popups, popups, popups
Hello!
Thank you in advance for your help. I went through all of the steps in your "Read Here First..." sticky, ran temp cleanup, anti-spyware, anti-virus, downloaded a firewall, etc., but nothing seems to stop this awful thing.
I have tons of spyware on my computer, or so say Ad-Aware and Spybot. They delete it, but a few minutes later it's back, especially if I reboot. I get ads for everything from anti-virus software to puppies jumping out of nowhere onto my computer, as well as little windows that appear for a split second in the upper right-hand corner of the screen. Sometimes it teases me, like saying "Zap!" and making a laser-gun noise, then vanishing.
The online virus scans in your "Read Here First..." sticky found plenty of infected files, but AVG continuously finds absolutely nothing.
Here is my HJTlog:
Logfile of HijackThis v1.99.1
Scan saved at 10:35:46 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HJT\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\HJT\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Here is my Panda log:
Spyware:Cookie/YieldManager C:\Documents and Settings\Matthew\Cookies\matthew@ad.yieldmanager[3].txt
Spyware:Cookie/Belnk C:\Documents and Settings\Matthew\Cookies\matthew@belnk[1].txt
Spyware:Cookie/Com.com C:\Documents and Settings\Matthew\Cookies\matthew@com[1].txt
Spyware:Cookie/Belnk C:\Documents and Settings\Matthew\Cookies\matthew@dist.belnk[2].txt
Spyware:Cookie/Reliablestats C:\Documents and Settings\Matthew\Cookies\matthew@stats1.reliablestats[1].txt
Spyware:Cookie/BurstBeacon C:\Documents and Settings\Matthew\Cookies\matthew@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram C:\Documents and Settings\Matthew\Cookies\matthew@www.myaffiliateprogram[1].txt
Adware:Adware/DeluxeComunications C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe
Adware:Adware/DeluxeComunications C:\Documents and Settings\Matthew\Local Settings\Temp\i4D.tmp
Spyware:Spyware/Media-motor C:\Documents and Settings\Matthew\Local Settings\Temp\mmxsnet.exe
Adware:Adware/DeluxeComunications C:\Program Files\DeluxeCommunications\Dxc.exe
Adware:Adware/DeluxeComunications C:\Program Files\DeluxeCommunications\DxcBho.dll
Adware:Adware/DeluxeComunications C:\Program Files\DeluxeCommunications\DxcCore.dll
Adware:Adware/WebHancer C:\Program Files\em\dohancer\whCC-GIANT3.exe[whAgent.exe]
Adware:Adware/WebHancer C:\Program Files\em\dohancer\whCC-GIANT3.exe[whInstaller.exe]
Adware:Adware/WebHancer C:\Program Files\em\dohancer\whCC-GIANT3.exe[webhdll.dll]
Adware:Adware/WebHancer C:\Program Files\em\dohancer\whCC-GIANT3.exe[whiehlpr.dll]
Adware:Adware/Maxifiles C:\Program Files\HJT\backups\backup-20061017-201638-158.dll
Adware:Adware/WebHancer C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[whAgent.exe]
Adware:Adware/WebHancer C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[whInstaller.exe]
Adware:Adware/WebHancer C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[webhdll.dll]
Adware:Adware/WebHancer C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[whiehlpr.dll]
Adware:Adware/DeluxeComunications C:\WINDOWS\DXCecho.exe
Adware:Adware/WebHancer C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whAgent.exe]
Adware:Adware/WebHancer C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whInstaller.exe]
Adware:Adware/WebHancer C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][webhdll.dll]
Adware:Adware/WebHancer C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whiehlpr.dll]
Adware:Adware/WebHancer C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][whAgent.exe]
Adware:Adware/WebHancer C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][whInstaller.exe]
Adware:Adware/WebHancer C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][webhdll.dll]
Adware:Adware/WebHancer C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][whiehlpr.dll]
Adware:Adware/DigInk C:\WINDOWS\Setup90.exe[Sos28.exe]
Adware:Adware/DigInk C:\WINDOWS\Setup90.exe[TagASaurus.exe]
Adware:Adware/DeluxeComunications C:\WINDOWS\system32\bkd.exe
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\hgggfee.dll
Potentially unwanted tool:Application/VSToolbar C:\WINDOWS\system32\opcdkwyw.exe
And here is my Kaspersky log:
Scan Statistics:
Total number of scanned objects: 62809
Number of viruses found: 16
Number of infected objects: 66 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:19:33
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-10162006-190013.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B2C2BEC1-3D6A-431E-9719-161BA6E4F863} Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\History\History.IE5\MSHist012006101820061019\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\da5D.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe CAB: infected - 5 skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\i4D.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\mmxsnet.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.u skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\VA711PVZ\sp2-cydoor-728[1].swf Infected: not-virus:Hoax.SWF.Alerter.a skipped
C:\Documents and Settings\Matthew\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matthew\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DeluxeCommunications\Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Program Files\DeluxeCommunications\DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Program Files\DeluxeCommunications\DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe RarSFX: infected - 2 skipped
C:\Program Files\HJT\backups\backup-20061017-201638-158 Infected: Exploit.HTML.Mht skipped
C:\Program Files\HJT\backups\backup-20061017-201638-158.dll Infected: not-a-virus:Downloader.Win32.InsTool.a skipped
C:\Program Files\HJT\hijackthis1.txt Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\HJT\hijackthis2.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\LOG\ERRORLOG Object is locked skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP303\A0029963.dll Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP325\change.log Object is locked skipped
C:\WINDOWS\1011_justin.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0003/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe/data0003/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe/data0003 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe NSIS: infected - 6 skipped
C:\WINDOWS\aff_0006.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\WINDOWS\aff_0006.exe CAB: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\DXCecho.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe RarSFX: infected - 4 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe RarSFX: infected - 4 skipped
C:\WINDOWS\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.t skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe NSIS: infected - 3 skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FE953301-8858-41CC-A1D9-5AEFCAC1AC5D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adrotate.dll Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\bkd.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\WINDOWS\system32\bkd.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\WINDOWS\system32\bkd.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\WINDOWS\system32\bkd.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\WINDOWS\system32\bkd.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\WINDOWS\system32\bkd.exe CAB: infected - 5 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hgggfee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\WINDOWS\system32\justin.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\system32\justin.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\system32\justin.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\ts_www.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\ts_www.exe/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\ts_www.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_70c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
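The following is an added example, not part of the original post or of HijackThis itself. It parses the O4 (autostart) section of a HijackThis log and applies a few triage heuristics a responder would apply by eye: a Run entry that passes a URL to the launched program at every logon, a command that runs out of a user's Temp folder, and a bare executable name that cannot be verified from the log alone. The sample lines are copied from the log above; the regular expressions, heuristics, severity labels and function names are this example's own assumptions about the log format, not HijackThis output rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the O4 lines from the HijackThis log posted above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe',
    r'O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor',
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"',
    r'O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe',
]

# Assumed shapes of the two O4 line styles (registry Run keys and Startup folders).
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')

URL_RE = re.compile(r'https?://', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'\\local settings\\temp\\|\\temp\\', re.IGNORECASE)
SEVERITY_RANK = {'none': 0, 'low': 1, 'high': 2}


@dataclass
class RunEntry:
    location: str           # e.g. HKLM\..\Run or Global Startup
    name: str               # the [value name] or .lnk name
    command: str            # the raw command line HijackThis recorded
    reasons: List[str] = field(default_factory=list)
    severity: str = 'none'

    def raise_to(self, level: str) -> None:
        if SEVERITY_RANK[level] > SEVERITY_RANK[self.severity]:
            self.severity = level


def _first_token(cmd: str) -> str:
    """Return the executable part of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ''


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one O4 line; return None for lines of any other section."""
    m = O4_RUN_RE.match(line)
    if m:
        return RunEntry(f"{m['hive']}\\..\\{m['key']}", m['name'], m['cmd'])
    m = O4_STARTUP_RE.match(line)
    if m:
        return RunEntry(m['scope'], m['name'], m['cmd'])
    return None


def assess(entry: RunEntry) -> RunEntry:
    """Attach heuristic findings to an autostart entry (heuristics are this example's own)."""
    exe = _first_token(entry.command)
    if URL_RE.search(entry.command):
        entry.reasons.append('command passes a URL at every logon (typical of an ad loader)')
        entry.raise_to('high')
    if USER_TEMP_RE.search(entry.command):
        entry.reasons.append('command runs from a Temp folder')
        entry.raise_to('high')
    if '\\' not in exe and ':' not in exe:
        entry.reasons.append('bare executable name: resolved via the search path, not verifiable from the log alone')
        entry.raise_to('low')
    return entry


def triage(lines: List[str]) -> List[RunEntry]:
    """Parse and assess every O4 line in a HijackThis log, in log order."""
    entries = (parse_o4(line) for line in lines)
    return [assess(e) for e in entries if e is not None]


def high_findings(lines: List[str]) -> List[str]:
    """Names of autostart entries that deserve immediate attention."""
    return [e.name for e in triage(lines) if e.severity == 'high']


if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        if e.reasons:
            print(f"[{e.severity:4}] {e.location} [{e.name}] {e.command}")
            for r in e.reasons:
                print(f"        - {r}")
```

Run against the sample, only the `adstart` value is rated high, because it is the one entry that starts a browser with a URL at logon; the bare ThinkPad and RunDll32 entries are only marked low, since a log line alone cannot tell a legitimate OEM utility from a look-alike dropped into the search path. The heuristics are deliberately narrow: they point a responder at what to examine next rather than deciding what to delete.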
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\VA711PVZ\sp2-cydoor-728[1].swf Infected: not-virus:Hoax.SWF.Alerter.a skipped
C:\Documents and Settings\Matthew\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matthew\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DeluxeCommunications\Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Program Files\DeluxeCommunications\DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Program Files\DeluxeCommunications\DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe RarSFX: infected - 2 skipped
C:\Program Files\HJT\backups\backup-20061017-201638-158 Infected: Exploit.HTML.Mht skipped
C:\Program Files\HJT\backups\backup-20061017-201638-158.dll Infected: not-a-virus:Downloader.Win32.InsTool.a skipped
C:\Program Files\HJT\hijackthis1.txt Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\HJT\hijackthis2.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\LOG\ERRORLOG Object is locked skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP303\A0029963.dll Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP325\change.log Object is locked skipped
C:\WINDOWS\1011_justin.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0003/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe/data0003/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe/data0003 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe NSIS: infected - 6 skipped
C:\WINDOWS\aff_0006.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\WINDOWS\aff_0006.exe CAB: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\DXCecho.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe RarSFX: infected - 4 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe RarSFX: infected - 4 skipped
C:\WINDOWS\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.t skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe NSIS: infected - 3 skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FE953301-8858-41CC-A1D9-5AEFCAC1AC5D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adrotate.dll Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\bkd.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\WINDOWS\system32\bkd.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\WINDOWS\system32\bkd.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\WINDOWS\system32\bkd.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\WINDOWS\system32\bkd.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\WINDOWS\system32\bkd.exe CAB: infected - 5 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hgggfee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\WINDOWS\system32\justin.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\system32\justin.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\system32\justin.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\ts_www.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\ts_www.exe/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\ts_www.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_70c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
It looks like some infections are hiding from HijackThis. In order to show the infections, I need you to rename HijackThis to HJT. Save a new log, and post it back here.
Also, I would like to see another log from HijackThis (should now be HJT).
Please post the requested logs back here.
Here's my new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:52:55 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HJT\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\acblbook.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsf1B.dll
O2 - BHO: (no name) - {BC8065F7-685D-4278-9C61-61FEA8C9A740} - C:\WINDOWS\System32\gebcy.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\System32\adrotate.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\HJT\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: gebcy - C:\WINDOWS\System32\gebcy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
And the uninstall list:
Access IBM
Access IBM Message Center
Access IBM Tools
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 6.0
Adobe Reader 7.0.8
Agere Systems AC'97 Modem
alm
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Apple Software Update
Atari: The 80 Classic Games
Autodesk Inventor Professional 10
AVG Free Edition
AVI to MPEG Converter
Chessmaster 10th Edition
DeluxeCommunications
Enhanced Browser Overlay
HijackThis 1.99.1
IBM Access Connections
IBM Access Support
IBM Access Support - Local Content Pack
IBM DLA
IBM Rapid Restore PC Setup
IBM RecordNow
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM TrackPoint Accessibility Features
IBM TrackPoint Support
Intel(R) Extreme Graphics Driver
InterVideo WinDVD
iPod Updater 2004-11-15
iTunes
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Premium
Microsoft SQL Server Desktop Engine (INVENTORCONTENT)
Microsoft WSE 2.0 Runtime
MINITAB Release 14
Mouse Suite
Mozilla Firefox (1.5)
Panda ActiveScan
PC-Doctor for Windows
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SSH Secure Shell
Support.com Software
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
TPNala Wallpaper
TunePlus 1.0.0.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
ZoneAlarm
Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
DeluxeCommunications
Enhanced Browser Overlay
__________________________________
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\acblbook.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsf1B.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\System32\adrotate.dll
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
__________________________________
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt, a new HiJackThis log, along with a new Uninstall list.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\System32\adrotate.dll
Didn't show up, this time.
Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:27:41 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HJT\ZoneAlarm\zlclient.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11C49866-CED5-4787-96FD-D5484023E501} - C:\WINDOWS\System32\gebcy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\HJT\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Here's my Vundo txt file:
VundoFix V6.2.6
Checking Java version...
Sun Java not detected
Scan started at 5:04:57 PM 10/19/2006
Listing files found while scanning....
C:\WINDOWS\system32\hgggfee.dll
C:\WINDOWS\system32\opcdkwyw.exe
C:\WINDOWS\System32\gebcy.dll
C:\WINDOWS\System32\ycbeg.ini
C:\WINDOWS\System32\ycbeg.bak1
C:\WINDOWS\System32\ycbeg.bak2
C:\WINDOWS\System32\ycbeg.ini2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opcdkwyw.exe
C:\WINDOWS\system32\opcdkwyw.exe Has been deleted!
Attempting to delete C:\WINDOWS\System32\gebcy.dll
C:\WINDOWS\System32\gebcy.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\ycbeg.ini
C:\WINDOWS\System32\ycbeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\ycbeg.bak1
C:\WINDOWS\System32\ycbeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\ycbeg.bak2
C:\WINDOWS\System32\ycbeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\ycbeg.ini2
C:\WINDOWS\System32\ycbeg.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
And my new uninstall:
Access IBM
Access IBM Message Center
Access IBM Tools
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 6.0
Adobe Reader 7.0.8
Agere Systems AC'97 Modem
alm
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Apple Software Update
Atari: The 80 Classic Games
Autodesk Inventor Professional 10
AVG Free Edition
AVI to MPEG Converter
Chessmaster 10th Edition
HijackThis 1.99.1
IBM Access Connections
IBM Access Support
IBM Access Support - Local Content Pack
IBM DLA
IBM Rapid Restore PC Setup
IBM RecordNow
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM TrackPoint Accessibility Features
IBM TrackPoint Support
Intel(R) Extreme Graphics Driver
InterVideo WinDVD
iPod Updater 2004-11-15
iTunes
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Premium
Microsoft SQL Server Desktop Engine (INVENTORCONTENT)
Microsoft WSE 2.0 Runtime
MINITAB Release 14
Mouse Suite
Mozilla Firefox (1.5)
Panda ActiveScan
PC-Doctor for Windows
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SSH Secure Shell
Support.com Software
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
TPNala Wallpaper
TunePlus 1.0.0.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
ZoneAlarm
Thanks!
Remove the following entry with HijackThis (HJT):
O2 - BHO: (no name) - {11C49866-CED5-4787-96FD-D5484023E501} - C:\WINDOWS\System32\gebcy.dll (file missing)
_____________________________
You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Once in Safe Mode: Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)

- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode
IMPORTANT: Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
_____________________________
Please do another scan with Panda or Kaspersky, or even both if you would like.
Then, post the following:
1) AVG Anti-Spyware log
2) Online scan results
3) New HijackThis log
You may need several replies so the logs do not get cut off.
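A way to pick entries like the orphaned O2 line above out of a HijackThis log automatically, as an added example that is not part of this thread and not code from HijackThis itself. It parses the O2, O4 and O23 line shapes seen in the logs posted here and flags three things: a BHO whose DLL is reported "(file missing)" (the gebcy.dll entry), a Run value that names a bare executable resolved through the search path, and a service whose binary carries no company name. The sample log is a constructed subset of this thread's logs; the line formats are taken from HijackThis 1.99.1 output as posted, and the flags are review prompts rather than verdicts (the tp4serv.exe and QCONSVC hits on this ThinkPad belong to the IBM utilities in the installed-program list).

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the two HijackThis logs posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {11C49866-CED5-4787-96FD-D5484023E501} - C:\WINDOWS\System32\gebcy.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Line shapes as they appear in HijackThis 1.99.1 logs (assumed from the logs in this thread).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HJT section prefix: O2, O4 or O23
    item: str      # CLSID, Run value name, or service name
    reason: str    # why a human should look at it


def command_image(cmd):
    """Return the executable part of a Run value: the quoted path, or the first token."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text):
    """Walk an HJT log and return the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            # A BHO whose DLL no longer exists is a dead registration; HJT can remove it.
            if m.group("path").endswith("(file missing)"):
                findings.append(Finding("O2", m.group("clsid"),
                                        "BHO still registered but its DLL is gone; orphaned entry"))
            continue
        m = RUN_RE.match(line)
        if m:
            # A bare file name is located via the search path, so confirm which copy actually runs.
            image = command_image(m.group("cmd"))
            if image and "\\" not in image:
                findings.append(Finding("O4", m.group("value"),
                                        "bare file name %s resolved via the search path" % image))
            continue
        m = SVC_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            # No company name in the binary's version info: verify the file before trusting it.
            findings.append(Finding("O23", m.group("name"),
                                    "service binary has no company name; verify " + m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f.section, f.item, "-", f.reason)
```

Run against the sample it reports exactly the gebcy.dll BHO, the TrackPointSrv Run value and the QCONSVC service; the Spybot SDHelper.dll BHO is also "(no name)" but its file exists, so the check keys on "(file missing)" rather than on the missing display name.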
Here's my AVG log:
AVG Anti-Spyware - Scan Report
+ Created at: 12:35:50 PM 10/20/2006
+ Scan result:
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\aff_0006.exe/AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP303\A0029963.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Local Settings\Temp\mmxsnet.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\motorsix.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP303\A0030139.dll -> Adware.Searchcolours : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Local Settings\Temp\da5D.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Local Settings\Temp\i4D.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034244.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034245.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034246.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\DXCecho.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP330\A0034267.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP330\A0034270.dll -> Downloader.Bomka.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\33PRZPW0\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\GLQRSHMB\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\VQCRJ1S9\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Program Files\HJT\backups\backup-20061017-201638-158.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Matthew\Cookies\matthew@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
Here is my Panda log:
Incident Status Location
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@realmedia[2].txt
Adware:Adware/DeluxeComunications Not disinfected C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whiehlpr.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe[whiehlpr.dll]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\opcdkwyw.exe.bad
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancerdoem.exe[whCC-GIANT3.exe][whiehlpr.dll]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WINDOWS\hancermm.exe[whCC-GIANT2.exe][whiehlpr.dll]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Setup90.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Setup90.exe[TagASaurus.exe]
Here is my Kaspersky log:
KASPERSKY ONLINE SCANNER REPORT
Friday, October 20, 2006 9:57:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/10/2006
Kaspersky Anti-Virus database records: 233512
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 65901
Number of viruses found: 14
Number of infected objects: 59 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:12:25
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-10162006-190013.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{39906F29-C645-4FD8-B4C7-019E33AFAB06} Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\History\History.IE5\MSHist012006102020061021\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe CAB: infected - 5 skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\s2c8.a.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\49QVSPUV\sp2-adtegrity-nx[1].swf Infected: not-virus:Hoax.SWF.Alerter.a skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew\Local Settings\Temporary Internet Files\Content.IE5\VA711PVZ\sp2-cydoor-728[1].swf Infected: not-virus:Hoax.SWF.Alerter.a skipped
C:\Documents and Settings\Matthew\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matthew\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\em\dohancer\whCC-GIANT3.exe RarSFX: infected - 2 skipped
C:\Program Files\HJT\backups\backup-20061017-201638-158 Infected: Exploit.HTML.Mht skipped
C:\Program Files\HJT\hijackthis1.txt Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\HJT\hijackthis2.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\LOG\ERRORLOG Object is locked skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\mm\hancmmnew\whCC-GIANT2.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034247.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034247.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034247.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034247.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034247.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP329\A0034247.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP330\A0034269.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP334\A0034546.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP334\A0034547.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP334\A0034547.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP334\A0034548.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP334\A0034549.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.t skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP334\A0034550.dll Infected: not-a-virus:Downloader.Win32.InsTool.a skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP335\change.log Object is locked skipped
C:\VundoFix Backups\gebcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\1011_justin.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\1011_justin.exe/data0003/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe/data0003/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe/data0003 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\1011_justin.exe NSIS: infected - 6 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar/whCC-GIANT3.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancerdoem.exe RarSFX: infected - 4 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\WINDOWS\hancermm.exe RarSFX: infected - 4 skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\THIEF.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe NSIS: infected - 3 skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\justin.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\system32\justin.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.ch skipped
C:\WINDOWS\system32\justin.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\ts_www.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\ts_www.exe/stream Infected: Trojan-Downloader.Win32.Bomka.r skipped
C:\WINDOWS\system32\ts_www.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1e8.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT04663.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT04666.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
And my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:09:57 PM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HJT\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\HJT\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Once again, I really appreciate this.
Please reboot your computer into Safe Mode, like you did previously.
_______________________________
Once in Safe Mode, do the following:
We need to view hidden files and folders:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
_______________________________
Next, find and delete the following:
C:\Documents and Settings\Matthew\Local Settings\Temp\DxcUpdater3.exe <-- This file
C:\Program Files\em <-- This folder
C:\Program Files\mm <-- This folder
C:\WINDOWS\hancerdoem.exe <-- This file
C:\WINDOWS\hancermm.exe <-- This file
C:\WINDOWS\Setup90.exe <-- This file
C:\WINDOWS\1011_justin.exe <-- This file
C:\WINDOWS\system32\justin.exe <-- This file
C:\WINDOWS\system32\ts_www.exe <-- This file
Reboot back into Normal Mode
_______________________________
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Here's my combofix log:
Matthew - 06-10-25 22:58:00.08 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Program Files\Mozilla Firefox"
((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))
2006-10-20 10:17 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-16 22:40 46,352 --a C:\WINDOWS\setdebug.exe
2006-10-16 22:40 139,536 --a C:\WINDOWS\system32\javaee.dll
2006-10-16 22:39 113 --a C:\WINDOWS\system32\zonedon.reg
2006-10-16 22:39 113 --a C:\WINDOWS\system32\zonedoff.reg
2006-10-16 18:26 95,424 C:\WINDOWS\system32\drivers\slnthal.sys
2006-10-16 18:26 9,728 C:\WINDOWS\system32\comsdupd.exe
2006-10-16 18:26 88,064 C:\WINDOWS\system32\p2pnetsh.dll
2006-10-16 18:26 870,784 C:\WINDOWS\system32\ati3d1ag.dll
2006-10-16 18:26 86,016 C:\WINDOWS\system32\p2pgasvc.dll
2006-10-16 18:26 86,016 C:\WINDOWS\system32\mdmxsdk.dll
2006-10-16 18:26 81,920 C:\WINDOWS\system32\ieencode.dll
2006-10-16 18:26 81,408 C:\WINDOWS\system32\wscsvc.dll
2006-10-16 18:26 8,192 C:\WINDOWS\system32\smbinst.exe
2006-10-16 18:26 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-10-16 18:26 78,464 C:\WINDOWS\system32\drivers\usbvideo.sys
2006-10-16 18:26 755,200 C:\WINDOWS\system32\ir50_32.dll
2006-10-16 18:26 75,776 C:\WINDOWS\system32\strmfilt.dll
2006-10-16 18:26 73,832 C:\WINDOWS\system32\slcoinst.dll
2006-10-16 18:26 73,796 C:\WINDOWS\system32\slserv.exe
2006-10-16 18:26 73,216 C:\WINDOWS\system32\drivers\atintuxx.sys
2006-10-16 18:26 71,680 C:\WINDOWS\system32\blastcln.exe
2006-10-16 18:26 701,440 C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-10-16 18:26 7,680 C:\WINDOWS\system32\kbdsmsno.dll
2006-10-16 18:26 7,680 C:\WINDOWS\system32\kbdsmsfi.dll
2006-10-16 18:26 7,168 C:\WINDOWS\system32\kbdukx.dll
2006-10-16 18:26 7,168 C:\WINDOWS\system32\kbdno1.dll
2006-10-16 18:26 7,168 C:\WINDOWS\system32\kbdfi1.dll
2006-10-16 18:26 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-10-16 18:26 685,056 C:\WINDOWS\system32\drivers\hsfcxts2.sys
2006-10-16 18:26 67,584 C:\WINDOWS\system32\drivers\sdbus.sys
2006-10-16 18:26 63,663 C:\WINDOWS\system32\drivers\ati1rvxx.sys
2006-10-16 18:26 63,488 C:\WINDOWS\system32\drivers\atinxsxx.sys
2006-10-16 18:26 60,416 C:\WINDOWS\system32\fwcfg.dll
2006-10-16 18:26 6,656 C:\WINDOWS\system32\kbdinmal.dll
2006-10-16 18:26 6,656 C:\WINDOWS\system32\kbdinben.dll
2006-10-16 18:26 6,144 C:\WINDOWS\system32\kbdmlt48.dll
2006-10-16 18:26 6,144 C:\WINDOWS\system32\kbdmlt47.dll
2006-10-16 18:26 6,144 C:\WINDOWS\system32\kbdinbe1.dll
2006-10-16 18:26 6,016 C:\WINDOWS\system32\drivers\smbali.sys
2006-10-16 18:26 57,856 C:\WINDOWS\system32\drivers\atinbtxx.sys
2006-10-16 18:26 56,623 C:\WINDOWS\system32\drivers\ati1btxx.sys
2006-10-16 18:26 526,848 C:\WINDOWS\system32\p2psvc.dll
2006-10-16 18:26 52,224 C:\WINDOWS\system32\drivers\atinraxx.sys
2006-10-16 18:26 516,768 C:\WINDOWS\system32\ativvaxx.dll
2006-10-16 18:26 50,688 C:\WINDOWS\system32\btpanui.dll
2006-10-16 18:26 50,176 C:\WINDOWS\system32\xmlprovi.dll
2006-10-16 18:26 5,632 C:\WINDOWS\system32\kbdmaori.dll
2006-10-16 18:26 49,152 C:\WINDOWS\system32\powercfg.exe
2006-10-16 18:26 48,640 C:\WINDOWS\system32\pnrpnsp.dll
2006-10-16 18:26 465,176 --a C:\WINDOWS\system32\wuapi.dll
2006-10-16 18:26 46,464 C:\WINDOWS\system32\drivers\gagp30kx.sys
2006-10-16 18:26 452,736 C:\WINDOWS\system32\drivers\mtxparhm.sys
2006-10-16 18:26 44,672 C:\WINDOWS\system32\drivers\uagp35.sys
2006-10-16 18:26 44,032 C:\WINDOWS\system32\twext.dll
2006-10-16 18:26 438,784 C:\WINDOWS\system32\xpob2res.dll
2006-10-16 18:26 41,240 --a C:\WINDOWS\system32\wups.dll
2006-10-16 18:26 404,990 C:\WINDOWS\system32\drivers\slntamr.sys
2006-10-16 18:26 40,832 C:\WINDOWS\system32\drivers\irbus.sys
2006-10-16 18:26 4,274,816 C:\WINDOWS\system32\nv4_disp.dll
2006-10-16 18:26 4,255 C:\WINDOWS\system32\drivers\adv01nt5.dll
2006-10-16 18:26 397,056 C:\WINDOWS\system32\s3gnb.dll
2006-10-16 18:26 377,984 C:\WINDOWS\system32\ati2dvaa.dll
2006-10-16 18:26 36,463 C:\WINDOWS\system32\drivers\ati1tuxx.sys
2006-10-16 18:26 36,096 C:\WINDOWS\system32\drivers\intelppm.sys
2006-10-16 18:26 34,735 C:\WINDOWS\system32\drivers\ati1xsxx.sys
2006-10-16 18:26 327,040 C:\WINDOWS\system32\drivers\ati2mtaa.sys
2006-10-16 18:26 32,866 C:\WINDOWS\system32\slrundll.exe
2006-10-16 18:26 32,866 C:\WINDOWS\slrundll.exe
2006-10-16 18:26 32,768 C:\WINDOWS\system32\ativtmxx.dll
2006-10-16 18:26 32,285 C:\WINDOWS\system32\hsfcisp2.dll
2006-10-16 18:26 312,320 C:\WINDOWS\system32\p2pgraph.dll
2006-10-16 18:26 31,744 C:\WINDOWS\system32\drivers\atinxbxx.sys
2006-10-16 18:26 30,671 C:\WINDOWS\system32\drivers\ati1raxx.sys
2006-10-16 18:26 30,080 C:\WINDOWS\system32\drivers\rndismpx.sys
2006-10-16 18:26 3,967 C:\WINDOWS\system32\drivers\adv02nt5.dll
2006-10-16 18:26 3,901 C:\WINDOWS\system32\drivers\siint5.dll
2006-10-16 18:26 3,775 C:\WINDOWS\system32\drivers\adv11nt5.dll
2006-10-16 18:26 3,711 C:\WINDOWS\system32\drivers\adv09nt5.dll
2006-10-16 18:26 3,647 C:\WINDOWS\system32\drivers\adv07nt5.dll
2006-10-16 18:26 3,615 C:\WINDOWS\system32\drivers\adv05nt5.dll
2006-10-16 18:26 3,135 C:\WINDOWS\system32\drivers\adv08nt5.dll
2006-10-16 18:26 29,455 C:\WINDOWS\system32\drivers\ati1xbxx.sys
2006-10-16 18:26 29,184 C:\WINDOWS\system32\sdhcinst.dll
2006-10-16 18:26 29,056 C:\WINDOWS\system32\drivers\ip6fw.sys
2006-10-16 18:26 286,792 C:\WINDOWS\system32\slextspk.dll
2006-10-16 18:26 28,672 C:\WINDOWS\system32\drivers\atinsnxx.sys
2006-10-16 18:26 262,784 C:\WINDOWS\system32\drivers\http.sys
2006-10-16 18:26 26,367 C:\WINDOWS\system32\drivers\ati1snxx.sys
2006-10-16 18:26 25,471 C:\WINDOWS\system32\drivers\watv10nt.sys
2006-10-16 18:26 25,471 C:\WINDOWS\system32\drivers\atv04nt5.dll
2006-10-16 18:26 24,576 C:\WINDOWS\system32\httpapi.dll
2006-10-16 18:26 23,040 --a C:\WINDOWS\system32\fltmc.exe
2006-10-16 18:26 229,376 C:\WINDOWS\system32\ati2cqag.dll
2006-10-16 18:26 220,032 C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2006-10-16 18:26 22,271 C:\WINDOWS\system32\drivers\watv06nt.sys
2006-10-16 18:26 21,343 C:\WINDOWS\system32\drivers\ati1ttxx.sys
2006-10-16 18:26 21,183 C:\WINDOWS\system32\drivers\atv01nt5.dll
2006-10-16 18:26 201,728 C:\WINDOWS\system32\ati2dvag.dll
2006-10-16 18:26 200,192 C:\WINDOWS\system32\ir50_qc.dll
2006-10-16 18:26 194,328 --a C:\WINDOWS\system32\wuaueng1.dll
2006-10-16 18:26 193,024 C:\WINDOWS\system32\fsquirt.exe
2006-10-16 18:26 188,508 C:\WINDOWS\system32\slgen.dll
2006-10-16 18:26 183,808 C:\WINDOWS\system32\ir50_qcx.dll
2006-10-16 18:26 180,360 C:\WINDOWS\system32\drivers\ntmtlfax.sys
2006-10-16 18:26 173,536 --a C:\WINDOWS\system32\wuweb.dll
2006-10-16 18:26 172,312 --a C:\WINDOWS\system32\wuauclt1.exe
2006-10-16 18:26 17,408 C:\WINDOWS\system32\winshfhc.dll
2006-10-16 18:26 17,279 C:\WINDOWS\system32\drivers\atv10nt5.dll
2006-10-16 18:26 166,912 C:\WINDOWS\system32\drivers\s3gnbm.sys
2006-10-16 18:26 16,896 --a C:\WINDOWS\system32\fltlib.dll
2006-10-16 18:26 15,872 C:\WINDOWS\system32\w3ssl.dll
2006-10-16 18:26 15,488 C:\WINDOWS\system32\drivers\mssmbios.sys
2006-10-16 18:26 15,423 C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2006-10-16 18:26 15,104 C:\WINDOWS\system32\drivers\hidir.sys
2006-10-16 18:26 14,336 C:\WINDOWS\system32\drivers\atinpdxx.sys
2006-10-16 18:26 14,336 C:\WINDOWS\system32\auditusr.exe
2006-10-16 18:26 14,143 C:\WINDOWS\system32\drivers\atv06nt5.dll
2006-10-16 18:26 13,824 C:\WINDOWS\system32\wscntfy.exe
2006-10-16 18:26 13,824 C:\WINDOWS\system32\drivers\atinttxx.sys
2006-10-16 18:26 13,824 C:\WINDOWS\system32\drivers\atinmdxx.sys
2006-10-16 18:26 13,824 C:\WINDOWS\system32\cmsetacl.dll
2006-10-16 18:26 13,776 C:\WINDOWS\system32\drivers\recagent.sys
2006-10-16 18:26 13,568 C:\WINDOWS\system32\drivers\wacompen.sys
2006-10-16 18:26 13,240 C:\WINDOWS\system32\drivers\slwdmsup.sys
2006-10-16 18:26 129,536 C:\WINDOWS\system32\xmlprov.dll
2006-10-16 18:26 129,535 C:\WINDOWS\system32\drivers\slnt7554.sys
2006-10-16 18:26 128,896 C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-16 18:26 127,256 --a C:\WINDOWS\system32\wucltui.dll
2006-10-16 18:26 126,686 C:\WINDOWS\system32\drivers\mtlmnt5.sys
2006-10-16 18:26 12,672 C:\WINDOWS\system32\drivers\usb8023x.sys
2006-10-16 18:26 12,672 C:\WINDOWS\system32\drivers\mutohpen.sys
2006-10-16 18:26 12,047 C:\WINDOWS\system32\drivers\ati1pdxx.sys
2006-10-16 18:26 118,784 C:\WINDOWS\system32\msdadiag.dll
2006-10-16 18:26 116,224 C:\WINDOWS\system32\p2p.dll
2006-10-16 18:26 11,935 C:\WINDOWS\system32\drivers\wadv11nt.sys
2006-10-16 18:26 11,871 C:\WINDOWS\system32\drivers\wadv09nt.sys
2006-10-16 18:26 11,868 C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-10-16 18:26 11,807 C:\WINDOWS\system32\drivers\wadv07nt.sys
2006-10-16 18:26 11,615 C:\WINDOWS\system32\drivers\ati1mdxx.sys
2006-10-16 18:26 11,359 C:\WINDOWS\system32\drivers\atv02nt5.dll
2006-10-16 18:26 11,325 C:\WINDOWS\system32\drivers\vchnt5.dll
2006-10-16 18:26 11,295 C:\WINDOWS\system32\drivers\wadv08nt.sys
2006-10-16 18:26 11,136 C:\WINDOWS\system32\drivers\sffdisk.sys
2006-10-16 18:26 104,960 C:\WINDOWS\system32\drivers\atinrvxx.sys
2006-10-16 18:26 100,992 C:\WINDOWS\system32\drivers\bthpan.sys
2006-10-16 18:26 10,240 C:\WINDOWS\system32\drivers\sffp_sd.sys
2006-10-16 18:26 1,897,408 C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-10-16 18:26 1,888,992 C:\WINDOWS\system32\ati3duag.dll
2006-10-16 18:26 1,737,856 C:\WINDOWS\system32\mtxparhd.dll
2006-10-16 18:26 1,309,184 C:\WINDOWS\system32\drivers\mtlstrm.sys
2006-10-16 18:26 1,041,536 C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2006-10-16 18:12 22,752 --a C:\WINDOWS\system32\spupdsvc.exe
2006-10-16 17:52 107,132 --a C:\WINDOWS\UninstallFirefox.exe
2006-10-16 17:47 778,656 --a C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-16 17:47 499,712 --a C:\WINDOWS\system32\msvcp71.dll
2006-10-16 17:47 4,288 --a C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-16 17:47 348,160 --a C:\WINDOWS\system32\msvcr71.dll
2006-10-16 17:47 27,904 --a C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-16 17:47 23,424 --a C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-14 09:47 10,920 --a C:\aolconnfix.exe
2006-10-13 21:08 50,976 --a C:\WINDOWS\elitepop06.exe
2006-10-13 21:08 40,572 --a C:\WINDOWS\MirarSetup_876057.exe
2006-10-13 21:07 45,056 --a C:\WINDOWS\next06.exe
2006-10-12 10:14 78,848 --a C:\WINDOWS\system32\nsf1B.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-25 22:57 d C:\Program Files\Mozilla Firefox
2006-10-25 22:39 d C:\Program Files\HJT
2006-10-20 18:23 d C:\Program Files\Windows Defender
2006-10-20 18:16 d C:\Program Files\Internet Explorer
2006-10-20 10:17 d C:\Program Files\Grisoft
2006-10-18 18:00 d C:\Documents and Settings\Matthew\Application Data\Lavasoft
2006-10-17 20:31 d C:\Program Files\InterMute
2006-10-16 23:46 879 --a C:\Documents and Settings\Matthew\Application Data\AdobeDLM.log
2006-10-16 23:46 0 --a C:\Documents and Settings\Matthew\Application Data\dm.ini
2006-10-16 23:46 d C:\Program Files\Adobe
2006-10-16 23:44 d C:\Documents and Settings\Matthew\Application Data\Adobe
2006-10-16 23:43 d C:\Program Files\Common Files\Adobe
2006-10-16 22:53 d C:\Program Files\Common Files\System
2006-10-16 22:44 d C:\Program Files\Messenger
2006-10-16 22:42 d C:\Program Files\Windows Media Player
2006-10-16 22:31 d C:\Program Files\Outlook Express
2006-10-16 18:59 d C:\Program Files\Common Files\Microsoft Shared
2006-10-16 18:42 d--h C:\Program Files\WindowsUpdate
2006-10-16 18:42 d---s---- C:\Documents and Settings\Matthew\Application Data\Microsoft
2006-10-16 18:26 d C:\Program Files\Movie Maker
2006-10-16 18:20 d C:\Program Files\Windows NT
2006-10-16 18:20 d C:\Program Files\NetMeeting
2006-10-16 17:53 d C:\Documents and Settings\Matthew\Application Data\Talkback
2006-10-16 17:53 d C:\Documents and Settings\Matthew\Application Data\Mozilla
2006-10-16 17:47 d C:\Documents and Settings\Matthew\Application Data\AVG7
2006-10-16 17:42 d C:\Program Files\Common Files
2006-10-14 09:53 d C:\Program Files\America Online 9.0
2006-09-18 17:38 d C:\Program Files\iTunes
2006-09-18 17:38 d C:\Program Files\iPod
2006-09-18 17:36 d C:\Program Files\QuickTime
2006-09-18 17:34 d C:\Program Files\Apple Software Update
2006-09-13 01:01 1084416 --a C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a C:\WINDOWS\system32\comctl32.dll
2006-08-16 07:58 100352 --a C:\WINDOWS\system32\6to4svc.dll
2006-07-27 09:24 679424 --a C:\WINDOWS\system32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"TrackPointSrv"="tp4serv.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Zone Labs Client"="\"C:\\Program Files\\HJT\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\"iexplore"
"hkey"="HKLM"
"command"="\"iexplore.exe\" \"http://iesettingsupdate\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICO"
"hkey"="HKLM"
"command"="ICO.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_SMB]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 06-10-25 22:59:51.87
C:\ComboFix.txt ... 06-10-25 22:59
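A small triage parser for the ComboFix "Files Created" listing, added here as an example (it is not part of this thread and not ComboFix's own code): it reads entries in ComboFix's one-entry-per-line layout, tolerates a missing attribute column, and shortlists executables dropped in the drive root, the Windows root, a user Temp folder, or system32 outside a large update burst. The sample entries are copied from the log above except the DxcUpdater3.exe line, which is constructed, and the burst threshold is an assumed value.

```python
import re
from collections import Counter

# One ComboFix "Files Created" entry: date, time, size, optional attribute flags, path.
# The flags column is optional because copies of the log often lose it, as above.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)"
    r"\s+(?:(?P<flags>[-a-z]{1,9})\s+)?(?P<path>[A-Z]:\\\S.*?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

# Entries copied from the log above in ComboFix's one-line layout, plus one constructed
# Temp-folder line (DxcUpdater3.exe, the path the helper had already removed).
SAMPLE_LOG = """\
((((((((( Files Created from 2006-09-25 to 2006-10-25 )))))))))
2006-10-20 10:17\t3,968\t--a------\tC:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2006-10-16 18:26\t95,424\tC:\\WINDOWS\\system32\\drivers\\slnthal.sys
2006-10-16 18:26\t9,728\tC:\\WINDOWS\\system32\\comsdupd.exe
2006-10-16 18:26\t88,064\tC:\\WINDOWS\\system32\\p2pnetsh.dll
2006-10-16 18:26\t870,784\tC:\\WINDOWS\\system32\\ati3d1ag.dll
2006-10-16 18:26\t86,016\tC:\\WINDOWS\\system32\\p2pgasvc.dll
2006-10-14 09:47\t10,920\t--a------\tC:\\aolconnfix.exe
2006-10-13 21:08\t50,976\t--a------\tC:\\WINDOWS\\elitepop06.exe
2006-10-13 21:08\t40,572\t--a------\tC:\\WINDOWS\\MirarSetup_876057.exe
2006-10-13 21:07\t45,056\t--a------\tC:\\WINDOWS\\next06.exe
2006-10-12 10:14\t78,848\t--a------\tC:\\WINDOWS\\system32\\nsf1B.dll
2006-10-11 08:00\t12,345\t--a------\tC:\\Documents and Settings\\Matthew\\Local Settings\\Temp\\DxcUpdater3.exe
"""

def parse_entries(log_text):
    """Return one dict per file entry; banner and blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"minute": m["date"] + " " + m["time"], "path": m["path"],
                            "size": int(m["size"].replace(",", "")), "flags": m["flags"] or ""})
    return entries

def triage(entries, burst_min=4):
    """Review shortlist (not a verdict): suspicious path -> reasons. A burst is the
    number of files sharing one creation minute: updates write dozens, droppers a few.
    burst_min is an assumed threshold, not a ComboFix setting."""
    burst = Counter(e["minute"] for e in entries)
    flagged = {}
    for e in entries:
        path, low = e["path"], e["path"].lower()
        parent = low.rsplit("\\", 1)[0] + "\\"
        reasons = []
        if low.endswith(EXEC_EXT):
            if parent in ("c:\\", "c:\\windows\\"):
                reasons.append("executable in drive root or Windows root")
            if parent == "c:\\windows\\system32\\" and burst[e["minute"]] < burst_min:
                reasons.append("executable in system32 created in a small burst (%d)"
                               % burst[e["minute"]])
        if "\\local settings\\temp\\" in low:
            reasons.append("file in a user Temp folder")
        if reasons:
            flagged[path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Legitimate tools land on this shortlist too (aolconnfix.exe here), so each hit still needs a human look; the list is only meant to pull the handful of lone droppers out of the hundreds of update files.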
Let me know how things are, and if we can mark this resolved.
The only thing I've noticed is that Zone Alarm gives me the occasional cryptic alert message about some connection being blocked, with a strand of numbers. Is that something to be concerned about?
Thanks!
One alert goes something like, "The Firewall has blocked routed traffic from 192.168.1.1 to 192.168.1.101 (ICMP Echo Request 'Ping')."
Another says, "The Firewall has blocked access to 68.87.71.226 (DNS) from your computer. Program: Generic Host Process for Win 32 Services."
The ZoneAlarm website says these can be randomly or intentionally routed packets over a shared internet connection.