Contravirus, Anyone know how I can get rid of this malware? Options

[starruffian]

Hello. I've tried everything to get rid of this nasty malware called Contravirus 2.0 My Ad-Aware scan did not get rid of it. Any chance LavaSoft can work on an update to do that? Right now it exists in my tray as a red X that is over the Windows Update symbol. Occasionally a pop up will appear and say that my computer is infected with a virus. It then will hijack my browser and go to the ContraVirus webpage where I'm asked to buy their product. Aren't there laws against this kind of thing? Thanks very much.

This post has been edited by starruffian: Jun 5 2007, 06:49 PM

[LS Andy]

Hi starruffian,

Thanks for the post! We'll check it out.

Regards,

Andy
Lavasoft Research

[starruffian]

Hello. I've tried everything to get rid of this nasty malware called Contravirus 2.0 My Ad-Aware scan did not get rid of it. Any chance LavaSoft can work on an update to do that? Right now it exists in my tray as a red X that is over the Windows Update symbol. Occasionally a pop up will appear and say that my computer is infected with a virus. It then will hijack my browser and go to the ContraVirus webpage where I'm asked to buy their product. Aren't there laws against this kind of thing? Thanks very much.

[starruffian]

Thanks Andy. I look forward to hearing any advice you might have. FYI... Below is the response I received from ContraVirus. I sent them an email explaining that I couldn't get rid of their malware. This is their remedy. Curious to hear what you think of this.


You can save the file enclosed on your hard-drive, un-rar and run the
regfix.reg file, then restart your computer. This will get rid of the
unwanted
activities on your computer completely.

If you do not have the RAR software, you can download and install its
free
version from http://www.rarlab.com/ , and unpack the enclosed file
using this
program.

----------------------------------------------
ContraVirusPro.
http://www.contraviruspro.com/

[LS CalamityJane]

Pardon the interruption - I saw your post here and I think you ought to let us take a look at the file they sent before running it. ContraVirus is a known Rogue and suspect program that is listed here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

I don't think I would trust any file sent by them and letting us review it first might be a good idea.

Here is how to get the file to me and I'll also send a copy to LS Andy for him to look at.

Don't "unrar" the file and don't run it - just download it and save to your desktop

Please go here to upload a suspicious file for analysis.
http://www.uploadmalware.com/

* Enter your username from this forum as: starruffian at LS

* Copy and paste the link to this thread: http://www.lavasoftsupport.com/index.php?showtopic=9418

* Click "Browse" on the 1. field.
Browse to the file they sent called regfix.reg and click the file with your mouse, press "Open"


* In the comments, please mention that I asked you to upload this file

* Click on Send File

We'll reply to you back here in this topic after taking a look at it.

[goldang]

I too have been afflicted by this "malware". I tried creating a boot disk using pebuild (minimal Windows XP boot) and including your product and its latest definitions, and ran it to remove the malware, but it did not detect it. Once I rebooted regularly I still got the system tray / bubble problem mentioned above.

I have disabled internet access to that computer, and that seems to keep Contravirus from reinstalling itself.

If I can try/run anything to help provide you (Lavasoft) with more to work with, please don't hesitate to ask - it's not like I haven't been spending my late nights trying to get rid of this thing anyway.

Thanks!

[starruffian]

Hi Calamity Jane. You're so sweet to help out. I've done what you said and sent the file regfix.reg through the uploadmalware.com website. I look forward to your advice.
Best,
Starruffian

[LS CalamityJane]

Hi starruffian,

Thanks for sending the file. It is ok and about what I expected (sort of) from the posts I've seen recently complaining about this pest. It looks like Contravirus has gone from Rogue to malware Zlob/smitfraud. This is fairly new and you may be able to help us pin down the files needed to add to our detection database.

This is the registry fix they sent (FYI) - this may not mean anything to you but it does to me and may also benefit other spyware fighters:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Svc"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Updater Servc"=-

I'll want to take a closer look at your system to see if there is anything else they snuck in there so I'm going to move your topic to the "Help I think I'm infected" subforums and will request some diagnostic tools to see if we find anything else that needs fixing. I suspect there is a file there that needs removal as well.
.................
Ok, first, let's get a diagnostic log from this free tool called HijackThis
Instructions on creating a HijackThis Log
http://www.lavasoftsupport.com/index.php?showtopic=216
...................
Next, Please run this free to tool as well to generate a log:

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

2. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You can just reply to this thread with those two logs please and I'll come back and look them over.

at: goldang - you can also run the same free tools to generate logs, but instead of posting them into this topic that belongs to starruffian, post a NEW TOPIC in this subforum for assistance:
http://www.lavasoftsupport.com/index.php?showforum=36

[starruffian]

Logfile of HijackThis v1.99.1
Scan saved at 4:53:29 PM, on 6/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\xpuupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://STARASIA01:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msn.exe] C:\Program Files\MSN\MSNCoreFiles\msn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINNT\system32\xpuupdate.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?717d4608c3ae4ce38974789fa5dab7c8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?717d4608c3ae4ce38974789fa5dab7c8
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - http://download.verizon.net/sfp/Cabs/max_u...pdate_1-0-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/veri.../DSLControl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by117fd.bay117.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = star.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = star.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = star.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

[starruffian]

Hi Calamity Jane. So that link to unzip the files for the SmithfraudFix doesn't seem to work. If you can re-link me or tell me how to do it, I'll send that log on as soon as I can. Hope the other log helps. Thank you!!!!

[LS CalamityJane]

good job so far.

I do see it in Hijackthis, but there may be more that SmitfraudFix will find so I'd like to see that report before we start a fix.

I'd also like you to upload another file for me please (this is the bugger that I thought we might find and it will help us add this pest to our detections which will help everyone).

So, I'll give you two steps next to do. One to upload the file I need to examine and the next to unzip your smitfraudfix so that you can run that one to get a log.

1. Please go here to upload a suspicious file for analysis.
http://www.uploadmalware.com/

* Enter your username from this forum as: starruffian at LS

* Copy and paste the link to this thread: http://www.lavasoftsupport.com/index.php?showtopic=9418

* Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINNT\system32\xpuupdate.exe

* In the comments, please mention that I asked you to upload this file

* Click on Send File
...............
2. To unzip your smitfraudfix, I see you have winzip installed - that will do it Here's how.

Make sure that you have the smitfraudfix.zip located on your desktop. Rightclick on the file and you should see winzip listed in the dropdown menu. Choose to "extract to here" and that will put the smitfraudFix folder on your desktop so that you can proceed with my prior instruction to run it to make a log.

screenshot appears below that should help (you'll need to click on this image to enlarge it to see)

[starruffian]

SmitFraudFix v2.192

Scan done at 19:21:12.76, Thu 06/07/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\xpuupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearchFilter.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="http://gfx2.hotmail.com/bgcolor.gif"
"SubscribedURL"="http://gfx2.hotmail.com/bgcolor.gif"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® 82559 Fast Ethernet LAN on Motherboard
DNS Server Search Order: 207.69.188.185
DNS Server Search Order: 207.69.188.186
DNS Server Search Order: 207.69.188.187

HKLM\SYSTEM\CCS\Services\Tcpip\..\{34F8272F-1592-4C46-9460-6887CFB5E035}: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS1\Services\Tcpip\..\{34F8272F-1592-4C46-9460-6887CFB5E035}: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS2\Services\Tcpip\..\{34F8272F-1592-4C46-9460-6887CFB5E035}: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[starruffian]

Ok so I think I did it. I followed your directions exactly and you should see Smitfraudfix log on this forum. I've uploaded suspicious file you requested on uploadmalware.com I so look forward to hearing your further advice. You're amazing.

[LS CalamityJane]

Great! Let me go fetch that file to take a look at. I'll be back and write up some fix steps for you.

[LS CalamityJane]

Yep, this is a new Zlob variant - it's infected alright! I'll be sending this in to Research to add to our detections. Here are the AV scanning results (not widely detected yet) but will submit to them too.

Complete scanning result of "xpuupdate.exe", received in VirusTotal at 06.08.2007, 02:03:32 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.07.2007 no virus found
AntiVir 7.4.0.32 06.07.2007 TR/Dialer.DouaM.A.1
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 Generic4.SMZ
BitDefender 7.2 06.08.2007 Trojan.FakeAlert.GR
CAT-QuickHeal 9.00 06.07.2007 no virus found
ClamAV devel-20070416 06.07.2007 no virus found
DrWeb 4.33 06.08.2007 no virus found
eSafe 7.0.15.0 06.06.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3701 06.07.2007 no virus found
Ewido 4.0 06.07.2007 no virus found
FileAdvisor 1 06.08.2007 no virus found
Fortinet 2.85.0.0 06.07.2007 no virus found
F-Prot 4.3.2.48 06.07.2007 no virus found
F-Secure 6.70.13030.0 06.08.2007 W32/Goldun.gen2
Ikarus T3.1.1.8 06.07.2007 DroppedWin32.Worm.Stration.EM
Kaspersky 4.0.2.24 06.08.2007 no virus found
McAfee 5048 06.07.2007 no virus found
Microsoft 1.2503 06.08.2007 no virus found
NOD32v2 2317 06.07.2007 a variant of Win32/Hoax.Renos
Norman 5.80.02 06.07.2007 W32/Goldun.gen2
Panda 9.0.0.4 06.08.2007 Application/ContraVirusPro
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.07.2007 no virus found
Symantec 10 06.08.2007 no virus found
TheHacker 6.1.6.130 06.06.2007 no virus found
VBA32 3.12.0 06.07.2007 suspected of Downloader.Zlob.6 (paranoid heuristics)
VirusBuster 4.3.23:9 06.07.2007 no virus found
Webwasher-Gateway 6.0.1 06.07.2007 Trojan.Dialer.DouaM.A.1

Aditional Information
File size: 54784 bytes
MD5: 365861b1cf95e2c4c23efe5b572ac177
SHA1: be7130ead77b8c58e3f1df4d7eb71536519d6996
packers: UPX
..................................................
Since this is new, I'd like to get one more report (log) from you from one more diagnostic tool please. The reason is, I want to check for all possible areas of infection so I can have the best chance to kill it all at once, rather than having it come back on you. We will get you fixed...don't worry. So please do one more tool and post a log

Download ComboFix from Here or Here to your Desktop.

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

[starruffian]

This is the HiJackThis log you asked for. I'll be back with the ComboFix in a minute.

Logfile of HijackThis v1.99.1
Scan saved at 4:53:29 PM, on 6/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\xpuupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\TEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://STARASIA01:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msn.exe] C:\Program Files\MSN\MSNCoreFiles\msn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINNT\system32\xpuupdate.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/229?717d4608c3ae4ce38974789fa5dab7c8
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-us\msntabres.dll/230?717d4608c3ae4ce38974789fa5dab7c8
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - http://download.verizon.net/sfp/Cabs/max_u...pdate_1-0-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/veri.../DSLControl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by117fd.bay117.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = star.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = star.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = star.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

[starruffian]

"Administrator" - 2007-06-07 21:51:41 Service Pack 4
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Administrator\DESKTOP\"


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-07 21:45 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-07 21:45 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_eb0.dat
2007-06-07 19:21 3,700 --a------ C:\WINNT\SYSTEM32\tmp.reg
2007-06-07 19:20 53,248 --a------ C:\WINNT\SYSTEM32\Process.exe
2007-06-07 19:20 51,200 --a------ C:\WINNT\SYSTEM32\dumphive.exe
2007-06-07 19:20 288,417 --a------ C:\WINNT\SYSTEM32\SrchSTS.exe
2007-06-05 14:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-06-05 12:03 <DIR> d-------- C:\Program Files\ContraVirus
2007-06-04 22:12 <DIR> d-------- C:\WINNT\SYSTEM32\ActiveScan
2007-06-04 18:58 <DIR> d-------- C:\KAV
2007-06-04 18:09 1,060,864 --a------ C:\WINNT\SYSTEM32\MFC71.dll
2007-06-04 18:09 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-04 15:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-04 15:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-04 15:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-04 14:32 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-04 13:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-04 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-03 21:26 54,784 --a------ C:\WINNT\SYSTEM32\xpuupdate.exe
2007-05-15 08:56 <DIR> d-------- C:\Program Files\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 03:58:36 1,204 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-05-14 03:15:34 20,992 ----a-w C:\WINNT\stub.exe
2007-04-27 22:21:42 4,212 ---h--w C:\WINNT\system32\zllictbl.dat
2007-04-27 21:00:42 16,384 ----a-w C:\WINNT\system32\Perflib_Perfdata_2d0.dat
2007-04-09 20:55:18 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Viewpoint
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINNT\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINNT\system32\XceedCry.dll
2007-03-13 09:44:50 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL
2007-03-09 05:02:00 75,512 ----a-w C:\WINNT\zllsputility.exe
2007-03-09 05:01:42 1,087,216 ----a-w C:\WINNT\system32\zpeng24.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-12-18 04:16 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [05-05-31 01:04 ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [07-03-14 03:43 ]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [07-01-19 23:55 ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [07-05-22 14:04 ]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll [05-09-20 18:12 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [00-07-26 17:00 C:\WINNT\SYSTEM32\mobsync.exe]
"MotiveMonitor"="C:\Program Files\Motive\motmon.exe" []
"RxUser"="C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe" [00-07-30 07:06 ]
"madexe"="C:\Program Files\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe" [00-07-30 07:07 ]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [00-08-10 12:00 ]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [00-08-10 12:00 ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [03-09-13 21:36 ]
"LoadQM"="loadqm.exe" [00-05-03 17:23 C:\WINNT\loadqm.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [02-07-30 11:35 ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [03-05-15 16:41 ]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"msn.exe"="C:\Program Files\MSN\MSNCoreFiles\msn.exe" [06-05-30 13:19 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [05-07-15 16:48 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-03-14 19:05 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [00-07-19 09:00 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-05-22 14:04 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2001-02-15 01:55:52 C:\WINNT\tasks\Symantec NetDetect.job
2007-06-05 12:19:04 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-02 04:41:42 C:\WINNT\tasks\Disk Cleanup.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 21:55:44
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 21:56:47
C:\ComboFix-quarantined-files.txt ... 07-06-07 21:56

--- E O F ---

[starruffian]

So I've posted both logs as you requested. I had a little bit of trouble with the Combofix. It kept asking me to reboot but then seemed to have done the log regardless. I hope I got it ok. Looking forward to hearing what you think. Thank you!!!!!

[starruffian]

FYI... since I ran Combofix and rebooted, the Contravirus symbol, (the red x that hung over the Microsoft update symbol) seems to have disappeared from my tray.

[LS CalamityJane]

Perfect! You did a great job

Ok, let's roll! and go for the fix (looks like it won't be very hard to remove)

1. Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
http://russelltexas.com/malware/createhjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.


2. Open Hijackthis and choose to a "System scan only"

when it finishes, place a checkmark next to this entry and then press the *Fix Checked* button

O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINNT\system32\xpuupdate.exe

3. Make sure you pressed the Fix checked button after selecting the above entry to fix. Then delete this folder:

C:\Program Files\ContraVirus

delete this file:
C:\WINNT\SYSTEM32\xpuupdate.exe

4. Only, If you have any problem deleting the xpuupdate.exe file, then do this

Open Hijackthis again and this time choose *Open Misc tools section*

then choose *delete a file on reboot*

Copy and paste into the while box for file delete the following:
C:\WINNT\SYSTEM32\xpuupdate.exe

Then allow HijackThis to reboot your computer.

After the reboot, please scan once more with HijackThis to produce a fresh log please and post that back here

And let me know if you see any remaining symptoms at that point?