I have read the forum guideline requests and I have run ATF Cleaner, cleansed System Restore, re-enabled everything in msconfig, ran AVG & SuperAntiSpyware (earlier, when possible to run)----->both found nothing, ran Panda scan---->found nothing, Windows Update used regularly, just ran the www.secunia.com checker, ran Sophos SARCLI.EXE---->clean, BitDefender--->clean, Sophos Anti-Rootkit---->nothing found.
I just had a new hard drive and Win XP Pro reinstalled professionally. I installed ZoneAlarm Pro Internet Suite 6.5 2007 for AV/spyware protection (I used to use Norton Internet Security). I also have added many programs recommended at spywarewarrior.com, merijn.org, majorgeeks.com etc. These include Spybot, Ad-Aware, IE-SPYAD for ZonedOut, SpywareBlaster, some Sysinternals programs from Microsoft (also loaded at times AVG, SuperAntiSpyware among others).
After the reinstall I had to re-update IE6 to IE7, with some problems doing so, possibly getting infected in the process too. I frequently get redirected to a new start page with my normal one changed. I try to use Firefox when possible.
I was previously infected several months ago with a Smitfraud virus. I ran Smitrem by Noah Fear, which found 2 programs. I have run this again and still find these programs, so something is still lurking in my system. I must have a program etc. that is infected, or I am re-downloading a program that is corrupt during my reinstalls.
I have also found unwise.exe and unwise32qt.exe on my system some time ago. Some bulletins state these may be trojans calling www.nymex.com.
I have blocked a number of sites cited as those which these trojans might call (Smitfraud, unwise32.exe, Cadux). I still get periodic outbound attempts by these programs to sites that I am trying to block, which are blocked by my firewall. I do not know what is triggering it. (i.e. realsearch.cc, ecjnoe3inwe.com, dkjfwekjnc.com etc.)
I just recently tried the e-mail battery test at gfi.com, which my ZA Pro/Outlook Express 6 seemed to protect against. However, afterwards my ZA Pro AV/Antispyware updater could not update my spyware part. Also, the My Vault and all my configs and logs were cleansed. My Help & Support is loading slow again. (I have other related posts... this may be the same problem from a program re-infecting me.)
I have run numerous AV/antispyware programs. Besides those listed above I have run Sophos Savcli.exe, Stinger, Panda online ActiveScan 2 (TotalScan), BitDefender online, Kaspersky online, Sophos Anti-Rootkit, Rootkit Revealer (Sysinternals). Nothing significant was found except for Adware Luke the Screenwasher?, which was deleted.
I have just installed AntiHook 3.0 and Sandboxie per Gizmo Richards' site recommendations. This program has found a number of hooks.
In my AntiHook logs I have found programs GLB9.tmp launching zauninst.exe; GLBC.tmp launching isafe.exe; GLBC.tmp launching unwise.exe; unwise.exe launching GLB1a2b.exe. Most of these launches are from the C:\Document & Settings\Administrator\Local Services\Temp folder. Somehow my ZoneAlarm Pro was uninstalled!!! After losing my ZA Pro I have used either the ZA free version or the Windows XP firewall.
Recently, I have tried installing AVG (I keep it off with the installer handy just in case I need to avoid ZA conflicts), but I get Access Denied dialogs (failed code 5); apparently my Administrator privileges were somehow changed to prevent installation of many programs. The same thing happens when I try to install Webroot Spy Sweeper. How can I change the registry etc. to regain these privileges? If I try to install, things freeze up and I get a dialog stating "program cannot be closed as it is locked by the system".
Before ZA Pro was lost it had trouble updating with Windows Update and viewing certain sites (BitDefender & myspace.com) normally. These sites, however, were viewed normally with just the Windows XP firewall.
I seem to have some malware in my system but I do not know what it is. I have run HJK and have saved logs for the startup as well. I do not know if I have a rootkit infection or something else. I would like to try to avoid re-installing my OS if possible; it is backed up on an external drive which I just got.
I ran a Trend Micro Spywarescan and it found Spyware_KEYL_ASTLOG. This changed a registry key HKCU\S-1-5-21...\SOFTWARE\NIRSOFT....
The bulletin on Trend Micro states that HKCU\SOFTWARE\NIRSOFT\AsterikLogger\Columns is added and that this spyware reveals passwords of target applications. I must have gotten infected with this when I downloaded a program, CurrPorts from NirSoft, which was recommended by Gizmo Richards' Tech Alert site (per the article "Tracing Unexpected Internet Activity").
I probably have other malware on my machine. I am attaching a current HJK, a startup config from the HJK, and a portion of a log from AntiHook 3.
I appreciate any assistance that you can give me.
Edited by brokenfoot, 20 March 2007 - 09:49 PM.
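The AntiHook launches listed in the post (temporary .tmp files spawning executables out of the user's Temp folder) are the kind of parent/child pattern a triage script can pull out of a process-launch log automatically. The following is an added example, not the poster's own log or AntiHook's real output format: it assumes a simple "parent launching child from directory" line layout and uses constructed sample lines built from the process names named above, then flags launches that involve a .tmp file or a Temp directory and reconstructs the launch chain behind a given process.

```python
import re
from typing import Dict, List

# Constructed sample lines in an ASSUMED layout ("<parent> launching <child> from <dir>").
# The real AntiHook 3.0 log format is not reproduced on the page; names come from the post.
SAMPLE_LOG = """\
GLB9.tmp launching zauninst.exe from C:\\Documents and Settings\\Administrator\\Local Settings\\Temp
GLBC.tmp launching isafe.exe from C:\\Documents and Settings\\Administrator\\Local Settings\\Temp
GLBC.tmp launching unwise.exe from C:\\Documents and Settings\\Administrator\\Local Settings\\Temp
unwise.exe launching GLB1a2b.exe from C:\\Documents and Settings\\Administrator\\Local Settings\\Temp
explorer.exe launching firefox.exe from C:\\Program Files\\Mozilla Firefox
"""

LINE_RE = re.compile(r"^(?P<parent>\S+) launching (?P<child>\S+) from (?P<dir>.+)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each well-formed log line into a {parent, child, dir} event; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_suspicious(event: Dict[str, str]) -> bool:
    """Heuristic: a .tmp file acting as a process, or a launch out of any \\Temp directory."""
    parent_tmp = event["parent"].lower().endswith(".tmp")
    child_tmp = event["child"].lower().endswith(".tmp")
    from_temp = "\\temp" in event["dir"].lower()
    return parent_tmp or child_tmp or from_temp


def suspicious_launches(text: str) -> List[str]:
    """Return 'parent -> child' strings for every launch the heuristic flags, in log order."""
    return [f"{e['parent']} -> {e['child']}" for e in parse_log(text) if is_suspicious(e)]


def ancestry(events: List[Dict[str, str]], name: str) -> List[str]:
    """Walk child -> parent links back from `name`; stops at the root or on a cycle."""
    parent_of = {e["child"]: e["parent"] for e in events}
    chain, seen = [name], {name}
    while chain[-1] in parent_of and parent_of[chain[-1]] not in seen:
        chain.append(parent_of[chain[-1]])
        seen.add(chain[-1])
    return chain
```

Running `ancestry(parse_log(SAMPLE_LOG), "GLB1a2b.exe")` yields the chain GLB1a2b.exe <- unwise.exe <- GLBC.tmp, which is the relationship to hand to whoever is triaging the HijackThis and AntiHook logs.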