Only a little while ago I was smart enough to post my malware woes on this forum. In almost no time at all, Blade81 helped me out greatly: see my previous thread here (http://forums.spybot.info/showthread.php?t=13045&goto=newpost).

However now I find that there is an even larger problem.

Symptoms: While working I notice a "clicking" noise like that of when IE is switching between websites; occasionally I get pop-ups from IE telling me about how it just stopped a pop-up (:red: ), sometimes it gives me the pop-up that I am able to be re-directed to another website; and other times my computer starts playing music, I suppose, from some internet site.

Here's the crazy part: I DON'T HAVE IE RUNNING! Checking Taskmanager shows that there are no instances of iexplore.exe. So what in the world is happening?

Here's a fresh HJ log.

Logfile of HijackThis v1.99.1
Scan saved at 4:28:25 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDFpas] C:\LingLink\PDFpas.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [keyman.exe] C:\Program Files\Tavultesoft\Keyman\keyman.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120626899539
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any and all help will be GREATLY appreciated!! :spider: :spider:

Hello and sorry for the wait.

If you are still in need of assistance see this sticky: If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Hello Dharmabm42 and sorry for the delay...

Nothing fishy in the HjT log. Let's do an online scan first..

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Hi Mr Jak, thanks for your help.

Here's the log from that on-line scan. It said it found some things which even my AVG didn't pick up. I few are Java-related, but I already updated my Java as you might have read in my last thread.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 07, 2007 7:14:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/05/2007
Kaspersky Anti-Virus database records: 315198
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 207137
Number of viruses found: 13
Number of infected objects: 26 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:03:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-49f0ede4/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-49f0ede4/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-49f0ede4/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-49f0ede4 ZIP: infected - 3 skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-77590ce4.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-77590ce4.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-77590ce4.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Sean\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-77590ce4.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\abook.mab Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\cert8.db Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\key3.db Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\Mail\Local Folders\Inbox.msf Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\Mail\Local Folders\Junk.msf Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\Mail\Local Folders\Templates.msf Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\panacea.dat Object is locked skipped
C:\Documents and Settings\Sean\Application Data\Thunderbird\Profiles\9vitixep.default\parent.lock Object is locked skipped
C:\Documents and Settings\Sean\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sean\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sean\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sean\Local Settings\Temp\nsmail.eml/[From Sean Cochran <seanpmcochran@gmail.com>][Date Mon, 24 Apr 2006 10:52:54 -0700]/SetupDVDDecrypter_3.5.1.0.zip/SetupDVDDecrypter_3.5.1.0.exe Infected: Trojan-Dropper.Win32.Delf.dh skipped
C:\Documents and Settings\Sean\Local Settings\Temp\nsmail.eml/[From Sean Cochran <seanpmcochran@gmail.com>][Date Mon, 24 Apr 2006 10:52:54 -0700]/SetupDVDDecrypter_3.5.1.0.zip Infected: Trojan-Dropper.Win32.Delf.dh skipped
C:\Documents and Settings\Sean\Local Settings\Temp\nsmail.eml Mail: infected - 2 skipped
C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\CD09MFWT\index[1].htm Infected: Trojan-Downloader.VBS.Agent.au skipped
C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\S1YV0L2B\index[1].htm Infected: Exploit.HTML.IESlice.i skipped
C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\TWXXNX9N\index[3].htm Infected: Trojan-Downloader.JS.Small.dz skipped
C:\Documents and Settings\Sean\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sean\ntuser.dat.LOG Object is locked skipped
C:\My Shared Folder\K-Lite.v2.7.RC1.nsane.install.exe/Stream/data0005 Infected: not-a-virus:AdWare.Win32.Altnet.e skipped
C:\My Shared Folder\K-Lite.v2.7.RC1.nsane.install.exe/Stream Infected: not-a-virus:AdWare.Win32.Altnet.e skipped
C:\My Shared Folder\K-Lite.v2.7.RC1.nsane.install.exe Inno: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6B11D502-6825-425C-BE9A-73A545724ED6}\RP67\A0005500.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6B11D502-6825-425C-BE9A-73A545724ED6}\RP67\A0005500.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6B11D502-6825-425C-BE9A-73A545724ED6}\RP78\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\GATE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A42B1549-0D7A-486E-89A0-431B051E2CD5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0003 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0007 Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe NSIS: infected - 6 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8605.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT06423.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06426.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks again for your time! It is appreciated!

-Dharma

Hello :)

Kaspersky found some infections.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

You could delete these infected emails:

C:\Documents and Settings\Sean\Local Settings\Temp\nsmail.eml/[From Sean Cochran <seanpmcochran@gmail.com>][Date Mon, 24 Apr 2006 10:52:54 -0700]/SetupDVDDecrypter_3.5.1.0.zip/SetupDVDDecrypter_3.5.1.0.exe Infected: Trojan-Dropper.Win32.Delf.dh skipped
C:\Documents and Settings\Sean\Local Settings\Temp\nsmail.eml/[From Sean Cochran <seanpmcochran@gmail.com>][Date Mon, 24 Apr 2006 10:52:54 -0700]/SetupDVDDecrypter_3.5.1.0.zip Infected: Trojan-Dropper.Win32.Delf.dh skipped
C:\Documents and Settings\Sean\Local Settings\Temp\nsmail.eml Mail: infected - 2 skipped

Delete this file:
C:\My Shared Folder\K-Lite.v2.7.RC1.nsane.install.exe

Delete this folder:
C:\WINDOWS\system32\bund1

Post a fresh HijackThis log. Let me know how the computer is running :bigthumb:

Hi Mr Jak:

There was just the one e-mail file, right? I got that and the other files you mentioned as well as ran ATF cleaner.

Here's the HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 4:54:02 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tavultesoft\Keyman\keyman.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDFpas] C:\LingLink\PDFpas.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [keyman.exe] C:\Program Files\Tavultesoft\Keyman\keyman.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120626899539
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I'm not sure if that did the trick yet. I haven't heard any clicking or bleeping noise like IE does when it blocks something. Any thoughts as to whether those infected files could have been doing anything?

Thanks again,

Dharma.

Hello :)

The log is looking clean now. Yes, only one email....

Hmm are you sure that IE wasn't blocking those popups when you heard the noise?

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Doubleclick fsbl.exe, accept the agreement, click Scan, then click Next

You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)

Hi Mr Jak:

Blacklight didn't find anything.

05/09/07 11:37:48 [Info]: BlackLight Engine 1.0.61 initialized
05/09/07 11:37:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/09/07 11:37:48 [Note]: 7019 4
05/09/07 11:37:48 [Note]: 7005 0
05/09/07 11:37:55 [Note]: 7006 0
05/09/07 11:37:55 [Note]: 7011 1708
05/09/07 11:37:55 [Note]: 7026 0
05/09/07 11:37:55 [Note]: 7026 0
05/09/07 11:37:57 [Note]: FSRAW library version 1.7.1021
05/09/07 11:46:01 [Note]: 2000 1012
05/09/07 11:53:29 [Note]: 7007 0

I'll keep my ear out. Maybe we got it somehow already? Thanks again for all your help.

- Dharma.

Just a quick word of clarification for your last question: I know that the noises I have been hearing are from IE - sometimes I even get a pop-up from IE telling me about how wonderful its information bar is. The funny thing is I don't have IE running when this happens!

Ok good :)

How is the computer running now? :bigthumb:

I think it might be OK. No mysterious processes, strange bleeps or random pop-ups.

Thanks again.

- Dharma.

That is nice to hear :)

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)