I am having all kinds of problems, here is what I am seeing:
- when I am in IE, going to any site is very slow (<10 seconds most times)
- I then started getting pop-up ads with a title in the title bar all starting with two dashes (all related to my original destination).
- Shortly after that, I could not get to any web site at all, I would get an error and the URL it was trying to go to was www.ads234.com (and passing my original URL as a parameter in the ads234 URL)
- I would end up on a website called www.incredifind.com, with an error message saying it could not get to the www.ads234.com URL
- also my WINDOWS explorer is extremely slow when navigating directories, but when I navigate the same directory tree within another application (e.g. File, Open in Excel), it is very fast
I ran all the programs in the required steps, it found a bunch of things and fixed them, but I am still having problems. I also have disabled Windows messenger, have the latest definitions for Norton (which is always running), and also have the XP built-in firewall enabled.
IE is still very slow, as is Windows Explorer. Also, I frequently get a dialogue box saying that the ts2.exe program crashed (and I know ts2.exe is a malicious program). I can now get to other websites, but I suspect this may be because there was a problem with the ads234 website before that they have since fixed (if it was "down" previously, that may have been the reason I could not get redirected to my originally intended URL after it did its thing). I still get some popups, but not nearly as many as before (when I was getting 2 or 3 every time I tried to go to a new site). Finally, I installed Firefox and it is very fast, several times (at least) faster than IE.
In any case, below is my HijackThis log. Please let me know if you have any questions or require any additiional info. Thanks again for the help.
PS. Anything with Accenture in it is probably OK, that is the company I work for and we have a lot of pre-installed software including security protection programs such as BlackIce.
Logfile of HijackThis v1.99.0
Scan saved at 12:02:06 AM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\acstp\icserv.exe
c:\program files\firm applications\media viewer\services\streamviewerservice.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\MYAPPL~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\ACNU\ACNUpdater.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\My Applications\DigiDay\dd_clock.exe
C:\Palm\HOTSYNC.EXE
C:\My Applications\X1\X1Systray.exe
C:\My Applications\X1\X1.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\program files\acnu\acnupdatersvc.exe
C:\Palm\Palm.exe
C:\Palm\AlarmApp.exe
C:\Program Files\Nortel Networks\Extranet.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://set-proxy.acc...bin/setup.proxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [eSupInit] "C:\Program Files\Support.com\bin\eSupCmd.exe" -inituser
O4 - HKLM\..\Run: [EM_EXEC] C:\MYAPPL~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
O4 - HKLM\..\Run: [Unc.exe] C:\documents and settings\david_m_chen\local settings\temp\Unc.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Progra~1\Support.com\bin\tgcmd.exe " /nosystray
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\My Applications\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [wzszmtkx] C:\WINDOWS\wzszmtkx.exe
O4 - HKLM\..\Run: [zkfbpaez] C:\WINDOWS\System32\wykibbkc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Startup: BounceBack Launcher.lnk = ?
O4 - Startup: DigiDay Clock.lnk = C:\My Applications\DigiDay\dd_clock.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: X1 Tray Icon.lnk = C:\My Applications\X1\X1Systray.exe
O4 - Startup: X1.lnk = C:\My Applications\X1\X1.exe
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
O15 - Trusted Zone: *.accenture.com
O15 - Trusted Zone: *.accenture.com (HKLM)
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - https://esupport.acc...oad/tgctlsi.cab
O16 - DPF: {2D43C9E8-E08F-11D3-95A4-0090271F0946} (Keon Class) - https://enrolltoken....WebPassPort.cab
O16 - DPF: {2F175895-5819-4014-83BF-385FA6833677} (IObjSafety.eSupportWS) - https://esupport.acc.../IObjSafety.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {42442236-3673-4054-89C0-A7408BC51EFC} (SDLNSrvr.clsNotes) - https://methodology....ChainMaster.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://usvas04/proje...ts/pjclient.cab
O16 - DPF: {61CE1CA1-6577-49B6-AE2C-43007A942429} (WebcastLogOut.Webcast) - https://webcast.acce...WebcastInfo.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104718429204
O16 - DPF: {763C10EE-E4C6-49AA-9325-F15ABF1C52B0} (X1 DownloadControl Class) - http://www.x1.com/do...1WebInstall.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://usvps01/proje...033/pjcintl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{17395153-269B-4203-AFD7-067CBED5EE5B}: NameServer = 10.30.5.6,10.30.5.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com,internal.accenture.com,ausv,agc.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{17395153-269B-4203-AFD7-067CBED5EE5B}: NameServer = 10.30.5.6,10.30.5.70
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com,internal.accenture.com,ausv,agc.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com,internal.accenture.com,ausv,agc.local
O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: MC/Empower i.collect Service - Unknown - C:\WINDOWS\system32\acstp\icserv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Accenture Media Viewer - - c:\program files\firm applications\media viewer\services\streamviewerservice.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe