Old 02-27-2007, 11:02 AM   #41 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hello again,

I was looking over some of the info you gave me about reformatting and I see that some viruses can survive reformatting, specifically boot viruses. Do I have one of those? Is there any way to know?

db
dbstone is offline  
Old 02-28-2007, 05:40 AM   #42 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi,

Quote:
I ran the chkdsk and fix dsk program again and it found more problems. It had only been one day and I hadn't used my system but to try to resolve these problems. I haven't been online since because I'm now worried about losing my hard drive entirely.
The errors reported by chkdsk indicate damage/corruption on the hard disk.

I have been re-reading your previous posts in other forums as well as this one. It looks like you've been having system problems/errors all along, and chkdsk keeps giving more errors. There appear to be two different issues on our hands: one is a corrupt hard disk, which we cannot do anything about; it would be a hardware problem and I would suggest you visit the hardware forum for it. The second is the malware (virus, spyware, adware, trojans, etc.) issue.
There are also a couple of points that I would like to bring up.

One is that you are and have been using an unpatched operating system, i.e. XP SP1. If you have not upgraded to Windows XP SP2 then you have been doomed to be infected. There have been hundreds of exploits used to infect your system, and Microsoft issues patches monthly via Windows Update. Simply connecting to and browsing the net will get you infected if you have not kept your system patched. Not patching your system not only keeps your system infected but allows it to be used to spread infections and allows hackers to use your system for their criminal deeds. It is your duty as an internet citizen to keep your system patched.

Having said all that, I would also point out that an infected system must be cleaned before updating to SP2. Dr.Web CureIt and SysClean did not find any problems, but your TrendMicro did. If you still don't want to reformat & reinstall and want to continue trying to clean up (which can never be guaranteed with the kind of infection you had), I would like you to download ONE of each of the following antivirus and firewall applications to your desktop (using the "save" option). Then, disconnect from the internet, go to Start > Control Panel > Add/Remove Programs and remove all TrendMicro products. Next, go back to the desktop, click on the setup icons of the AV and the firewall applications you've downloaded and install them. Re-connect to the internet and update your new antivirus application. Run a full system scan and let me know if you're still receiving the virus alerts.

AVG Free here
AntiVir here
Avast here

Make sure that you have only ONE antivirus running on your computer

firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall here

Make sure that you have only ONE firewall running on your computer

The second issue is the fact that there is a certain key in the Windows registry that is not showing in any of your logs, be it in this thread or the previous ones.

Please click HERE
(Use Internet Explorer ONLY!! Firefox or other browsers won't work)

Click on Windows Validation Assistant on left
Click on the Validate Now button.
Be patient while the ActiveX loads, do not click on any links.
Read the instructions on this page while it's loading
You will be prompted to install - click YES
Enter your Product key
To find the key: click Start, right-click My Computer, and then click Properties. On the General tab, under Registered to, enter that number.
Then click Continue
When it says "Validation Complete" please click Continue to return to your previous activity
Copy what it says and paste it here please.

Quote:
I very much appreciate all of your help here and sticking through this even though your best judgement was that I should reformat and reinstall. I take full responsibility for my decision to try to fight the virus instead. When I finally get this situation fixed, I'll be back to contribute something for all your hard work.
I am not familiar with x-cleaner. Therefore, I cannot make any comments on it. This page has some info on it. It just doesn't look like a product that would cause the kind of problems you've been having.

Quote:
I was looking over some of the info you gave me about reformatting and i see that some virus' can survive reformatting, specifically boot virus'. do I have one of those? is there any way to know?
I honestly don't know. I would like to quote my earlier statement:

Quote:
We can clean the infections. But even with doing so I, unfortunately, cannot guarantee the security of your computer afterwards as I have no way of knowing what other damage has been done by the RootKit/RAT.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

amateur is offline  
Old 02-28-2007, 09:01 AM   #43 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


hello,

Well, I'll try these things and get back to you. Can I install these while in Safe Mode (I have them saved on a jump drive)? Would this be the best?

And in my own defense! I had tried to update with SP2 twice when it first came out, but my computer never worked properly when I did. Perhaps I already had spyware on it. It was a couple of years ago now and I was fairly ignorant of such things then. There was a lot of talk about viruses then, but not much on spyware. Plus SP2 comes loaded with its own spyware (Hotbar) and this led me to mistrust Microsoft. I did update regularly with critical updates though and was in fairly good shape until I reinstalled.

I am a good citizen! Just new and slightly uninformed.

It wasn't until I joined this site that I regained some trust for SP2. So we'll see. I'll have to wait until I have my system cleared anyway.

db
dbstone is offline  
Old 02-28-2007, 09:13 AM   #44 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hello again,

Quote:
Well, I'll try these things and get back to you. Can I install these while in Safe Mode (I have them saved on a jump drive)? Would this be the best?
Do you mean the antivirus and the firewall applications? If so, you don't need to install them in Safe Mode; Normal Mode will do. Make sure that the computer is disconnected from the internet first. Remove all TrendMicro products. Reboot. Install the antivirus and the firewall. Reboot again if required. Re-connect to the internet and update the antivirus before you carry out a complete system scan.

amateur is offline  
Old 02-28-2007, 06:55 PM   #45 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi there.

Well, I chose to use avast antivirus and it did find a virus. It found a win32:vanbotj (trojan horse) in file C:\systemvolumeinformation\_restore{fb851716-8bal-4b6d-a78... and then in three more files which I didn't write down and couldn't find a way to make a log for you. The virus was deleted.

I was never asked to put my product key into the windows validation tool, but it says I have a valid copy:

Thank you for running the Windows Validation Assistant. It appears that your Windows Product Key is valid.

This is a strong indicator that your operating system is genuine, however the Windows Validation Assistant cannot make a final determination

db
dbstone is offline  
Old 02-28-2007, 07:34 PM   #46 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


OK.. So far so good. Did you install a firewall as well? I never got the results of the instructions in my Post #39. If you haven't carried them out yet, please do it now. If you cannot stay online long enough to scan with Panda, you can replace it with the following scan, which can be done offline once it's downloaded. It's a very thorough scan and will take a long time. It may be a good idea to run CCleaner prior to the scan to cut down on the scanning time.

Please download MWav eScan to a convenient location. This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav by double-clicking on mwav.exe. Put a check next to the items below before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. *NOTE* MWav may pause and appear to be finished, but it isn't done. Just let it run until it says it's complete. On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". Once the scan is complete, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely big so there is no way to post the whole log. I just need the infected items list from that window.

Let me know how all that went and post back the results from GMER, Panda or MWav along with a fresh HijackThis log please.

amateur is offline  
Old 02-28-2007, 08:23 PM   #47 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Actually I just remembered that Panda and Avast don't get along. Please don't even try scanning with Panda, proceed to scan with mWav. Thanks.

amateur is offline  
Old 03-01-2007, 05:26 PM   #48 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


ok.

Yes. I'm using the ZoneLabs firewall, and it's been working very hard. I'm a little embarrassed that I didn't have a firewall. I was under the impression that Windows XP came with its own... oohhh the shame of it!

AVG Anti-Spyware didn't find anything, so no log for them.

Couldn't do GMER in Safe Mode. The page opens too large in Safe Mode to get to the scan button; the scan button was hidden behind the close button and I couldn't get to it to save my life. Hope that's not an issue.

The MWav I did do in Safe Mode because I had to leave it running when I went to work and didn't feel "safe" leaving my computer on in Normal Mode given the situation. Hope that's OK as well. I got instructions for removing the viruses from _restore and can go ahead and do that unless you had some other ideas.

Here's the rest of the logs:

gmer:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-01 09:55:04
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ 50, 8E, EF, F4 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1A0 8050261C 4 Bytes [ 10, 58, EF, F4 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ 70, 06, F0, F4 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C4 80502640 12 Bytes [ E0, 91, EF, F4, 70, F4, EF, ... ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1D4 80502650 4 Bytes [ C0, 2C, F0, F4 ]
.text ...
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 7203407A
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034205
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 720340E9
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72034098
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ 50, 8E, EF, F4 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1A0 8050261C 4 Bytes [ 10, 58, EF, F4 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ 70, 06, F0, F4 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C4 80502640 12 Bytes [ E0, 91, EF, F4, 70, F4, EF, ... ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1D4 80502650 4 Bytes [ C0, 2C, F0, F4 ]
.text ...

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F4F0A880] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F4F0A880] vsdatant.sys

---- EOF - GMER 1.0.12 ----


mwav:

Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "lop.com Spyware/Adware" found in File System! Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\config.ini". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\templates.zip". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\msxml3a.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ZoneLabs\isafeif.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ZoneLabs\vetredir.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sophos\AutoUpdate\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sophos\AutoUpdate\Config\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bfu". Action Taken: Entries Removed.
File C:\WINDOWS\System32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: File Deleted.
File C:\WINDOWS\System32\setup_04436.exe//PE_Patch infected by "Packed.Win32.CryptExe" Virus! Action Taken: File Renamed.
File C:\SDFix\backups\backups.zip/backups/i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: File Deleted.
File C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP30\A0012521.exe tagged as "not-a-virus:RiskTool.Win32.Starter.a". Action Taken: File Deleted.
File C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP35\A0015943.exe//PE_Patch infected by "Packed.Win32.CryptExe" Virus! Action Taken: File Renamed.
File C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP35\A0016033.exe//PE_Patch infected by "Packed.Win32.CryptExe" Virus! Action Taken: File Renamed.
Traces of "Welchia" found and cleaned !!!

hjt:

Logfile of HijackThis v1.99.1
Scan saved at 7:04:20 PM, on 3/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ran another chkdsk. More problems were found and more problems were fixed. Logging on seems less problematic and things are moving a little more quickly. My copy of SP2 came on CD, so let me know when it's OK to install.


thanks
db
dbstone is offline  
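A small triage pass over the HijackThis log posted above, as an added example (not the forum's or HijackThis's own code): it pulls the Platform line, the R1 ProxyOverride, the O4 autostarts and the O23 services out of the log and flags what an analyst checks first, namely services whose binary is reported "(file missing)" (such as the leftover Trend Micro firewall service), startup shortcuts whose target could not be resolved, an image path with an unbalanced quote, and a platform still on SP1. The sample is a trimmed copy of the log lines above.

```python
import re

# Sample input: entries copied from the HijackThis log posted above, trimmed to
# the lines this triage pass looks at.
HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis finding line has the shape "Rx - body" or "Oxx - body".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O4 Run-key autostarts: "HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
MISSING = " (file missing)"


def triage(log_text):
    """Parse a HijackThis log and collect the points an analyst checks first."""
    f = {
        "platform": None,
        "unpatched_platform": False,      # still on SP1, as discussed in the thread
        "proxy_override": None,
        "run_entries": [],                # (hive, name, command line)
        "unresolved_startup_links": [],   # "x.lnk = ?": HJT could not resolve the target
        "services": [],                   # (display name, owner, image path, file_missing)
        "missing_service_binaries": [],   # service still registered, binary gone
        "malformed_service_paths": [],    # unbalanced quote in the image path
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Platform: "):
            f["platform"] = line[len("Platform: "):]
            f["unpatched_platform"] = re.search(r"\bSP1\b", line) is not None
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and ",ProxyOverride = " in body:
            f["proxy_override"] = body.split(" = ", 1)[1]
        elif kind == "O4":
            run = RUN_RE.match(body)
            if run:
                f["run_entries"].append((run.group("hive"), run.group("name"), run.group("cmd")))
            elif body.endswith(" = ?"):
                f["unresolved_startup_links"].append(body.split(": ", 1)[1][:-len(" = ?")])
        elif kind == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            missing = path.endswith(MISSING)
            if missing:
                path = path[:-len(MISSING)]
            f["services"].append((name, owner, path, missing))
            if missing:
                # A stale registration: the usual leftover of an uninstalled product
                # (here the Trend Micro firewall the analyst had asked to remove).
                f["missing_service_binaries"].append(name)
            if path.count('"') % 2 == 1:
                f["malformed_service_paths"].append(name)
    return f


def summarize(f):
    """Human-readable triage lines, in the order an analyst would read them."""
    out = [f"platform: {f['platform']}" + ("  <-- unpatched, SP1" if f["unpatched_platform"] else "")]
    if f["proxy_override"]:
        out.append(f"proxy override: {f['proxy_override']}")
    for hive, name, cmd in f["run_entries"]:
        out.append(f"autostart {hive} [{name}] {cmd}")
    for link in f["unresolved_startup_links"]:
        out.append(f"startup shortcut with unresolved target: {link}")
    for name in f["missing_service_binaries"]:
        out.append(f"service with missing binary: {name}")
    for name in f["malformed_service_paths"]:
        out.append(f"service path with unbalanced quote: {name}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(HJT_SAMPLE))))
```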
Old 03-01-2007, 06:57 PM   #49 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi db,

Well done. Things are looking much better.

Quote:
Yes. I'm using the ZoneLabs firewall, and it's been working very hard. I'm a little embarrassed that I didn't have a firewall. I was under the impression that Windows XP came with its own... oohhh the shame of it!
I am glad that you have the firewall installed too. Windows XP does come with a firewall, but it's only good for incoming threats, whereas a third-party firewall protects your system both ways, incoming and outgoing.

Quote:
AVG Anti-Spyware didn't find anything
That's good. Did Avast find anything?

Quote:
Couldn't do GMER in Safe Mode.
That's fine. GMER works in both Safe Mode and Normal Mode.

Quote:
The MWav I did do in Safe Mode
That's also OK. The viruses in the System Restore will not be harming you at the moment. We'll flush them later so that if you ever have to restore the system to an infected date, they will not be re-activated.

Quote:
Ran another chkdsk. More problems were found and more problems were fixed.
Well, that's not too good. It may simply be the sign of a corrupt file system or a faulty hard disk. I would suggest that you post at the relevant forums and have it diagnosed. It would also be a good idea to have all your documents and pictures backed up on removable storage to prepare yourself for any eventuality in case the hard disk turns out to be faulty.

As far as malware is concerned, I think the system is as clean as it can get. Logs are all good.

Let's flush your System Restore points now:
  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.

This will remove all previous restore points except the newly created one.

Before I can give you the "all clean" speech, I would like you to run MWav once more and post the results please.

amateur is offline  
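To show why the analyst separates hits inside System Restore from live ones, here is an added parser (not the forum's or MWav's own code) for the MWav output format seen in this thread: it sorts each line into live file hits, restore-point hits, adware objects, stale registry references and "traces", and lists the restore points (RPnn) that still hold infected copies, which is what the Cleanmgr step above flushes. The sample lines are copied from the MWav log posted earlier; treating the `//PE_Patch` suffix as the scanner's sub-object notation rather than part of the on-disk path is an assumption.

```python
import re

# Sample input: lines copied from the MWav log posted earlier in this thread.
MWAV_SAMPLE = r"""Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\msxml3a.dll". Action Taken: Entries Removed.
File C:\WINDOWS\System32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: File Deleted.
File C:\WINDOWS\System32\setup_04436.exe//PE_Patch infected by "Packed.Win32.CryptExe" Virus! Action Taken: File Renamed.
File C:\SDFix\backups\backups.zip/backups/i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: File Deleted.
File C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP30\A0012521.exe tagged as "not-a-virus:RiskTool.Win32.Starter.a". Action Taken: File Deleted.
File C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP35\A0015943.exe//PE_Patch infected by "Packed.Win32.CryptExe" Virus! Action Taken: File Renamed.
Traces of "Welchia" found and cleaned !!!
"""

FILE_RE = re.compile(
    r'^File (?P<path>.+?) (?:infected by|tagged as) "(?P<name>[^"]+)"'
    r'(?: Virus!|\.) Action Taken: (?P<action>.+?)\.$'
)
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>.+?)! Action Taken: (?P<action>.+?)\.$')
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>[^"]+)"\. Action Taken: (?P<action>.+?)\.$')
TRACES_RE = re.compile(r'^Traces of "(?P<name>[^"]+)" found and cleaned')
# System Restore keeps copies of files under _restore{GUID}\RPnn\; a hit there is
# dormant until someone restores to that point.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)


def classify(log_text):
    """Sort MWav result lines into the categories an analyst reads separately."""
    out = {
        "live_hits": [],           # (on-disk path, detection name, action)
        "restore_point_hits": [],  # (restore point id, detection name, action)
        "adware_objects": [],      # (name, where found, action)
        "stale_registry_refs": [], # (registry key, missing object, action)
        "traces": [],              # names reported as "Traces of ... found and cleaned"
        "unparsed": [],            # anything this parser does not recognise
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            # Assumption: text after "//" is the scanner's sub-object (packer layer)
            # notation, so it is dropped to get the path that exists on disk.
            path = m.group("path").split("//", 1)[0]
            rp = RESTORE_RE.search(path)
            if rp:
                out["restore_point_hits"].append((rp.group("rp"), m.group("name"), m.group("action")))
            else:
                out["live_hits"].append((path, m.group("name"), m.group("action")))
            continue
        m = OBJECT_RE.match(line)
        if m:
            out["adware_objects"].append((m.group("name"), m.group("where"), m.group("action")))
            continue
        m = ENTRY_RE.match(line)
        if m:
            out["stale_registry_refs"].append((m.group("key"), m.group("obj"), m.group("action")))
            continue
        m = TRACES_RE.match(line)
        if m:
            out["traces"].append(m.group("name"))
            continue
        out["unparsed"].append(line)
    return out


def restore_points_to_flush(findings):
    """Restore points still holding infected copies; the Cleanmgr step removes
    every restore point except the freshly created one, so these go with it."""
    return sorted({rp for rp, _, _ in findings["restore_point_hits"]})


def summarize(findings):
    rps = restore_points_to_flush(findings)
    return [
        f"live file hits: {len(findings['live_hits'])}",
        f"hits inside System Restore: {len(findings['restore_point_hits'])} "
        f"(restore points: {', '.join(rps) if rps else 'none'})",
        f"adware objects: {len(findings['adware_objects'])}",
        f"stale registry references: {len(findings['stale_registry_refs'])}",
        f"traces cleaned: {', '.join(findings['traces']) or 'none'}",
        f"unparsed lines: {len(findings['unparsed'])}",
    ]


if __name__ == "__main__":
    print("\n".join(summarize(classify(MWAV_SAMPLE))))
```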
Old 03-02-2007, 05:27 PM   #50 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


hello,

avast found this virus after I first installed it:
win32:vanbotj (trojan horse) in file C:\systemvolumeinformation\_restore{fb851716-8bal-4b6d-a78

I just scanned again after scanning with mwav and it found nothing. Here's the log for mwav:

Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\config.ini". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\templates.zip". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\msxml3a.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ZoneLabs\isafeif.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\ZoneLabs\vetredir.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sophos\AutoUpdate\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Sophos\AutoUpdate\Config\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bfu". Action Taken: Entries Removed.

SpywareGuard went crazy when I was running MWav, with a lot of business about changes made to my IE start-up page. I had to exit the program to get it to stop. IE loaded fine, so I don't know what that was all about.

I await further instructions.....
db
dbstone is offline  
Old 03-03-2007, 08:23 AM   #51 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi,

Quote:
avast found this virus after I first installed it:
win32:vanbotj (trojan horse) in file C:\systemvolumeinformation\_restore{fb851716-8bal-4b6d-a78
That was in the system restore. It's not there anymore because we flushed the system restore.

===========================================

Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware SE is 1.06 and Spybot 1.4. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

===========================================

Please post one more HijackThis log and let me know how the computer is running now.

amateur is offline  
Old 03-03-2007, 10:18 AM   #52 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi, I'm getting all kinds of error messages at the TomCoyote website, starting with the link provided... is there another way?
dbstone is offline  
Old 03-03-2007, 11:03 AM   #53 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,622
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Sorry about that. I'm getting the same error. It must have changed. Try these links:

Spybot S & D

Remember to “immunize” after updating so that the latest definitions can be enabled.

Adaware SE

amateur is offline  