Ok - here goes!
I did the first step which you asked - which was to check the system32 folder for any .ico and found a bunch of them (the same ones that are on my desktop) all created at the same time (4/23/2005 9:28 AM). In that same search a bunch of other items came up, but they all had dates of 8/23/2001 and 8/24/2001 respectively... including some dll files... not sure if this computer is that old?? Why they would have that date confuses me. Maybe the computer is that old... I did buy it second-hand.
Secondly, I unzipped and ran FindQoologic and this was the log generated -
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES,
THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING.
IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Microsoft Office.lnk
User Startup:
C:\Documents and Settings\Jennifer\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 10:55
Operating System: Windows XP
Next I did the DLLCompare and came up with this log file -
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found"
________________________________________________
1,116 items found: 1,116 files, 0 directories.
Total of file sizes: 202,857,479 bytes 193.46 M
Administrator Account = True
--------------------End log---------------------
Lastly, I ran the FindIt and after a long while - got this log to pop up along with a list of errors in the cmd part -
Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 04/28/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES,
THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING.
IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
»»»»» Checking for System32\DrPMon.dll.
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 3B13-16DD
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3B13-16DD
Directory of C:\WINDOWS\system32
04/23/2005 09:28 AM 2,238 MP3.ico
04/23/2005 09:28 AM 766 BlackJack.ico
04/23/2005 09:28 AM 2,238 Cruises.ico
04/23/2005 09:28 AM 766 Air Tickets.ico
04/23/2005 09:28 AM 2,238 Online Betting.ico
04/23/2005 09:28 AM 2,238 Viagra.ico
04/23/2005 09:28 AM 2,238 Car Insurance.ico
04/23/2005 09:28 AM 766 Pharmacy.ico
04/23/2005 09:28 AM 4,534 Remove Spyware.ico
04/23/2005 09:28 AM 2,238 Cigarettes.ico
04/23/2005 09:28 AM 766 Phentermine.ico
04/23/2005 09:28 AM 766 Online Casino.ico
04/23/2005 09:28 AM 766 Party Poker.ico
04/23/2005 09:28 AM 4,606 Credit Card.ico
04/23/2005 09:28 AM 2,238 Forex Trading.ico
04/23/2005 09:28 AM 4,286 Big Tits.ico
04/23/2005 09:28 AM 2,238 Britney Spears.ico
04/23/2005 09:28 AM 4,286 Pornstars.ico
04/23/2005 09:28 AM 4,286 Lesbian Sex.ico
04/23/2005 09:28 AM 4,286 Oral Sex.ico
20 File(s) 48,784 bytes
0 Dir(s) 15,055,044,608 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
And FINALLY - here is my current HijackThis log -
Logfile of HijackThis v1.99.1
Scan saved at 11:22:32 AM, on 4/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Ok, that's it, I've done all you asked. Those are all my logs.
I await your guidance from here as to what to do next.
Many, MANY thanks for all your help so far! Didn't realise this would be such an intensive process!
Hayden