Author Topic: Anyone interested in the UPS Bundle of Viruses  (Read 35666 times)


wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #30 on: August 02, 2008, 04:16:41 AM »
I think we all learned a lot, and you did a lot more of the heavy lifting on your own than many posters who jump straight into HJT; you learned a lot doing it yourself.

What CPU (multi-core?) and how much memory (can we devote to antispyware)?

First, SpywareBlaster and a Hosts file require very little overhead.
Spybot Immunize ditto.
IE needs protection if it is installed, even if not used, as some malware will activate it for you.
WinPatrol is light on resources; others recommend BOClean (report back).

There are a couple of threads currently in this and in the avast 4 forum on this subject; join in.

For real-time anti-spyware protection there are really only a few choices:
Spybot TeaTimer
Spyware Terminator
Spyware Doctor, via downloading the Google toolbar and unchecking everything else

I'm running Avast and Sunbelt Counterspy ($20) and WinPatrol
I have spyware guard (old scripting tool)

We need to get a thread going on Prevx, System Safety Monitor, VMware, Sandboxie, Process Guard etc.

I have the usual collection of on-demand scanners and am able to burn a CD or download to a USB drive for remote malware removal.

post up the list and let's see what you have and where we can lighten the load

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #31 on: August 02, 2008, 02:47:33 PM »
You're welcome.

There is also an adage, 'too much of a good thing', and I certainly think it applies to security products, or you spend your time keeping them up to date, detracting from your use of your system.

I have avast resident AV with no other on-demand AV as a back-up. I have SAS as an on-demand anti-spyware; I personally don't feel I need a resident anti-spyware (with the additional proactive measures I take). But if you have 1 resident on-access and 1 on-demand in each category (anti-virus, anti-spyware), that really is plenty. There are many on-line scanners that can also be used for second or third opinions, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #32 on: August 02, 2008, 07:41:24 PM »
Echo what DavidR said about too much of a good thing.

Are you the only one using your machine?
Are you running as admin, or have you set yourself and guests up as user accounts? Much safer.
Have you run Secunia yet to see if you are up to date? Out of date is the source of drive-by downloads.

What you do depends a lot on your personal habits and those of others using the machine.

If there are users who just have to install that codec or latest screen saver or...
 

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #33 on: August 03, 2008, 05:16:46 AM »
Just when you thought it was safe to go back in the water...

Polonus sent me this e-mail; evidently he wants a 2nd opinion on the Spybot fix.

Hi wyrmrider,

For the Win32.Agent pz infection.
Spybot cannot handle that one, that is a known fact.
Let the victim download
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Let him place it on the desktop and double click it to unpack the files
(generally C:\SDFix)

Restart the comp in safe mode.

Open C:\SDFix and double click RunThis.bat to get the tool started.
On the screen a Y appears; press it to start the deleting process.

If asked to press a button to restart the computer, do so.

After a restart the second part of the cleaning process will run. When the prompt FINISHED appears, press any key.
A notepad txt file will open.
Let the victim add this txt to his next posting together with a new hjt logfile, that is all for the moment,

polonus aka Damian

I'm sure Polonus will take a peek at the results

sunrisecc

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #34 on: August 03, 2008, 01:41:51 PM »
SDFix.exe fixed the problem for me on a computer which I cleaned. I had to rename the install file in order to get SDFix to install. I renamed it SDFix2.exe.

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #35 on: August 05, 2008, 06:01:00 PM »
After taking off for the long weekend, I ran SAS & SDFix. As far as I can see, SAS did not find anything:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2008 at 02:51 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1515

Scan type       : Complete Scan
Total Scan Time : 00:40:37

Memory items scanned      : 304
Memory threats detected   : 0
Registry items scanned    : 5936
Registry threats detected : 0
File items scanned        : 27826
File threats detected     : 0

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #36 on: August 05, 2008, 06:09:14 PM »
polonus aka Damian

SDfix was the 2nd anti-malware program I ran, after HouseCall. It found some nasties then, and it seems to have found more nasties again:


SDFix: Version 1.208
Run by Mike on 04/08/2008 at 03:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Mike\LOCALS~1\Temp\.tt11.tmp - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 08:11:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\1\r\x201e\27ï\17ÏF\x2dc\31hv\x2030H\xb7\xb7]
"þÿ??ÿÿ\20À"=hex:82,14,68,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\N\20\xb6Mq\xa2xM`Î\f\x201eu\x00acA\xaf]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\x\27[B9ê\xb6G\x2019Ëâ}\xa5\x8dS’]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\Û\34Á>\1\16ÓD\x2020Ïûë\x201eÙÞo]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\ç\36Ì1S}\34A\xbf\x8fI\32wy\x2030é]
"þÿ??ÿÿ\20À"=hex:28,b2,65,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\27*éæ\r\x2039ØHºW]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\x00d7E&i’\20ãH\x2020\xa8h#ç\36\xac\24]
"þÿ??ÿÿ\20À"=hex:28,b2,65,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\xa3GÌÓ~\34\tGSDÉâ`l\xb7t]
"þÿ??ÿÿ\tÀ"=hex:4e,10,b6,4d,71,a2,9f,4d,8a,ce,0c,84,75,ac,41,af,01,00,00,00,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\x81ttô\x81HÒE\xb0?Ö\x00bfFSj]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\(w\x008fA\xa8\x2022=K\xb2\fÆ\a\34\vý7]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\]ž—ž\xe426\x2496]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\EÒ\x2b1dû¸é\x2c58Â]
"þÿ??ÿÿ\20À"=hex:74,ed,60,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\ó²nx¿\xab2dCË]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\a–#Š\x2986Ø\xa79fé]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\x9ff6!¡Ë’\x18d5\xe135\xf388]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\a…7“‘\xf208]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\ì-\x30fb¤€h€6]
"þÿ??ÿÿ\20À"=hex:28,b2,65,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\xd91c\xf1ec\xa541‡Œž§·]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\xedeb\xabf0ÁÍ\xdca2Hn0]
"þÿ??ÿÿ\20À"=hex:82,14,68,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\P¨
›\x226e\xf319\xe217]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\\nSÍ\xb6\xb8\x90SK\x2013\x2019Ó\xabóÊÓë]
"þÿ??ÿÿ\tÀ"=hex:3e,af,14,3d,10,01,c7,01
"þÿ??ÿÿ\nÀ"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\ý\\35~ãS0D\xb2n(ô^\27\xd7\xbc]
"þÿ??ÿÿ\17À"="
͸S–\xabd3ó\xebd3"

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\I\x3103è\xa52bß¡]
"þÿ??ÿÿ\17À"="
͸S–\xabd3ó\xebd3"

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\\xe96e\x33a0;ø°\x89bb²]
"þÿ??ÿÿ\17À"="
͸S–\xabd3ó\xebd3"

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3997A601-A5D1-09AA-1FA6-C9EAA6D34220}]
"iaoioefmhiijddbnpp"=hex:6a,61,6b,70,63,65,64,6a,6f,68,69,67,6a,69,70,6d,6b,6c,62,67,00,..
"haiiiegmbbgkolda"=hex:6a,61,6b,70,66,65,65,6a,65,67,66,6d,66,6d,64,6a,66,61,6e,62,00,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\SBCToolsV3\\bin\\SBCSniffer.exe"="C:\\SBCToolsV3\\bin\\SBCSniffer.exe:*:Enabled:SBCSniffer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip


funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #37 on: August 05, 2008, 06:10:30 PM »
SDfix Log, ctd...

Files with Hidden Attributes :

Sun 21 May 2006        73,728 ...H. --- "C:\Mailbox\~WRL2813.tmp"
Sun  6 Jan 2008        25,088 ...H. --- "C:\EclipseDevelopment\3.3-RF5-6Jan08\~WRL2689.tmp"
Sat 16 Sep 2006        31,744 ...H. --- "C:\Mailbox\M5208EVBe\~WRL1494.tmp"
Wed 13 Oct 2004     1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 22 Sep 2005         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon  4 Jul 2005       417,280 ...H. --- "C:\Microcontrollers_old\Documentation\WildFire\~WRL0004.tmp"
Sun 28 Aug 2005        14,848 A.SH. --- "C:\WINDOWS\system32\drivers\aspmon.sys"
Wed  7 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT2.tmp"
Mon 10 Dec 2007        25,600 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0010.tmp"
Wed 26 Mar 2008        34,816 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0058.tmp"
Mon 18 Dec 2006        19,968 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0060.tmp"
Thu  5 Oct 2006       839,168 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0104.tmp"
Thu  5 Oct 2006       838,144 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0127.tmp"
Tue 10 Oct 2006       116,224 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0131.tmp"
Mon  7 Jul 2008       101,888 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0138.tmp"
Tue 10 Oct 2006       247,296 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0143.tmp"
Mon  7 Jul 2008        19,968 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0177.tmp"
Thu  5 Oct 2006     9,914,368 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0195.tmp"
Thu  5 Oct 2006       839,168 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0277.tmp"
Thu 12 Oct 2006        36,864 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0386.tmp"
Tue  8 Jul 2008       116,736 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0443.tmp"
Thu 24 Aug 2006     1,252,864 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0452.tmp"
Wed  4 Jun 2008        57,344 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0474.tmp"
Tue 10 Jun 2008       101,888 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0545.tmp"
Tue  8 Jul 2008       119,808 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0546.tmp"
Tue  8 Jul 2008       119,808 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0558.tmp"
Sat 24 May 2008        31,744 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0682.tmp"
Tue  8 Jul 2008       117,248 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0697.tmp"
Fri 13 Oct 2006        38,912 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0788.tmp"
Tue  8 Jul 2008       117,248 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0868.tmp"
Tue 10 Oct 2006        75,776 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0894.tmp"
Thu 12 Oct 2006        36,352 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0900.tmp"
Thu 12 Oct 2006        19,456 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1050.tmp"
Tue 10 Jun 2008       101,376 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1088.tmp"
Thu  5 Oct 2006       839,680 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1187.tmp"
Mon  7 Jul 2008        19,968 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1188.tmp"
Tue 10 Oct 2006        75,776 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1214.tmp"
Mon  7 Jul 2008       113,152 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1227.tmp"
Mon 26 May 2008        35,840 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1394.tmp"
Tue 10 Oct 2006       129,536 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1419.tmp"
Sat 24 May 2008        29,696 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1430.tmp"
Thu 14 Dec 2006        19,456 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1432.tmp"
Fri 13 Oct 2006        40,448 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1495.tmp"
Tue 10 Oct 2006        90,624 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1510.tmp"
Tue 10 Jun 2008       107,008 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1523.tmp"
Sat 24 May 2008        33,280 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1562.tmp"
Thu 12 Oct 2006        19,456 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1600.tmp"
Thu 14 Sep 2006        22,016 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1636.tmp"
Sat 24 May 2008        30,208 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1653.tmp"

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #38 on: August 05, 2008, 06:11:21 PM »
SDfix log, ctd...

Mon  7 Jul 2008       111,616 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1727.tmp"
Tue 10 Jun 2008       101,376 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1742.tmp"
Wed 26 Mar 2008        35,328 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1772.tmp"
Mon  7 Jul 2008        73,216 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1794.tmp"
Thu 13 Dec 2007        55,296 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1836.tmp"
Mon 26 May 2008        35,328 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1864.tmp"
Thu 13 Dec 2007        54,784 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1908.tmp"
Wed 26 Mar 2008        38,912 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1929.tmp"
Thu  5 Oct 2006       838,144 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL1965.tmp"
Tue 11 Dec 2007     2,755,072 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2001.tmp"
Tue  8 Jul 2008       119,808 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2122.tmp"
Tue  8 Jul 2008       117,248 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2139.tmp"
Tue 10 Oct 2006       128,000 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2325.tmp"
Tue 12 Feb 2008        39,936 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2459.tmp"
Tue 10 Oct 2006        75,264 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2462.tmp"
Sat 24 May 2008        29,184 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2482.tmp"
Thu 12 Oct 2006        19,968 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2488.tmp"
Tue 10 Oct 2006        73,728 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2541.tmp"
Fri 14 Dec 2007        81,408 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2587.tmp"
Tue  8 Jul 2008       119,296 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2597.tmp"
Mon  7 Jul 2008        19,456 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2664.tmp"
Wed 23 Aug 2006     1,839,104 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2749.tmp"
Thu  5 Oct 2006       839,168 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2755.tmp"
Mon  7 Jul 2008       113,152 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2760.tmp"
Thu 13 Dec 2007        54,272 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2856.tmp"
Mon  7 Jul 2008        97,792 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2857.tmp"
Mon  7 Jul 2008       114,176 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2874.tmp"
Fri 14 Dec 2007        82,432 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2913.tmp"
Thu 13 Dec 2007        68,096 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL2933.tmp"
Wed  4 Jun 2008        79,360 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3041.tmp"
Tue 10 Oct 2006        90,624 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3141.tmp"
Fri 13 Oct 2006        39,424 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3321.tmp"
Tue 27 May 2008        37,376 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3431.tmp"
Thu  5 Oct 2006     5,753,856 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3445.tmp"
Thu 12 Oct 2006        35,840 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3450.tmp"
Fri 13 Oct 2006        40,960 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3489.tmp"
Mon  7 Jul 2008       114,688 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3510.tmp"
Tue 10 Jun 2008       106,496 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3512.tmp"
Tue  8 Jul 2008       116,736 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3513.tmp"
Tue  8 Jul 2008       119,808 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3629.tmp"
Mon  7 Jul 2008        19,968 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3661.tmp"
Fri 14 Dec 2007       149,504 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3682.tmp"
Mon 26 May 2008        36,864 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3717.tmp"
Mon  7 Jul 2008        71,680 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3767.tmp"
Mon  7 Jul 2008       113,664 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3783.tmp"
Fri 14 Dec 2007       148,992 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3871.tmp"
Fri 13 Oct 2006        38,400 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3886.tmp"
Sun  7 Jan 2007        43,008 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3932.tmp"
Tue 10 Oct 2006       115,200 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL3942.tmp"
Fri 16 Sep 2005        54,520 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp"

Finished!
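
The "Files with Hidden Attributes" listing above is long but mechanical to sort. The following Python script is an added example, not part of the thread or of SDFix: it parses that listing format, buckets each entry by extension and attribute mask, and puts hidden or system-flagged executables at the top of a manual review list, leaving the Word autosave leftovers (~WRL*.tmp) for last. The sample report inside it is a constructed excerpt of lines copied from the report above; the bucket names and the extension list are the example's own assumptions.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One line of an SDFix "Files with Hidden Attributes :" section looks like
#   Sun 28 Aug 2005        14,848 A.SH. --- "C:\WINDOWS\system32\drivers\aspmon.sys"
# weekday, day, month, year, size with thousands separators, a five-character
# attribute mask (letters present, '.' absent), "---", then the quoted path.
LINE_RE = re.compile(
    r'^(?P<wday>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"\s*$'
)

# Extensions worth a manual lookup when found hidden (assumption made for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx", ".drv", ".bat", ".cmd", ".pif"}

# Constructed excerpt: header, a few entries copied from the report above, and the trailer.
SAMPLE_REPORT = r'''Files with Hidden Attributes :

Sun 21 May 2006        73,728 ...H. --- "C:\Mailbox\~WRL2813.tmp"
Wed 13 Oct 2004     1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 22 Sep 2005         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 28 Aug 2005        14,848 A.SH. --- "C:\WINDOWS\system32\drivers\aspmon.sys"
Wed  7 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT2.tmp"
Mon 10 Dec 2007        25,600 ...H. --- "C:\Documents and Settings\Mike\Application Data\Microsoft\Word\~WRL0010.tmp"

Finished!
'''


@dataclass
class HiddenFile:
    date: str      # "YYYY-Mon-DD", rebuilt from the fields SDFix prints
    size: int
    attrs: str     # raw five-character mask, e.g. "A.SH."
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def ext(self) -> str:
        name = self.name.lower()
        return name[name.rfind("."):] if "." in name else ""

    @property
    def system(self) -> bool:
        return "S" in self.attrs


def parse_hidden_files(report: str) -> list[HiddenFile]:
    """Return the hidden-file entries in an SDFix report; lines in any other format are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HiddenFile(
                date=f"{m['year']}-{m['mon']}-{int(m['day']):02d}",
                size=int(m["size"].replace(",", "")),
                attrs=m["attrs"],
                path=m["path"],
            ))
    return entries


def classify(entry: HiddenFile) -> str:
    """Bucket an entry by how much attention it needs: hidden executables first,
    Word autosave leftovers (~WRL*.tmp) last because they are routine."""
    if entry.ext in EXECUTABLE_EXTS:
        return "executable+system" if entry.system else "executable"
    if entry.name.lower().startswith("~wrl") and entry.ext == ".tmp":
        return "word-autosave-temp"
    if entry.size == 0:
        return "zero-byte"
    return "other"


def triage(report: str) -> dict:
    """Counts per bucket plus the executables to look up by hand, system-flagged ones first."""
    entries = parse_hidden_files(report)
    buckets = Counter(classify(e) for e in entries)
    review = sorted(
        (e for e in entries if classify(e).startswith("executable")),
        key=lambda e: (not e.system, e.path.lower()),
    )
    return {"total": len(entries), "buckets": dict(buckets), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} hidden files: {result['buckets']}")
    for e in result["review"]:
        print(f"  review {e.attrs} {e.size:>10,} {e.path}")
```

Hidden+system attributes on an executable are not proof of anything by themselves (several of the entries in the report belong to Windows components), which is why the script only orders the review list rather than rendering a verdict; the ordering just makes sure the handful of binaries are looked at before the dozens of Word temp files.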


funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #39 on: August 05, 2008, 06:12:03 PM »
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:08 AM, on 05/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Validate XML - C:\WINDOWS\web\msxmlval.htm
O8 - Extra context menu item: View XSL Output - C:\WINDOWS\web\msxmlvw.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{69752F42-1B23-4437-BB67-3E92CC00B86C}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5162 bytes

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #40 on: August 06, 2008, 06:47:15 PM »
wyrmrider:

I am sorry, I never did answer some of your questions.

PC: Dell, Pentium 4, 1.6GHz, 512MB RAM, WinXP 2002, SP 2.

The PC is not very valuable, but it has a lot of legacy s/w that takes time to reinstall and customize. While I seldom use this s/w, I may be called upon to do so. It is an issue, but not a huge issue.

Most of my time is spent on emails, surfing, writing and illustrating, and some programming to keep my mind active.

wyrmrider

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #41 on: August 06, 2008, 09:03:48 PM »
If polonus is not around, perhaps one of the other HJT experts could take a look at this.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #42 on: August 06, 2008, 10:15:09 PM »
No expert by any stretch of the imagination, I have taken a quick look at it and, other than these below, I don't see anything obvious.

Do you know what these are:
O8 - Extra context menu item: Validate XML - C:\WINDOWS\web\msxmlval.htm
O8 - Extra context menu item: View XSL Output - C:\WINDOWS\web\msxmlvw.htm

You still don't appear to have an active firewall, and when you are trying to clean out any malware you need to be able to block unauthorised outbound connections.

funke

  • Guest
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #43 on: August 07, 2008, 07:34:16 PM »
DavidR:
O8 - Extra context menu item: Validate XML - C:\WINDOWS\web\msxmlval.htm
O8 - Extra context menu item: View XSL Output - C:\WINDOWS\web\msxmlvw.htm
I have renamed the files to .htmx. When I reconnect my PC, I shall see if it misbehaves without these files.

May I ask how you determine that a file or a registry entry is suspicious? How do you acquire this expertise? It is all unintelligible to me.

wyrmrider:
Again, thanks for all your advice. There is still stuff to be done: run Secunia.

My infected PC is still pretty well disconnected from our LAN. When I connect it, I disconnect or shut down the other PCs. I have just replaced the WinXP Firewall with Comodo. Until I am certain that my PC is clean, it shall remain secluded. I am using my wife's PC to connect to the Internet... which is not always convenient.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Anyone interested in the UPS Bundle of Viruses
« Reply #44 on: August 07, 2008, 08:14:52 PM »
Well, there could well be a legitimate use if this is a means of checking XML; however, it seems a very strange way to go about it, as XML validation is usually done somewhere like http://validator.w3.org/check/referer, as in the icons at the bottom of the forums.

There should be extra buttons on your browser (IE), and if you don't know about them or didn't put them there, I see no purpose in having them even if they are legit. So the PC shouldn't misbehave as such until you click one of the buttons, and then it should just throw up an error, 'no such file' or words to that effect.

Checking legitimacy is a bit of using Google on file names and seeing what comes up, and general experience of having used computers for a long time.
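
The method DavidR describes for the HJT log in Reply #39, pulling out the file names and looking each one up, is easy to automate as a first pass. The Python script below is an added example, not a tool from the thread or from HijackThis: it splits a HijackThis log into the running-process list and the coded O-entries, collects every file name for manual lookup, and flags three things a reviewer would want surfaced first: paths outside the usual Windows and Program Files roots, O23 services that HJT itself labels "Unknown owner", and O17 NameServer addresses that are not private. The trusted-root list is an assumption of the example, and the embedded log is a constructed excerpt of lines copied from Reply #39.

```python
import ipaddress
import re
from collections import defaultdict

# Directory prefixes this heuristic treats as expected locations (an assumption of the
# example, lower-cased and backslash-terminated; the 8.3 short form covers C:\PROGRA~1).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# "Onn - body" entry lines, a Windows path ending in an extension HJT reports, and the
# O17 NameServer list (comma-separated when more than one server is configured).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"(?i)([a-z]:\\.*?\.(?:exe|dll|sys|htm|lnk)\b)")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")

# Constructed excerpt: lines copied from the log in Reply #39, cut down to keep it short.
SAMPLE_HJT_LOG = r'''Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\CVSNT\cvslock.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: Validate XML - C:\WINDOWS\web\msxmlval.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{69752F42-1B23-4437-BB67-3E92CC00B86C}: NameServer = 192.168.2.1
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
'''


def parse_hjt(log: str) -> dict:
    """Split a HijackThis log into the running-process list and its coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # a blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["code"], m["body"]))
    return {"processes": processes, "entries": entries}


def triage_hjt(log: str) -> dict:
    """Flag entries for manual follow-up and collect the file names to look up."""
    parsed = parse_hjt(log)
    findings = defaultdict(list)
    lookup = set()

    def note_path(path: str, where: str) -> None:
        lookup.add(path.rsplit("\\", 1)[-1].lower())
        if not path.lower().startswith(TRUSTED_ROOTS):
            findings["outside-trusted-root"].append(f"{where}: {path}")

    for proc in parsed["processes"]:
        note_path(proc, "process")
    for code, body in parsed["entries"]:
        for path in PATH_RE.findall(body):
            note_path(path, code)
        if code == "O23" and "Unknown owner" in body:
            findings["service-unknown-owner"].append(body)
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            for ip in (m.group(1).split(",") if m else []):
                try:
                    if not ipaddress.ip_address(ip.strip()).is_private:
                        findings["dns-server-not-private"].append(ip)
                except ValueError:
                    findings["dns-server-unparsable"].append(ip)
    return {"findings": dict(findings), "lookup": sorted(lookup)}


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_HJT_LOG)
    for category, items in result["findings"].items():
        print(category)
        for item in items:
            print("   ", item)
    print("look these up by name:", ", ".join(result["lookup"]))
```

On the excerpt the only path outside the trusted roots is HijackThis itself running from D:\, which is exactly the kind of result that shows why the flags are prompts for a lookup rather than verdicts; the "Unknown owner" services are worth a search on their file names for the same reason DavidR gives, and the O17 check stays quiet because 192.168.2.1 is a private router address.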