Author Topic: Greetings =)  (Read 15934 times)


April 25, 2008, 01:07:45 pm

BalrogRoke

Hey there people =) I'm new here (cred to drusepth for the reference) and just wanted to say you've got a nice little forum here. We need more of these communities out there =) I'm in college studying software engineering and networking/web design, doing my first year exams atm.

Well, I'll get to the point now I guess. Somehow I picked up some sort of spyware/malware that is giving me a little trouble. I don't know too much about this type of threat (though I have spent over a week googling tuts and queries trying to figure it out) so I have decided to increase my chances of understanding it by asking the experts. Firstly, let me say that I am not here for a quick fix. I don't want you guys to just link me to an anti-spyware or anything like that. I just wanna post a HijackThis log if that's ok and I'd really appreciate any insight into why I have been unsuccessful so far in my attempts to remove this particular infection. From what I can tell with my limited knowledge, the infection is probably in my HKEY files somewhere, resetting my ie7 homepage or redirecting it. Either way, it causes my ie7 to open momentarily, but frequently. For the most part it is annoying and nothing more (minimizing fullscreen progs, like games/media players), but if I leave it for a prolonged length of time without taking action then it also causes my windows explorer to crash. Noticeably the processes iexplore.exe, iedw.exe and fksrzwxe.exe are affected (the last obviously being some sort of culprit; after finding no information on it, I took it off my machine but that hasn't solved my problem, it just most likely will stop my os explorer from crashing again). Here's the log anyway, hopefully you guys might see something I missed.

Logfile of HijackThis v1.97.7
Scan saved at 13:11:18, on 25/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\PestPatrol\ppmcactivedetection.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Zenox Software\AppBlocker XP\AppBlocker XP.exe
C:\Program Files\HighjackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 89.220.9.48 l2authd.lineage2.com
O1 - Hosts: 89.220.9.48 l2testauthd.lineage2.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (file missing)
O2 - BHO: (no name) - {6905911C-ADD2-5C9B-ABE9-06091A626707} - C:\WINDOWS\system32\nevnybn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {901D022C-F217-77D7-EA51-CB7880A5059A} - C:\DOCUME~1\BALROG~1\APPLIC~1\CAKEPH~1\LIVE PLUS.exe (file missing)
O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {F6E20ADE-8CE8-492c-BCBA-ABF3EF2DE4E8} - C:\Windows\system32\\msrdo20x26.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Program Files\Common Files\PestPatrol\ppmcactivedetection.exe "-ini:C:\Program Files\Common Files\PestPatrol\ppmcad.ini"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129745320171
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab


------------------------------

Cheers in advance if anyone has any info, I'm running eTrust anti-virus realtime monitor, ad-aware anti-spyware, pestpatrol anti-spyware monitor and my router(NAT), still no joy.
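An added example, not part of the original post and not HijackThis's own analysis logic: a small Python triage script that parses HijackThis-style section lines (R3, O1, O2, O4, O16) such as the ones in the log above and collects the entries a reviewer would look at first: hosts-file overrides, orphaned BHO registrations, unnamed BHOs in system32 with random-looking filenames, and ActiveX downloads from hosts outside an allowlist. The severity scale, the allowlist of download hosts and the "random-looking filename" vowel-ratio heuristic are assumptions chosen for illustration; the sample input is a constructed subset of the log lines posted above.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis's own logic)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted in the thread above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 89.220.9.48 l2authd.lineage2.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (file missing)
O2 - BHO: (no name) - {6905911C-ADD2-5C9B-ABE9-06091A626707} - C:\WINDOWS\system32\nevnybn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
"""

# Assumption: ActiveX (O16) downloads from these hosts are not worth a second look.
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "msn.com")

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")


@dataclass
class Finding:
    section: str    # HijackThis section code, e.g. "O2"
    severity: str   # "info", "review" or "high" (assumed scale)
    detail: str


def looks_random(stem: str, min_len: int = 6, max_vowel_ratio: float = 0.25) -> bool:
    """Crude heuristic: a long, letters-only name with very few vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def trusted_host(host: str) -> bool:
    """True when host equals or is a subdomain of an allowlisted host."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage_bho(body: str) -> Optional[Finding]:
    """Classify one O2 (Browser Helper Object) entry."""
    m = BHO_RE.match(body)
    if not m:
        return Finding("O2", "info", "unparsed BHO entry: " + body)
    name, clsid, path = m.groups()
    if "(file missing)" in path or path == "(no file)":
        # Registry still points at a DLL that is gone: a leftover to clean up.
        return Finding("O2", "review", f"orphaned BHO {clsid}: {path}")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name == "(no name)" and "\\system32\\" in path.lower() and looks_random(stem):
        return Finding("O2", "high", f"unnamed BHO with random-looking filename in system32: {path}")
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk every section-prefixed line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section == "R3" and "missing" in body:
            findings.append(Finding("R3", "info", body))
        elif section == "O1":
            h = HOSTS_RE.match(body)
            if h:
                ip, host = h.groups()
                findings.append(Finding("O1", "review", f"hosts file maps {host} to {ip}; confirm it is intentional"))
        elif section == "O2":
            f = triage_bho(body)
            if f:
                findings.append(f)
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not trusted_host(host):
                findings.append(Finding("O16", "review", f"ActiveX download from non-allowlisted host {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

The script only ranks entries for a human to review; a "high" finding is a prompt to check the DLL (vendor signature, creation date, hash lookup), not a verdict, and the vowel-ratio rule will miss DLL names that happen to look pronounceable.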

April 25, 2008, 01:36:02 pm
Reply #1

MysteryFCM

We don't (at least to my knowledge) provide support for infections here, but if I'm wrong I'm sure someone will correct me. The following do provide support though;

http://temerc.com/forum
http://spywarewarrior.com/index.php
http://malwarebytes.org/forums

.... amongst others ....

In the meantime, your log clearly shows infections, and I'd strongly recommend you ditch eTrust as it's absolute rubbish (same goes for PestPatrol). Get yourself one of the following instead;

Avira:
http://free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html

Avast:
http://avast.com

NOD32 (my personal recommendation):
http://eset.com

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 26, 2008, 01:29:32 am
Reply #2

BalrogRoke

My apologies, I didn't know that before making my post, my bad. Thank you all the same though for the links. A mate of mine actually works for eset and keeps telling me to get nod32 but I like my software because of the highly dynamic command line scanner. Either way, I'll probably get it when I finally decide to get rid of this infection, it was only because I had so much trouble with it that I was compelled to find out if anyone knew how it worked. Merely curious  ;)

Thanks for humoring me all the same  ;D

May 01, 2008, 12:21:42 pm
Reply #3

Drusepth

Oh, my bad.  He asked me about his problem and I didn't know how to remove it so I referred him to the people I thought would.  ;)

I'll keep in mind the other sites that do provide the infection help from now on :)

May 02, 2008, 03:16:55 am
Reply #4

TeMerc

As an FYI, that version of HJT is way out of date; the current versions accepted at all security forums are:
1.99.1
2.02

Prefer 1.99.1 myself.

July 13, 2008, 12:23:34 am
Reply #5

Kayrac

In addition there's also

castlecops.com (they seem to be having server issues currently), and they're often overloaded with requests there, but good people

and my personal favorite
http://www.dslreports.com/forum/cleanup

just follow the steps here
http://www.dslreports.com/faq/13616
before you post your log

and yes update your hijackthis :)

July 13, 2008, 07:40:15 pm
Reply #6

tjs

If you're still stuck on this, you can try:
http://safety.live.com

It's a free online scanner. If you use it and find any bugs, please let me know.

TJS

July 14, 2008, 10:05:49 am
Reply #7

CM_MWR

If you are after more private help and don't wanna install a thousand scanners and follow along in a forum type layout, just shoot me an email message; you can pm me for the correct address.   ;)

July 14, 2008, 12:39:11 pm
Reply #8

sowhat-x

Rotflmao, what is everyone replying to here...
that's an infection that took place 2-3 months ago...  :D

July 14, 2008, 04:49:54 pm
Reply #9

Kayrac

My fault it looks like :p, it was on the first forum page :P, guess you guys aren't super busy :P