Red Circle with White X in taskbar

vtru · January 10, 2007

Hello everyone. First, I'm not sure if this is the correct forum in which to start but I have been helped in this forum in the past. If I should start my post in another forum first, please let me know.

I have the dreaded "red circle with white X" in my taskbar malware/infection/trojan. Every 15 seconds or so a popup menu shows up saying "Your computer is infected! Windows has detected spyware infection! YADDA YADDA YADDA." It asks to be clicked on, which initially resulted in opening a fake, trial version of Pesttrap which began a fake scan listing fake infections and asking to be purchased in order to remove the fake, listed infections. Luckily, I was able to get rid of the Pesttrap software advert/trial version. I was able to do this through running Adaware, Spybot, CCleaner, etc. Unfortunately, the darn red circle still remains, spewing its fake popup warning about my computer being infected. If I click on the warning now, nothing occurs since the Pesttrap advert software has been removed. However, I would like to get rid of this darn red circle because it is annoying, and is probably making my computer vulnerable.

I have read a few other topics on these forums with similar problems. However, they all have extra malware symptoms and coming up with a fix is rather complex. So, I have decided to start this post/topic so that I may get personal help with this problem.

First let me state what I have done so far to try to remove this malware. I have ran Adaware (a few times) and Spybot. They both recognize a Pesttrap or Spysherrif malware and try to fix/remove them. Unfortunately, on reboot, the dreaded red circle reappears. I have also tried SmitFraudFix, from safe mode, with no success. However, I have discovered that upon reboot, just before the red circle appears, Spybot's Teatimer pops up saying that C:\winstall.exe wants to change the registry. I tell Spybot to not allow it, but the red circle still appears. I have also scanned this file (C:\winstall.exe) through JOTTI and JOTTI found it to be malware. I have also discovered that suspicious files are created in a temp folder: C:\DOCS&SETS\USERNAME\LOCALSETS\Temp. Adaware finds one of the files in there to be the Pesttrap malware. It seems to be a randomly named file (ex. zaapcoei) that simply reappears upon reboot, along with a .tpl file of the same random name. There is also a Perflib_Perfdata file that is usually undeletable (being used by another program). And there is an empty hsperfdata folder, and a couple .txt files named java_install_reg, jusched, and kb (the kb file is empty and has 0 bytes).

Also, I have figured out that when I disconnect from the internet (remove my ethernet cable) and reboot, the red circle does not appear. So it needs an internet connection to appear.

I understand that I have probably stated too much information about my malware infection, but I believe other people are probably similarly infected or will be.

So here is my malware infection problem. I am somewhat knowledgeable in knowing the basic malware removal tools. I can post an Adaware log, HiJackThis log, or even the SmitFraudFix log (I did run it in safe mode). But before I post any logs, I just wanted to explicitly state my malware problem and make sure I have posted this topic in the correct forum. If not, please let me know which forum to move to.

If this is the correct forum and if anyone can help with my problem, please reply ASAP. Once again, I can post a log or use KillBox or something else. Please let me know. Thank you.

vtru · January 11, 2007

I just wanted to bump this and note what I have done so far. I have just finished running SmitFraudFix, Adaware, Spybot, and CCleaner in safe mode (and in that order). I have the logs for each to show that SmitFraudFix and Adaware deleted infected, malware files and folders. Unfortunately, on reboot the red circle returned and so did the malware files and folders. However, the red circle appeared after I opened up a firefox browser and coincides with the java tasktray icon (not sure if that is a connection or just coincidence). Anyway, if anyone can help with this malware, I would be very grateful. Please let me know which log I should post first. And if I am in starting this post/topic in the wrong forum folder, please let me know and I will follow the correct protocal. Thank you.

{Advisor Edit: Topics merged to help in providing assistance}

Edited January 11, 2007 by spike-nz

vtru · January 11, 2007

I would like to begin with apologizing for starting this post for help in the wrong section. I now realize this is the right section in which to start. Below are my posts from the HJT log section.

{Advisor Edit: Duplicate post removed}

If this is the correct forum and if anyone can help with my problem, please reply ASAP. Once again, I can post a log or use KillBox or something else. Please let me know. Thank you.

{EDIT: Hi vtru, the Hijack This section is best for your Topic, so have merged all your posts there - and removed the posts which point to the Malware section}

Edited January 11, 2007 by spike-nz

vtru · January 11, 2007

I just wanted to bump this and note what I have done so far. I have just finished running SmitFraudFix, Adaware, Spybot, and CCleaner in safe mode (and in that order). I have the logs for each to show that SmitFraudFix and Adaware deleted infected, malware files and folders. Unfortunately, on reboot the red circle returned and so did the malware files and folders. However, the red circle appeared after I opened up a firefox browser and coincides with the java tasktray icon (not sure if that is a connection or just coincidence). Anyway, if anyone can help with this malware, I would be very grateful. Please let me know which log I should post first.

spike-nz · January 11, 2007

Hi vtru,

In order for the malware experts to analyse your problems, please post an Ad-Aware SE Full-Scan log (latest Defs: SE1R143 08.01.2007), together with a log from a program called HijackThis.

Log posting instructions are included in this Topic: Infected ??, found this

As to Hijack This (from the instructions in the link above): "Please install to a folder, not the desktop nor the Temp folder.

Then rename the Hijackthis.exe file e.g. to myhjt.exe. (Some malware target hijackthis so renaming helps get round this.) Double click on the renamed file to run HijackThis and post the log from a scan.

Including your SmitFraudFix and Spybot log files may be of additional benefit to the malware experts.

Regards,

Spike

vtru · January 11, 2007

Thank you Spike. I have just run Adaware (newest definition file and search for low-risk) and deleted about 16 files and folders. Below is the Adaware log:

Ad-Aware SE Build 1.06r1

Logfile Created on:Thursday, January 11, 2007 2:41:10 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R143 08.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0(TAC index:3):4 total references

Other(TAC index:5):4 total references

PestTrap(TAC index:3):2 total references

Tracking Cookie(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings

===========================

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

1-11-2007 2:41:10 PM - Scan started. (Full System Scan)

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 536

ThreadCreationTime : 1-11-2007 10:09:29 PM

BasePriority : Normal

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 600

ThreadCreationTime : 1-11-2007 10:09:30 PM

BasePriority : Normal

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 624

ThreadCreationTime : 1-11-2007 10:09:31 PM

BasePriority : High

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 668

ThreadCreationTime : 1-11-2007 10:09:31 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 680

ThreadCreationTime : 1-11-2007 10:09:31 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

OriginalFilename : lsass.exe

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 840

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 908

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1000

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1048

ThreadCreationTime : 1-11-2007 10:09:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1100

ThreadCreationTime : 1-11-2007 10:09:33 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

#:11 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1392

ThreadCreationTime : 1-11-2007 10:09:35 PM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

OriginalFilename : spoolsv.exe

#:12 [cisvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1516

ThreadCreationTime : 1-11-2007 10:09:42 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Content Index service

InternalName : cisvc.exe

OriginalFilename : cisvc.exe

#:13 [mcvsrte.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 1548

ThreadCreationTime : 1-11-2007 10:09:42 PM

BasePriority : Normal

FileVersion : 4, 4, 0, 10

ProductVersion : 4, 4, 0, 0

ProductName : McAfee.com VirusScan Online

CompanyName : Mcafee.com Corporation

FileDescription : McAfee.com VirusScan Online Realtime Engine

InternalName : mcvsrte

OriginalFilename : mcvsrte.exe

#:14 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1728

ThreadCreationTime : 1-11-2007 10:09:43 PM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

OriginalFilename : WdfMgr.exe

#:15 [mcshield.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 2024

ThreadCreationTime : 1-11-2007 10:09:46 PM

BasePriority : High

#:16 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 276

ThreadCreationTime : 1-11-2007 10:09:47 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

OriginalFilename : ALG.exe

#:17 [cidaemon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1468

ThreadCreationTime : 1-11-2007 10:17:12 PM

BasePriority : Idle

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Indexing Service filter daemon

InternalName : cidaemon.exe

OriginalFilename : cidaemon.exe

#:18 [cidaemon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1568

ThreadCreationTime : 1-11-2007 10:17:15 PM

BasePriority : Idle

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Indexing Service filter daemon

InternalName : cidaemon.exe

OriginalFilename : cidaemon.exe

#:19 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1012

ThreadCreationTime : 1-11-2007 10:30:14 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

#:20 [hkcmd.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 684

ThreadCreationTime : 1-11-2007 10:30:18 PM

BasePriority : Normal

FileVersion : 3.0.0.4342

ProductVersion : 7.0.0.4342

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

OriginalFilename : HKCMD.EXE

#:21 [mcagent.exe]

FilePath : C:\Program Files\McAfee.com\Agent\

ProcessID : 292

ThreadCreationTime : 1-11-2007 10:30:18 PM

BasePriority : Normal

FileVersion : 4, 0, 0, 26

ProductVersion : 4, 1, 0, 0

ProductName : McAfee.com SecurityCenter

CompanyName : McAfee.com Corporation

FileDescription : McAfee.com SecurityCenter Agent

InternalName : mcagent

OriginalFilename : mcagent.exe

#:22 [directcd.exe]

FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\

ProcessID : 1288

ThreadCreationTime : 1-11-2007 10:30:18 PM

BasePriority : Normal

FileVersion : 5.3.4.21

ProductVersion : 5.3.4.21

ProductName : DirectCD

CompanyName : Roxio

FileDescription : DirectCD Application

InternalName : DirectCD

OriginalFilename : Directcd.exe

#:23 [mcvsshld.exe]

FilePath : C:\PROGRA~1\mcafee.com\vso\

ProcessID : 1292

ThreadCreationTime : 1-11-2007 10:30:19 PM

BasePriority : Normal

FileVersion : 4, 4, 0, 10

ProductVersion : 4, 4, 0, 0

ProductName : McAfee.com VirusScan Online

CompanyName : Mcafee.com Corporation

FileDescription : McAfee.com ActiveShield

InternalName : msvcshld

OriginalFilename : mcvsshld.exe

#:24 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_10\bin\

ProcessID : 480

ThreadCreationTime : 1-11-2007 10:30:23 PM

BasePriority : Normal

#:25 [startfx.exe]

FilePath : C:\Program Files\Creative\Creative Live! Cam\VideoFX\

ProcessID : 832

ThreadCreationTime : 1-11-2007 10:30:23 PM

BasePriority : Normal

FileVersion : 1.80.04.00

CompanyName : Creative Technology Ltd.

FileDescription : Start Advanced Video FX Engine Application

OriginalFilename : StartFX.exe

#:26 [v0250mon.exe]

FilePath : C:\WINDOWS\

ProcessID : 1348

ThreadCreationTime : 1-11-2007 10:30:24 PM

BasePriority : Normal

FileVersion : 1.00.04.00

CompanyName : Creative Technology Ltd.

FileDescription : Live! Cam Console Auto Launcher

OriginalFilename : V0250Mon.exe

#:27 [teatimer.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ProcessID : 208

ThreadCreationTime : 1-11-2007 10:30:27 PM

BasePriority : Idle

FileVersion : 1, 4, 0, 2

ProductVersion : 1, 4, 0, 3

ProductName : Spybot - Search & Destroy

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.

OriginalFilename : TeaTimer.exe

Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

#:28 [dsagnt.exe]

FilePath : C:\Program Files\Dell Support\

ProcessID : 1608

ThreadCreationTime : 1-11-2007 10:30:28 PM

BasePriority : Below Normal

FileVersion : 1, 1, 0, 73

ProductVersion : 1, 1, 0, 73

ProductName : Dell Support

CompanyName : Gteko Ltd.

FileDescription : Dell Support

InternalName : AUAgent

OriginalFilename : AUAgent.exe

#:29 [camtray.exe]

FilePath : C:\Program Files\Creative\Shared Files\

ProcessID : 392

ThreadCreationTime : 1-11-2007 10:30:31 PM

BasePriority : Normal

FileVersion : 3.60.07

ProductVersion : 3.60

ProductName : Creative Cam Detector

CompanyName : Creative Technology Ltd

FileDescription : Creative Camera Launcher Application

InternalName : Creative Camera Launcher Application

OriginalFilename : CamTray.exe

#:30 [msoffice.exe]

FilePath : C:\Program Files\Microsoft Office\Office\1033\

ProcessID : 1932

ThreadCreationTime : 1-11-2007 10:30:38 PM

BasePriority : Normal

FileVersion : 9.0.2601

ProductVersion : 9.0.2601

ProductName : Microsoft Office 2000

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office 2000 component

InternalName : MSOFFICE

OriginalFilename : MSOFFICE.EXE

#:31 [kmllnkod.exe]

FilePath : C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\

ProcessID : 2496

ThreadCreationTime : 1-11-2007 10:31:48 PM

BasePriority : Normal

PestTrap Object Recognized!

Type : Process

Data : kmllnkod.exe

TAC Rating : 3

Category : Malware

Comment : b917ffe96edb3ae8cac14d4a19787706.exe.dmp

Object : C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\

Warning! PestTrap Object found in memory(C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\kmllnkod.exe)

"C:\DOCUME~1\DAVEFA~1\LOCALS~1\Temp\kmllnkod.exe"Process terminated successfully

#:32 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 2536

ThreadCreationTime : 1-11-2007 10:32:03 PM

BasePriority : Normal

#:33 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2884

ThreadCreationTime : 1-11-2007 10:39:43 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

OriginalFilename : Ad-Aware.exe

#:34 [wmiprvse.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 2932

ThreadCreationTime : 1-11-2007 10:40:33 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

OriginalFilename : Wmiprvse.exe

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 1

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : dave [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:dave [email protected]/

Expires : 1-9-2012 4:00:00 PM

LastSync : Hits:1

UseCount : 0

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : dave [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:dave [email protected]/

Expires : 1-9-2010 6:10:56 PM

LastSync : Hits:3

UseCount : 0

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 3

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0 Object Recognized!

Type : File

Data : kmllnkod.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Dave Family\Local Settings\Temp\

0 Possible New Malware 0 Object Recognized!

Type : File

Data : uaelctar.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Dave Family\Local Settings\Temp\

0 Possible New Malware 0 Object Recognized!

Type : File

Data : zfvoqlyx.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Dave Family\Local Settings\Temp\

0 Possible New Malware 0 Object Recognized!

Type : File

Data : winstall.exe

TAC Rating : 0

Category : Data Miner

Comment :

Object : C:\

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 7

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 7

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PestTrap Object Recognized!

Type : Folder

TAC Rating : 3

Category : Malware

Comment : PestTrap

Object : C:\Program Files\PestTrap

Other Object Recognized!

Type : File

Data : KMLLNKOD.EXE-0AC29F49.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

Other Object Recognized!

Type : File

Data : UAELCTAR.EXE-18E47926.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

Other Object Recognized!

Type : File

Data : ZFVOQLYX.EXE-21403AC1.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

Other Object Recognized!

Type : File

Data : WINSTALL.EXE-2DB376CF.pf

TAC Rating : 7

Category : Malware

Comment :

Object : C:\WINDOWS\prefetch\

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 5

Objects found so far: 12

2:53:28 PM Scan Complete

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:12:18.62

Objects scanned:146712

Objects identified:16

Objects ignored:0

New critical objects:16

vtru · January 11, 2007

And here is the HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 3:05:12 PM, on 1/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\V0250Mon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\My Downloads\HJT\myHJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Arcsoft Web Uploader - http://www.cartogra.com/downloads/ReadFileApplet.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/29acf7ce894b8c49df03/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

I will wait until they are needed before I post any SmitFraudFix or Spybot logs. So please let me know if either log is needed.

{Advisor Edit: Posts merged for convenience}

Edited January 12, 2007 by spike-nz

HJThis · January 12, 2007

Hello,vtru & Welcome

First do this for me please

Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINDOWS\V0250Mon.exe

Click on the submit button. Please post the results in your next reply.

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

=============

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

===========

View hidden files and folders:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

===========

Run HijackThis

Scan and when it finishes, put a check mark only next to these following items : (if present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/29acf7ce894b8c49df03/...ip/RdxIE601.cab

Close all browsers and any open Windows, making sure that only HijackThis is open

Click Fix Checked

Close HijackThis

===========

Restart your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe Mode.
Login on your usual account.

If you need further assistance with Safe Mode, see Symantec

===========

Next, please find and delete the following files/folders (if present):

C:\WINDOWS\system32\ntsystem.exe<---This file

==============

Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

Firefox (In case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c . Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.

Now Restart in Normal Mode show me a new HijackThis logfile and the log of the scan i asked you to do.

Gogo

vtru · January 12, 2007

Thank you HJThis for helping me. I was suspicious of V0250Mon.exe as well. JOTTI however found nothing:

Scan taken on 12 Jan 2007 03:30:19 (GMT)

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

Fortinet

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

VirusBuster

Found nothing

VBA32

Found nothing

On the properties tab of the V0250Mon.exe file it says that it is part of my Creative Webcam launcher. There is also a V0250Mon.cfg file that is related to the Webcam as well.

I will now follow the rest of your instructions and post a new HJT log. I will do this after a couple hours however, so if anyone is monitoring this topic please do not expect my follow up post until a few hours have passed.

HJThis · January 12, 2007

Hi,vtru

Thanks for the info on the file.

Gogo

vtru · January 12, 2007

I apologize. I stated I would follow the instructions and post a new HJT log in a few hours. Unfortunately, it has gotten too late. I will have to do all this tomorrow morning. Once again, my apologies for taking so long.

HJThis · January 12, 2007

Hey,vtru

No problme see you in the morning im about to goto bed

my eyes are killing me.

Gogo

vtru · January 12, 2007

Wow. I think you have fixed it. You are Da Man! (Or Da Woman!) Here's the latest HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 11:45:53 AM, on 1/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\V0250Mon.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\My Downloads\HJT\myHJT.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll