Fnm*.tmp Files In Temp Folder


  • This topic is locked
6 replies to this topic

#1 flyingslinky

flyingslinky

  • Members
  • 4 posts
  • OFFLINE
  • Location:Shenzhen, China
  • Local time:08:57 PM

Posted 17 August 2006 - 03:52 PM

Help!

I've done all the recommended steps before posting my log. I've run Ad Aware and Spybot and deleted suspicious entries, I've run a complete virus scan, I've run Stinger, I've installed and enabled Zone Alarm and I've installed and run Hijack This and generated a log, which I've read and I don't know what's next.

My problem is that my Temp folder in C:\Documents and Settings\...\Local Settings\Temp is still being filled up with fnm*.tmp files and ~Df*.tmp files every several minutes. I noticed the problem when I got a low memory on Drive C notification. When I try to delete these files most will trash but a few give a "used by another program or process" message. I opened one in WordPad and there is a lot of nonsense code (to my uneducated eye) but there are a whole raft of program file listings such as

"Utility uid 114568590 qinst.c Gutachar Upload Utility uid 114568590 module.c Guptachar Upload"

Something is dropping files and possibly trying to compromise my system. Some of the entries are much less polite. Since this is my work station I can't have this going on. If you can help please advise.

Here's my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:52 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\flexlm\SolidWorks SolidNetWork License Manager\SW_D.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Quantum Digital Security\Security Toolkit\QuickMount.exe
C:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Plaxo\2.8.0.43\PlaxoHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\7ck6itwk.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickMount] C:\Program Files\Quantum Digital Security\Security Toolkit\QuickMount.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.8.0.43\PlaxoHelper.exe -a
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O12 - Plugin for .rm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\nppl3260.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} (WebDigiNet Control) - http://219.134.153.124/WebDiginet.CAB
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2CCFA7C-ED3D-4764-8D32-4519630D2A5B}: NameServer = 202.96.134.173,202.96.128.68
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe

Your assistance is greatly appreciated.

Matt

#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:57 AM

Posted 27 August 2006 - 02:23 PM

Welcome to the Bleeping Computer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:57 AM

Posted 27 August 2006 - 03:28 PM

Is this your ISP?
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2CCFA7C-ED3D-4764-8D32-4519630D2A5B}: NameServer = 202.96.134.173,202.96.128.68

If you have any problems deleting .tmp files, you can use Safe Mode:
Reboot to safe mode. ( without networking support !) If you don’t know how to boot in safe mode, there is a tutorial How To Start Windows in Safe Mode .
NOTE: To avoid the risk of any of the files or folders not being found due to their having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Or items 8 & 9 from this link :
http://www.russelltexas.com/malware/faqHijackThis.htm

Step 1

Please download Spybot S&D

Using Spybot Search and Destroy To Remove Spyware From Your Computer Please check this link for instructions on how to download, install and use Spybot S&D. Run this program as soon as possible.

Step 2

Please download Ad-Aware SE

Using Ad-Aware To Remove Spyware From Your Computer Please check this link for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 3

To help prevent further infection, please download SpywareBlaster SpywareBlaster helps to:
  • Prevent the installation of ActiveX-based spyware, Ad-Aware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Step 4

Download and Install Ewido
Please print out the following instructions as this page will be unavailable to you while you are working in Safe Mode.
Please download ewido anti-spyware
  • Install ewido anti-spyware.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
  • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
  • The program will prompt you to update; click the "OK" button
  • The program will now go to the main screen
  • On the left hand side of the main screen click update
  • Click on Start
    The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
    Note: Ewido is a free trial product for 30 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 30 days (which is the reason we uncheck them during installation). You can use Ewido as an on demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on “Update” and “Start Update”.
    If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

    IMPORTANT!:

    Once the updates are installed do the following:
  • If you have an "always on" connection to the Internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode, you can do this by restarting your computer, then repeatedly tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
  • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    Scan with ewido:
  • Click on scanner
  • Click on Settings
    • Under "How to scan" all boxes should be selected
    • Under "Possibly unwanted software" all boxes should be selected
    • Under "What to scan" select scan every file
    • Click OK
  • Click on Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
    Save and Post Your Report:
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report
  • Save the report to your desktop
  • Exit ewido
Reboot back into normal mode
When you are ready to post your next reply, double click on the saved report to open it, then use Ctrl + A to select all text, then Ctrl + C to copy the selected text to your clipboard. Next, open a new reply to your active topic in the forum, and use Ctrl + V to paste the copied text of the ewido log from your clipboard into your reply.

Step 5

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an activeX to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy-to-use with the following browsers: Microsoft Internet Explorer, Mozilla Firefox
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 6
Please download the ATF-Cleaner ATF-Cleaner features include:
  • Cleaning of all user temp folders, administrator only can use this feature.
  • Cleaning of the Java cache, which seems to be harbouring more and more malware.
  • Cleaning for the Opera browser, including Opera's cache, cookies, history, download history, saved passwords and visited links
Do not run it yet.

Step 7

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now we will address the HijackThis fixes.

Please run HijackThis and click "Scan." Place checks next to the following entries (make sure not to miss any):

O20 - AppInit_DLLs: interceptor.dll

You may also check the following entries to fix: These are optional fixes:

You have jusched.exe running at Startup. It checks with Sun's Java updates site to see if newer Java versions are available. This program is not required to start automatically. You can do this manually by visiting http://java.sun.com or just run the Java Plug-In Control Panel. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to Itunes MP3 streaming tool by Apple which allows you to play MP3's. This process speeds up iTunes when it starts, and the program also monitors for connected iPod devices. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime Player itself to keep it from resetting itself. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

There is a small program that will prevent QuickTime from resetting itself.
Please download Engraph-QuickTime-Killer. This is a free utility from EnGraph software. For more information about EnGraph, go to www.engraph.com. This application is intended for people that use or consume Sprint Video Mail, as Sprint uses QuickTime for viewing their movies (or anybody that hates QuickTime). Of course, as soon as QuickTime is run, it adds itself to startup, which is very annoying to me. This application will remove QuickTime from start up and kill any running QuickTime processes. This application runs silently at start up and closes itself as soon as it takes care of QuickTime.

You have Adobe Gamma Loader.exe running at Startup. Adobe Gamma Loader.exe is installed alongside Adobe Creative Studio products and allows the color calibration of your video output device. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. This is the item to fix in HijackThis:

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

You have reader_sl.exe running at Startup. This is a process associated with the Adobe Reader. It is used to decrease the load time for the reader when a PDF document is selected. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. This is the item to fix in HijackThis:

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Close all browsers and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Step 8

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 9

Please run HijackThis again and post a fresh log so I can make sure that all the malware was deleted according to plan.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
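The three checks suebaby41 makes by eye in the reply above (the O17 NameServer entries that must belong to the ISP, the O20 AppInit_DLLs entry, and ActiveX downloads from bare IP addresses in O16 lines) can be written down as a small triage script. The following Python is an added example for readers of this thread; it is not code from HijackThis, from BleepingComputer, or from anyone in the thread. The sample log lines are copied from the log posted in #1, the `expected_dns` parameter is an assumed convention of this script (the reader supplies the DNS servers their ISP actually uses), and the output is a list of entries to verify, not a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: a handful of lines copied from the HijackThis v1.99.1
# log posted earlier in this thread (backslashes doubled for the Python string).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} (WebDigiNet Control) - http://219.134.153.124/WebDiginet.CAB
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B2CCFA7C-ED3D-4764-8D32-4519630D2A5B}: NameServer = 202.96.134.173,202.96.128.68
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
"""

# Line shapes used by HijackThis 1.99 for the three sections we care about.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)\s*$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+?)\s*$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)")


def is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_hijackthis(log_text, expected_dns=()):
    """Return (section, item, reason) tuples for log entries a helper would verify.

    expected_dns: assumed parameter, the DNS servers the user's ISP is known to use;
    when empty, every O17 NameServer is listed so the user can confirm it by hand.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll. A bare
            # filename (no directory) is resolved through the DLL search path, which is
            # exactly the shape of the entry flagged for fixing in this thread.
            for dll in re.split(r"[,\s]+", m.group("value")):
                if not dll:
                    continue
                bare = "\\" not in dll and "/" not in dll
                reason = ("AppInit_DLLs entry, bare filename resolved via search path"
                          if bare else "AppInit_DLLs entry")
                findings.append(("O20", dll, reason))
            continue

        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                if not expected_dns:
                    findings.append(("O17", server, "NameServer; confirm it belongs to your ISP"))
                elif server not in expected_dns:
                    findings.append(("O17", server, "NameServer not in the expected ISP list"))
            continue

        m = O16_RE.match(line)
        if m:
            # Downloaded Program Files fetched from a bare IP address have no domain to
            # vouch for them; named vendor hosts (plaxo.com, ca.com, yahoo.com) are skipped.
            host = urlparse(m.group("url")).hostname or ""
            if is_ip_literal(host):
                findings.append(("O16", m.group("url"),
                                 "ActiveX control downloaded from a raw IP address (%s)" % m.group("name")))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage_hijackthis(SAMPLE_LOG):
        print("%-4s %-45s %s" % (section, item, reason))
```

Run as-is it lists the one O20 entry, both O17 name servers and the IP-hosted O16 control, which is the same shortlist the reply above arrived at; passing `expected_dns=("202.96.134.173", "202.96.128.68")` drops the O17 lines once the ISP has confirmed those addresses. The script only matches sections that HijackThis prints verbatim, so it will not see anything the scanner itself does not report.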

#4 flyingslinky

flyingslinky
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Location:Shenzhen, China
  • Local time:08:57 PM

Posted 29 August 2006 - 03:32 PM

Hello Suebaby,

Thanks for your detailed instructions. Where do you find the time for this?

Here's what I did in detail.

1. Downloaded Spybot S&D. Installed and ran. No results.

2. Already had AdAware. Ran a scan, deleted 9 cookies.

3. Downloaded and installed Spyware Blaster.

4. Downloaded and installed Ewido. (The icon isn't an E, it's a pseudo-celtic knot, but it works.)
4. b Installed according to your instructions. Updated.
4. c Unplugged my network cable.
4. d Rebooted in SAFE mode. Ran Ewido with recommended settings and nothing else running. Here's the log.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:40:12 PM 8/29/2006

+ Scan result:



C:\Documents and Settings\Administrator\Desktop\Program Files\Starware\bin\Starware.dll -> Adware.Starad : No action taken.
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.49:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.50:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.51:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.52:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.53:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.54:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.55:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\7ck6itwk.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Bfast : No action taken.
:mozilla.84:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.85:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Counted : No action taken.
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Counted : No action taken.
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkysndpecp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkoopczalp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkogmcpilp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkycjajeho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjkyqmajkeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjl4qmcpweo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjl4sid5gcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmigmdpkeq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjmycpdpaap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyahdzgfo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyehd5gfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyohajmap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyoic5kko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnyojajcdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjnysiajibq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.65:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.67:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Ivwbox : No action taken.
:mozilla.73:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Ivwbox : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[1].txt -> TrackingCookie.Ivwbox : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.50:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@www.res99[1].txt -> TrackingCookie.Res99 : No action taken.
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.45:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\d9ebi3ef.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.56:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bu9jqzc6.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@web-stat[2].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@yadro[2].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

------------------------------------


5. Reboot in Normal mode.

Ran antivirus from BitDefender (took over 4 hours). Results - deleted AVG Vault files for Trojan.BurstedA

Ran Trend Micro Housecall (took over 2 hours). Results - 2 cookies, Adware Flashget, Spyware KEYL_ASTLOG. Deleted all.

6. Downloaded ATF Cleaner. Didn't run it yet.

7. Ran HijackThis.
Had to delete O20 - AppInit_DLLs: interceptor.dll by using the "delete on reboot" option. Tried several scans but wouldn't delete any other way. It's gone now, but I also saw the file InterceptHelper.dll in the System32 folder.

7. b Deleted Jusched.exe

7. c Deleted iTunesHelpber.exe

7. d Deleted qttask.exe" -atboottime

7. e Kept Adobe Gamma Loader.exe. I use this program regularly.

7. f Kept reader_sl.exe. I use Acrobat reader several times a day.

8. Ran ATF Cleaner. I don't use Opera, so no option available. Otherwise deleted everything but Firefox passwords.

9. Ran HijackThis again. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:02:17 AM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Quantum Digital Security\Security Toolkit\QuickMount.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Plaxo\2.8.0.43\PlaxoHelper.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\flexlm\SolidWorks SolidNetWork License Manager\SW_D.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\7ck6itwk.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickMount] C:\Program Files\Quantum Digital Security\Security Toolkit\QuickMount.exe -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.8.0.43\PlaxoHelper.exe -a
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O12 - Plugin for .rm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\nppl3260.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} (WebDigiNet Control) - http://219.134.153.124/WebDiginet.CAB
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2CCFA7C-ED3D-4764-8D32-4519630D2A5B}: NameServer = 202.96.134.173,202.96.128.68
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Whew!

Ok, I just checked my Local Settings\Temp folder. Files here are as follows:

~DF2A09.tmp
~DF267A.tmp
~DFA76C.tmp
~DFF03E.tmp
~DFF04B.tmp
fnm60.tmp
fnm61.tmp
SB-CLSID-cache.dat
tmp5F.tmp

These files weren't there after running ATF Cleaner. They have shown up in the last fifteen minutes.

The fnm*.tmp files are the ones that have been proliferating.

So, I opened Internet Explorer. My homepage is about:blank. Two more files popped up in the temp folder, both fnm*.tmp files. I clicked to Yahoo, then closed the window. The files disappeared.

Did it again with Google. Did a search. Opened a page from Google. Closed both pages. Files appeared, then disappeared.

I'll see what happens when I close this IE window after I send this posting.

Any suggestions?

Thanks,
Flyingslinky
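
A small watcher that automates what Flyingslinky did by hand above (open a browser window, look at the Temp folder, note what appears and what vanishes), added here as an example; it is not code from any post in this thread. The file patterns are the two named in the thread; the listings used to exercise it are constructed from the directory listing posted above. The polling interval, round count and the function names are this example's own choices.

```python
"""Temp-folder watcher, added as an example for this thread (not code from
any post in it).  It snapshots a directory, waits, snapshots again, and
reports which fnm*.tmp / ~DF*.tmp files appeared or vanished in between, so
their appearance can be lined up against what was happening at the time
(a browser window opening, a scheduled scan, ...).  The pure functions take
plain name lists so they can be exercised on constructed data without
touching the disk.
"""
import fnmatch
import os
import tempfile
import time

# The two patterns the thread is about.  Matching is case-insensitive
# because NTFS/FAT names are.
WATCH_PATTERNS = ("fnm*.tmp", "~DF*.tmp")


def matching(names, patterns=WATCH_PATTERNS):
    """Names that match any watched pattern (original spelling kept)."""
    return sorted({n for n in names
                   if any(fnmatch.fnmatch(n.lower(), p.lower()) for p in patterns)})


def diff_snapshots(before, after, patterns=WATCH_PATTERNS):
    """Return (created, deleted) lists of watched names between two listings."""
    b = set(matching(before, patterns))
    a = set(matching(after, patterns))
    return sorted(a - b), sorted(b - a)


def snapshot(path):
    """Current plain-file names in a directory (subdirectories excluded)."""
    return [n for n in os.listdir(path)
            if os.path.isfile(os.path.join(path, n))]


def watch(path, interval=5.0, rounds=12):
    """Poll `path` and print a timestamped line for every change."""
    prev = snapshot(path)
    for _ in range(rounds):
        time.sleep(interval)
        cur = snapshot(path)
        created, deleted = diff_snapshots(prev, cur)
        stamp = time.strftime("%H:%M:%S")
        for n in created:
            try:
                size = os.path.getsize(os.path.join(path, n))
            except OSError:          # gone again before we could stat it
                size = "?"
            print(f"{stamp} + {n} ({size} bytes)")
        for n in deleted:
            print(f"{stamp} - {n}")
        prev = cur


if __name__ == "__main__":
    # tempfile.gettempdir() honours %TEMP%, i.e. on XP
    # C:\Documents and Settings\<user>\Local Settings\Temp
    watch(tempfile.gettempdir())
```

Run it in the foreground while reproducing the behaviour (opening and closing IE, for instance) and read the timestamps against what you did. The watcher only tells you when files come and go; to learn which process is holding a file that refuses to delete, use Process Explorer's Find Handle or DLL (Ctrl+F) or the Sysinternals handle.exe utility, both of which name the owning process.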

#5 suebaby41 (W.A.M. (Women Against Malware); Malware Response Team; 6,248 posts; Location: South Carolina, USA)

Posted 31 August 2006 - 02:27 PM

Step 1

7. b Deleted Jusched.exe

7. c Deleted iTunesHelpber.exe

7. d Deleted qttask.exe" -atboottime


The above were optional fixes, which means that the fixes are not required or are elective fixes. Checking and fixing these entries in HijackThis stops these programs from loading at Startup. These programs are not required to start automatically, as you can start them manually if you need them.
If you deleted the files you mentioned above, you will have to reinstall those programs to get the use of the programs.
QuickTime
iTunes

The SunJavaUpdate Scheduler is part of the Sun Java program.
Java Runtime Environment

Step 2

If you reinstall those programs, then scan with HijackThis, check the O4 entries.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

Close all browsers and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked. The programs will not be in your Startup program.

Step 3

My problem is that my Temp folder in C:\Documents and Settings\...\Local Settings\Temp is still being filled up with fnm*.tmp files and ~Df*.tmp files every several minutes. I noticed the problem when I got a low memory on Drive C notification. When I try to delete these files most will trash but a few give a "used by another program or process" message. I opened one in WordPad and there is a lot of nonsense code (to my uneducated eye) but there are a whole raft of program file listings such as

"Utility uid 114568590 qinst.c Gutachar Upload Utility uid 114568590 module.c Guptachar Upload"

Something is dropping files and possibly trying to compromise my system. Some of the entries are much less polite. Since this is my work station I can't have this going on. If you can help please advise.

Ok, I just checked my Local Settings\Temp folder. Files here are as follows:
~DF2A09.tmp
~DF267A.tmp
~DFA76C.tmp
~DFF03E.tmp
~DFF04B.tmp
fnm60.tmp
fnm61.tmp
SB-CLSID-cache.dat
tmp5F.tmp

These files weren't there after running ATF Cleaner. They have shown up in the last fifteen minutes.

The fnm*.tmp files are the ones that have been proliferating.

So, I opened Internet Explorer. My homepage is about:blank. Two more files popped up in the temp folder, both fnm*.tmp files. I clicked to Yahoo, then closed the window. The files disappeared.


What is a temporary file?

A temporary file is a computer file used to store information for a short time; the file is then deleted after its use. They are often stored in a temporary folder and/or with the .TMP file extension.
Temporary files are usually created by applications that need to store information that is either too big for storage in RAM or that needs to be saved in non-volatile memory (such as a hard drive). An example of data requiring non-volatile storage would be any data needed after a computer reboots, since this data would otherwise be lost if it were stored in RAM.
Microsoft Windows uses many temporary files to store data about the users' web browsing history and settings. The most common files associated with Windows temporary files are index.dat and the entire "Cookies" folder under "Documents and Settings" that stores HTTP cookies.
Some programs create temporary files and then leave them behind. This can happen because the program crashed or because the developer of the program simply forgot to add the code needed to delete the temporary files after the program is done with them. The temporary files left behind by the programs accumulate over time and can take up a lot of disk space. A recent series of system utilities, called temporary file cleaners or disk cleaners, has appeared to address this issue.

Explanation of Temporary Files

More information on Temporary Files

Step 4

Your log appears to be clean. Please advise me of any problems you still have.

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. If you are using Windows XP then you should disable and enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to disable and enable system restore here:
    Windows XP System Restore Guide
  • Make your Internet Explorer more secure This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it asks you if you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use IE-SPYAD Install IE SPYAD. Add another level of protection to your Internet Explorer browser by blocking certain sites that are known to contain malware. IE SPYAD puts several thousand sites in your restricted zone so you'll be protected when you visit innocent looking sites that aren't actually innocent at all. If you happen on a site within its list, they can't hijack you or install anything. Program is free and is updated about once a month. Please follow readme instructions for install; it is a little different. Single user PC use IE Spyad1. Multi user XP PC use IE Spyad2.
    Computer Safety On line Anti Virus
  • Update your Anti Virus Software It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • You should scan your computer with Spybot S&D on a regular basis just as you would an anti-virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  • You should scan your computer with Ad-Aware as well as Spybot S&D and your anti-virus program on a regular basis. A tutorial on installing & using this product can be found here:
    Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
  • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok..
  • Use an alternative instant messenger program. Trillian and Miranda IM These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • If you are using Internet Explorer, please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from HERE
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
Good luck!
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
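
For readers who want to see how the O-numbered entries in a log like the one above get read, here is a small triage script written for this thread; it is not part of HijackThis and did not appear in any post. It splits a HijackThis v1.99 log into its sections and flags a handful of things a responder checks by eye: an O16 ActiveX download fetched from a bare IP address, an entry whose target file is reported missing, an O23 service with an unknown owner, an O17 nameserver that is a public address, and any O20 AppInit_DLLs entry. The embedded log is a constructed excerpt modelled on the one Flyingslinky posted (the O20 line is taken from the narrative, since it had already been removed by the time the log was saved). A flag means "look at this", not "malicious"; the thread's own verdict on that log was that it appears clean. The function names and heuristics are this example's own.

```python
"""Triage helper for a HijackThis v1.99 log, added as an example for this
thread; it is not part of HijackThis or of any post in it.

It splits the log into its sections (O2 BHOs, O4 Run entries, O9 buttons,
O16 DPF downloads, O17 NameServer, O20 AppInit_DLLs, O23 services, ...) and
applies a few review heuristics a responder applies by eye.  A flag means
"look at this", not "malicious".
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in HijackThis log format, modelled on the thread's log.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} (WebDigiNet Control) - http://219.134.153.124/WebDiginet.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B2CCFA7C-ED3D-4764-8D32-4519630D2A5B}: NameServer = 202.96.134.173,202.96.128.68
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\\CFusionMX\\db\\slserver52\\bin\\swagent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZONELABS\\vsmon.exe
"""

# Every numbered entry looks like "O16 - <body>" (also N*, R*, F* sections).
ENTRY_RE = re.compile(r"^([ONRF]\d+) - (.*)$")


def parse_hjt(text):
    """Return {section: [body, ...]} for every numbered entry in the log."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def _is_bare_ip_host(url):
    """True when the URL's host is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(sections):
    """Apply review heuristics; returns a list of (section, reason, body)."""
    flags = []
    for body in sections.get("O16", []):
        url = body.rsplit(" - ", 1)[-1]          # last field is the download URL
        if _is_bare_ip_host(url):
            flags.append(("O16", "ActiveX control downloaded from a bare IP address", body))
    for sec in ("O9", "O4", "O2"):
        for body in sections.get(sec, []):
            if "(file missing)" in body:
                flags.append((sec, "entry points at a file that no longer exists", body))
    for body in sections.get("O23", []):
        if "- Unknown owner -" in body:
            flags.append(("O23", "service binary carries no recognised publisher", body))
    for body in sections.get("O17", []):
        for s in body.split("NameServer = ", 1)[-1].split(","):
            try:
                ip = ipaddress.ip_address(s.strip())
            except ValueError:
                continue
            if not ip.is_private:
                flags.append(("O17", f"nameserver {ip} is a public address; confirm it is your ISP's", body))
    for body in sections.get("O20", []):
        if body.startswith("AppInit_DLLs:"):
            flags.append(("O20", "AppInit_DLLs is loaded into every process that loads user32.dll", body))
    return flags


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {reason}\n    {body}")
```

The same two functions work on a whole saved log (read the file and pass its text to parse_hjt). The heuristics are deliberately narrow: they surface the entries a responder would ask about first, and every one of them has a benign explanation that only the machine's owner can confirm, as the nameserver and the licensed-software services in this thread show.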

#6 flyingslinky (Topic Starter; Members; 4 posts; Location: Shenzhen, China)

Posted 01 September 2006 - 03:16 AM

I really appreciate your expert and detailed help. I've checked my temp folder for the files that were filling up my drive and it seems that the problem has been solved. No more files!

Thanks also for all of the great tips. I do run a regularly updated virus scanner, etc. and I never use MSN Messenger on this computer. I've followed all of your recommendations about spyware and malware blockers, etc. and I'm running ZoneAlarm, so I think I've got things secure now. I'll add IE Spyad and I'll consider switching to Firefox.

Again, thanks for all your help.

Cheers,
Matthew

#7 suebaby41 (W.A.M. (Women Against Malware); Malware Response Team; 6,248 posts; Location: South Carolina, USA)

Posted 01 September 2006 - 11:38 AM

You are welcome. I am glad that we could help.

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
