - C:\WINDOWS\system32\vtuts.dll (file missing)

    O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\SCURIT~1\wuauboot.exe" -vt yazb

    O20 - Winlogon Notify: pmnnmnm - pmnnmnm.dll (file missing)

    O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll (file missing)

    O20 - Winlogon Notify: windct32 - windct32.dll (file missing)

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode

    Try SAS again

    Please give feedback on what worked/didn’t work and the current status of your system
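The "fix these" list in the reply above picks out three patterns from the posted log: unnamed BHOs whose DLL is already gone from disk, Winlogon Notify entries whose DLL is gone, and a Run entry launching from an unexpected subfolder of C:\WINDOWS. The Python script below is an added example written for this page; it is not part of the thread and not HijackThis's own code. It encodes that triage as rules and runs them over seven lines copied from the log (the clean entries act as controls). The benign-missing allow-list, the rule names and the sample selection are this example's own assumptions.

```python
"""Rule-based triage of HijackThis log lines (added example, not HJT's own code)."""
import re
from typing import List, Tuple

FILE_MISSING = "(file missing)"

# Assumption: a short allow-list of entries that show "(file missing)" on a
# clean XP SP2 box. xpnetdiag.exe is the one visible in the posted log.
BENIGN_MISSING = ("xpnetdiag.exe",)

# Constructed sample: seven lines copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D46FB99-84E0-4A6A-82A6-F512C2163E09} - C:\WINDOWS\system32\pmnnmnm.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\SCURIT~1\wuauboot.exe" -vt yazb
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: windct32 - windct32.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
""".strip()

_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Matches "<drive>:\WINDOWS\<subfolder>\" and captures the subfolder name.
_WIN_SUBDIR_RE = re.compile(r"[A-Z]:\\WINDOWS\\(?P<sub>[^\\]+)\\", re.IGNORECASE)
_KNOWN_SUBDIRS = {"system32"}


def _exe_path(cmd: str) -> str:
    """Executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _benign_missing(line: str) -> bool:
    low = line.lower()
    return any(name in low for name in BENIGN_MISSING)


def triage(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, line) for each entry the rules consider suspicious."""
    findings: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        section = line.split(" ", 1)[0]  # 'O2', 'O4', 'O20', ...
        missing = FILE_MISSING in line
        if missing and _benign_missing(line):
            continue  # known harmless XP artifact, see BENIGN_MISSING
        if section == "O2" and "(no name)" in line and missing:
            # An unnamed BHO is not enough on its own (Spybot's SDHelper.dll has no
            # name either); unnamed AND gone from disk is residue of a removed DLL.
            findings.append((n, "orphaned unnamed BHO", line))
        elif section == "O20" and "Winlogon Notify:" in line and missing:
            # Notify DLLs load into winlogon.exe as SYSTEM; a dangling entry is
            # residue that a legitimate uninstaller would have removed.
            findings.append((n, "dangling Winlogon Notify entry", line))
        elif section == "O4":
            m = _O4_RE.match(line)
            if not m:
                continue
            sub = _WIN_SUBDIR_RE.search(_exe_path(m.group("cmd")))
            if sub and sub.group("sub").lower() not in _KNOWN_SUBDIRS:
                # Windows components live in system32; "SCURIT~1" is an 8.3 name for
                # an unexpected folder, and wuauboot.exe mimics the real wuauclt.exe.
                findings.append((n, f"Run entry launching from WINDOWS\\{sub.group('sub')}", line))
    return findings


if __name__ == "__main__":
    for line_no, reason, text in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}\n    {text}")
```

Run stand-alone it reports lines 2, 4 and 6 of the sample, which are exactly the entries the reply tells the poster to fix. The point worth keeping from the rules is that "(file missing)" on its own is not a verdict: the xpnetdiag O9 button shows as missing on plenty of clean XP installs, and Spybot's unnamed SDHelper.dll BHO is present on disk, so each rule checks the section and the file state together rather than either alone.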
     
  5. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    O.K., fixed the recommended items through HijackThis.
    I still cannot get through a SAS scan - the system still crashes.
    This is a new computer (2 months old) - the crash has to do with the infection, correct?

    I do not notice any other system issues. The computer was starting up and shutting down slow previous to some of the fixes we applied, but that seems to be resolved - although I notice Zonealarm starts up rather slow (is this normal?). I am also using the 15 day trial and I do not know if it is normal on startup for Zonealarm to detect a "new public network" every time (is this my computer connecting normally to the net, or someone else's 'network' connecting to mine through the net?)

    Edit: I managed to get through a ZoneAlarm scan without the system crashing. ZoneAlarm found 2 new threats: Win32.Packed.Klone.g and Win32.Trojan.Agent.qt with these as details:

    File: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP77\A0005171.dll

    File: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP77\A0005176.dll

    I had ZA quarantine these.
    It seems this computer is still really infected!

    Here is my new Hijackthis log (this was taken before the ZoneAlarm Scan).

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:50:27 AM, on 7/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\Monitor.exe
    C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\HijackThis\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070502
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S41A.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\Monitor.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9316 bytes
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  7. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    I set clean restore points.

    I have 2GB of memory.
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    I would be very surprised if there is not a problem with the memory

    Do you have a diagnostic disk?
     
  9. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    yes I have Dell's standard drivers and utilities disk that shipped with my computer. There are diagnostics on it.

    If there is a memory problem, is it related to the virus? Since I cleared the system restore points, this computer has not crashed yet.

    I got SAS to work - here is what it found:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/08/2007 at 06:06 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3266
    Trace Rules Database Version: 1277

    Scan type : Complete Scan
    Total Scan Time : 00:26:28

    Memory items scanned : 427
    Memory threats detected : 0
    Registry items scanned : 5473
    Registry threats detected : 0
    File items scanned : 28566
    File threats detected : 110

    Adware.Tracking Cookie
    C:\Documents and Settings\Dante\Cookies\[email protected][2].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][1].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][1].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][2].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][2].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][1].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][2].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][1].txt
    C:\Documents and Settings\Dante\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][3].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][3].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][3].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][3].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][5].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][6].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\mairia[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][5].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][6].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][1].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
    C:\Documents and Settings\Mairianne\Cookies\[email protected][2].txt
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    I have no answer, but I'd run the Dell diagnostics on the memory

    Ur clean!
     
  11. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    First, Thank You so much.

    You never answered my questions about what kind of severity those trojan horses had - and I assume it is because you might not have an answer. So how about this:

    Can I and my wife now resume things like banking or paying bills online? In other words, is it 'safe' or do I have to keep looking over my shoulder with this computer? Don't get me wrong - I respect your expertise when you say I'm clean - I just want to be sure: I don't know if a once-infected computer still poses some kind of risk.

    Also - I now have a lot of anti-spy and anti-virus applications. I heard that a person should only run one anti-virus app at one time - is this correct?

    If my computer continues to crash, will you be willing to continue this thread?

    Thanks Again!
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    I don't think it's a password threat but it never hurts to change them - at the very least just monitor carefully your accounts

    Yes, only one active AntiVirus, but make sure it's an AV vs. an antiSpyware

    Your AV is AVG AV 7.5 and that's all I see
     
  13. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    Right now I have the 15 day trial of ZoneAlarm Suite which has an antivirus scan (this is what prompted my previous question about apps). This morning, ZoneAlarm found Trojan-Downloader.Win32.Alphabet.k - the path was listed as C:\WINDOWS\system32\syswin.exe - there were no other details - it was quarantined.

    Is there any reason why this is still happening? Is my computer now 'targeted' because of the previous infection, or still infected, etc?

    Also, I haven't run a diagnostic yet, but my system was left on all night, and has not crashed since yesterday when I cleared the system restore points.
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    I don't know your surfing habits, but I suspect it is the root of the problem
     
  15. c_marco

    c_marco Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    12
    Since Friday, we have only checked weather, e-mail, the techguy forums.

    I am an artist working on a mural - I google surf looking for images to use as references and sometimes have hit sites that are screensaver sites w/ pop-ups and such as I did yesterday. The mural is of sea turtles and fish - nothing weird. Before that, we use the machine for shopping and I sometimes surf YouTube and 3d forums, sometimes gaming mod forums.

    So you are just telling me to be more careful - right?

    So is the computer infected again, or did ZoneAlarm nab it before the trojan was allowed to download?
     
Short URL to this thread: https://techguy.org/592788
