Full Version: Need help removing 2 Trojans
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
Icedrake
My SpyBot S&D detects this trojan spyware called Vanbot, and every time SpyBot deletes it, the spyware keeps coming back right after it's deleted. Please help! Also, my McAfee anti-virus detects this virus every time my PC restarts. It's called something like ZapChast.reg and it's in my registry, or at least that's where McAfee found the virus. I don't know what to do about this. And I'm not a computer expert either; I pretty much don't know anything about them. PLEASE someone help me remove them!

HiJackThis Logfile
--------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:34 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\avfpmh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Stuff\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6434 bytes
AndyManchesta
Hi Icedrake, Welcome to the forum

You do have a backdoor infection showing there, which is a serious threat as it allows the attacker to access your system using IRC channels. Once we get things cleaned up you will have to change passwords for any sites you have recently accessed, and if you do any banking or paying for goods online it would also be wise to contact the bank to notify them of your situation so they can monitor your account.

Run HijackThis and choose Do A System Scan then place a check next to these entries

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe

Close all open browsers and other windows except for HijackThis and press the Fix Checked button.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


Finally generate a report of the Add/Remove screen entries using HijackThis:
Open Hijackthis, and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the SDFix log, the uninstall list and a new HijackThis log, and let us know if you have any problems.

Cheers

Andy
Icedrake
Hello Andy,
Before I do the removal process, can you please tell me what these files are?:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe

Also, I just looked up what ALCXMNTR.EXE is and I found that it's part of your computer's sound. And I also found some people saying it's a good file and some people saying it's bad!
AndyManchesta
Hi,

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Browser Helper Object related to Windows Live Messenger; it's missing the path to the file (no file), so it's fine to fix as it's a leftover registry entry from a previously installed program.


O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Added by Realtek to collect data from customers, not required to start with Windows

http://www.castlecops.com/s180-Alcxmntr_exe.html


O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe

Backdoor Infection from the RBot family of trojans

http://www.ca.com/us/securityadvisor/virus...s.aspx?id=39437

QUOTE
Once the victim's computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit. The backdoor can also be instructed to:

download and execute files from the Internet
retrieve system information such as Operating System details
retrieve CD keys for certain computer games, if present
start a SOCKS proxy
perform denial of service (DoS) attacks
start several other servers: rlogin, http, tftp. The ports used for these are configurable.
log keystrokes
capture video from a webcam, if present
send e-mail
Process Termination
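Andy's reading of the O2 and O4 lines above (a BHO with no file behind it, a Run value that is a bare file name, a Microsoft-sounding label on a non-Microsoft file, and the same file registered under both Run and RunServices) can be turned into a small triage script. The Python below is an added example and is not part of this thread or of HijackThis: the heuristics and the severity labels are my own choice, and the sample lines are copied from the HijackThis log posted earlier. It only flags lines for a human to review; it changes nothing on the system.

```python
import re
from collections import defaultdict

# O2 (Browser Helper Object) and O4 (registry Run value) lines as HijackThis 2.x prints them.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

# A label that borrows Microsoft's name on a value that points at an unqualified file is a common lure
# (assumed word list, chosen for this example).
LURE_WORDS = ("microsoft", "windows", "update")

# Sample input: O2/O4 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def executable_of(cmd):
    """Return the executable part of a Run value, stripping surrounding quotes and any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def is_unqualified(exe):
    """True when the value names a bare file (no drive or directory), so the log cannot say which file runs."""
    return "\\" not in exe and "/" not in exe and ":" not in exe


def triage(log_text):
    """Scan O2/O4 lines and return a list of {line, severity, reason} findings for a human to review."""
    findings = []
    seen = defaultdict(list)  # lower-cased executable -> run keys it is registered under
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append({"line": line, "severity": "low",
                                 "reason": "orphaned BHO: CLSID registered but the DLL is gone, safe to fix"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        label = m.group("label").lower()
        seen[exe.lower()].append(m.group("key"))
        if is_unqualified(exe):
            lure = any(word in label for word in LURE_WORDS)
            findings.append({"line": line,
                             "severity": "high" if lure else "medium",
                             "reason": ("unqualified path with a Microsoft-style label" if lure
                                        else "unqualified path: the log does not say which file actually runs")})
    # The same file under several run keys (Run plus the Win9x-era RunServices) is a persistence pattern.
    for exe, keys in seen.items():
        distinct = sorted(set(keys))
        if len(distinct) > 1:
            findings.append({"line": exe, "severity": "high",
                             "reason": "registered under multiple run keys: " + ", ".join(distinct)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}: {f['line']}")
```

To run it over a real log, read the saved hijackthis.log into a string and pass it to triage(). The medium-severity hits (VTTimer.exe, sm56hlpr.exe and the like would also appear on a full log) are only asking for a path check, which is exactly the question Andy answered for ALCXMNTR.EXE by hand.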
Icedrake
Ok so is ALCXMNTR.EXE a bad program? And do I have to remove it? Because I don't want to lose my sound.
I'm really sorry for asking you so many questions; it's just that I've broken 2 computers trying to remove spyware, so I don't want to mess up my new computer (the one I'm using right now).
AndyManchesta
It's really open to debate. It's added by a legit company, so it isn't a trojan, but it's also not required to start with Windows; the Castlecops link explains its use in more detail. I'm not suggesting you delete the file itself, you are just fixing its registry run value so it doesn't start with Windows, but if you wish to leave it then please do and move on to the other steps.

EDIT: I just noticed the extra comments you added to the last post. Fixing that entry will not make you lose your sound, and everything that is fixed with HijackThis is backed up, so you could easily restore it at a later stage using the HijackThis > Misc Tools > Backups feature. If you'd rather not fix it then that is fine, as it's not added by malware, but getting rid of that backdoor trojan that is running on your system is important, so please complete the other steps.

Cheers
Icedrake
I just extracted SDFix to the C drive and my McAfee Virus Found dialog came up. It said that SDFix was a Potentially Unwanted Program, and removed it! What do I do now? Help!

::::EDIT::::

Actually, McAfee deleted part of SDFix, because the SDFix folder with RunThis.bat is there, along with catchme.exe and SDFIX_ReadMe_Online.
AndyManchesta
I like the way McAfee detects a legit tool but doesn't have issues with a backdoor trojan running on your system.

Delete the SDFix.exe and the C:\SDFix folder in case it's now been damaged by McAfee. Please then turn off McAfee while you download and run SDFix so it doesn't interfere, then download SDFix again and continue with the safe mode steps. SDFix is my tool, so I can assure you it's 100% clean. McAfee will be detecting a file in it named process.exe, which is used to stop any trojan files before the fixtool starts the repairs; if process.exe was added by a trojan then it could be a threat, which is why it's being flagged as a potentially unwanted program, but in this case it's fine to ignore.

If you still have problems let me know

Cheers
Icedrake
Hello Andy,

I can't fix the computer right now because my parents are going to start using it pretty soon, as they just came home from work, so I'm going to have to fix my computer tomorrow. I will reply to you tomorrow about this!

Also, my McAfee always detects this Trojan called ZapChast.reg and deletes it, but the Trojan always comes back when my computer restarts! I don't know what to do about this.

Ice
AndyManchesta

No problems Ice, we can continue when you're able to.

At least fix those two Microsoft Update Machine 04 entries, as that will stop the backdoor running; it's a serious threat, with it allowing the attacker to have access to and control of your system via IRC channels. Although SDFix may not get the file, it will repair any damage the trojan may have caused, such as adding restrictions to prevent you using Windows Updates or disabling services like the Firewall and Security Center, so it's worth a run to restore settings to Microsoft's defaults.

Regarding the McAfee detection for the Zapchast, it's likely related to the active backdoor trojan that's running, so once we get that cleared up the detections from McAfee should stop, but getting information about where it's detecting the file would help if it finds it again.

Cheers
Icedrake
Hi! If I remove those 2 Windows Update Machine 04 backdoors, will it stop them from coming back if I restart my computer?

Also, I just found out where the ZapChast.reg virus is. Here it is:

Name: C:\a.bat
Detected As: ZapChast.reg

Oh, and whenever my computer starts and loads up everything, after the virus detection message comes up, McAfee starts blocking all these port actions right after my computer starts. And it keeps increasing. Maybe that's McAfee blocking the backdoor from accessing the internet? Also, in my task manager there's this process running called avfpmh.exe. Is that the backdoor?
AndyManchesta

Yeah, removing the run values for the trojan will stop it running next time you start the PC. It will not remove the trojan file though, or repair any of the damage it may have caused in other areas, which is where SDFix will come in useful. After that you will need to run an online scan to check for remaining problems, but it's easier to just take it one step at a time for now, so if you can run SDFix and post back its log, and also post back the uninstall list as I mentioned in the earlier post, then we can move on to the next step.

AndyManchesta
QUOTE(Icedrake @ Sep 22 2007, 01:18 PM)
Also, I just found out where the ZapChast.reg virus is. Here it is:

Name: C:\a.bat
Detected As: ZapChast.reg

Oh, and whenever my computer starts and loads up everything, after the virus detection message comes up, McAfee starts blocking all these port actions right after my computer starts. And it keeps increasing. Maybe that's McAfee blocking the backdoor from accessing the internet?


Rather than editing your posts to add more info, just add another post if there's something extra you wish to add, as it makes it a lot easier for me to follow. The batch file is related to the Rbot variant, so it's not added by Zapchast. It will stop coming back when you complete the steps I put in my first reply, but if you'd rather not follow the steps then just delete the 04 entries for Microsoft Update Machine, delete the trojan file C:\WINDOWS\system32\avfpmh.exe, delete the C:\a.bat and then run an online scan at Kaspersky http://www.kaspersky.com/virusscanner and save the scan log if you need more help, so we can see what it found.

Cheers
Icedrake
Ok I can't do the Safe Mode stuff right now, but I'm doing a SpyBot S&D scan to see if the backdoor file is still on my computer. If it is, then I'm going to remove it and run SpyBot again to see if the backdoor is still replacing itself. Is that alright?
Icedrake
Hello Andy,
Just ran a SpyBot S&D scan and it said that SpyBot found no spyware on my computer!!!! Before, it kept finding the backdoor called Vanbot! But now it's not finding Vanbot anymore! (Thanks to you of course.) Does that mean that the backdoor is not on my computer anymore?

----EDIT----
Searched my computer for the file avfpmh.exe and I only found 1 file. Here it is:

Name: AVFPMH.EXE-1D836EE7
In Folder: C:\WINDOWS\Prefetch
Size: 27 KB
Type: PF File
Date Modified: 9/19/07

AndyManchesta
Hi Ice,

It's difficult for me to comment or help any more on this topic, as I've not seen any logs from your system except for a HijackThis log, so I've no idea if Spybot was finding the same RBot that was showing in your HJT log; it should really have been able to remove it earlier if that was the case, rather than constantly show the same detections each time it was used.

Maybe it was able to delete it after you fixed the 04 entries and stopped it running, but as you didn't post the SDFix log or Kaspersky log I really cannot say if your system is currently clean or not. The prefetch file you found in the search is harmless and will not contain any malicious code, so it's fine to ignore, but if you cannot find the actual .exe file in system32 then maybe it's been removed by Spybot, or maybe it's set with hidden and system attributes, so you can check for it manually if you want:

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button then click Apply and OK.

As you posted asking for help but then decided not to follow any of the advice given, there's really nothing more I can do here except repeat the suggestion that you at least run the Kaspersky scanner to check for remaining problems, and post back the log if it finds any infected items as well as a new HijackThis log.

Cheers

Andy
Icedrake
Hello Andy!

Just ran a Kaspersky online scan and here's the report. Btw, I did the My Computer scan type.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 22, 2007 11:50:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 22/09/2007
Kaspersky Anti-Virus database records: 422171
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: false

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 63130
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:40:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_CHULA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_CHULA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\NAILogs\UpdaterUI_CHULA.log Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP157\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AA84956D-EE06-425E-B4B1-2631A19CA78C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\avfpmh.exe Infected: Backdoor.Win32.Ciadoor.gn skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Icedrake
Just did what you said above and I found a file called avfpmh.exe in the system32 folder. Should I delete it?
AndyManchesta
Yes, it needs removing, but before you delete it please visit the link below

http://www.bleepingcomputer.com/submit-mal....php?channel=27

In the Link to topic where this file was requested: area copy and paste this

http://forum.piriform.com/index.php?showtopic=12355

In the Browse to the file you want to submit: area, copy and paste this

C:\WINDOWS\system32\avfpmh.exe

Then click Send File. Once it shows
QUOTE
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

Then close the Bleeping Computer link,

Then delete the file, and also delete the a.bat on C:\ if it still exists. Once you have done that, set Windows back to hiding hidden and system files as explained earlier, by pressing the Restore Defaults button.

The a.bat created by the IRCBot on C:\, which McAfee kept finding, will create a registry file named 1.reg in your temp folder when it's run. It then merges the reg file to make changes to your system, so it could have disabled protection software, or it could have disabled Windows services, or even added restrictions in other areas of the registry. SDFix would have repaired those changes, but you may as well just delete SDFix now and upload a sample of the file and I'll check it a bit later. Also run CCleaner to clear the contents of the temp folders.

Andy
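The mechanism Andy describes, a batch file writing a .reg file and merging it to disable protection or add restrictions, can be checked by parsing the .reg file instead of merging it. The Python below is an added example, not code from this thread or from SDFix: the parser follows the regedit export format, the watch-list is a short selection of real XP-era policy, Firewall and Security Center values that I chose to illustrate the settings Andy mentions, and SAMPLE_REG is a constructed file, not the 1.reg from this thread, which was never posted.

```python
import re

# One "Name"=data line of a .reg file; @ is the key's default value.
VALUE_RE = re.compile(r'^(?:(?P<default>@)|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')

# Settings a merged .reg commonly tampers with (illustrative selection, chosen for this example).
# (key path below the hive, value name, data that indicates tampering, description); compared case-insensitively.
WATCHLIST = [
    (r"software\microsoft\windows\currentversion\policies\system", "disableregistrytools", 1, "Registry Editor disabled"),
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr", 1, "Task Manager disabled"),
    (r"system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile", "enablefirewall", 0, "Windows Firewall switched off"),
    (r"software\microsoft\security center", "antivirusdisablenotify", 1, "Security Center antivirus warnings silenced"),
    (r"software\microsoft\security center", "firewalldisablenotify", 1, "Security Center firewall warnings silenced"),
    (r"software\policies\microsoft\windows\windowsupdate\au", "noautoupdate", 1, "Automatic Updates disabled by policy"),
]

# Constructed sample in regedit export format. It is NOT the 1.reg from this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example Vendor\Harmless]
"InstallDir"="C:\\Program Files\\Harmless"
"""


def decode_value(data):
    """Decode the data side of a .reg value: dword -> int, quoted string -> str, '-' -> None (deletion)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data == "-":
        return None
    return data  # hex:, hex(2):, hex(7): and other binary forms are left undecoded


def parse_reg(text):
    """Parse regedit export text into {key: {value name: decoded data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group("default") else m.group("name").replace('\\"', '"').replace('\\\\', '\\')
        keys[current][name] = decode_value(m.group("data"))
    return keys


def audit(keys):
    """Return (key, value name, description) for each watch-listed setting the file would set to its tampered value."""
    findings = []
    for key, values in keys.items():
        path = key.split("\\", 1)[1].lower() if "\\" in key else ""
        lowered = {name.lower(): data for name, data in values.items()}
        for suffix, vname, bad, description in WATCHLIST:
            if path == suffix and vname in lowered and lowered[vname] == bad:
                findings.append((key, vname, description))
    return findings


if __name__ == "__main__":
    for key, name, description in audit(parse_reg(SAMPLE_REG)):
        print(f"{description}: {key} -> {name}")
```

To inspect a real file, open it with the default text encoding regedit uses for that version (UTF-16 for "Version 5.00" exports, ANSI for REGEDIT4) and pass the text to parse_reg(). Anything hex-encoded is left raw on purpose: for a triage read the key and value names already say which setting is being touched.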
Icedrake
Hello Andy!
Just submitted the info on Bleeping Computer. Deleted avfpmh.exe. But I don't get this part though: "upload a sample of the file and I'll check it a bit later". What do you mean by that? What sample do I have to upload?

Also, I can't delete the a.bat file because McAfee already deleted it when I started my computer this morning. So what do I do about that?
AndyManchesta

No need to do anything else at the moment; the link I gave is my upload channel at Bleeping Computer, so if you have already sent the file there then I will download it and test it to see what changes it made. It's also fine if McAfee removed the a.bat, I just meant delete the file if it still exists.

I'll post back in a bit once I've checked the file.

Cheers
Icedrake
OMG THANK YOU SO MUCH ANDY! I DID ALMOST EVERYTHING YOU TOLD ME TO AND IT WORKED! Now there's no more spyware on my computer, I think.


Just in case here's a new HiJackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:01 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Stuff\Setups\Security\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6365 bytes
Icedrake
Thanks again Andy!
AndyManchesta

Can you also follow the part at the end of my first reply about creating an uninstall list using HijackThis so I can make sure there's nothing listed that needs updating or removing. I'll be off for a while now, but I'll check that file you sent soon and reply again.

Cheers
Icedrake
OK Andy, here's the uninstall list:

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
Apple Software Update
AusLogics Disk Defrag
CC_ccProxyMSI
CC_ccStart
ccCommon
CCleaner (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
GOM Player
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
InterActual Player
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
KBD
LiveReg (Symantec Corporation)
Magic DVD Ripper V5.0.1
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Motorola SM56 Speakerphone Modem
Mozilla Firefox (2.0.0.7)
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Personal Firewall
Norton Personal Firewall (Symantec Corporation)
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
Rhapsody Player Engine
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinMPG VideoConvert 6.6.2
WinRAR archiver

Icedrake
Hello Andy,
I'm having another problem now. It has been on my computer for a while now. This is the problem: Automatic Updates (the update thing on the computer) kept finding no updates for my computer for a while now. But when I search for updates for my computer manually on Microsoft there's 11 updates for my computer! And my Automatic Updates said that there were no updates for my computer! Help! How do I fix this? Is this problem from the backdoor? Should I still run SDFix?
AndyManchesta

Hi Ice,

I've not had a chance yet to test that file you uploaded as I've been out since I made that last post, but I'll check it soon. If you are noticing problems though, it's worth running SDFix as that will remove any restrictions that may have been added by the backdoor trojan, so even if it doesn't find any files it can restore services and settings to Microsoft's defaults, which may help solve the problem.

For the updates it really depends what they are and if you have chosen not to install them in the past; if they are all high priority updates then they should be automatically installed, but software and hardware (optional) updates are not installed unless you visit the update site.

Regarding the Add/Remove list, your version of Java is well out of date and vulnerable to some infections, as some malware can exploit weaknesses in older versions of Java to get their files on the system, so it needs removing. Go to the Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove

Java 2 Runtime Environment, SE v1.4.2_03

Once it's removed get the latest version from Sun's website here

http://www.java.com/en/download/index.jsp

Can you also let me know if you currently have Norton installed, as it's listed on the Add/Remove screen but only has a couple of entries in the HJT log, so I'm not sure if they are leftover entries or if it's still running on the system.

Thanks
Icedrake
OK, I'll install the new version of Java. And no, I don't have Norton installed, though it came with the computer when I first got it. Then my brother uninstalled it and installed McAfee instead.

---EDIT---
Wait! I just looked at my Add/Remove list and there was Norton Personal Firewall installed on my computer.
AndyManchesta

Give the Norton remover a run then, as it's not uninstalled correctly on your system

http://service1.symantec.com/SUPPORT/tsgen...v=&osv_lvl=

I'll post back a bit later when I've checked the file you sent

Cheers
AndyManchesta

As I mentioned earlier, if you have extra comments to make then add a new reply rather than editing earlier posts, as it's a lot easier. Do not follow my last post then if you still have Norton products installed, as they will be removed.
Icedrake
OK, but I don't know what type of Norton Firewall I have, and what I mean by that is that I don't know if my Norton Firewall is 2003, 2004, 2005, 2006, 2007 or 2008.
AndyManchesta
Hi Ice,

If you're still using software by Norton then we can skip that part, as the Norton remover I linked to will remove all versions of their software no matter what year it's from.

I checked the file you uploaded earlier and it is a modded version of rbot, although it's detected by some AVs as Backdoor.Ciadoor, but that's only due to it being packed with Themida, which makes it difficult for AVs to detect what the file really is.

It's capable of doing these things:

Listing and Stopping processes related to security software or security tools
Creating/running batch files
Monitoring network traffic to steal confidential info from sites such as paypal and hotmail
Performing denial of service (DoS) attacks against websites
Scanning IPs looking for vulnerable systems and using a variety of exploits if it finds one to get on the system
Stealing CDKeys/Serial numbers for installed games
Modifying the registry
Downloading and running additional files
Keylogging
Screen and Webcam Capturing
Sending e-mail

So you'll have to change passwords for any confidential sites you or any other users may have accessed while it was active. It also adds a lot of restrictions to the registry and disables services, so we can fix that below.

Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.
CODE
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\OLE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000


Go to File on the top bar of Notepad and choose Save As; in the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double click fix.reg (or right click and choose Merge) and allow it to be merged into the registry, which will remove the malicious entries and restore others to Microsoft's default settings.

Apart from that things look fine, but please read Tony Klein's article below to help prevent more infections

So how did I get Infected in the First Place?

Let us know if you have any remaining problems

Cheers
Icedrake
Hello Andy!

Can you tell me what those registry entries do?
Icedrake
Uh oh, another problem! Now I get this error message whenever I try to do Apple Software Update. Here's a picture of the error message I'm getting:
AndyManchesta
QUOTE
[-HKEY_CURRENT_USER\Software\Microsoft\OLE]

Added by the IRCBot; it's not a default key, so it's being removed

QUOTE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

The Worm/IRCbot disables the DCOM protocol and restricts anonymous access to the system by changing the above value to N; the default value of this entry is "Y", so it's being restored.

QUOTE
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate]

The keys do not exist by default and are added by the worm to add restrictions related to the Windows Update site, such as adding a DoNotAllowXPSP2 value to prevent users updating their system; the keys are being removed.

QUOTE
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

This key doesn't exist on a default install; it adds restrictions to disable the Windows Firewall, so again the key is being removed.

QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

Restricts anonymous users from displaying lists of users and from viewing security permissions. The value can be defined by the user, but the default value is dword:00000000, so it's being restored to the way it was before you got infected.

QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-
"AutoShareServer"=-

Added with a dword:00000001 value by the infection to disable Administrative shares on the machine, the values are being removed as the default behavior is to automatically create the administrative shares if they do not exist.

QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

Automatic Updates service, which has been disabled by the infection; it's being restored so it automatically starts with Windows.

QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

On XP SP2 it's the Windows Firewall service, again disabled by the infection, and the above change restores it to automatically start with Windows.

QUOTE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

Windows Security Center service, disabled by the infection and restored to automatically start with Windows.

QUOTE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

These values affect the way the Security Center notifications behave if your AV or Firewall is disabled or if Windows Updates is disabled. The default values above will display a pop-up in the system tray to notify you if there's a problem and allow you to open the Security Center, but the infection changes the values to disable all notifications; they are being restored to the default settings.
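As an added illustration of what the fix.reg above does, the Python script below is not part of the thread or of Andy's instructions: it parses that REGEDIT4 text into its three operations (delete key, delete value, set value), audits a registry snapshot against it to list every setting the fix would change, and merges it into a copy of the snapshot the way regedit does. The INFECTED snapshot is constructed to resemble the tampering described in the replies (its values are illustrative, and its key casing is matched to the fix since real registry paths are case-insensitive), and the parser handles only the dword and string value types this fix uses.

```python
# Added example (not the thread's code): parse/audit/merge the post's REGEDIT4 fix.
# INFECTED is a constructed snapshot; FIX_REG is the fix.reg text from the post.

FIX_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\OLE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"""

# Constructed snapshot of the tampered machine (values illustrative only).
INFECTED = {
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE": {},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole": {"EnableDCOM": "N"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate": {"DoNotAllowXPSP2": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa": {"restrictanonymous": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters": {"AutoShareWks": 0, "AutoShareServer": 0},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": 4},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": 4},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc": {"Start": 4},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1,
        "AntiVirusOverride": 1, "FirewallOverride": 1},
}


def parse_reg(text):
    """(kind, key, name, data) tuples: delete_key for [-KEY], delete_value for "n"=-, set_value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1], None, None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and '"=' in line and key is not None:
            name, _, rhs = line[1:].partition('"=')
            if rhs == "-":
                ops.append(("delete_value", key, name, None))
            else:  # only the dword and string types this fix uses
                data = int(rhs[6:], 16) if rhs.startswith("dword:") else rhs.strip('"')
                ops.append(("set_value", key, name, data))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return ops


def apply_ops(snapshot, ops):
    """Merge the fix into a copy of the snapshot the way regedit would."""
    reg = {k: dict(v) for k, v in snapshot.items()}
    for kind, key, name, data in ops:
        if kind == "delete_key":  # [-KEY] removes the key and every subkey
            reg = {k: v for k, v in reg.items() if k != key and not k.startswith(key + "\\")}
        elif kind == "delete_value":
            reg.get(key, {}).pop(name, None)
        else:
            reg.setdefault(key, {})[name] = data
    return reg


def audit(snapshot, ops):
    """Settings the fix would change (tampering indicators); an absent value counts as default."""
    found = []
    for kind, key, name, data in ops:
        vals = snapshot.get(key)
        if kind == "delete_key" and vals is not None:
            found.append(f"unexpected key present: {key}")
        elif kind == "delete_value" and vals and name in vals:
            found.append(f"unexpected value {name} under {key}")
        elif kind == "set_value" and vals and name in vals and vals[name] != data:
            found.append(f"{key}\\{name} is {vals[name]!r}, expected {data!r}")
    return found
```

audit() treats a value the fix sets but the snapshot lacks as already at default, because the fix's job is to restore values the infection altered, not to create them; run audit(INFECTED, parse_reg(FIX_REG)) before the merge to see what was tampered with, and audit(apply_ops(INFECTED, ops), ops) afterwards to confirm the result is clean.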
AndyManchesta
QUOTE(Icedrake @ Sep 23 2007, 03:58 PM)
Uh oh, another problem! Now I get this error message whenever I try to do Apple Software Update. Here's a picture of the error message I'm getting:

That's not related to the infection you had. I'd suggest either reinstalling the program that's having a problem or posting on the Apple discussion forum for advice

http://discussions.apple.com/index.jspa?categoryID=1
Icedrake
OK, I did the registry change thing. Do I have to do anything else now?
Icedrake
Arghhhhhh!!!!!!!!!! I installed the new version of Java, but after I installed it, I tried playing a Java game on Miniclip called Radical Aces and when the game loaded up, it was all messed up! This didn't happen before when I used the old version of Java! Help! BTW, I use Firefox. The weird thing is though, the game works fine in Internet Explorer.
AndyManchesta
QUOTE(Icedrake @ Sep 23 2007, 08:15 PM)
OK, I did the registry change thing. Do I have to do anything else now?

No, all done, just read the 'So How Did I Get Infected' link I posted earlier to help you avoid getting more trojans

QUOTE(Icedrake @ Sep 23 2007, 10:24 PM)
Arghhhhhh!!!!!!!!!! I installed the new version of Java, but after I installed it, I tried playing a Java game on Miniclip called Radical Aces and when the game loaded up, it was all messed up! This didn't happen before when I used the old version of Java! Help! BTW, I use Firefox. The weird thing is though, the game works fine in Internet Explorer.

Try uninstalling Java again from the Add/Remove screen. After it's been removed, open the Miniclip Radical Aces page and it will then show that it needs to install a plugin to play the game; allow the plugin to be installed, then once it's finished close the browser, reopen it and revisit the minigame page, and it should then display fine. If it doesn't then you can easily restore to an earlier version, but as they are vulnerable to some trojans, long term that could do more harm than good.

Let us know if you still have problems though

Andy
Icedrake
Yess! Thanks Andy, your suggestion worked! Yay, no more Trojans! Just in case, should I post a new HijackThis log?
AndyManchesta

Yes, you can if you want, but I doubt it's changed from the last time I looked. I deleted your new topic in this area asking for the HijackThis check as you already have this topic open, so it's easier if you stick to this one

Cheers
Icedrake
I have a question about the "How did I get infected in the first place" page. Does IE-SPYAD support Internet Explorer 7? And what is the HOSTS file thingy? Could you please tell me what those are?
Icedrake
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:13 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Stuff\Setups\Security\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6558 bytes
Also, can I delete that registry file called fix.reg that you told me to make from Notepad? Or do I still need it?
AndyManchesta
Yes, you can delete the fix.reg as it's not needed now. Your HijackThis log looks fine, just the ALCXMNTR.EXE O4 entry which is open to debate and isn't needed to start with Windows, but I mentioned that earlier so it's fine if you want to leave it, then a couple of optional fixes below, but again it's up to you if you want to fix them or ignore them.


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

QuickTime tray icon which doesn't need to start with Windows; QuickTime movies will still play automatically when they are run. To stop it coming back, right click the blue QuickTime icon in the system tray if it's there, then click QuickTime Preferences, or access QuickTime's options in the Control Panel. Go to the Advanced tab and uncheck the 'Install QuickTime Icon In System Tray' box, then press Apply and OK, and fix the above entry in HijackThis if it still remains in the log

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Application Scheduler installed along with RealPlayer. Once installed, it runs independently and doesn't need to start up automatically with Windows. To disable this after fixing the entry so it doesn't return, go to Start Menu > All Programs > Real Player > click Tools then Preferences. Go to Automatic Services and uncheck all boxes. Do the same for the AutoUpdate & Message Center tabs, then press OK and exit


O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

Checks for Java updates but doesn't need to start with Windows. You can still update Java after fixing this entry by using the Control Panel's Java icon (Start Menu > Control Panel > Java) or by visiting Sun's website here.

Apart from that it looks fine, nice work


QUOTE
I have a question about the "How did I get infected in the first place" page. Does IE-SPYAD support Internet Explorer 7? And what is the HOSTS file thingy? Could you please tell me what those are?

I'm really not sure about IE-SPYAD as I do not use it or IE7, so you may be best posting in the lounge area or software area about that in case other members here use them both together; alternatively you could register and post on the IE-SPYAD developers' forum, which is here http://spywarewarrior.com/index.php and I'm sure one of the members there can answer any questions you have about it.

For MVPS HOSTS the tutorial by Winhelp2002 will explain how it works here

http://www.mvps.org/winhelp2002/hosts.htm

Basically your hosts file is located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS, and if you add a website name with 127.0.0.1 next to it then it will not be possible to connect to that site, as 127.0.0.1 refers to your own machine: instead of contacting the website, Windows first checks the hosts file and then attempts to connect to 127.0.0.1 instead. This can be very useful for blocking ads, tracking cookies and malicious websites, as explained in the tutorial above

Andy
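As an added example, not from the thread or the MVPS tutorial, the Python below reads a HOSTS file with the first-match semantics Andy describes (the name resolves to whatever address is listed beside it, and 127.0.0.1 or 0.0.0.0 makes it unreachable), lists the names a file blocks, and goes one step further than the post by flagging entries that redirect a name to a reachable address, which is how a hosts file altered by malware rather than by a block list shows up. The sample hosts text is constructed; the .invalid names and the 203.0.113.9 address are reserved documentation placeholders.

```python
# Added example (not the thread's code): read a HOSTS file the way Windows
# consults it, list what it blocks, and flag entries that redirect instead.
import ipaddress

# Constructed sample in HOSTS format: address, then one or more names. The
# .invalid names and 203.0.113.9 are reserved placeholders, not real sites.
SAMPLE_HOSTS = """\
# localhost entry present on every Windows install
127.0.0.1       localhost
# MVPS-style block entries: the name resolves to this machine, so the
# connection never reaches the real site
127.0.0.1       ads.example-tracker.invalid
127.0.0.1       www.example-badware.invalid   # comment after the entry
0.0.0.0         telemetry.example.invalid     # 0.0.0.0 is another common sink
# a redirect entry: an antivirus update host sent to some other machine
203.0.113.9     update.example-antivirus.invalid
"""


def parse_hosts(text):
    """Return (line_number, address, lower-cased name) triples.

    '#' starts a comment; lines without a valid address are skipped, as the
    resolver ignores them too.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, str(addr), name.lower()))
    return entries


def lookup(entries, hostname):
    """The first hosts entry for a name wins; None means the query goes on to DNS."""
    hostname = hostname.lower()
    for _, addr, name in entries:
        if name == hostname:
            return addr
    return None


def is_sink(addr):
    """127.x.x.x (this machine) and 0.0.0.0 both make the name unreachable."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def sinkholed_names(entries):
    """Names the file blocks, i.e. the MVPS-style use described in the post."""
    return sorted({name for _, addr, name in entries if is_sink(addr)})


def redirect_entries(entries):
    """Entries that send a name to a reachable address instead of blocking it.

    A blocking hosts file contains almost nothing but sinks (plus LAN names),
    so these are the lines to review: a hosts file altered by malware points
    update or login sites at another machine rather than at 127.0.0.1.
    """
    return [e for e in entries if not is_sink(e[1])]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sinkholed_names(hosts))
    for lineno, addr, name in redirect_entries(hosts):
        print(f"line {lineno}: {name} -> {addr} (review this entry)")
```

Point parse_hosts() at the contents of C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS to run the same review on a real file; LAN names you added yourself will show up under redirect_entries() too, so the list is a review queue, not a verdict.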
Icedrake
OK! Thanks for all your help Andy! BTW, can I post HJT logs once in a while to see if there's any suspicious stuff?
AndyManchesta

You're welcome Ice, I'm glad I could help,

You can post logs whenever you want if you feel there are problems. Follow the advice on the 'How Did I Get Infected' link and it will hopefully reduce the chances of you getting reinfected. Also avoid sites such as warez, cracks, serials etc. because that's where most malware is present, don't click on any links inside popups, spam email messages or Instant Messenger programs, and try to only download free software from sites you know and trust, as files from unknown sites or through filesharing type programs can easily be bundled with spyware or other trojans

Now the HijackThis log is clear, you could run another scan and then place a check next to every entry listed and press the 'Add checked to ignore list' button, so they will not show up when you scan again unless they change, which will make it a lot easier for you to spot anything new that may get added (just make sure to click the ignore button if you use that option and not the fix checked button)

Happy Surfing

Andy

Icedrake
OK, thanks Andy!
Icedrake
Also, can I uninstall Kaspersky Online Scanner from my computer now?