
View Full Version : Assorted Viruses



UdakW
2007-09-16, 02:58
So, yeah. Reformatted, and was swamped again. Rarrrghs. I performed Kaspersky online and Hijack This! searches; here are the logs.

Kaspersky log:

Attached; it's 770kb (!) big, so it's been zipped.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:36 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\tjncm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: 1.exe
O4 - Global Startup: 2.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189200778921
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2662 bytes

/// Off hand, it looks like every .exe on my external HD's is a virus. This may explain how I got hit right after I reformatted (did not reformat the externals, only my main partition with windows).

As always, thanks in advance for helping!

http://forums.spybot.info/showthread.php?t=17573
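A defender-side triage pass over a HijackThis v2 log like the one in the post above, as an added example that is not part of the original thread. The sample lines are constructed from entries in that log, and the three heuristics (process image in a drive root, numeric-named Global Startup item, registration with no file) are assumptions chosen for illustration; they flag lines for manual review and are not verdicts.

```python
import re

# Constructed sample in HijackThis v2 log format, mirroring entries from the post above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
c:\tjncm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: 1.exe
O4 - Global Startup: 2.exe
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # e.g. "O4 - <detail>"
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)  # executable directly in a drive root
BARE_STARTUP = re.compile(r"^Global Startup: \d+\.exe$", re.I)

def parse(log):
    """Split a log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def triage(log):
    """Return (reason, line) pairs that merit a manual look; heuristics, not verdicts."""
    processes, entries = parse(log)
    hits = [("process image in drive root", p) for p in processes if ROOT_EXE.match(p)]
    for code, detail in entries:
        if detail.endswith("(no file)"):
            hits.append(("registration points to a missing file", f"{code} - {detail}"))
        elif code == "O4" and BARE_STARTUP.match(detail):
            hits.append(("numeric-named startup item", f"{code} - {detail}"))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```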

shelf life
2007-09-16, 22:28
hi UdakW,

can't tell if you have a resident av app on your computer or not.


looks like every .exe on my external HD's is a virus

Virus.Win32 attaches itself to windows .exe files. even if you use an antivirus to attempt to clean it up, it could leave behind a damaged .exe
i would reformat again then download a resident updated antivirus app. don't attach any external hd or infected source until you have av. then maybe you can use the av to clean up the other drive or source. or you can consider reformatting them also. looking at the online log it looks like it's all over your computer

shelf life

UdakW
2007-09-17, 01:08
I had avast until it pegged every single .exe as a virus. I deep-sixed it at that point.

I'd prefer not to reformat again...is there really no way to weed it out?

shelf life
2007-09-17, 01:46
hi UdakW,


...is there really no way to weed it out?

well you could try cleaning it up with avast or another updated antivirus, i would run one several times, then follow it with a good antimalware app.
even if cleaned up it could leave behind corrupted/damaged files which might cause problems later. As you found out it also can infect other drives which means they will have to be cleaned up also.
it's up to you, good luck.

UdakW
2007-09-17, 21:19
Avast's way of "fixing" the problem was to take all those .exe's (that still work) and shove them in quarantine. This meant I couldn't even log on, as every single windows .exe is apparently infected. I'm guessing that's what any other AV software would do.

In any case, yeah, I guess I'm just going to have to reformat. This time I'm wiping my other internal along with the drive that has windows. The externals' system restore was compromised, but I easily was able to delete that.

So, thanks. I didn't realize exactly how screwed I was until I did that Kasp scan.

shelf life
2007-09-18, 00:25
hi UdakW,


I'm just going to have to reformat
i would say that's the safest thing to do. if you tried another AV, some of the cleaned up .exe's would probably cause you more headaches down the road. and any virus still lurking on one of your drives could reinfect all of them again.
i have some prevention tips in my link below. good luck

shelf life

UdakW
2007-09-18, 03:20
Yeah, just reformatted and cleared everything relevant. Starting anew, but it's for the best. Feel free to lock this topic, and thanks for the advice.

shelf life
2007-09-18, 04:27
hi UdakW,

glad to help.

happy safe surfing

shelf life