This seems to be getting worse; I can no longer use Ctrl+Alt+Delete.
Edit: I ran HijackThis, Ewido, AVG, and ActiveScan, and the viruses seem to be coming back.
Ewido healed like 13, and AVG found and deleted these three:
Worm/Agobot TF in C:\WINDOWS\svchost.exe
and 2 GM trojans in C:\System Volume Information\_restore...
Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 3:38:53 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe
_____________________________
smitRem log file
version 2.3
by noahdfear
The current date is: Tue 08/09/2005
The current time is: 15:39:34.26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
____________________________
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, August 09, 2005 3:42:53 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________
Reffile status:
=========================
Reference file loaded:
Reference Number : 01R347 26.10.2004
Internal build : 281
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1379284 Bytes
Signature data size : 1356739 Bytes
Reference data size : 22481 Bytes
Signatures total : 29961
Target categories : 10
Target families : 587
8-9-2005 3:42:46 PM Error retrieving update
Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:19 %
Total physical memory:129008 kb
Available physical memory:23264 kb
Total page file size:314428 kb
Available on page file:253048 kb
Total virtual memory:2097024 kb
Available virtual memory:2056696 kb
OS:
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
8-9-2005 3:42:53 PM - Scan started. (Custom mode)
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Tracking Cookie Object recognized!
Type : File
Data : owner@adrevolver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 3:53:28 AM
Last accessed : 8/9/2005 11:43:02 PM
Last modified : 8/9/2005 3:53:33 AM
Tracking Cookie Object recognized!
Type : File
Data : owner@adrevolver[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 3:53:28 AM
Last accessed : 8/9/2005 11:43:02 PM
Last modified : 8/9/2005 3:53:33 AM
Tracking Cookie Object recognized!
Type : File
Data : owner@cgi-bin[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 6:47:33 PM
Last accessed : 8/9/2005 11:43:03 PM
Last modified : 8/9/2005 6:47:33 PM
Tracking Cookie Object recognized!
Type : File
Data : owner@clickbank[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/8/2005 6:48:20 PM
Last accessed : 8/9/2005 11:43:03 PM
Last modified : 8/8/2005 6:48:20 PM
Tracking Cookie Object recognized!
Type : File
Data : owner@maxserving[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 6:16:06 AM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/9/2005 6:16:06 AM
Tracking Cookie Object recognized!
Type : File
Data : owner@metriweb[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/5/2005 4:33:28 AM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/5/2005 4:33:28 AM
Tracking Cookie Object recognized!
Type : File
Data : owner@realmedia[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 8:34:34 PM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/9/2005 8:51:09 PM
Tracking Cookie Object recognized!
Type : File
Data : owner@tripod[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 8:51:14 PM
Last accessed : 8/9/2005 11:43:05 PM
Last modified : 8/9/2005 8:51:14 PM
Tracking Cookie Object recognized!
Type : File
Data : owner@zedo[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\
Created on : 8/9/2005 9:15:12 PM
Last accessed : 8/9/2005 11:43:05 PM
Last modified : 8/9/2005 9:15:14 PM
Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 9
3:59:46 PM Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:16:52:516
Objects scanned :93111
Objects identified :9
Objects ignored :0
New objects :9
__________________
Active scan:
Incident                  Status           Location
Virus:W32/Sdbot.ftp       Disinfected      C:\WINDOWS\SYSTEM32\i
Adware:adware/azesearch   No disinfected   C:\WINDOWS\SYSTEM32\ztoolbar.bmp
Edited by niccolai, 10 August 2005 - 04:16 PM.