-
April 25th, 2009, 09:08 AM
#1
Your computer is infected! Windows has detected spyware infection!
Good day:
I have been battling this pop-up balloon in my system tray for about a week, using Smiterm, as I once did before but this time the situation/cause may be a little different. I ran HijackThis and I am enclosing the log if anyone has any further ideas what is causing this problem.
Thank you;
Logfile of HijackThis v1.99.1
Scan saved at 9:51:50 AM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Jack.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
Thank you;
Al;
-
April 25th, 2009, 02:10 PM
#2
Aside from having 2 instances of Windows Update running (C:\WINDOWS\system32\wuauclt.exe, C:\WINDOWS\system32\wuauclt.exe) and a Java file missing (O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)), I can only see that you have AV from Bell Sympatico running with a copy of Authentium also running (C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe).
Running 2 AV's at once isn't recommended.
I do note that C:\WINDOWS\System32\smss.exe shows 'System32' folder with a capital 'S' whereas all the others have lower case. Make sure you search for smss.exe and it is in the system32 folder with the others.
You should download and run Malwarebytes, Spybot Search and Destroy.
http://www.malwarebytes.org/
http://www.safer-networking.org/index2.html
Then let us know how you make out.
-
April 25th, 2009, 06:13 PM
#3
Registered User
Welcome to Windrivers, agrossi49! On line O20 of your HJT log, karna.dat is a file usually associated with Antivirus 2009. Of course, since these pests morph all the time, you might have a different SmitFraud variant.
I'm not familiar with the Sympatico package you've gotten from your ISP, so I'm not certain if the Authentium AV entries in the log are part of the package, or if you actually have two AV programs running. For what it's worth, Authentium is legitimate AV software.
Anyway, neither of these issues is really relevant to the immediate task of cleaning your computer. First off, I always start malware removal by running Combofix. Here is the download link and the tutorial. Combofix isn't designed to be a universal malware remover; it targets specific groups of pests including many SmitFraud variants, but it's excellent at removing many rootkits and hard-to-kill pests.
You can read a lot of debate about the merits of Spybot vs. Malwarebytes Antimalware. Generally, I will run Spybot after Combofix finishes, but it doesn't hurt to use both. At this point, most SmitFraud variants and other nasties will be gone.
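The two replies above triage the log by eye: duplicate process entries, a service whose file is missing, an unusual spelling of the System32 path, an executable running from the Desktop, and a non-empty O20 AppInit_DLLs entry (karna.dat). The script below is an added example, written for this thread and not part of HijackThis or of any reply, that applies exactly those checks to a constructed sample log built from a subset of the entries posted in #1. It assumes the HijackThis v1.99 text layout (a "Running processes:" block followed by "Oxx - ..." entries); the finding names are made up for the example. A case difference in System32 or a duplicate process is only a weak signal, so the script surfaces such lines for a human to look at rather than judging them.

```python
"""Minimal HijackThis-style log triage (added example, not HijackThis code)."""
import re
from collections import Counter

# Constructed sample: a subset of the entries from the log posted in #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Jack.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
"""

# "O20 - AppInit_DLLs: karna.dat" -> section "O20", body "AppInit_DLLs: karna.dat"
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
SYSTEM32_RE = re.compile(r"\\(system32)\\", re.IGNORECASE)
# Directories where a normal service or system binary should not be running from.
USER_PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")


def parse_hjt(text):
    """Split a HijackThis log into (process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first Oxx entry ends the process block
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return a list of (finding-kind, detail) using the heuristics from the thread."""
    processes, entries = parse_hjt(text)
    findings = []

    # 1. Executables started from a user profile directory (Desktop, etc.).
    for path in processes:
        if any(d in path.lower() for d in USER_PROFILE_DIRS):
            findings.append(("process-in-user-profile", path))

    # 2. Duplicate process paths; several svchost.exe instances are normal on XP.
    counts = Counter(p.lower() for p in processes)
    for path, n in counts.items():
        if n > 1 and not path.endswith("\\svchost.exe"):
            findings.append(("duplicate-process", f"{path} x{n}"))

    # 3. System32 written with inconsistent case across the process list.
    spellings = {SYSTEM32_RE.search(p).group(1)
                 for p in processes if SYSTEM32_RE.search(p)}
    if len(spellings) > 1:
        findings.append(("inconsistent-system32-case", ", ".join(sorted(spellings))))

    # 4. O20 AppInit_DLLs is normally empty; any value is loaded into every GUI process.
    # 5. O23 services whose binary HijackThis could not find on disk.
    for section, body in entries:
        if section == "O20" and body.lower().startswith("appinit_dlls:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit-dll", value))
        if section == "O23" and "(file missing)" in body:
            findings.append(("service-file-missing", body))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```

Run it as-is to see the five findings for the sample; to triage a real log, read the file into `triage()` instead of `SAMPLE_LOG`. Each finding is a pointer to a line worth checking against a known-good machine, not a verdict.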
-
April 25th, 2009, 06:51 PM
#4
Should you decide to go with Combofix at some point, please follow this site's guide:
http://www.bleepingcomputer.com/comb...o-use-combofix
-
April 25th, 2009, 08:02 PM
#5
I've had another day of fun!
I already had SpybotSD from another incident and it has always been useful. I also downloaded Malwarebytes. I first ran Malwarebytes and then SpybotSD. The combination of these two removed the infamous balloon telling me Windows was infected.
I now have the task of removing or determining whether Authentium is legitimate. I think it's some kind of a pest since I booted into DOS and renamed its folder. After rebooting into Windows, it re-installed itself. I tried to cancel the install but every time I clicked CANCEL it started installing again. CCleaner also removed a sackful of useless items from the registry and some obscure .exe programs from the WINDOWS\system32 folder.
The system is looking rather healthy and happy now with the exception of Authentium.
I think I'll start fresh in the morning and see what I can throw at it so it doesn't re-install at bootup time.
Cheers - and thank you for all your suggestions. You are a great bunch and this is a great forum.
Have a great day;
Al;
-
April 26th, 2009, 01:06 PM
#6
Registered User
Authentium is legit. But that isn't the same thing as saying it's any good. Unfortunately, many AV programs use rootkits and exhibit other malware-type behaviors that may make them hard to remove.
Authentium is distributed with lots of the "free" security suites you get from ISPs, so I still think you got it as part of the Sympatico package, and you can probably uninstall it from there, or use HijackThis to kill the dvpapi entry in section O23 of your HijackThis log. If HijackThis doesn't work, Autoruns will.
Anyway, personally, I'd ditch Sympatico for a more effective AV solution. I believe removing it will remove Authentium, and if it doesn't, see previous paragraph. There are several effective AV programs around. I'm a big NOD32 partisan, but Avira and Avast! are pretty good freeware.
-
April 28th, 2009, 06:18 AM
#7
Driver Terrier
Check any of these programs at www.spywarewarrior.net - they maintain a list of anti virus and malware programs that have shown themselves to be scams or rogue programs.