Note: When someone has time to help me, I'll need to re-post my log. I've been trying to follow others' questions and concerns and using the advice given to them (using Ewido, etc). So, this will most likely look different by the time it gets to me.
I am still having problems, though, and would appreciate some help.
I've gone through all the requisite steps by running Adawre (multiple times after reboot), Spybot (multiple times after reboot), the online virus scan, cleanup, cwshredder, etc.
Still, I am getting popups after removing many things...
I cannot boot into safe mode. The Administrator username/password and my regular username/password do not work and I can't get into it for some reason. (This is a work PC, not a personal one).
How does one update CWShredder when there is a proxy? I do not see a way to provide a proxy through the program like Adaware and Spybot have.
Thanks in advance for the help...
Mike
--------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:28:00 AM, on 6/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\PROGRA~1\COMERI~1\NetCfgSv.EXE
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\TpScrLk.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\NALDESK.EXE
C:\WINNT\system32\ICO.EXE
C:\WINNT\system32\Pelmiced.exe
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\pwreset.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINNT\system32\bcmwltry.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINNT\system32\rrmpau.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HAS\HAS.EXE
C:\Program Files\Adobe\Acrobat6\Distillr\acrotray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\clntrust.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\notes\NLNOTES.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\notes\ntaskldr.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HiJack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wsj.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.7.2.40:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 128.1.*;129.1.*;*.INT.COMERICA.COM;131.1.*.*;172.16.*.*;*.userconnect.com;170.228.*.*;172.30.1.*;arhdal1;arhdal2;arhmro1;arhmro2;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [NumChk] NumpChk.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [PWReset] C:\WINNT\pwreset.exe 15 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] c:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rrmpau.exe reg_run
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
O4 - HKCU\..\Run: [HAS.exe] "C:\Program Files\HAS\HAS.EXE" -m
O4 - HKCU\..\Run: [c0spRVK4i] dpswsewm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat6\Distillr\acrotray.exe
O4 - Global Startup: Clntrust.exe
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://remoteaccess...ca32/wficac.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) - https://remoteaccess...in2k/AX2KEE.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....00719/sb02a.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - http://miosgas205/WF..._3_1_02-win.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = int.comerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = int.comerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = int.comerica.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\COMERI~1\NetCfgSv.EXE
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\bin\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
Edited by analyst44, 29 June 2005 - 07:30 AM.