Red "(!)" Icon - "Your computer is infected!" (WorldAntiSpy)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zeuromus, Aug 23, 2005.

  1. Zeuromus

    Zeuromus Private E-2

    Okay... I've read several responses to the "PSGuard" variant of this virus/trojan/spyware, and tried all those solutions. Nothing seems to work. This thing is kicking my butt... basically... I don't think it's actually doing anything. I've removed several Trojans that 'were' infecting my computer which is where this stupid little icon came from:

    [screenshot]

    ... but the icon remains. That was screen-cap'd in SAFE MODE with nothing on. I'll post two HiJackThis logs. The first one is from safe mode... the second is the one of my currently running system.

    -First Log (SAFE MODE)-

    Current Log

    Edit by chaslang: Multiple unrequested inline logs removed


    Scanners/Utilities Ran (All scans done in safe mode, as well as regular with current def's)

    - Ewido Security Scan (removed several trojans most likely associated with icon)
    - SpyBot S&D (Removed several 'normal' spyware entries)
    - HiJackThis (Manually removed any entries/services that were not identifiable)
    - AdAware (after other scans, literally found 0 entries)
    - TrendMicro SysClean (Took forever, also found nothing)
    - RootKitRevealer (Only found my SCSI Enabler used by Daemon Tools and other non-threatening entries, will post log at request)
    - AutoRuns (Nothing unidentifiable)
    - Performed Uninstall of 'WorldAntiSpy' from Add/Rem. Prog.
    - RegSearch (Ran checks for 'WorldAntiSpy' among other suggestions)
    - AutoStartViewer (I'll post the log)


    AutoStartViewer Logfile
    --------------------------------------
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Zeuromus@Z-MACHINE-01, 08-23-2005
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LVCOMSX
    C:\WINDOWS\system32\LVCOMSX.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Hardware Abstraction Layer
    C:\WINDOWS\KHALMNPR.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\eTrustPPAP
    C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DAEMON Tools-1033
    C:\Program Files\D-Tools\daemon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTSysVol
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CursorXP
    C:\Program Files\CursorXP\CursorXP.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\Program Files\Common Files\Stardock\MCPCore.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\system32\upnpui.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Zeuromus.job
    C:\PROGRA~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Zeuromus\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
    C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\6to4\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\BITS\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccSetMgr\
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    HKLM\System\CurrentControlSet\Services\Creative Service for CDROM Access\
    C:\WINDOWS\system32\CTSvcCDA.EXE
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\DcomLaunch\
    C:\WINDOWS\system32\svchost -k DcomLaunch
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\drvnddm\
    C:\WINDOWS\system32\drivers\drvnddm.sys
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\ewido security suite control\
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\HidServ\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\hidusb\
    C:\WINDOWS\System32\DRIVERS\hidusb.sys
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\NPFMntor\
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    HKLM\System\CurrentControlSet\Services\NvNdis\
    \??\C:\WINDOWS\system32\Drivers\NvNdis.sys
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\system32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINDOWS\system32\drivers\PfModNT.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SNDSrvc\
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    HKLM\System\CurrentControlSet\Services\SPBBCSvc\
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Symantec Core LC\
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    HKLM\System\CurrentControlSet\Services\symlcbrd\
    \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    HKLM\System\CurrentControlSet\Services\tfsnboio\
    C:\WINDOWS\system32\dla\tfsnboio.sys
    HKLM\System\CurrentControlSet\Services\tfsncofs\
    C:\WINDOWS\system32\dla\tfsncofs.sys
    HKLM\System\CurrentControlSet\Services\tfsndrct\
    C:\WINDOWS\system32\dla\tfsndrct.sys
    HKLM\System\CurrentControlSet\Services\tfsndres\
    C:\WINDOWS\system32\dla\tfsndres.sys
    HKLM\System\CurrentControlSet\Services\tfsnifs\
    C:\WINDOWS\system32\dla\tfsnifs.sys
    HKLM\System\CurrentControlSet\Services\tfsnopio\
    C:\WINDOWS\system32\dla\tfsnopio.sys
    HKLM\System\CurrentControlSet\Services\tfsnpool\
    C:\WINDOWS\system32\dla\tfsnpool.sys
    HKLM\System\CurrentControlSet\Services\tfsnudf\
    C:\WINDOWS\system32\dla\tfsnudf.sys
    HKLM\System\CurrentControlSet\Services\tfsnudfa\
    C:\WINDOWS\system32\dla\tfsnudfa.sys
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\UMWdf\
    C:\WINDOWS\system32\wdfmgr.exe
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wscsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    --------------------------------------


    I'm now at a total loss, I don't know what else to do. I don't think the icon is 'doing' anything... other than popping up with the stupid little message every few minutes. It just seems like it's hard-coded itself into explorer or something. I'm about ready to go insane here...


    -Z
     
    Last edited by a moderator: Aug 23, 2005
  2. Zeuromus

    Zeuromus Private E-2

    -=PROBLEM SOLVED=-

    Okay... my system was clean. But, the icon roots itself in the %system%\system32\wininet.dll file, so... I went into the windows recovery console, and copied over a fresh one from the %system%\ServicePackInformation\I386 folder and poof... icon gone.

    Then when I rebooted, I had a nice little windows update waiting for me.

    If you'd like, I can attach the infected dll file (renamed wininet.old 643k) or e-mail it somewhere for analyzation purposes.

    Thanks for all your help!!!

    -Z
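A check a defender can run before (or after) swapping the file, as an added example that is not from this thread or from any of the tools named in it: compare the live wininet.dll against the cached service-pack copy and inspect its Authenticode signature. The backup path, the use of PowerShell and the version comparison are assumptions (the poster worked from the Recovery Console on XP).

```powershell
# Added example: is the live wininet.dll the file Windows shipped, or has it been replaced?
# Both paths are assumptions; the cached-copy location varies by Windows version.
$live   = Join-Path $env:SystemRoot 'system32\wininet.dll'
$backup = Join-Path $env:SystemRoot 'ServicePackFiles\i386\wininet.dll'   # assumed clean copy

foreach ($p in @($live, $backup)) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

$liveItem   = Get-Item $live
$backupItem = Get-Item $backup
$liveHash   = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
$backupHash = (Get-FileHash -Algorithm SHA256 -Path $backup).Hash

"{0,-7} {1,9} {2,-16} {3}" -f 'File', 'Size', 'Version', 'SHA256'
"{0,-7} {1,9} {2,-16} {3}" -f 'live',   $liveItem.Length,   $liveItem.VersionInfo.FileVersion,   $liveHash
"{0,-7} {1,9} {2,-16} {3}" -f 'backup', $backupItem.Length, $backupItem.VersionInfo.FileVersion, $backupHash

# A hash mismatch alone is not proof: a Windows Update can legitimately replace the
# DLL with a newer version. Same version but different hash is the suspicious case.
if ($liveHash -ne $backupHash) {
    if ($liveItem.VersionInfo.FileVersion -eq $backupItem.VersionInfo.FileVersion) {
        Write-Warning "Same version, different content: wininet.dll has likely been patched in place."
    } else {
        Write-Warning "Content differs but versions differ too; may be a legitimate update. Check the signature."
    }
}

# A clean Microsoft DLL carries a valid Authenticode signature; a trojanised one does not.
$sig = Get-AuthenticodeSignature -FilePath $live
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
"Signature status: {0}  signer: {1}" -f $sig.Status, $signer
if ($sig.Status -ne 'Valid') {
    Write-Warning "wininet.dll is not validly signed; treat it as tampered and restore a known-good copy."
}
```

Run it from an elevated PowerShell; on an older machine without Get-FileHash, `certutil -hashfile <path> SHA256` gives the same digests.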
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks but we do not need it and know all about it.

    The SmitRem tool often fixes this in one step.
     
  4. Zeuromus

    Zeuromus Private E-2

    The SmitRem tool did nothing for me, except make my desktop blue. ^.^
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Smitrem normally repairs the corrupted wininet.dll file and also normally patches the registry to fix the Desktop problem. Did you look at its log file? Do you still have it?

    We have loads of threads here with manual solutions and registry patches for these problems.
     
