vtru

Red Circle with White X in taskbar

19 posts in this topic

Hello everyone. First, I'm not sure if this is the correct forum in which to start but I have been helped in this forum in the past. If I should start my post in another forum first, please let me know.

 

I have the dreaded "red circle with white X" in my taskbar malware/infection/trojan. Every 15 seconds or so a popup menu shows up saying "Your computer is infected! Windows has detected spyware infection! YADDA YADDA YADDA." It asks to be clicked on, which initially resulted in opening a fake, trial version of Pesttrap which began a fake scan listing fake infections and asking to be purchased in order to remove the fake, listed infections. Luckily, I was able to get rid of the Pesttrap software advert/trial version. I was able to do this through running Adaware, Spybot, CCleaner, etc. Unfortunately, the darn red circle still remains, spewing its fake popup warning about my computer being infected. If I click on the warning now, nothing occurs since the Pesttrap advert software has been removed. However, I would like to get rid of this darn red circle because it is annoying, and is probably making my computer vulnerable.

 

I have read a few other topics on these forums with similar problems. However, they all have extra malware symptoms and coming up with a fix is rather complex. So, I have decided to start this post/topic so that I may get personal help with this problem.

 

First let me state what I have done so far to try to remove this malware. I have run Adaware (a few times) and Spybot. They both recognize a PestTrap or SpySheriff malware and try to fix/remove them. Unfortunately, on reboot, the dreaded red circle reappears. I have also tried SmitFraudFix, from safe mode, with no success. However, I have discovered that upon reboot, just before the red circle appears, Spybot's TeaTimer pops up saying that C:\winstall.exe wants to change the registry. I tell Spybot to not allow it, but the red circle still appears. I have also scanned this file (C:\winstall.exe) through JOTTI and JOTTI found it to be malware. I have also discovered that suspicious files are created in a temp folder: C:\DOCS&SETS\USERNAME\LOCALSETS\Temp. Adaware finds one of the files in there to be the PestTrap malware. It seems to be a randomly named file (ex. zaapcoei) that simply reappears upon reboot, along with a .tpl file of the same random name. There is also a Perflib_Perfdata file that is usually undeletable (being used by another program). And there is an empty hsperfdata folder, and a couple .txt files named java_install_reg, jusched, and kb (the kb file is empty and has 0 bytes).

 

Also, I have figured out that when I disconnect from the internet (remove my ethernet cable) and reboot, the red circle does not appear. So it needs an internet connection to appear.

 

I understand that I have probably stated too much information about my malware infection, but I believe other people are probably similarly infected or will be.

 

So here is my malware infection problem. I am somewhat knowledgeable in knowing the basic malware removal tools. I can post an Adaware log, HiJackThis log, or even the SmitFraudFix log (I did run it in safe mode). But before I post any logs, I just wanted to explicitly state my malware problem and make sure I have posted this topic in the correct forum. If not, please let me know which forum to move to.

 

If this is the correct forum and if anyone can help with my problem, please reply ASAP. Once again, I can post a log or use KillBox or something else. Please let me know. Thank you.


I just wanted to bump this and note what I have done so far. I have just finished running SmitFraudFix, Adaware, Spybot, and CCleaner in safe mode (and in that order). I have the logs for each to show that SmitFraudFix and Adaware deleted infected, malware files and folders. Unfortunately, on reboot the red circle returned and so did the malware files and folders. However, the red circle appeared after I opened up a Firefox browser and coincides with the Java task tray icon (not sure if that is a connection or just coincidence). Anyway, if anyone can help with this malware, I would be very grateful. Please let me know which log I should post first. And if I have started this post/topic in the wrong forum folder, please let me know and I will follow the correct protocol. Thank you.

 

{Advisor Edit: Topics merged to help in providing assistance}

Edited by spike-nz


I would like to begin by apologizing for starting this post for help in the wrong section. I now realize this is the right section in which to start. Below are my posts from the HJT log section.

 

{Advisor Edit: Duplicate post removed}

 


 

 

{EDIT: Hi vtru, the Hijack This section is best for your Topic, so have merged all your posts there - and removed the posts which point to the Malware section}

Edited by spike-nz



Hi vtru,

 

In order for the malware experts to analyse your problems, please post an Ad-Aware SE Full-Scan log (latest Defs: SE1R143 08.01.2007), together with a log from a program called HijackThis.

 

Log posting instructions are included in this Topic: Infected ??, found this

 

As to HijackThis (from the instructions in the link above): "Please install to a folder, not the desktop nor the Temp folder.

 

Then rename the Hijackthis.exe file, e.g. to myhjt.exe. (Some malware targets HijackThis, so renaming helps get round this.) Double click on the renamed file to run HijackThis and post the log from a scan."

 

Including your SmitFraudFix and Spybot log files may be of additional benefit to the malware experts.

 

Regards,

 

Spike


Thank you Spike. I have just run Adaware (newest definition file and search for low-risk) and deleted about 16 files and folders. Below is the Adaware log:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Thursday, January 11, 2007 2:41:10 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R143 08.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0(TAC index:3):4 total references

Other(TAC index:5):4 total references

PestTrap(TAC index:3):2 total references

Tracking Cookie(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

1-11-2007 2:41:10 PM - Scan started. (Full System Scan)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 536

ThreadCreationTime : 1-11-2007 10:09:29 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 600

ThreadCreationTime : 1-11-2007 10:09:30 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 624

ThreadCreationTime : 1-11-2007 10:09:31 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 668

ThreadCreationTime : 1-11-2007 10:09:31 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 680

ThreadCreationTime : 1-11-2007 10:09:31 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 840

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 908

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1000

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1048

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1100

ThreadCreationTime : 1-11-2007 10:09:33 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1392

ThreadCreationTime : 1-11-2007 10:09:35 PM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:12 [cisvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1516

ThreadCreationTime : 1-11-2007 10:09:42 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Content Index service

InternalName : cisvc.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : cisvc.exe

 

#:13 [mcvsrte.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 1548

ThreadCreationTime : 1-11-2007 10:09:42 PM

BasePriority : Normal

FileVersion : 4, 4, 0, 10

ProductVersion : 4, 4, 0, 0

ProductName : McAfee.com VirusScan Online

CompanyName : Mcafee.com Corporation

FileDescription : McAfee.com VirusScan Online Realtime Engine

InternalName : mcvsrte

LegalCopyright : Copyright © 1998-2002 McAfee.com Corporation

OriginalFilename : mcvsrte.exe

 

#:14 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1728

ThreadCreationTime : 1-11-2007 10:09:43 PM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:15 [mcshield.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 2024

ThreadCreationTime : 1-11-2007 10:09:46 PM

BasePriority : High

 

 

#:16 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 276

ThreadCreationTime : 1-11-2007 10:09:47 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:17 [cidaemon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1468

ThreadCreationTime : 1-11-2007 10:17:12 PM

BasePriority : Idle

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Indexing Service filter daemon

InternalName : cidaemon.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : cidaemon.exe

 

#:18 [cidaemon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1568

ThreadCreationTime : 1-11-2007 10:17:15 PM

BasePriority : Idle

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Indexing Service filter daemon

InternalName : cidaemon.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : cidaemon.exe

 

#:19 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1012

ThreadCreationTime : 1-11-2007 10:30:14 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:20 [hkcmd.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 684

ThreadCreationTime : 1-11-2007 10:30:18 PM

BasePriority : Normal

FileVersion : 3.0.0.4342

ProductVersion : 7.0.0.4342

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

LegalCopyright : Copyright 1999-2004, Intel Corporation

OriginalFilename : HKCMD.EXE

 

#:21 [mcagent.exe]

FilePath : C:\Program Files\McAfee.com\Agent\

ProcessID : 292

ThreadCreationTime : 1-11-2007 10:30:18 PM

BasePriority : Normal

FileVersion : 4, 0, 0, 26

ProductVersion : 4, 1, 0, 0

ProductName : McAfee.com SecurityCenter

CompanyName : McAfee.com Corporation

FileDescription : McAfee.com SecurityCenter Agent

InternalName : mcagent

LegalCopyright : Copyright © 1998-2002 McAfee.com Corporation

OriginalFilename : mcagent.exe

 

#:22 [directcd.exe]

FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\

ProcessID : 1288

ThreadCreationTime : 1-11-2007 10:30:18 PM

BasePriority : Normal

FileVersion : 5.3.4.21

ProductVersion : 5.3.4.21

ProductName : DirectCD

CompanyName : Roxio

FileDescription : DirectCD Application

InternalName : DirectCD

LegalCopyright : Copyright © 2001,2002, Roxio, Inc.

OriginalFilename : Directcd.exe

 

#:23 [mcvsshld.exe]

FilePath : C:\PROGRA~1\mcafee.com\vso\

ProcessID : 1292

ThreadCreationTime : 1-11-2007 10:30:19 PM

BasePriority : Normal

FileVersion : 4, 4, 0, 10

ProductVersion : 4, 4, 0, 0

ProductName : McAfee.com VirusScan Online

CompanyName : Mcafee.com Corporation

FileDescription : McAfee.com ActiveShield

InternalName : msvcshld

LegalCopyright : Copyright © 1998-2002 McAfee.com Corporation

OriginalFilename : mcvsshld.exe

 

#:24 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_10\bin\

ProcessID : 480

ThreadCreationTime : 1-11-2007 10:30:23 PM

BasePriority : Normal

 

 

#:25 [startfx.exe]

FilePath : C:\Program Files\Creative\Creative Live! Cam\VideoFX\

ProcessID : 832

ThreadCreationTime : 1-11-2007 10:30:23 PM

BasePriority : Normal

FileVersion : 1.80.04.00

CompanyName : Creative Technology Ltd.

FileDescription : Start Advanced Video FX Engine Application

LegalCopyright : Copyright © Creative Technology Ltd., 2006

OriginalFilename : StartFX.exe

 

#:26 [v0250mon.exe]

FilePath : C:\WINDOWS\

ProcessID : 1348

ThreadCreationTime : 1-11-2007 10:30:24 PM

BasePriority : Normal

FileVersion : 1.00.04.00

CompanyName : Creative Technology Ltd.

FileDescription : Live! Cam Console Auto Launcher

LegalCopyright : Copyright © Creative Technology Ltd., 2006

OriginalFilename : V0250Mon.exe

 

#:27 [teatimer.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ProcessID : 208

ThreadCreationTime : 1-11-2007 10:30:27 PM

BasePriority : Idle

FileVersion : 1, 4, 0, 2

ProductVersion : 1, 4, 0, 3

ProductName : Spybot - Search & Destroy

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.

LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.

OriginalFilename : TeaTimer.exe

Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

 

#:28 [dsagnt.exe]

FilePath : C:\Program Files\Dell Support\

ProcessID : 1608

ThreadCreationTime : 1-11-2007 10:30:28 PM

BasePriority : Below Normal

FileVersion : 1, 1, 0, 73

ProductVersion : 1, 1, 0, 73

ProductName : Dell Support

CompanyName : Gteko Ltd.

FileDescription : Dell Support

InternalName : AUAgent

LegalCopyright : Copyright © 2000 - 2004 Gteko Ltd.

OriginalFilename : AUAgent.exe

 

#:29 [camtray.exe]

FilePath : C:\Program Files\Creative\Shared Files\

ProcessID : 392

ThreadCreationTime : 1-11-2007 10:30:31 PM

BasePriority : Normal

FileVersion : 3.60.07

ProductVersion : 3.60

ProductName : Creative Cam Detector

CompanyName : Creative Technology Ltd

FileDescription : Creative Camera Launcher Application

InternalName : Creative Camera Launcher Application

LegalCopyright : Copyright © Creative Technology Ltd., 2002-2004. All rights reserved.

OriginalFilename : CamTray.exe

 

#:30 [msoffice.exe]

FilePath : C:\Program Files\Microsoft Office\Office\1033\

ProcessID : 1932

ThreadCreationTime : 1-11-2007 10:30:38 PM

BasePriority : Normal

FileVersion : 9.0.2601

ProductVersion : 9.0.2601

ProductName : Microsoft Office 2000

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office 2000 component

InternalName : MSOFFICE

LegalCopyright : Copyright© Microsoft Corporation 1994-1999. All rights reserved.

OriginalFilename : MSOFFICE.EXE

 

#:31 [kmllnkod.exe]

FilePath : C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\

ProcessID : 2496

ThreadCreationTime : 1-11-2007 10:31:48 PM

BasePriority : Normal

 

 

PestTrap Object Recognized!

Type : Process

Data : kmllnkod.exe

TAC Rating : 3

Category : Malware

Comment : b917ffe96edb3ae8cac14d4a19787706.exe.dmp

Object : C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\

 

 

Warning! PestTrap Object found in memory(C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\kmllnkod.exe)

 

"C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\kmllnkod.exe"Process terminated successfully

"C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\kmllnkod.exe"Process terminated successfully

 

#:32 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 2536

ThreadCreationTime : 1-11-2007 10:32:03 PM

BasePriority : Normal

 

 

#:33 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2884

ThreadCreationTime : 1-11-2007 10:39:43 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

#:34 [wmiprvse.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 2932

ThreadCreationTime : 1-11-2007 10:40:33 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : Wmiprvse.exe

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 1

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : dave [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:dave [email protected]/

Expires : 1-9-2012 4:00:00 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : dave [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:dave [email protected]/

Expires : 1-9-2010 6:10:56 PM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 3

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

0 Possible New Malware 0 Object Recognized!

Type : File

Data : kmllnkod.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Dave Family\Local Settings\Temp\

 

 

 

0 Possible New Malware 0 Object Recognized!

Type : File

Data : uaelctar.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Dave Family\Local Settings\Temp\

 

 

 

0 Possible New Malware 0 Object Recognized!

Type : File

Data : zfvoqlyx.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Dave Family\Local Settings\Temp\

 

 

 

0 Possible New Malware 0 Object Recognized!

Type : File

Data : winstall.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 7

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 7

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

PestTrap Object Recognized!

Type : Folder

TAC Rating : 3

Category : Malware

Comment : PestTrap

Object : C:\Program Files\PestTrap

 

Other Object Recognized!

Type : File

Data : KMLLNKOD.EXE-0AC29F49.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Other Object Recognized!

Type : File

Data : UAELCTAR.EXE-18E47926.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Other Object Recognized!

Type : File

Data : ZFVOQLYX.EXE-21403AC1.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Other Object Recognized!

Type : File

Data : WINSTALL.EXE-2DB376CF.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

 

 

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 5

Objects found so far: 12

 

2:53:28 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:12:18.62

Objects scanned:146712

Objects identified:16

Objects ignored:0

New critical objects:16


And here is the HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 3:05:12 PM, on 1/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\V0250Mon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\My Downloads\HJT\myHJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Arcsoft Web Uploader - http://www.cartogra.com/downloads/ReadFileApplet.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/29acf7ce894b8c49df03/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

 

 

 

I will wait until they are needed before I post any SmitFraudFix or Spybot logs. So please let me know if either log is needed.

 

 

 

{Advisor Edit: Posts merged for convenience}

Edited by spike-nz


Hello, vtru & Welcome

First, do this for me please.

 

Go to Jotti's malware scan

 

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

 

C:\WINDOWS\V0250Mon.exe

 

Click on the submit button. Please post the results in your next reply.

 

Next

 

 

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

 

 

=============

 

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

 

 

===========

 

View hidden files and folders:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

===========

 

Run HijackThis

Scan and when it finishes, put a check mark only next to the following items (if present):

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

 

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/29acf7ce894b8c49df03/...ip/RdxIE601.cab

 

 

Close all browsers and any open windows, making sure that only HijackThis is open.

Click Fix Checked

Close HijackThis

 

===========

 

Restart your computer in Safe Mode.

  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Login on your usual account.

If you need further assistance with Safe Mode, see Symantec

 

===========

 

Next, please find and delete the following files/folders (if present):

C:\WINDOWS\system32\ntsystem.exe <--- This file

 

 

==============

 

Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

 

Firefox (In case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

 

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c. Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.

 

Now restart in Normal Mode and show me a new HijackThis logfile and the log of the scan I asked you to do.

 

 

Gogo :(


Thank you, HJThis, for helping me. I was suspicious of V0250Mon.exe as well. JOTTI, however, found nothing:

Scan taken on 12 Jan 2007 03:30:19 (GMT)

AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

 

On the properties tab of the V0250Mon.exe file it says that it is part of my Creative Webcam launcher. There is also a V0250Mon.cfg file that is related to the Webcam as well.

 

I will now follow the rest of your instructions and post a new HJT log. I will do this after a couple hours however, so if anyone is monitoring this topic please do not expect my follow up post until a few hours have passed.


Hi, vtru

 

Thanks for the info on the file.

 

Gogo :(


I apologize. I stated I would follow the instructions and post a new HJT log in a few hours. Unfortunately, it has gotten too late. I will have to do all this tomorrow morning. Once again, my apologies for taking so long.


Hey, vtru

 

No problem, see you in the morning. I'm about to go to bed; my eyes are killing me. ;)

 

Gogo ;)


Wow. I think you have fixed it. You are Da Man! (Or Da Woman!) Here's the latest HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:45:53 AM, on 1/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\V0250Mon.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\My Downloads\HJT\myHJT.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Arcsoft Web Uploader - http://www.cartogra.com/downloads/ReadFileApplet.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

 

I am now going to check for some of those suspicious files (winstall.exe) and folders (in the temp) that I mentioned earlier. But so far the red circle has not returned and I believe you have fixed this malware problem. I am forever grateful.

Share on other sites
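The helper's fix list and the new log just posted can be checked mechanically. This is an added example, not code from the thread or from HijackThis: it parses HijackThis-style log lines, confirms the three fix-list entries are no longer present, and flags O16 ActiveX downloads served from a bare IP address (like the one that was removed). The sample logs are constructed and abridged from entries shown in this thread.

```python
import re
from typing import Dict, List

# Constructed sample logs, abridged from entries shown in this thread.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\V0250Mon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/29acf7ce894b8c49df03/...ip/RdxIE601.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
"""
# Constructed 'after' log: the same machine once the three entries are fixed.
AFTER_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\V0250Mon.exe

O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
"""
# The three entries the helper asked to be fixed with HijackThis.
FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =",
    r"O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/29acf7ce894b8c49df03/...ip/RdxIE601.cab",
]
ENTRY_RE = re.compile(r"^[RFO]\d+ - ")                                # R0/F1/O4/O16 ... lines
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")  # URL host is a bare IP

def normalize(line: str) -> str:
    """Collapse whitespace and case so copy/paste differences do not matter."""
    return " ".join(line.split()).casefold()

def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into its running-process list and R/F/O entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}

def remaining_fixes(log_text: str, fix_list: List[str]) -> List[str]:
    """Fix-list entries still present in the log (empty once the fix worked)."""
    present = {normalize(e) for e in parse_hjt(log_text)["entries"]}
    return [f for f in fix_list if normalize(f) in present]

def removed_entries(before: str, after: str) -> List[str]:
    """Entries in the earlier log that no longer appear in the later one."""
    later = {normalize(e) for e in parse_hjt(after)["entries"]}
    return [e for e in parse_hjt(before)["entries"] if normalize(e) not in later]

def ip_hosted_dpf(entries: List[str]) -> List[str]:
    """O16 (ActiveX download) entries whose source is a bare IP rather than a hostname."""
    return [e for e in entries if e.startswith("O16") and IP_URL_RE.search(e)]
```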

Hi, vtru

 

Hmm, I don't like the idea of that file running on the PC, but it came up clean, so don't do anything to it for now. Do these steps for me now; some of this you did the first time, that's cool.

 

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

 

Next, let's clean your restore points and set a new one

 

 

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

 

1. Turn off System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* CHECK Turn off System Restore.

* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* UN-Check Turn off System Restore.

* Click Apply, and then click OK.

 

System Restore will now be active again.

 

 

Then create a new restore point once you have System Restore back on.

To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.

When the System Restore Utility opens, click "Create a Restore Point" then click Next.

Enter a name for this Restore Point, and click Create.

 

 

 

Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

 

Firefox (In case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

 

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c. Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.

 

And please have a look at the great info by Mr. TK:

So how did I get infected in the first place?

 

 

Gogo :)

Share on other sites
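The six Internet-zone settings in the "Make your Internet Explorer more secure" steps (given in this post and in the earlier one) are stored as DWORD values under the per-user zone 3 registry key; this added example, not code from the thread, audits a set of current values against those recommendations and can read them from the registry on Windows. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the 0 = Enable, 1 = Prompt, 3 = Disable encoding follow Microsoft's documented zone registry layout, which is an assumption of the example; the WEAK and HARDENED dicts are constructed samples.

```python
from typing import Dict, List, Tuple

try:
    import winreg  # Windows only; the audit logic itself is plain Python
except ImportError:
    winreg = None

# Per-user Internet zone (zone 3). Value names and the 0/1/3 encoding follow
# Microsoft's documented layout for the zone registry keys (an assumption of
# this example, not something stated in the thread).
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# The six settings from the thread's "Make your Internet Explorer more secure" steps.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

def audit_zone(current: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (setting, current, recommended) for every setting that is less
    strict than the thread recommends. A setting that is absent or holds an
    unrecognised state is reported as well, since its effect is unconfirmed."""
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        have = current.get(name)
        if have is None:
            findings.append((label, "not set", LABEL[wanted]))
        elif have not in STRICTNESS:
            findings.append((label, f"unknown ({have})", LABEL[wanted]))
        elif STRICTNESS[have] < STRICTNESS[wanted]:
            findings.append((label, LABEL[have], LABEL[wanted]))
    return findings

def read_zone_from_registry() -> Dict[str, int]:
    """Read the current per-user Internet-zone DWORD values (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    found: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                value, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # not set per-user; audit_zone will report it
            if kind == winreg.REG_DWORD:
                found[name] = value
    return found

# Constructed samples: everything allowed, beside the settings exactly as the thread gives them.
WEAK = {"1001": 0, "1004": 0, "1201": 0, "1800": 0, "1804": 0, "1607": 0}
HARDENED = {"1001": 1, "1004": 3, "1201": 3, "1800": 1, "1804": 1, "1607": 1}
```

On a Windows machine, `audit_zone(read_zone_from_registry())` reports which of the six settings still need changing; anywhere else, pass a dict such as the constructed samples.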

Okay, I will do the above shortly. I also wanted to mention a couple of things:

 

Yup. I just restarted and the red circle is no more. I also checked for the suspicious winstall.exe file and did not find it. I then checked the Temp folder I mentioned earlier (C:\DOCS&SETS\USERNAME\LOCSETS\Temp) and did not find the suspicious files I found earlier. However, I still found 2 files. The first is a .txt file named jusched.txt. I believe it is connected to Java somehow. Here is the file's content:

 

Fri Jan 12 11:46:48 2007

:: nextSched=Sun Feb 04 16:00:00 2007

; sleeptime (sec=2002392, hours=556), actual sleep=2003722000 msecs

lastSchedTime=Thu Jan 04 16:00:00 2007

 

Fri Jan 12 12:05:28 2007

:: nextSched=Sun Feb 04 16:00:00 2007

; sleeptime (sec=2001272, hours=555), actual sleep=2002602000 msecs

lastSchedTime=Thu Jan 04 16:00:00 2007

 

There is also a more suspicious .dat file named Perflib_Perfdata_###.dat (where the ### = 3 random numbers). I tried to upload this 16kb file to JOTTI but when I try to, JOTTI says the file is 0kb and that either a firewall or malware is prohibiting the uploading.

 

And as for the V0250Mon.exe file, under its properties tab it says it is related to my Creative Webcam Launcher.

 

Anyway, I will follow the system restore points instructions and post back shortly.

 

PS - I use Firefox. I was wondering if there is any way to make Firefox more secure, a la the instructions under "Make your Internet Explorer more secure"?


I just found out I have had system restore turned off all this time. It was most likely turned off when I was dealing with a previous malware problem on this computer. Should I turn it back on and create a new restore point?


Hey, vtru

 

Yes please, and have it on at all times; it can keep you from a ton of pain.

Now, there is an option to Adjust System Restore Disk Usage when you install WinXP. It starts at, say, 12%, but when I use XP I set mine at, say, 2 or 3%.

But that's just me; I don't see a need for more than that, and I turn it off on all other hard drives. Again, I don't see a need to have it running on all drives.

And yes, they look like they're from Java.

 

Gogo :)


Yes, thank you so very much. I have enabled system restore and a new restore point. The red circle malware has been fixed. I have also installed ZA firewall and AntiVir Guard and SpywareBlaster. I hope my computer is now fairly well protected. Thank you so much Gogo, Spike, and Lavasoft Forums for the excellent expertise and help.

 

And for anyone who becomes infected with this dreaded red circle with white X malware: please follow the great instructions in this topic and your malware problem will be solved. I hope this topic helps others out there.


Hi, vtru

 

Glad to hear all is good. If you should have any more problems, please let us know.

 

 

Since this issue appears resolved ... this topic is closed.

 

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a new topic.

 

 

Gogo ;)
