OS Name: Microsoft Windows 2000 Professional
Version: 5.00.2195 Service Pack 4 Build 2195
OS Manufacturer: Microsoft Corporation
System Name: USER1
System Manufacturer: Dell Computer Corporation
System Model: Inspiron 4000
System Type: X86-based PC
Processor: x86 Family 6 Model 8 Stepping 10 GenuineIntel ~902Mhz
BIOS Version: Phoenix ROM BIOS PLUS Version 1.10 A23
Windows Directory: C:\WINNT
Locale: United States
Time Zone: Central Daylight Time
Total Physical Memory: 392,604 KB
Available Physical Memory: 125,648 KB
Total Virtual Memory: 1,333,308 KB
Available Virtual Memory: 765,072 KB
Page File Space: 940,704 KB
I use a "3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)" modem and ADSL Internet service.
I went to http://www.geekstogo...?showtopic=2852 and, in the order that they appear within that text, diligently attempted each of the recommended procedures. I had already installed SP2 and had my computer set to update Windows automatically; I always use the "express install" feature when prompted.
I don't know if this is significant, but shortly after I first noticed the problem, I also noticed that the "automatic updates" feature seemed to be deactivated. I reactivated it, and "express installed" whatever updates Microsoft sent me.
Avast! identified the original malware; it recommended the "Move to Chest" option, which I selected. A second indication occurred seconds later and, thinking perhaps the "Move to Chest" option was inadequate, I selected the "Remove" option.
Avast! indicated the malware was successfully removed; however, I continued to get different alerts that I was infected with "Win32.QHost.DF," with some sort of Adware [078], and with some sort of Adware [094]. Regrettably, I remember only the numbers associated with the latter two malware programs: thinking the solution was only a couple of clicks away, I didn't write that stuff down.
The latter two indicated-malware programs may have been identified by Yahoo! AntiSpy (from the Yahoo! toolbar). MSIE toolbars cannot now be either unlocked or selected/deselected from the "View >> Toolbars" tabs in the header; only the "Customize" function is available.
In my MSIE, "View >> Toolbars" shows only "greyed-out" links for "Standard Buttons," "Address Bar" and "Links" -- each of which is preceded by a "greyed-out" checkmark. The Yahoo! toolbar is no longer visible (which ordinarily wouldn't be a big deal for me, since I tried to keep it hidden when I was browsing, but now it seems not to work, and that alarms me).
Avast! used to launch on startup and run as a little twirling blue ball in the "system tray" (in the same box as where the clock appears); now I have to start it manually, and it only runs from a GUI that resembles the front of an automotive radio or CD player.
I found HiJackThis before I found your site, and tried it. When I downloaded it, it was a .zip file, and the only way I had of unzipping it was to use Zipghost. It didn't give me an "extract to ..." option, so I ran it from the Zipghost window; this is how I ran it the first 3 times I used it.
I think I have all 3 logs available, in case an earlier log is needed than the one posted following these initial comments. I am not sure if the other programs generated useful logs, but if you think they will be helpful (and perhaps can help me find them), I'll try to post them.
I just ran Avast! again, and now it shows that my scanner is infected! I don't think any of my anti-malware efforts recommended at http://www.geekstogo...?showtopic=2852 were able to run to completion, with the possible exception of HiJackThis and maybe one other program -- but I've been working on this for 3 days now, and my brain seems to have turned to rubber.
I am perfectly willing to format my hard drive and reinstall my OS from scratch, but I haven't been able to figure out how to force Windows to let me do even that. I finally figured out how to extract HiJackThis into its own folder, and I renamed it to "C:\HJT" -- and ran it a fourth time to generate the following log:
Thanks for whatever help you're able to provide. Here's my latest HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:48:07 AM, on 8/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINNT\explorer.exe
C:\HTJ\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINNT\system32\lxcccoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Edited by wireflight, 05 August 2006 - 12:02 AM.