Tech Support Forum, Resolved HJT Threads (Virus/Trojan/Spyware Help)
#1, 09-04-2006, 12:43 PM, Heinz 57 (Registered User; Join Date: Aug 2004; OS: XP)
computer slow and possibly infected

Hi

It's been a while since I last needed help from this forum. I have just come back to this computer after leaving it sometime in January this year. Since then it has had nothing but Zone Alarm, Ad-Aware and AVG (with updates), because that's all my dad ever does to it. My own security checks go through Cleanup!, HJT, Registry Mechanic, Spybot S&D and online scanners such as Housecall and Panda ActiveScan.

I have run Panda ActiveScan, which produced this log file:

====================

Incident Status Location

Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/gimmy Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Belnk Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt[.ath.belnk.com/]
Virus:Trj/ClassLoader.E Disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip[SandBoxEscape.class]
Virus:Trj/ClassLoader.E Disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip[SuperMSClassLoader.class]
Virus:Trj/ClassLoader.E Disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip[Installer.class]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Cookies\hansueli & adrian@ad.yieldmanager[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Dokumente und Einstellungen\Hansueli & Adrian\Cookies\hansueli & adrian@apmebf[1].txt
Adware:Adware/AzeSearch Not disinfected C:\HJT\backups\backup-20050622-112016-842.dll
====================

Then I tried Housecall, which told me that I had no Java Runtime Environment running. I had one installed (two separate things, actually), which I uninstalled; then I downloaded the newest update and installed it, and Housecall still complained about no Java. When I went further anyway, it told me about an "ASP.NET Path Validation Vulnerability", and the second time round it just closed the browser.

I also ran ewido security suite which produced this log

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Created on: 18:44:43, 04.09.2006
+ Report checksum: 70D51027

+ Scan result:

:mozilla.7:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.13:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.25:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.26:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.29:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.59:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.60:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Netscape\NSB\Profiles\39cx9wgi.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\HJT\backups\backup-20050622-112016-842.dll -> Adware.Zbar : Cleaned with backup


::End of report


====================

After that I ran HJT (I hope I found the newest version) and got this log:

====================

Logfile of HijackThis v1.99.1
Scan saved at 18:45:23, on 04.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
C:\Programme\Brother\ControlCenter2\brctrcen.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swissonline.ch/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programme\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123691250468
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

====================

Now I am at the end of my own capabilities with cleanup tools, and I still think there's something fishy about the way this computer's running. It's sometimes too slow, and on startup it does not load applications like ZoneAlarm fast enough.

I hope you can help me. I know this is not the only thing you guys do for a living, so any help is much appreciated.

cheers
Heinz

#2, 09-05-2006, 12:34 PM, Heinz 57
Can anyone help me with this?
#3, 09-07-2006, 11:09 AM, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; OS: WinXP and Vista)
Hello Heinz 57,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

*************************************************

Close all open browsers.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entry:

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Delete the following file:

c:\windows\system32\MYDLL.dll

**If the above resists deletion, boot into Safe Mode and delete the file.

-----------------------------------

Let's see if this online scanner will reveal anything further:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


Have all the Microsoft Critical Updates been downloaded and installed?


Please include the Kaspersky results along with a new HijackThis log in your next reply.
Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
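The O16 entry Ried asks to fix above is a Downloaded Program File record with no source URL; the other things an analyst scans a HijackThis log for are "(file missing)" references, autorun values with no path, and services with no publisher string. The following Python is an added example, not part of this thread or of HijackThis itself: it parses the HJT 1.99.1 line formats seen in the logs above and flags those four patterns. The sample lines are constructed from entries in this thread; the flagging rules are the editor's own heuristics, and a flag means "look at this", not "malware" (the Logitech and ATI entries it flags here are legitimate, as Ried's verdict on this log confirms).

```python
"""Triage a HijackThis 1.99.1 log: pick out the entries an analyst reads first.

Added example, not code from the thread or from HijackThis. The sample log is
constructed from entry formats seen in the thread; the rules are heuristics.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HJT section id, e.g. "O16"
    reason: str    # why an analyst should look at this line
    line: str      # the original log line


# Constructed sample: a handful of lines in the formats HJT 1.99.1 emits.
SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
Scan saved at 16:24:53, on 11.09.2006

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
'''

# Every HJT entry starts "<section> - "; R/F/N/O are the section families.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O16 - DPF: {CLSID} (Friendly name) - URL        (the URL may be empty)
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
# O4 - HKLM\..\Run: [Value name] command line     (Global Startup lines differ)
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: Display name - Company - path
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blanks
        section, body = m.group("section"), m.group("body")

        # HJT appends this when the referenced binary is gone: an orphaned
        # hook, or something that has been deleted but still has a loader entry.
        if "(file missing)" in body:
            findings.append(Finding(section, "references a file that is not on disk", line))
            continue

        if section == "O16":
            dpf = O16_RE.match(body)
            if dpf and not dpf.group("url"):
                findings.append(Finding(section, "Downloaded Program File with no source URL", line))
        elif section == "O4":
            run = O4_RE.match(body)
            if run:
                cmd = run.group("cmd").strip('"')
                # No drive letter or backslash: Windows resolves it via PATH,
                # so a same-named file earlier in PATH would run instead.
                if "\\" not in cmd and not re.match(r"^[A-Za-z]:", cmd):
                    findings.append(Finding(section, "autorun entry with unqualified path", line))
        elif section == "O23":
            svc = O23_RE.match(body)
            if svc and svc.group("company") == "Unknown owner":
                findings.append(Finding(section, "service with no publisher information", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Against the sample it reports four lines: the stale SSVHelper BHO, the bare `Logi_MwX.Exe` autorun, the empty O16 entry, and the `ATI Smart` service. The first two match Ried's read of the real log (the "(file missing)" Java entries are leftovers of the reinstall, and the other two are known vendor components), which is the point: the script narrows the list, the analyst decides.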
#4, 09-11-2006, 08:26 AM, Heinz 57
Hi Ried

Thanks for helping me out here.

All the Microsoft updates have been installed as far as they were automatically prompted.

Here's the Kaspersky log file:

==========================================

Monday, September 11, 2006 4:22:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/09/2006
Kaspersky Anti-Virus database records: 222395


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 53732
Number of viruses found 3
Number of infected objects 4 / 0
Number of suspicious objects 0
Duration of the scan process 00:54:46

Infected Object Name Virus Name Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\AVG7\Log\emc.log Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip ZIP: infected - 1 skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Cookies\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory\cli.exe.da01c7d0.ini.inuse Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Temp\Perflib_Perfdata_364.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Temp\Perflib_Perfdata_a58.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Temp\~DF7F1E.tmp Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006091120060912\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\NTUSER.DAT Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\ntuser.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\UserData\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programme\Morpheus\mymorpheustoolbar.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{EFAE07B2-00FE-4CA7-84AF-28E94A0201C3}\RP321\A0066819.dll Infected: not-a-virus:AdWare.Win32.Zbar.d skipped

C:\System Volume Information\_restore{EFAE07B2-00FE-4CA7-84AF-28E94A0201C3}\RP328\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\Internet Logs\X-X5BER6WCWH2JB.ldb Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\ZLT07782.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT0778c.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

==========================================

I hope this format is OK.

Here's the HJT log:

==========================================

Logfile of HijackThis v1.99.1
Scan saved at 16:24:53, on 11.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
C:\Programme\Brother\ControlCenter2\brctrcen.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swissonline.ch/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programme\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123691250468
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

==========================================

Awaiting your instructions.

cheers
Heinz
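A Kaspersky Online Scanner report like the one above is mostly "Object is locked skipped" noise from files the running system holds open (registry hives, event logs, AVG and ZoneAlarm logs); the signal is the handful of "Infected:" lines, and where each one sits matters. A hit inside the Java deployment cache is a cached applet jar, a hit in a cookie store is tracking data, and a hit under C:\System Volume Information\_restore{GUID}\ is a copy that comes back if the user rolls back to that restore point, which is why these threads end with System Restore being turned off and on again. The following Python is an added example, not part of the thread or of Kaspersky's tooling: it separates detections from locked-file noise, classifies each detection by location, and says whether the restore points need flushing. The sample report is constructed from lines in this thread.

```python
"""Triage a Kaspersky Online Scanner 5 text report.

Added example, not code from the thread or from Kaspersky. The sample report is
constructed from lines posted in the thread; the location classes are the
editor's own.
"""
import re
from typing import List, NamedTuple, Tuple


class Detection(NamedTuple):
    path: str
    verdict: str       # e.g. "Trojan-Downloader.Java.OpenStream.z"
    location: str      # "restore-point", "java-cache", "browser-cookies" or "live"
    adware_only: bool  # Kaspersky's "not-a-virus:" prefix


# Constructed sample in the report's one-object-per-line format.
SAMPLE_REPORT = r'''
Infected Object Name Virus Name Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped

C:\Dokumente und Einstellungen\Hansueli & Adrian\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-396f08e2.zip ZIP: infected - 1 skipped

C:\Programme\Morpheus\mymorpheustoolbar.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\System Volume Information\_restore{EFAE07B2-00FE-4CA7-84AF-28E94A0201C3}\RP321\A0066819.dll Infected: not-a-virus:AdWare.Win32.Zbar.d skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
'''

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# "<archive> ZIP: infected - N skipped" is a roll-up of members that were
# already reported on their own lines; counted apart so nothing is doubled.
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?:ZIP|RAR|CAB): infected - (?P<count>\d+) skipped$")


def classify_location(path: str) -> str:
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "restore-point"    # revived by a System Restore rollback
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"       # cached applet jar, cleared via the Java control panel
    if "\\cookies\\" in p or p.endswith("cookies.txt"):
        return "browser-cookies"  # tracking cookies, not executable
    return "live"                 # on the live filesystem


def triage_kaspersky(report: str) -> Tuple[List[Detection], int, int]:
    """Return (detections, locked_count, archive_rollups) for a report."""
    detections: List[Detection] = []
    locked = 0
    archives = 0
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            locked += 1  # in-use file the scanner could not open; not a detection
            continue
        if ARCHIVE_RE.match(line):
            archives += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            verdict = m.group("verdict")
            detections.append(Detection(
                path=m.group("path"),
                verdict=verdict,
                location=classify_location(m.group("path")),
                adware_only=verdict.startswith("not-a-virus:"),
            ))
    return detections, locked, archives


def needs_restore_flush(detections: List[Detection]) -> bool:
    """True when a detection lives in a restore point: deleting the live copy
    is not enough, the restore points themselves have to be purged."""
    return any(d.location == "restore-point" for d in detections)


if __name__ == "__main__":
    dets, locked, archives = triage_kaspersky(SAMPLE_REPORT)
    print(f"{len(dets)} detections, {locked} locked files skipped, {archives} archive roll-ups")
    for d in dets:
        print(f"  [{d.location}] {d.verdict} -> {d.path}")
    print("flush System Restore:", needs_restore_flush(dets))
```

On the sample this yields three detections (one Java-cache trojan downloader and two adware-class hits, one of them in RP321 under System Volume Information), two locked-file skips and one archive roll-up, and `needs_restore_flush` returns True, matching the System Restore step in the final instructions further down the thread.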
#5, 09-11-2006, 09:02 PM, Ried
Hi,

This file is reported as being infected with MyWay, I suggest you delete it, but ultimately, it's up to you:

C:\Programme\Morpheus\mymorpheustoolbar.exe

------------------------------------

Clear Sun Java cache: (v.1.5)

Click on Start->Settings->Control Panel->Java Plug-in (if you do not see the icon, look to your left and click 'Switch to Classic View'). Click the Settings button under Internet Explorer near the bottom, click on Delete Files, and click OK and OK.


How is your system behaving--any improvement?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 09-14-2006, 11:00 AM   #6 (permalink)
Registered User
Join Date: Aug 2004
Posts: 58
OS: XP


erm... after a few days of just seeing what goes, I can say it's sort of alright. The general running of it is as smooth as can be, but I still think ZoneAlarm is starting too slowly.

any ideas?

cheers
Heinz
Old 09-14-2006, 06:31 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


If ZoneAlarm seems to be slow to load, it does not appear to be malware related as your scans are coming up clean. If the issue persists, I would suggest posting in the Windows XP section.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
* Click Yes to confirm.
* Click OK.

Enable Windows Auto Update
* Go to Start>Run - type wuaucpl.cpl
* Tick on the checkbox - "Keep my computer up to date"
* Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
* Click on "OK".

Create a new System Restore point
* Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
* Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you do not already have them:


Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD).
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4


Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 09-15-2006, 06:18 AM   #8 (permalink)
Registered User
Join Date: Aug 2004
Posts: 58
OS: XP


ok

I've got all these things on my computer now and we'll just see how it goes.

thanks for your help Ried

cheers
Heinz