Continuing popup problems[resolved]
Saracen
At the puter !
Hi all,
Seems my sister in law has been running her Toshiba Satellite laptop without any AV or firewall ! Gives me a call to say something is wrong with her computer and could I have a look.
As expected, virus and malware ridden so tried numerous things that cleared up most of it. Need some help on the last popup window issue
Been through the stickied procedure but still get popup IE windows
when connected to internet.
Downloaded and ran "ATF Cleaner"
Installed, updated and ran "Ad-Aware SE"
Ran "Scan Now" with required options and removed all found items.
Installed, updated and ran S&D
Ran "Check for Problems" and removed all found items.
Installed Spyware blaster as directed.
Ran McAfee VirusScan "On demand Scan" to check for remaining viri and found nothing further.
Renamed the Hijackthis.exe to analyse.exe as I have seen comments about current malware not being found by hijackthis. ran it with the following results.
Logfile of HijackThis v1.99.1
Scan saved at 09:24:15, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Hijackthis\analyse.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164301657281
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O20 - AppInit_DLLs:
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mvrol9931.dll
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hope you guys can help.....
*Edit Forgot to add the Ad-Aware log file showing a Look2me infection.
Ad-Aware SE Build 1.06r1
Logfile Created on:24 November 2006 10:05:11
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:Se1R134 20.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.Look2Me(TAC index:7):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
24-11-2006 10:05:11 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 652
ThreadCreationTime : 24-11-2006 08:39:46
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 736
ThreadCreationTime : 24-11-2006 08:39:52
BasePriority : High
Adware.Look2Me Object Recognized!
Type : Process
Data : mvrol9931.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\
Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\mvrol9931.dll)
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 784
ThreadCreationTime : 24-11-2006 08:39:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 796
ThreadCreationTime : 24-11-2006 08:39:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 940
ThreadCreationTime : 24-11-2006 08:40:00
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1060
ThreadCreationTime : 24-11-2006 08:40:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1220
ThreadCreationTime : 24-11-2006 08:40:05
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : vsmon.exe
#:8 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1488
ThreadCreationTime : 24-11-2006 08:40:22
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
Adware.Look2Me Object Recognized!
Type : Process
Data : dntrans.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\
Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\dntrans.dll)
"C:\WINDOWS\system32\rundll32.exe"Process terminated successfully
#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1644
ThreadCreationTime : 24-11-2006 08:40:26
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Adware.Look2Me Object Recognized!
Type : Process
Data : dntrans.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\
Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\dntrans.dll)
#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1772
ThreadCreationTime : 24-11-2006 08:40:29
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:11 [ceepwrsvc.exe]
FilePath : C:\Program Files\TOSHIBA\Power Management\
ProcessID : 1860
ThreadCreationTime : 24-11-2006 08:40:30
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : CeEPwrSvc Module
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : CeEPwrSvc Module
InternalName : CeEPwrSvc
LegalCopyright : Copyright 2003 Compal Electronic Inc.
OriginalFilename : CeEPwrSvc.EXE
Comments : James Kang
#:12 [dkservice.exe]
FilePath : C:\Program Files\Diskeeper Corporation\Diskeeper\
ProcessID : 1880
ThreadCreationTime : 24-11-2006 08:40:30
BasePriority : Normal
FileVersion : 10.0.593.0
ProductVersion : 10.0.593.0
ProductName : Diskeeper (TM) Disk Defragmenter
CompanyName : Diskeeper Corporation
FileDescription : DKSERVICE.EXE
InternalName : DKSERVICE
LegalCopyright : © 1995-2005 Diskeeper Corporation
OriginalFilename : DKSERVICE
#:13 [frameworkservice.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 1912
ThreadCreationTime : 24-11-2006 08:40:31
BasePriority : Normal
FileVersion : 3.5.0.412
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Framework Service
InternalName : Framework
LegalCopyright : Copyright© 2000-2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : Framework.exe
#:14 [mcshield.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 112
ThreadCreationTime : 24-11-2006 08:40:34
BasePriority : High
#:15 [vstskmgr.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 148
ThreadCreationTime : 24-11-2006 08:40:36
BasePriority : Normal
#:16 [nicserv.exe]
FilePath : C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\
ProcessID : 272
ThreadCreationTime : 24-11-2006 08:40:39
BasePriority : Normal
FileVersion : 1.1.0.0
ProductVersion : 1.0.0.0
#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 428
ThreadCreationTime : 24-11-2006 08:40:43
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:18 [wmiapsrv.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 1124
ThreadCreationTime : 24-11-2006 08:40:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI Performance Adapter Service
InternalName : WmiApSrv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WmiApSrv.exe
#:19 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2396
ThreadCreationTime : 24-11-2006 08:41:28
BasePriority : Normal
FileVersion : 3.0.0.2172
ProductVersion : 7.0.0.2172
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : IGFXTRAY.EXE
#:20 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2560
ThreadCreationTime : 24-11-2006 08:41:32
BasePriority : Normal
FileVersion : 3.0.0.2172
ProductVersion : 7.0.0.2172
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE
#:21 [apoint.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 2572
ThreadCreationTime : 24-11-2006 08:41:33
BasePriority : Normal
FileVersion : 5.3.10.166
ProductVersion : 5.3.10.166
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe
#:22 [cepmtray.exe]
FilePath : C:\Program Files\TOSHIBA\Power Management\
ProcessID : 2584
ThreadCreationTime : 24-11-2006 08:41:33
BasePriority : Normal
FileVersion : 1, 0, 0, 26
ProductVersion : 1, 0, 0, 26
ProductName : CeTray Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : CeTray MFC Application
InternalName : CeTray
LegalCopyright : Copyright 2003 Compal Electronic Inc.
OriginalFilename : CeTray.EXE
Comments : James Kang
#:23 [ceekey.exe]
FilePath : C:\Program Files\TOSHIBA\E-KEY\
ProcessID : 2592
ThreadCreationTime : 24-11-2006 08:41:35
BasePriority : Normal
FileVersion : 2, 0, 0, 18
ProductVersion : 2, 0, 0, 18
ProductName : EKey Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : TOSHIBA HotKey Utility
InternalName : E_Key
LegalCopyright : Copyright 2003 Compal Electronic Inc.
OriginalFilename : CeEKey.EXE
Comments : Eva Hung
#:24 [tptray.exe]
FilePath : C:\Program Files\TOSHIBA\TouchPad\
ProcessID : 2600
ThreadCreationTime : 24-11-2006 08:41:35
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : TPTray Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : TPTray Application
InternalName : TPTray
LegalCopyright : Copyright 2002 Compal Electronic Inc.
OriginalFilename : TPTray.EXE
Comments : Mei Hsu
#:25 [ezsp_px.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2620
ThreadCreationTime : 24-11-2006 08:41:36
BasePriority : Normal
#:26 [dragdrop.exe]
FilePath : C:\Program Files\Drag'n Drop CD+DVD\BinFiles\
ProcessID : 2648
ThreadCreationTime : 24-11-2006 08:41:40
BasePriority : Normal
#:27 [apntex.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 2656
ThreadCreationTime : 24-11-2006 08:41:40
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe
#:28 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2684
ThreadCreationTime : 24-11-2006 08:41:41
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
#:29 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2692
ThreadCreationTime : 24-11-2006 08:41:42
BasePriority : Normal
FileVersion : 7.0.4
ProductVersion : QuickTime 7.0.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe
#:30 [shstat.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 2700
ThreadCreationTime : 24-11-2006 08:41:42
BasePriority : Normal
#:31 [updaterui.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 2708
ThreadCreationTime : 24-11-2006 08:41:42
BasePriority : Normal
FileVersion : 3.5.0.412
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Common User Interface
InternalName : UpdaterUI
LegalCopyright : Copyright© 2000-2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : UpdaterUI.exe
#:32 [tbmon.exe]
FilePath : C:\Program Files\Common Files\Network Associates\TalkBack\
ProcessID : 2716
ThreadCreationTime : 24-11-2006 08:41:43
BasePriority : Normal
FileVersion : 2.0.275.0
ProductVersion : 2.0.275.0
ProductName : TalkBack Monitor
CompanyName : Network Associates, Inc.
FileDescription : TalkBack Monitor
InternalName : TBMON
LegalCopyright : ©2003 Networks Associates Technology, Inc. All Rights Reserved.
LegalTrademarks : McAfee & Network Associates are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. (c) 2003 Network Associates Technology, Inc. All Rights Reserved.
OriginalFilename : TBMON.EXE
#:33 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 2752
ThreadCreationTime : 24-11-2006 08:41:44
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : zlclient.exe
#:34 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2812
ThreadCreationTime : 24-11-2006 08:41:46
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe
#:35 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2848
ThreadCreationTime : 24-11-2006 08:41:48
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe
#:36 [odhost.exe]
FilePath : C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\
ProcessID : 2936
ThreadCreationTime : 24-11-2006 08:41:56
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
FileDescription : Odyssey COM Host
InternalName : OdHost
LegalCopyright : Copyright (C) 2003
OriginalFilename : Odhost.exe
#:37 [wpc54cfg.exe]
FilePath : C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\
ProcessID : 2992
ThreadCreationTime : 24-11-2006 08:42:01
BasePriority : Normal
FileVersion : 1.1.0.35
ProductVersion : 1.3.0.1
ProductName : Linksys Instant WLAN Monitor
CompanyName : The Linksys Group, Inc.
FileDescription : Linksys Instant WLAN Monitor
InternalName : WLANMonitor.EXE
LegalCopyright : Copyright (C) 2003, Linksys
LegalTrademarks : Instant Wireless
OriginalFilename : WLANMonitor.EXE
Comments : Linksys Instant WLAN Monitor
#:38 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1464
ThreadCreationTime : 24-11-2006 09:53:09
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE
#:39 [taskmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2340
ThreadCreationTime : 24-11-2006 09:55:09
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe
#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3368
ThreadCreationTime : 24-11-2006 10:00:18
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 3
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
10:15:38 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:26.812
Objects scanned:150073
Objects identified:0
Objects ignored:0
New critical objects:0
Seems my sister in law has been running her Toshiba Satellite laptop without any AV or firewall ! Gives me a call to say something is wrong with her computer and could I have a look.
As expected, virus and malware ridden so tried numerous things that cleared up most of it. Need some help on the last popup window issue
Been through the stickied procedure but still get popup IE windows
when connected to internet.
Downloaded and ran "ATF Cleaner"
Installed, updated and ran "Ad-Aware SE"
Ran "Scan Now" with required options and removed all found items.
Installed, updated and ran S&D
Ran "Check for Problems" and removed all found items.
Installed Spyware blaster as directed.
Ran McAfee VirusScan "On demand Scan" to check for remaining viri and found nothing further.
Renamed the Hijackthis.exe to analyse.exe as I have seen comments about current malware not being found by hijackthis. ran it with the following results.
Logfile of HijackThis v1.99.1
Scan saved at 09:24:15, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Hijackthis\analyse.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164301657281
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O20 - AppInit_DLLs:
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mvrol9931.dll
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hope you guys can help.....
*Edit Forgot to add the Ad-Aware log file showing a Look2me infection.
Ad-Aware SE Build 1.06r1
Logfile Created on:24 November 2006 10:05:11
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:Se1R134 20.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.Look2Me(TAC index:7):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
24-11-2006 10:05:11 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 652
ThreadCreationTime : 24-11-2006 08:39:46
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 736
ThreadCreationTime : 24-11-2006 08:39:52
BasePriority : High
Adware.Look2Me Object Recognized!
Type : Process
Data : mvrol9931.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\
Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\mvrol9931.dll)
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 784
ThreadCreationTime : 24-11-2006 08:39:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 796
ThreadCreationTime : 24-11-2006 08:39:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 940
ThreadCreationTime : 24-11-2006 08:40:00
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1060
ThreadCreationTime : 24-11-2006 08:40:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1220
ThreadCreationTime : 24-11-2006 08:40:05
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : vsmon.exe
#:8 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1488
ThreadCreationTime : 24-11-2006 08:40:22
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
Adware.Look2Me Object Recognized!
Type : Process
Data : dntrans.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\
Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\dntrans.dll)
"C:\WINDOWS\system32\rundll32.exe"Process terminated successfully
#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1644
ThreadCreationTime : 24-11-2006 08:40:26
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Adware.Look2Me Object Recognized!
Type : Process
Data : dntrans.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\
Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\dntrans.dll)
#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1772
ThreadCreationTime : 24-11-2006 08:40:29
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:11 [ceepwrsvc.exe]
FilePath : C:\Program Files\TOSHIBA\Power Management\
ProcessID : 1860
ThreadCreationTime : 24-11-2006 08:40:30
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : CeEPwrSvc Module
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : CeEPwrSvc Module
InternalName : CeEPwrSvc
LegalCopyright : Copyright 2003 Compal Electronic Inc.
OriginalFilename : CeEPwrSvc.EXE
Comments : James Kang
#:12 [dkservice.exe]
FilePath : C:\Program Files\Diskeeper Corporation\Diskeeper\
ProcessID : 1880
ThreadCreationTime : 24-11-2006 08:40:30
BasePriority : Normal
FileVersion : 10.0.593.0
ProductVersion : 10.0.593.0
ProductName : Diskeeper (TM) Disk Defragmenter
CompanyName : Diskeeper Corporation
FileDescription : DKSERVICE.EXE
InternalName : DKSERVICE
LegalCopyright : © 1995-2005 Diskeeper Corporation
OriginalFilename : DKSERVICE
#:13 [frameworkservice.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 1912
ThreadCreationTime : 24-11-2006 08:40:31
BasePriority : Normal
FileVersion : 3.5.0.412
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Framework Service
InternalName : Framework
LegalCopyright : Copyright© 2000-2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : Framework.exe
#:14 [mcshield.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 112
ThreadCreationTime : 24-11-2006 08:40:34
BasePriority : High
#:15 [vstskmgr.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 148
ThreadCreationTime : 24-11-2006 08:40:36
BasePriority : Normal
#:16 [nicserv.exe]
FilePath : C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\
ProcessID : 272
ThreadCreationTime : 24-11-2006 08:40:39
BasePriority : Normal
FileVersion : 1.1.0.0
ProductVersion : 1.0.0.0
#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 428
ThreadCreationTime : 24-11-2006 08:40:43
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:18 [wmiapsrv.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 1124
ThreadCreationTime : 24-11-2006 08:40:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI Performance Adapter Service
InternalName : WmiApSrv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WmiApSrv.exe
#:19 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2396
ThreadCreationTime : 24-11-2006 08:41:28
BasePriority : Normal
FileVersion : 3.0.0.2172
ProductVersion : 7.0.0.2172
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : IGFXTRAY.EXE
#:20 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2560
ThreadCreationTime : 24-11-2006 08:41:32
BasePriority : Normal
FileVersion : 3.0.0.2172
ProductVersion : 7.0.0.2172
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE
#:21 [apoint.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 2572
ThreadCreationTime : 24-11-2006 08:41:33
BasePriority : Normal
FileVersion : 5.3.10.166
ProductVersion : 5.3.10.166
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe
#:22 [cepmtray.exe]
FilePath : C:\Program Files\TOSHIBA\Power Management\
ProcessID : 2584
ThreadCreationTime : 24-11-2006 08:41:33
BasePriority : Normal
FileVersion : 1, 0, 0, 26
ProductVersion : 1, 0, 0, 26
ProductName : CeTray Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : CeTray MFC Application
InternalName : CeTray
LegalCopyright : Copyright 2003 Compal Electronic Inc.
OriginalFilename : CeTray.EXE
Comments : James Kang
#:23 [ceekey.exe]
FilePath : C:\Program Files\TOSHIBA\E-KEY\
ProcessID : 2592
ThreadCreationTime : 24-11-2006 08:41:35
BasePriority : Normal
FileVersion : 2, 0, 0, 18
ProductVersion : 2, 0, 0, 18
ProductName : EKey Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : TOSHIBA HotKey Utility
InternalName : E_Key
LegalCopyright : Copyright 2003 Compal Electronic Inc.
OriginalFilename : CeEKey.EXE
Comments : Eva Hung
#:24 [tptray.exe]
FilePath : C:\Program Files\TOSHIBA\TouchPad\
ProcessID : 2600
ThreadCreationTime : 24-11-2006 08:41:35
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : TPTray Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : TPTray Application
InternalName : TPTray
LegalCopyright : Copyright 2002 Compal Electronic Inc.
OriginalFilename : TPTray.EXE
Comments : Mei Hsu
#:25 [ezsp_px.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2620
ThreadCreationTime : 24-11-2006 08:41:36
BasePriority : Normal
#:26 [dragdrop.exe]
FilePath : C:\Program Files\Drag'n Drop CD+DVD\BinFiles\
ProcessID : 2648
ThreadCreationTime : 24-11-2006 08:41:40
BasePriority : Normal
#:27 [apntex.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 2656
ThreadCreationTime : 24-11-2006 08:41:40
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe
#:28 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2684
ThreadCreationTime : 24-11-2006 08:41:41
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
#:29 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2692
ThreadCreationTime : 24-11-2006 08:41:42
BasePriority : Normal
FileVersion : 7.0.4
ProductVersion : QuickTime 7.0.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe
#:30 [shstat.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 2700
ThreadCreationTime : 24-11-2006 08:41:42
BasePriority : Normal
#:31 [updaterui.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 2708
ThreadCreationTime : 24-11-2006 08:41:42
BasePriority : Normal
FileVersion : 3.5.0.412
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Common User Interface
InternalName : UpdaterUI
LegalCopyright : Copyright© 2000-2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : UpdaterUI.exe
#:32 [tbmon.exe]
FilePath : C:\Program Files\Common Files\Network Associates\TalkBack\
ProcessID : 2716
ThreadCreationTime : 24-11-2006 08:41:43
BasePriority : Normal
FileVersion : 2.0.275.0
ProductVersion : 2.0.275.0
ProductName : TalkBack Monitor
CompanyName : Network Associates, Inc.
FileDescription : TalkBack Monitor
InternalName : TBMON
LegalCopyright : ©2003 Networks Associates Technology, Inc. All Rights Reserved.
LegalTrademarks : McAfee & Network Associates are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. (c) 2003 Network Associates Technology, Inc. All Rights Reserved.
OriginalFilename : TBMON.EXE
#:33 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 2752
ThreadCreationTime : 24-11-2006 08:41:44
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : zlclient.exe
#:34 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2812
ThreadCreationTime : 24-11-2006 08:41:46
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe
#:35 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2848
ThreadCreationTime : 24-11-2006 08:41:48
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe
#:36 [odhost.exe]
FilePath : C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\
ProcessID : 2936
ThreadCreationTime : 24-11-2006 08:41:56
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
FileDescription : Odyssey COM Host
InternalName : OdHost
LegalCopyright : Copyright (C) 2003
OriginalFilename : Odhost.exe
#:37 [wpc54cfg.exe]
FilePath : C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\
ProcessID : 2992
ThreadCreationTime : 24-11-2006 08:42:01
BasePriority : Normal
FileVersion : 1.1.0.35
ProductVersion : 1.3.0.1
ProductName : Linksys Instant WLAN Monitor
CompanyName : The Linksys Group, Inc.
FileDescription : Linksys Instant WLAN Monitor
InternalName : WLANMonitor.EXE
LegalCopyright : Copyright (C) 2003, Linksys
LegalTrademarks : Instant Wireless
OriginalFilename : WLANMonitor.EXE
Comments : Linksys Instant WLAN Monitor
#:38 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1464
ThreadCreationTime : 24-11-2006 09:53:09
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE
#:39 [taskmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2340
ThreadCreationTime : 24-11-2006 09:55:09
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe
#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3368
ThreadCreationTime : 24-11-2006 10:00:18
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 3
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
10:15:38 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:26.812
Objects scanned:150073
Objects identified:0
Objects ignored:0
New critical objects:0
0
This discussion has been closed.
Comments
http://download.bleepingcomputer.com/sUBs/combofix.exe
And save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Also just copy and paste your hijackthis log.
Thanks for your time anyway.
http://www.lavasoftusa.com/support/securitycenter/look2me_removal_tool.php
Errmm, we are not done yet
How's it looking now ?
Logfile of HijackThis v1.99.1
Scan saved at 15:18:10, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164301657281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Logfile of HijackThis v1.99.1
Scan saved at 18:35, on 06-11-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164301657281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O20 - AppInit_DLLs:
Click on the below link to begin the Kaspersky Online scanner program.
Kaspersky On-line Scanner
When you are prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files
When the files finish downloading click on NEXT
Now click on Scan Settings
In Scan Settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This program will start and scan your system.
Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
When the scan has completed, it will display whether your system has been infected or not
Click on the Save as Text button:
Save the file to your desktop or another folder where you can locate it later.
Attach this file to your next message.
Also Post a Fresh HJT-Log.
KASPERSKY ONLINE SCANNER REPORT
06-11-26 13:44
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/11/2006
Kaspersky Anti-Virus database records: 245609
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 56995
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:47:01
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20061126_Time-123919203_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20061126_Time-123919203_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_LAPTOP-P-GRIFF.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_LAPTOP-P-GRIFF.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mine\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mine\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\LAPTOP-P-GRIFF.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0B829419-6014-4B06-AD6F-0F89230713A1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6fc.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT055b6.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0597d.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 13:47, on 06-11-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164301657281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Note: In the event you already have Killbox, this is a new version that I need you to download.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_9999_N91S2507NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERS_9999_N91S2507NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox,
Click here. to download and run missingfilesetup.exe. Then try Killbox again.
Please Post a Fresh HJT-Log
I have also noticed that "explorer.exe" is using 63,250K when viewed from the Task Manager. On my PC its only running at 14,000K. Can this be right ?
Latest HJT log
Logfile of HijackThis v1.99.1
Scan saved at 15:36, on 06-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Hijackthis\scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164301657281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{050A1F5A-01A9-4C21-A94A-8A448FD7A3A9}: NameServer = 194.168.4.100,194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware
Update it and scan your computer regularly with it.
Use Spybot S&D
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file
This prevents your computer from connecting to harmful sites.
Use Firefox browser
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein
So how did I get infected in the first place?
Stand Up and Be Counted !
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Safe surfing
Now the laptop is clean, with antivirus installed, Spybot S&D, Adware SE, updated "hosts" file and links to the Kaspersky online plus a quick lesson from me on how to protect herself from the scum, my sister in law should be good to go.
Thanks once again.