Argh.
OK, I've pretty much done the following:
ran cleanmgr
enabled default configuration in msconfig
ran Adaware
ran CWShredder
uninstalled/reinstalled Spybot (had problems doing so for some reason...but managed...)
ran Ewido (I like this program!) + saved log
ran Trend Housecall
ran Trojanhunter
Windows Update is current
ran HJT + Saved log
rebooted, and still Winfixer problem (Ewido catches most of these).
So here are the respective log files. There are probably more things running than I care about, as I bypassed some via msconfig in the past.
Thanks in advance!
----------------------------------------------------------------------------------------------------------------------------
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 8:54:33 PM, 10/29/2005
+ Report-Checksum: A37DE1D6
+ Scan result:
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/BridgeX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/BridgeX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2298212029-1623293429-3340021601-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-2298212029-1623293429-3340021601-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-2298212029-1623293429-3340021601-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Maki\Application Data\Mozilla\Firefox\Profiles\ah85ce05.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Maki\Cookies\maki@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Maki\Cookies\[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Maki\Desktop\backups\backup-20051029-004529-786.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\SYSTEM32\gebxu.dll -> Spyware.Virtumonde : Cleaned with backup
::Report End
----------------------------------------------------------------------------------------------------------------------
HJT
------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:59:54 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\RamXPro\FreeRAM XP Pro 1.40.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\TelSIP\TelSIP.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\Pantone, Inc\PANTONE® colorist\PANTONE® colorist.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Maki\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\gebxu.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ttucrltksluys] C:\WINDOWS\System32\gmhlyqgq.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\RamXPro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TelSIP] C:\Program Files\TelSIP\TelSIP.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: PANTONE® colorist.lnk = C:\Program Files\Pantone, Inc\PANTONE® colorist\PANTONE® colorist.exe
O4 - Startup: PGPtray.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: http://us.mcafee.com
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.104...PlayerWeb11g.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...in/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...537/2005102501/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...tivescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...in/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: gebxu - C:\WINDOWS\system32\gebxu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
------------------------------------------------------------------------------------------------------------------------