
Author Topic: sysvxd.exe trojan  (Read 4176 times)


Jax_Minnesota

    Topic Starter


    Rookie

    sysvxd.exe trojan
    « on: June 08, 2009, 08:11:41 PM »
    Attn: EvilFantasy --

    Thanks to you and the team for offering to look at my log files. 

    I use ESET as my AV program, run a pretty clean build of XP professional media center, build 2600 xpsp_sp3, with IE 8.0, Acrobat 7, and MS Office XP.   Recently rebuilt from a clean format and partition.   

    I kept on getting this error message:

               Error Code 16 bit MS-DOS Subsystem
               c:\windows\s\Sysvxd.exe
               The NTVDM CPU has encountered an illegal instruction.
               CS:0dbf IP:06d0 OP:63 6f 6c 6f 72 Choose 'Close' to terminate the application.

               with Close or Ignore options. 

    No noticeable change to operations when I closed the 'process'. I looked up sysvxd.exe, and a Kaspersky forum and then this one said it was the result of a Trojan. 

    Anyway, here are my log files. 

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/08/2009 at 05:45 PM

    Application Version : 4.26.1004

    Core Rules Database Version : 3929
    Trace Rules Database Version: 1872

    Scan type       : Complete Scan
    Total Scan Time : 00:46:09

    Memory items scanned      : 847
    Memory threats detected   : 1
    Registry items scanned    : 5233
    Registry threats detected : 16
    File items scanned        : 79084
    File threats detected     : 7

    Trojan.Unknown Origin
       C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
       C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
       [SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
       C:\WINDOWS\Prefetch\SVCHOST.EXE-0EB47E31.pf

    Unclassified.Unknown Origin
       HKLM\Software\Classes\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}
       HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892AE-1825-4E5F-9F85-23F9640051CC}
       HKU\S-1-5-21-4211940775-4122393118-504975954-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892AE-1825-4E5F-9F85-23F9640051CC}
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}#AppID
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\Control
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\InprocServer32
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\InprocServer32#ThreadingModel
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\MiscStatus
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\MiscStatus\1
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\ProgID
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\ToolboxBitmap32
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\TypeLib
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\Version
       HKCR\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC}\VersionIndependentProgID

    Adware.Tracking Cookie
       C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
       C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
       C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
       C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
       C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt

    Malwarebytes' Anti-Malware 1.37
    Database version: 2249
    Windows 5.1.2600 Service Pack 3

    6/8/2009 6:14:03 PM
    mbam-log-2009-06-08 (18-14-03).txt

    Scan type: Quick Scan
    Objects scanned: 82217
    Time elapsed: 3 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:50:49 PM, on 6/8/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\CyberLink Codec\PDVDServ.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Apoint2K\HidFind.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\Computerfixer1\Computerfixer1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink Codec\PDVDServ.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239386189328
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 9881 bytes

    I appreciate any review.  Strange that ESET didn't catch the problem. 

    -Tom

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    Re: sysvxd.exe trojan
    « Reply #1 on: June 08, 2009, 08:22:35 PM »
    Welcome to H2G.

    It looks like the removal guide got most or all of it but we will do another scan as a double check.

    Open HijackThis and select Do a system scan only

    Vista users right click on HijackThis and select Run as Administrator. (you will receive a UAC prompt, please allow it)

    Place a check mark next to the following entries: (if there)

    - O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)

    This is an optional HijackThis fix

    - O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


    *Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. Removing this with HijackThis will not affect the performance of your Realtek AC97 Audio whatsoever.

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    Vista users right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

    Jax_Minnesota

      Topic Starter


      Rookie

      Re: sysvxd.exe trojan
      « Reply #2 on: June 08, 2009, 11:04:48 PM »
      Here's the log from Combofix:

      ComboFix 09-06-08.03 - Administrator 06/08/2009 23:54.1 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.541 [GMT -5:00]
      Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
      AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
      FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
      .

      (((((((((((((((((((((((((   Files Created from 2009-05-09 to 2009-06-09  )))))))))))))))))))))))))))))))
      .

      2009-06-09 01:00 . 2009-06-09 01:00   410984   ----a-w-   c:\windows\system32\deploytk.dll
      2009-06-09 01:00 . 2009-06-09 01:00   --------   d-----w-   c:\program files\Java
      2009-06-08 23:08 . 2009-06-08 23:08   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
      2009-06-08 23:08 . 2009-05-26 18:20   40160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-06-08 23:08 . 2009-06-08 23:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2009-06-08 23:08 . 2009-06-08 23:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2009-06-08 23:08 . 2009-05-26 18:19   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2009-06-08 21:55 . 2009-06-08 23:02   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2009-06-08 21:54 . 2009-06-08 21:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2009-06-08 21:54 . 2009-06-08 21:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2009-06-08 21:54 . 2009-06-08 21:54   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
      2009-06-08 21:53 . 2009-06-08 21:53   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2009-06-08 21:38 . 2009-06-08 21:38   --------   d-----w-   c:\program files\CCleaner
      2009-06-08 20:37 . 2009-06-08 21:17   --------   d-----w-   c:\program files\Trend Micro
      2009-05-27 01:40 . 2009-05-27 01:40   --------   d-----w-   c:\documents and settings\Administrator\Application Data\ieSpell
      2009-05-24 17:09 . 2009-05-24 17:09   --------   d-sh--w-   c:\documents and settings\Administrator\IECompatCache
      2009-05-24 17:06 . 2009-05-24 17:06   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
      2009-05-24 17:05 . 2009-05-24 17:05   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
      2009-05-24 17:05 . 2009-05-24 17:05   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
      2009-05-24 16:28 . 2009-05-30 02:08   --------   d-----w-   c:\windows\ie8updates
      2009-05-24 16:28 . 2009-05-12 05:11   102912   -c----w-   c:\windows\system32\dllcache\iecompat.dll
      2009-05-24 16:27 . 2009-05-24 16:27   --------   dc-h--w-   c:\windows\ie8
      2009-05-24 15:25 . 2009-05-24 15:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Chat Republic Games
      2009-05-24 14:50 . 2009-05-24 14:50   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Chat Republic Games

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-05-30 02:06 . 2009-04-14 13:10   --------   d-----w-   c:\documents and settings\Administrator\Application Data\OfficeUpdate12
      2009-05-06 04:55 . 2009-05-06 04:55   --------   d-----w-   c:\program files\MSECache
      2009-04-19 21:49 . 2005-12-16 22:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2009-04-19 21:48 . 2009-04-13 21:40   0   ----a-w-   c:\windows\system32\drivers\FUJITSU_AA80N1E996000000_WXPMCE.MKR
      2009-04-14 04:45 . 2009-04-13 19:28   --------   d-----w-   c:\program files\ieSpell
      2009-04-14 03:28 . 2009-04-14 03:28   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Windows Search
      2009-04-14 03:10 . 2009-04-14 13:10   264704   ------w-   c:\documents and settings\Administrator\Application Data\OfficeUpdate12\oudetect.dll
      2009-04-13 21:17 . 2009-04-13 21:16   --------   d-----w-   c:\program files\ffdshow
      2009-04-13 21:13 . 2009-04-13 20:59   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Media Player Classic
      2009-04-13 20:59 . 2009-04-13 20:59   --------   d-----w-   c:\program files\Media Player Classic
      2009-04-13 01:45 . 2009-04-12 23:40   --------   d-----w-   c:\program files\Maxtor
      2009-04-13 01:44 . 2009-04-12 23:40   --------   d-----w-   c:\documents and settings\All Users\Application Data\Maxtor
      2009-04-12 21:22 . 2009-04-12 03:22   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AdobeUM
      2009-04-12 21:18 . 2005-12-16 23:13   --------   d-----w-   c:\program files\Common Files\Adobe
      2009-04-12 21:05 . 2009-04-12 21:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\Adobe Systems
      2009-04-12 21:05 . 2009-04-12 21:05   --------   d-----w-   c:\program files\Common Files\Adobe Systems Shared
      2009-04-12 03:21 . 2009-04-12 03:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Pure Networks
      2009-04-10 22:45 . 2009-04-10 22:45   --------   d-----w-   c:\program files\Microsoft ActiveSync
      2009-04-10 22:43 . 2009-04-10 22:43   --------   d-----w-   c:\program files\Common Files\L&H
      2009-04-10 22:41 . 2009-04-10 22:40   --------   d-----w-   c:\program files\Hewlett-Packard
      2009-04-10 22:40 . 2009-04-10 22:40   --------   d--h--w-   c:\program files\Zenographics
      2009-04-10 21:57 . 2009-04-10 21:57   --------   d-----w-   c:\documents and settings\Administrator\Application Data\ESET
      2009-04-10 21:57 . 2009-04-10 21:57   --------   d-----w-   c:\program files\ESET
      2009-04-10 21:57 . 2009-04-10 21:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\ESET
      2009-04-10 21:37 . 2005-12-16 23:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
      2009-04-10 21:37 . 2005-12-16 23:19   --------   d-----w-   c:\program files\Common Files\Symantec Shared
      2009-04-10 21:26 . 2005-12-16 19:21   --------   d-----w-   c:\program files\GemMaster
      2009-04-10 21:12 . 2009-04-10 21:12   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Windows Desktop Search
      2009-04-10 21:11 . 2009-04-10 21:11   --------   d-----w-   c:\program files\Windows Desktop Search
      2009-04-10 20:20 . 2009-04-10 20:20   --------   d-----w-   c:\program files\MSBuild
      2009-04-10 20:20 . 2009-04-10 20:20   --------   d-----w-   c:\program files\Reference Assemblies
      2009-04-10 18:49 . 2009-04-10 18:49   --------   d-----w-   c:\program files\MSXML 4.0
      2009-04-10 18:44 . 2009-04-10 18:44   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Intel
      2009-04-10 18:43 . 2009-04-10 18:43   21275   ----a-w-   c:\windows\system32\drivers\AegisP.sys
      2009-04-10 18:43 . 2009-04-10 18:43   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Intel
      2009-04-10 18:43 . 2009-04-10 18:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Intel
      2009-04-10 18:43 . 2005-12-16 19:14   --------   d-----w-   c:\program files\Intel
      2009-04-10 18:42 . 2009-04-10 18:42   --------   d-----w-   c:\program files\Broadcom
      2009-04-10 18:04 . 2009-04-10 18:04   --------   d-----w-   c:\program files\Windows Media Connect 2
      2009-04-10 17:58 . 2009-04-10 17:58   --------   d-----w-   c:\program files\Microsoft CAPICOM 2.1.0.2
      2009-04-10 17:54 . 2009-04-10 17:54   --------   d-----w-   c:\program files\Microsoft Silverlight
      2009-04-10 17:27 . 2005-12-16 23:11   --------   d-----w-   c:\program files\Quicken
      2009-04-10 17:20 . 2005-12-16 18:29   86811   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
      2009-03-31 01:01 . 2009-04-13 21:16   84480   ----a-w-   c:\windows\system32\ff_vfw.dll
      2009-03-31 01:01 . 2009-04-13 21:16   60273   ----a-w-   c:\windows\system32\pthreadGC2.dll
      2009-03-16 23:42 . 2009-03-16 23:42   524288   ----a-w-   c:\windows\opuc.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
      "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
      "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
      "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-07-02 163840]
      "IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-08-09 81920]
      "LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2005-06-08 69632]
      "LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-01 242688]
      "LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-01 61440]
      "RemoteControl"="c:\program files\CyberLink Codec\PDVDServ.exe" [2004-07-15 32768]
      "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-11-10 667718]
      "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-10 602182]
      "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
      "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
      "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
      "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
      "FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2006-02-17 303104]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-09 148888]
      "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-11-17 88203]
      "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2009-4-12 25214]
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
      Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "%windir%\\system32\\drivers\\svchost.exe"=

      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
      R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/21/2007 8:21 AM 468224]
      R2 FlashDrv;FlashDrv;c:\progra~1\Fujitsu\FlashAid\FlashDrv.sys [12/16/2005 6:17 PM 7196]
      R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [12/16/2005 1:50 PM 4864]
      S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 5:20 PM 3872]
      S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;c:\windows\system32\drivers\avusbpvr.sys [12/16/2005 5:56 PM 1947264]
      S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [4/10/2009 1:41 PM 3909]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

      --- Other Services/Drivers In Memory ---

      *NewlyCreated* - JAVAQUICKSTARTERSERVICE

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
      "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
      .
      - - - - ORPHANS REMOVED - - - -

      SafeBoot-procexp90.Sys


      .
      ------- Supplementary Scan -------
      .
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
      IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
      IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
      IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
      IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
      IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
      IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
      IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-06-08 23:55
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-4211940775-4122393118-504975954-500\Software\Microsoft\Internet Explorer\User Preferences]
      @Denied: (2) (Administrator)
      "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
         d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,12,12,0f,a5,2b,2a,45,9d,66,e5,\
      "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
         d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,12,12,0f,a5,2b,2a,45,9d,66,e5,\
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1348)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\Ati2evxx.dll

      - - - - - - - > 'explorer.exe'(2120)
      c:\windows\system32\ieframe.dll
      c:\windows\system32\OneX.DLL
      c:\windows\system32\eappprxy.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      Completion time: 2009-06-09 23:56
      ComboFix-quarantined-files.txt  2009-06-09 04:56

      Pre-Run: 56,131,862,528 bytes free
      Post-Run: 56,132,554,752 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

      204   --- E O F ---   2009-05-14 12:28

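The Services/Drivers section near the top of the log above is the part of a ComboFix report that a helper reads first: each line gives state, name, description, binary path, timestamp and size. As an added example (not from this thread, not ComboFix's own code), here is a small Python triage script that parses lines in that layout and flags the two patterns malware-removal volunteers look for: a binary registered from a directory no legitimate driver on this XP box would use, and a file carrying a core Windows process name but sitting somewhere other than that process's home directory. The expected-directory list, the system-binary table and the last two sample lines are constructed assumptions for illustration; the first three sample lines copy entries from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One entry per "Rn/Sn name;description;path [date time size]" line, the
# layout ComboFix uses in its Services/Drivers section (R = running, S = stopped).
ENTRY_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>.+?)\s+(?P<size>\d+)\]\s*$"
)

# Constructed sample: the first three lines are taken from the log above; the
# last two are invented for illustration and do not come from the log.
SAMPLE = r"""
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/21/2007 8:21 AM 468224]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [12/16/2005 1:50 PM 4864]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
R2 sysvxd;sysvxd;c:\windows\s\sysvxd.exe [6/1/2009 3:12 AM 15360]
S3 lsass;lsass;c:\windows\system32\drivers\lsass.exe [6/1/2009 3:12 AM 20480]
"""

# Assumption: directories a legitimately installed service or driver binary is
# expected to live in on this XP machine.
EXPECTED_ROOTS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# Assumption: core Windows process names and the only directory each runs from.
SYSTEM_BINARY_HOME = {
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}


@dataclass
class Entry:
    state: str
    name: str
    desc: str
    path: str
    stamp: str
    size: int
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Parse every line that matches the ComboFix service/driver layout."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["state"], m["name"], m["desc"], m["path"],
                                 m["stamp"], int(m["size"])))
    return entries


def flag_entry(e: Entry) -> List[str]:
    """Attach triage flags to one entry and return them (empty list = nothing odd)."""
    p = e.path.lower()
    directory, _, base = p.rpartition("\\")
    directory += "\\"
    flags = []
    if not p.startswith(EXPECTED_ROOTS):
        flags.append("unusual directory")
    home = SYSTEM_BINARY_HOME.get(base)
    if home is not None and directory != home:
        flags.append("system binary name outside its home directory")
    # A user-mode .exe registered out of the kernel drivers folder is itself odd.
    if base.endswith(".exe") and directory == EXPECTED_ROOTS[0]:
        flags.append("executable in drivers directory")
    e.flags = flags
    return flags


def suspicious(text: str) -> Dict[str, List[str]]:
    """Map service name -> flags for every entry that raised at least one flag."""
    result = {}
    for e in parse_entries(text):
        if flag_entry(e):
            result[e.name] = e.flags
    return result


if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE).items():
        print(f"{name}: {', '.join(flags)}")
```

Run against the sample, the three genuine entries pass clean and only the two constructed ones are reported, which is the point of the heuristic: it narrows a long log to the handful of lines worth checking against a vendor database, not a verdict on its own.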
      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: sysvxd.exe trojan
      « Reply #3 on: June 09, 2009, 07:16:43 AM »
      Looks good. Is the computer running OK now?

      Just a few things to do now.

      Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

      Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

      Exit out of MessengerDisable then delete the two files that were put on the Desktop.

      ----------

      • Click START then RUN
      • Now type Combofix /u in the runbox
      • Make sure there's a space between Combofix and /u
      • Then hit Enter.
      The above procedure will:
      • Delete: ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.
      ----------

      Use the Secunia Software Inspector to check for out of date software.
      • Click Start Now
      • Check the box next to Enable thorough system inspection.
      • Click Start
      • Allow the scan to finish and scroll down to see if any updates are needed.
      • Update anything listed.
      ----------

      Go to Microsoft Windows Update and get all critical updates.

      ----------

      I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

      SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
      * Using SpywareBlaster to protect your computer from Spyware and Malware
      * If you don't know what ActiveX controls are, see here

      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

      Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

      Jax_Minnesota

        Topic Starter


        Rookie

        Re: sysvxd.exe trojan
        « Reply #4 on: June 09, 2009, 03:54:20 PM »
        Wow.  I'll be sure to click the Thank You button in a moment, but for the benefit of the other readers I'll let you know what I discovered. 

        First, the Windows Messenger you had me delete.  Had no idea, and thought it was a necessary component.  Now gone, thank you very much.  Not to be confused with MSN Messenger...  Thanks for that.

        Thanks for the Combofix /u cleanup suggestion.  Did that, no issues. 

        The Secunia website is terrific.  I regularly go to check Windows updates, but even so, it's a new month and there were a bunch more.  Secunia reminded me of these and several more, including Flash and several Adobe updates.  All those Microsoft updates?  Malware designers must have been busy recently.

        Gotta tell you that I ran into trouble with an old version (pre-Adobe) of Flash, actually Macromedia Flash 6.0.79.0.  When I tried to upgrade to Adobe's version 10 of the program it didn't work.  Nor could I delete it in the control panel. Instead, I found a technical note about this specific version via Google, which advised where to find the Adobe Uninstaller.   A useful tool for uninstalling Adobe programs that are stubborn.  Found here: http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player.exe.

        This tech tip (on Secunia) also provided a tip about another application you might want to review, called Revo Uninstaller.  Useful for uninstalling some of the fragments that programs leave behind in the Windows Registry. Please comment on whether this is 'foolproof' enough for the general user. 

        Adobe had several updates to make, progressively, on Acrobat and the Adobe Reader.  Had to run Secunia several times.  But that's typical with many update routines.  The trick is to be patient, reboot between each update, and follow the directions. 

        I added Web of Trust, and will look at AntiSpywareBlaster in a moment.  Also will read the paper you wrote on improving computer speed - "It may not be malware".  Really, this has been enormously helpful.  Thanks evilfantasy...

        Anything else left to do?

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: sysvxd.exe trojan
        « Reply #5 on: June 09, 2009, 05:10:05 PM »
        Glad you found the Adobe Uninstaller. For some reason Flash refuses to remove its leftovers when it's updated. Anyway, now ya know...


        I've used and recommend Revo for a while now. I won't uninstall anything without it and it has never given me any problems whatsoever.

        Quote
        Anything else left to do?

        As long as the computer is running OK then I think you are good to go.