[andraea]

A kind person called Lorac in another forum said I might post my problem here.
I have e Trust EZ Armor virus scanner. I scan with it and it finds nothing. Yet it keeps sending me a pop-up that it finds and deletes a Conficker A infection in System32\x (signature6296)
and jpg in C:\Documents & Settings\Network Services\Local Settings\Temporary Internet Files\Content IE5\.......
I have been in and out of Safe Mode scanning...
I have run the F Secure tool for removal (it has a little DOS window)
I have scanned with MalwareBytes Anti Malware.....
I have looked for the files manually and can't find them.
I have run Hitman Pro and it found nothing.
I have run online scanners and they haven't found it.

I was recommended Combofix but am not technical enough to dare to use it.
What can I do to get rid of this infection.
I am not directly on the net but behind a Linux Server. A small PC upstairs.
Thanks for any advice.

Newbie Andraea

[Fred Flintstone]

Hi andraea.. welcome to BFC..
I am just off to work, but please follow the instructions below:

Download HJTInstall.exe to your Desktop.

• Doubleclick HJTInstall.exe to install it.
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed, it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Also run another scan with MalwareBytes (MBAM) Remember to updae it first and post that log as well.
I will take a look as soon as I get home tonight.

Thanks,
Fred..

[andraea]

Thank you Fred Flintsone...
I have just run MalwareBytes but there is no point in sending the log. It said, in Dutch, Congratulations no infections found.
alwarebytes' Anti-Malware 1.33
Database versie: 1674
Windows 5.1.2600 Service Pack 2

21-1-2009 20:22:50
mbam-log-2009-01-21 (20-22-50).txt

Scan type: Volledige Scan (C:\|)
Objecten gescand: 143561
Verstreken tijd: 35 minute(s), 44 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

I have, I repeat. scanned with most everything I know online too. ... Kaspersky.
Also SuperAntiSpyware, Registry Mechanic, Spybot Search and Destroy ...
NOTHING I have tried so far, as stated in my original post finds it and cleans it.
Yes I have looked it up on the Internet and It does have random entries in the registry... HKLM ... services? but those may change I think. I have tried to find them via Run ... Regedit... but am not sure what to look for.

It is that there seems to be something in System32 that EZ Armor keeps deleting and it regenerates itself somehow.
It sends this popup window saying so.

I already have HijackThis This is the scan log.

Logfile of HijackThis v1.99.1
Scan saved at 19:39:47, on 21-1-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\e trust\CAVTray.exe
E:\e trust\CAVRID.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Creative Suite2\Adobe Acrobat 7.0\Distillr\Acrotray.exe
E:\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Winamp Pro\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
E:\Webshots\Webshots.scr
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
C:\WINDOWS\explorer.exe
E:\magnifying 1\Virtual Magnifying Glass\Magnifying Glass.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\e trust\VetMsg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thundercloud....start/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Creative Suite2\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CaAvTray] "E:\e trust\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\e trust\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Creative Suite2\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AAWTray] E:\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_SFF.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Winamp Pro\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "E:\msnplus\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Schermopname en Snel starten.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Webshots.lnk = E:\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185382558843
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcp...opAntiVirus.dll
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast....ostClientIE.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=26688
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\SuperAntiSpywareFreeEdit\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\e trust\VetMsg.exe

Thank you anyway... Betty Rubble... aka Andraea

[Fred Flintstone]

Hi again andraea.. or Betty.. which do you prefer??..
Ok..
You are running a protection program which could interfere with the fixes needed.
We need to temporarily disable it.

Disable TeaTimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

We can re-enable it once your system is clean.

Next:
Run HijackThis
Click on do a system scan only
Place a check next to these lines(if still present)

O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Filter: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)


Then close all windows and browsers except HijackThis and click Fix Checked

Next:
Download Rooter.exe to your desktop

• Then doubleclick it to start the tool
  
• A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

Then:
Please Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Please post back with the logs and we'll go from there.
As for the suggestion to use ComboFix, it might well come to that, but although it is a very powerful tool.. the developer has incorporated some very effective safeguards into it!.
You do not have to be "technical" to use it, all you have to do is follow the instructions carefully.
ComboFix is only "dangerous" if used unsupervised / carelessly.

But, let's see how these logs are first.

Thanks
Fred..

By the way:
Your version of HijackThis is SERIOUSLY out of date.
Use the link in my earlier post to update it. Once you have the new version downloaded .. get rid of the old one via "Add / Remove programs in control panel.

[andraea]

Hello Fred Flintstone... I said Betty in reply to your Alias. LOL
I have tried to do what you suggested but it is not working the darn EZ Armor window just popped up again.

Here is one of the log files.
Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : AMD Opteron™ Processor 146 )
BIOS : BIOS Date: 10/26/06 18:30:08 Ver: 08.00.12
USER : Mum ( Administrator )
BOOT : Normal boot

Antivirus : eTrust EZ Antivirus 7.0.7.7 (Activated)


A:\ (USB)
C:\ (Local Disk) - NTFS - Total:19 Go (Free:6 Go)
D:\ (CD or DVD)
E:\ (Local Disk) - NTFS - Total:64 Go (Free:32 Go)
F:\ (Local Disk) - NTFS - Total:48 Go (Free:12 Go)
G:\ (Local Disk) - FAT32 - Total:56 Go (Free:36 Go)
H:\ (CD or DVD)
I:\ (CD or DVD)

do 22-01-2009| 4:54

----------------------\\ Search..

Trojan ! .. C:\Program Files\Revival\revival.exe

----------------------\\ Tasks

C:\WINDOWS\tasks\At1.job

----------------------\\ Cracks & Keygens..

C:\DOCUME~1\Mum\.housecall6.6\Quarantine\live @ winxp keygen.zip.bac_a02388


1 - "C:\Rooter$\Rooter_1.txt" - do 22-01-2009| 4:55

----------------------\\ Scan completed at 4:55

I ran HiJackThis and it fixed the items mentioned.
Here is the latest scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:10, on 22-1-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
E:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\e trust\CAVTray.exe
E:\e trust\CAVRID.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Creative Suite2\Adobe Acrobat 7.0\Distillr\Acrotray.exe
E:\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Winamp Pro\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
E:\Webshots\Webshots.scr
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
C:\WINDOWS\explorer.exe
E:\magnifying 1\Virtual Magnifying Glass\Magnifying Glass.exe
E:\e trust\VetMsg.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thundercloud....start/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Creative Suite2\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CaAvTray] "E:\e trust\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\e trust\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Creative Suite2\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AAWTray] E:\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_SFF.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Winamp Pro\Winamp\winampa.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "E:\msnplus\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Schermopname en Snel starten.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Webshots.lnk = E:\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://E:\Creative Suite2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185382558843
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcp...opAntiVirus.dll
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast....ostClientIE.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=26688
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)
O20 - Winlogon Notify: !SASWinLogon - E:\SuperAntiSpywareFreeEdit\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\e trust\VetMsg.exe

--
End of file - 11064 bytes

The SmitFraud Fix didn't work. it wouldn't do anything but zap off / away / shut.
There was a message that Process.exe file is missing. I have no idea Maybe it wasn't in the zip. I am sending it to the recycle bin. I don't like my desktop so cluttered with things I don't understand.
Sorry.


I have worked through the night to try this to keep in your timezone, probably... but need sleeeeeeep!

Thanks for your help
Andraea

[Fred Flintstone]

Hi andraea..

Quote

Hello Fred Flintstone... I said Betty in reply to your Alias. LOL

Thought I didn't recognise you as the girl next door!!..

My timezone is GMT.. but I work weird hours anyway!...


Missed one?
Run HijackThis
Click on do a system scan only
Place a check next to these lines(if still present)

O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - (no file)

Then close all windows and browsers except HijackThis and click Fix Checked

Notice you still have TeaTimer running..

Disable TeaTimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

We can re-enable it once your system is clean.
If you are having problems disabling this, let me know..

Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe

A log (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the log in your next reply together with a new HijackThis log.

Then:

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  • DDS.txt
    
  • Attach.txt
  
  
• Save both reports to your desktop.

-----------------------------------------------------

Please include the following logs in your thread:

• Contents of the DDS.txt posted as text in your reply
  
• Attach the Attach.txt to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.

Thanks..
Fred..

PS: If you get problems with EZ Armour "popping up" during any of these procedures, best to disconnect from the internet after downloading the tools and disable all your protection programs before running the tool.
Re-enable them before reconnecting to the web....

[andraea]

Hi Fred.
OK you must be in the UK .... this ex pat is in the Netherlands.
You are asking rather a lot of me. Might all seem easy to you.... but.
I now have problems starting Spybot S&D. I just get internal clicks. It doesn't seem to want to work anymore.
I will have to uninstall it.
Sorry.
I have no idea what I have done. I did find a minute box called Resident and unchecked that. And re-checked it just now.
I only had the options on the left in tools of View report, IE Tweeks, System Start up, Uninstall and Winsock.
Never liked the programme anyway.

I am going to uninstall via software if I can and get back and see what is what.
Thank you.
And I would much rather be talking ... or taking instruction on MSN. I find it easier than keeping this website / forum open.

This Betsy Rubble has... on occasions Alzheimers LITE.
will be back.

[andraea]

Hello Fred,
I am back having uninstalld Spybot S&D. I don't need it.
Here are the logs requested. I have tried to upload them but don't forget I am no expert in forums.
Hope it all works.

Next question. How do I disable any script blocker??? No idea I even had any.
Thanks...
Andraea

Attached File(s)

•  Deljob_logit.txt (4.5K)
  Number of downloads: 2
•  hijackthis_scan_3.txt (10.22K)
  Number of downloads: 3

[Fred Flintstone]

Hi again andraea..

andraea, on Jan 22 2009, 06:56 PM, said:

Here are the logs requested. I have tried to upload them but don't forget I am no expert in forums.
Hope it all works.

You're doing fine.. :D
You uploaded deljob and the HijackThis logs ok, but you didn't give me the DDS logs.
Here are the instructions again:

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  • DDS.txt
    
  • Attach.txt
  
  
• Save both reports to your desktop.

-----------------------------------------------------

Please include the following logs in your thread:

• Contents of the DDS.txt posted as text in your reply
  
• Attach the Attach.txt to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.

Quote

Next question. How do I disable any script blocker??? No idea I even had any.

This could be your EZ Armour (I'm not familiar with this program) if it pops up with any "complaints / warnings" when you run any of these tools you need to either "allow" them to run, or disable EZ Armour until you have finished running the tool.
This is also why I asked you to disable TeaTimer, it is designed to prevent changes to your PC and interferes with any fixes we do.
Please post back the DDS logs, if you have any problems let me know.

Thanks..
Fred..
PS: MSN would be difficult as we appear to be online at different times of day..
Also, most forums don't allow that practice as the logs and fixes can be used as a reference in the future for other problems.

[andraea]

Thank you Fred,
Here are the requested dds logs. I can make neither head nor tail of them. I don't know what you are looking for. But I do know that Conficker A does make registry entries.
It is relativily new and seems, from my net searches to have not many successful solutions. Infections are spreading.

"When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcsAttempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

hxxp://www.getmyip.org hxxp://getmyip.co.uk hxxp://checkip.dyndns.org hxxp://whatsmyipaddress.comAttempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe
Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm. "

Again I am not directly on the net, but behind a LAN server in Linux which one of our son's is the Admin of. He says this worm can not do much because I am not directly net-linked. But it is a PAIN in the proverbial.
He accesses our LAN server remotely if necessary. THAT is the advantage of Linux.
Wish you could do the same for this windows PC.

It is easier to get rid of "People" worms than PC ones.

You are much appreciated even though E Trust EZ Armor says the darn thing is still there.
Andraea

Attached File(s)

•  Attach_dds_tool_log.txt (10K)
  Number of downloads: 1
•  DDS_tool_log.txt (12.98K)
  Number of downloads: 1

[Fred Flintstone]

Hi Andraea..
Apologies for the delayed response, been an awful time in work last couple of days and I have been from "bed to work"!!
I am on a flying visit to home at present, and just back out through the door again!!..


Make sure you have this patch installed:
Go HERE to download and apply the patch.

Let's see if that system32\x folder is still there and find what's in it!..

Please download DirLook by jpshortstuff from here.

• Double-click DirLook.exe to run it.
  
• Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
  
• Copy the content of the following codebox into the textfield labeled "Directory:":
  
  

  c:\windows\system32\x

  
  
  
• Click the DirLook button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)

Then:
Please download RegQuery by Noviciate to your desktop

• Copy the following registry keypath by highlighting the RED text and pressingCTRL and C at the same time

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

• Double click RegQuery.exe to run the program
  
• Paste the text you have copied using CRTL and V, into the textbox
  
• Click the Query button
  
• A Notepad file will open. Please paste the contents in your next reply
  
• You may now close the RegQuery program

Please post back the logs and I will be back in a few hours to check..

Thanks..
Fred...

This post has been edited by Fred Flintstone: 24 January 2009 - 11:59 AM

[andraea]

Thank you Fred...
Done.

DirLook.exe v2.0 by jpshortstuff
Log created at 14:50 on 24/01/2009
==================================
Contents of "c:\windows\system32\x"

Unable to find directory.

==================================
=EOF=

I hope that this is the info you want. I am a Mum, plain and simple and no tech expert.
EZ Armor keeps popping up saying it has deleted the files and that it is still there ... System32\x deleted.
System32\x infected. In that order.

In my net searches re Conficker A, I think I read that it "cloaks" itself.. ie hides. Invisible. Like the Invisibility Cloak in Harry Potter.

I value your analytical mind. This pop-up is getting to me. Irksome and irritating.
I have no idea how it got there or how to stop it.

Andraea
Attached the other log.

Attached File(s)

•  Reg_Query_zyxqueryxyz.txt (1.36MB)
  Number of downloads: 2

[andraea]

Just a thought
I don't understand all of this but CA have this tech info...

http://www.ca.com/se...s.aspx?id=75911

It looks like the sort of info that you understand and have been looking to find in these logs.
Thanks again.
Andraea

[Fred Flintstone]

Hi andraea..
I am not finding any trace of the files / folders / registry values you mention in these logs.
I would like you to download and run ComboFix.
This tool gives a better spread of information in it's log, but also fixes / cleans as it runs!

I know you remarked that you are "not technical enough" to run this.. but I think this is now the way to proceed.
I assure you, it doesn't require any "technical" ability on your part to install or run ComboFix, just follow the instructions as you have done perfectly adequately up to now, and you will be fine...

Download ComboFix from: This Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[andraea]

Thank you Fred for ALL your help so far. I have read through the instructions for using Combofix here: http://www.bleepingc...to-use-combofix
As I have said my PC is in DAILY use for graphics work and Internetting with contacts for this.
The instructions are clear but I have to disconnect from the Internet and as part of a LAN which my son set up I have no idea on how to restore that should anything go wrong.

I do have a technical person I can call, who first recommended it to me. He is I believe a Dutch Network Supervisor. I would like to ring him first to see if he is available to do this. If he can spare time I will see if he can do it. I do NOT want to loose anything on this machine. It is my love and lifeline.

Please be patient. I hope to be back, a.s.a.p.
Thank you.

[Fred Flintstone]

Hi andraea..
It would be a good idea to get the important data backed up / saved before going further.
This applies to everyday use as well, you never know when a system crash will take your PC down at the best of times!
Would be worth asking this person to check out the server as well if they have that expertise?
I confess, I have ZERO knowledge about Linux in any shape or form so wouldn't know what scanners work on that system!..
(But, if needed I will read up on it)!

andraea, on Jan 25 2009, 11:02 AM, said:

Please be patient. I hope to be back, a.s.a.p.
Thank you.

No problem, take all the time you need.. I am off to work soon and will be back later this evening.
(and I am here several times a day anyway)!!...

[andraea]

Hello Fred,
It must seem very odd to you that I have not replied.
I have waited some time before answering, partly on purpose.

I have no idea what happened but since my last post that E Trust EZ Armor pop-up window about the deletion of this Conficker A has not re-appeared.

Wether the infection has gone or something else has stopped it popping up, I cannot say. In any case I am (knock-knock, touch wood) no longer bothered by it at the moment.

Maybe it was a patch I installed on your advice... who can tell.
But I want to thank you very, very much for your time and advice.

May others find as much benefit from your patient attention.

Andraea

[Fred Flintstone]

Hi andraea.. sorry for the delayed reply, moved house and it took forever to get my broadband reconnected!!

Glad to hear your issues appear to be resolved, if anything else crops up.. feel free to call back anytime... :D

Regards,
Fred..

[Fred Flintstone]

Since this issue appears to be resolved, this Topic is now closed. Should you need this thread reopened, please PM me or another Staff member, including the address of this thread and we will reopen it for you.