nasty little thing not found by Avast, not removable by HijackThis

I have a blinking yellow alert triangle that keeps giving me “security alerts” and random pop-ups telling me to “download spyware protection.” Fortunately I know enough to recognize this thing as nasty and not helpful, but I can’t get rid of it. Avast didn’t find it, and no matter how many times I delete the “O3 - Security Toolbar” entry in HijackThis, it’s still there. System restoring to an earlier date doesn’t work because it doesn’t see any changes to the system. I’m going nuts here. Help!

Here’s my hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:36 AM, on 10/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\xeohoaev.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.blogger.com
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

so now what?
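Before the helpers' replies, an added example that is not part of this thread: a small Python triage pass over a constructed subset of the HijackThis log above. It parses the O3, O4 and O23 lines and flags the things a log reader looks for first: an eight-random-letter DLL sitting directly in C:\WINDOWS\System32, a browser toolbar loaded from the Windows directory instead of a vendor folder, and services with no recorded owner or a binary HijackThis could not resolve. A hit is a prompt to check the file, not a verdict; the avast! Mail Scanner line is flagged only because of its "(file missing)" text while the same product's scanner is plainly running in the process list. The directory set, the name pattern and the sample text are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above
# (O4 entries written the way HijackThis prints them, HKLM\..\Run).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:41:36 AM, on 10/13/2007

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\xeohoaev.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumption: directories vendor software rarely drops loose DLLs/EXEs into
# (compared case-insensitively against the file's parent directory).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: 7-9 lowercase letters and no digits, as in xeohoaev.dll above.
RANDOM_NAME = re.compile(r"^[a-z]{7,9}\.(?:dll|exe)$")

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    item: str            # HijackThis item code, e.g. "O3"
    name: str
    path: str            # the raw path/arguments exactly as HijackThis printed them
    reasons: list = field(default_factory=list)


def split_path(raw):
    """Return (parent_dir, basename) lower-cased, with quotes and arguments dropped."""
    p = raw.strip().strip('"').lower()
    m = re.match(r"^(.*?\.(?:exe|dll|scr|sys|cpl))\b", p)
    if m:
        p = m.group(1)
    parent, _, base = p.rpartition("\\")
    return parent, base


def path_reasons(raw):
    parent, base = split_path(raw)
    reasons = []
    if parent in SYSTEM_DIRS and RANDOM_NAME.match(base):
        reasons.append("random-looking filename dropped directly into the Windows directory")
    return reasons


def triage(log_text):
    """Return the entries a human should look at, each with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O3_RE.match(line):
            f = Finding("O3", m["name"], m["path"], path_reasons(m["path"]))
            if split_path(m["path"])[0] in SYSTEM_DIRS:
                f.reasons.append("browser toolbar DLL lives in the Windows directory, not a vendor folder")
        elif m := O4_RE.match(line):
            f = Finding("O4", m["name"] or m["where"], m["path"], path_reasons(m["path"]))
        elif m := O23_RE.match(line):
            f = Finding("O23", m["name"], m["path"], path_reasons(m["path"]))
            if m["owner"] == "Unknown owner":
                f.reasons.append("no service owner recorded; verify the binary's publisher")
            if "(file missing)" in m["path"]:
                f.reasons.append("HijackThis could not resolve the service binary; check the ImagePath by hand")
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


def flagged_basenames(log_text):
    """Just the file names of flagged entries, for a quick comparison with a scan report."""
    return sorted({split_path(f.path)[1] for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item:<4}{f.name}\n    {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run on the sample, only xeohoaev.dll (two reasons) and the avast! Mail Scanner service (two reasons) come back; the Apoint, HP and avast! Antivirus entries are left alone because their binaries sit in vendor folders and carry a publisher name.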

Rename HijackThis by right-clicking the icon/file and selecting Rename; call it Gotcha (or anything else really, I just like that).

THEN

Download ComboFix from Here or Here to your Desktop.

- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Nope, still there…

combofix log:

ComboFix 07-10-12.4 - Jill 2007-10-13 10:20:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.221 [GMT -5:00]
Running from: C:\Documents and Settings\Jill\Desktop\ComboFix.exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hammer.dll
C:\Program Files\network monitor
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\cbxyvss.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebywwv.dll
C:\WINDOWS\system32\imnxdsmx.dll
C:\WINDOWS\system32\nrixaftb.dll
C:\WINDOWS\system32\qvomibvt.ini
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\rev1\gbb83122.exe
C:\WINDOWS\system32\ss9
C:\WINDOWS\system32\ss9\rw1000dr.exe
C:\WINDOWS\system32\tvbimovq.dll
C:\WINDOWS\system32\xmsdxnmi.ini
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR

((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.

2007-10-12 15:33 339,968 --a------ C:\WINDOWS\system32\xeohoaev.dll
2007-10-12 15:32 389,184 --a------ C:\WINDOWS\system32\nmwyhgof.exe
2007-10-03 23:19 d-------- C:\WINDOWS\system32\vMW02a
2007-10-03 23:19 d-------- C:\WINDOWS\system32\ep1
2007-10-03 23:19 d-------- C:\WINDOWS\system32\abc2
2007-10-03 23:19 d-------- C:\Temp\xOe
2007-10-03 23:19 d-------- C:\Temp
2007-10-03 23:19 35,840 --a------ C:\WINDOWS\tsitra1000106.exe
2007-09-30 20:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-30 20:53 d-------- C:\Program Files\Alwil Software
2007-09-30 20:53 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-30 20:53 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-30 20:53 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-30 20:53 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-30 20:53 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-30 20:53 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-30 20:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-26 22:50 3,584 --a------ C:\WINDOWS\system32\drivers\ohbusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 06:08 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2007-10-05 04:11 --------- d-----w C:\Program Files\Symantec
2007-10-05 04:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-05 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-05 04:01 --------- d-----w C:\Program Files\Yahoo! Games
2007-10-01 01:23 3,584 ----a-w C:\WINDOWS\system32\drivers\ohbusb.syt
2007-01-09 05:10 22 ----a-w C:\Program Files\hijackthis.zip
2005-06-27 03:51 3,314,410 ----a-w C:\Program Files\wpm.exe
2002-12-12 00:27:32 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\$BACKUP$\System\wmplayer.exe
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\SmlsbCBSb3NlbmJlcmc\mA5PvF1mvah5vAL5wAw.vbs
.

((((((((((((((((((((((((((((( snapshot_2007-09-30_210228.12 )))))))))))))))))))))))))))))))))))))))))
.

2007-07-20 05:47:22 109,056 ----a-w C:\WINDOWS\catchme.exe
2007-09-28 14:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
2007-09-28 21:29:44 294,667 ----a-w C:\WINDOWS\system32\abc2\aisven2.exe
2007-09-30 18:29:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-10-05 02:29:11 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-09-30 18:29:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-05 02:29:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-05 02:29:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2007-10-01 01:55:16 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
2007-10-13 15:19:56 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
2007-04-12 22:12:42 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
2007-10-01 02:02:53 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
2007-04-12 22:12:42 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
2007-10-01 02:02:53 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
2007-09-30 16:48:21 26,904 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
2007-10-13 14:38:43 292,680 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
2007-10-05 15:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
2007-09-24 02:27:26 32,768 ----a-w C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-12 15:33 339968 --a------ C:\WINDOWS\system32\xeohoaev.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD6075DC-3AEA-44C6-B38D-03128972DB45}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\xeohoaev.dll [2007-10-12 15:33 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=""
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]
"nwiz"="nwiz.exe" [2004-04-07 14:22 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 11:21]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 02:23]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 15:05]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 23:23]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 11:01 C:\WINDOWS\AGRSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"=""
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
""=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xeohoaev]
xeohoaev.dll 2007-10-12 15:33 339968 C:\WINDOWS\system32\xeohoaev.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\gebcc.dll

S2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\System32\drivers\ohbusb.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\System32\DRIVERS\ce3n5.sys
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\System32\DRIVERS\el575nd5.sys
S3 ICDUSB2;Sony IC Recorder (ST);C:\WINDOWS\System32\Drivers\ICDUSB2.sys

.


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 10:28:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???p??? ???B???B? ???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-10-13 10:29:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-09-30 21:03
C:\ComboFix2.txt … 2007-09-30 21:03
.
--- E O F ---
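An added example, not part of the thread: the "Reg Loading Points" section of the ComboFix log above is where the answer to "why does deleting the O3 entry not help" sits. The same xeohoaev.dll is registered as a BHO, as the toolbar and as a Winlogon notify package, and gebcc.dll is listed as an LSA authentication package; notify and LSA packages are loaded by winlogon and lsass at logon, well before the user's shell, so removing the toolbar entry alone leaves the DLL running. The Python below parses those blocks (constructed from the log, with the backslashes the forum ate restored), flags notify and LSA entries that are not on a stock Windows XP baseline, and counts how many keys load each file. The baseline sets are this example's own assumptions, not something the thread states.

```python
import re

# Constructed sample: the Reg Loading Points blocks from the ComboFix log above
# that involve the two DLLs, plus one ordinary Run entry for contrast.
SAMPLE_REG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-12 15:33 339968 --a------ C:\WINDOWS\system32\xeohoaev.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\xeohoaev.dll [2007-10-12 15:33 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xeohoaev]
xeohoaev.dll 2007-10-12 15:33 339968 C:\WINDOWS\system32\xeohoaev.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\gebcc.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# A drive-letter path up to the first .dll/.exe; quotes and brackets end it.
PATH_RE = re.compile(r'[a-z]:\\[^\[\]"]*?\.(?:dll|exe)\b', re.I)

# Assumed baselines (not from the thread): Winlogon notify subkeys that a stock
# Windows XP install carries, and the only LSA authentication package it registers.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}


def parse_loading_points(text):
    """Group the section into {registry key: [value lines]}; header lines are skipped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            current = m["key"]
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(blocks):
    """Flag load points that run inside winlogon/lsass, i.e. before the user's shell."""
    findings = []
    for key, lines in blocks.items():
        k = key.lower()
        if m := re.search(r"\\winlogon\\notify\\([^\\]+)$", k):
            if m.group(1) not in KNOWN_NOTIFY:
                findings.append(("winlogon-notify", m.group(1), lines))
        if k.endswith(r"\control\lsa"):
            for line in lines:
                name, _, value = line.partition("=")
                if name.strip().strip('"').lower() == "authentication packages":
                    extra = [t for t in value.split() if t.lower() not in KNOWN_AUTH_PACKAGES]
                    if extra:
                        findings.append(("lsa-auth-package", " ".join(extra), lines))
    return findings


def load_points_per_file(blocks):
    """Map every DLL/EXE mentioned to the set of keys that load it."""
    per_file = {}
    for key, lines in blocks.items():
        for line in lines:
            for p in PATH_RE.findall(line):
                per_file.setdefault(p.lower(), set()).add(key)
    return per_file


if __name__ == "__main__":
    blocks = parse_loading_points(SAMPLE_REG)
    for kind, what, lines in audit(blocks):
        print(f"{kind}: {what}")
    for path, keys in sorted(load_points_per_file(blocks).items()):
        print(f"{len(keys)} load point(s): {path}")
```

On the sample this reports the xeohoaev notify entry and the extra gebcc.dll authentication package, and shows xeohoaev.dll with three load points against one for Apoint.exe. When triaging a real log, a file with several load points is the one to remove everywhere at once (which is what the OTMoveIt step below does), since any surviving entry reloads it at the next logon.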

I did not expect it to go on the first run, but some elements were cleared

PHASE TWO

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\xeohoaev.dll
C:\WINDOWS\system32\nmwyhgof.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\ep1
C:\WINDOWS\system32\abc2
C:\Temp\xOe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\system32\drivers\ohbusb.sys
C:\WINDOWS\system32\drivers\ohbusb.syt
C:\WINDOWS\System32\gebcc.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Did you create this VBS file: C:\WINDOWS\SmlsbCBSb3NlbmJlcmc\mA5PvF1mvah5vAL5wAw.vbs? If not, then add the following to the OTMoveIt deletions: C:\WINDOWS\SmlsbCBSb3NlbmJlcmc

NOW TO FIND THE REMNANTS

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - Security Settings
Reg - Session Manager Settings

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts. This will definitely require multiple posts.

This sounds like scam/scum/rogueware, but as the ComboFix log and essexboy show, there are other things at work also.
I don’t know if ComboFix and the other tools deal with the rogueware element, but there is a tool that you could try if they don’t. Try this tool, RogueRemover, available here: http://www.malwarebytes.org/rogueremover.php

OTMoveIt did the trick. Thank you, wonderful helpful person.

I gave in and downloaded Mozilla hoping that helps in the future, but I’m still not sure where I was that had all this crap in the first place.

Did you also run WinPFind3u.exe, as essexboy asked, to clean up anything left?

I would like to see it, as there will be files that are not picked up by the other scans that just sit there waiting to be re-activated from a drive-by.

Hi all:

AND her Sun Java is at least 7 updates behind, a serious security risk.

You’re right.

When essexboy gives you the okay, you should download and install the latest version.

If you still have older versions of java installed you should uninstall them. The newest probably contains exploit fixes.

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03 which was just created by the installation above.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!