Ladanea
2008-03-08, 09:21
I started having a problem with a search engine redirect from both Google and Yahoo in both Firefox and IE. I scanned my computer with AVG and it showed nothing. Reset cookies. Cleared cache and history. It was still redirecting and I couldn't figure out what to do so I started Spybot S&D and Ad-Aware and went to bed.
The next morning they had turned up a bunch of cookies and something else on the winsock (which I didn't understand), and I cleaned all that up. The redirect somehow stopped, but I found this forum and decided to run Kaspersky anyway. It identified a virus still in the system, which AVG still doesn't see. Here is the log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 07, 2008 6:55:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/03/2008
Kaspersky Anti-Virus database records: 610241
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 126822
Number of viruses found: 1
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:06:54
Infected Object Name / Virus Name / Last Action
F:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
F:\Documents and Settings\All Users\Downloads\WeatherbugSetupZ6157.msi/Cabs.w1.cab/wxutil.dll24 Infected: Trojan.Win32.Agent.fua skipped
F:\Documents and Settings\All Users\Downloads\WeatherbugSetupZ6157.msi/Cabs.w1.cab Infected: Trojan.Win32.Agent.fua skipped
F:\Documents and Settings\All Users\Downloads\WeatherbugSetupZ6157.msi Embedded: infected - 2 skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\cert8.db Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\formhistory.dat Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\history.dat Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\key3.db Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\parent.lock Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\search.sqlite Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\urlclassifier2.sqlite Object is locked skipped
F:\Documents and Settings\Lillian\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_001_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_002_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_003_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_MAP_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\History\History.IE5\MSHist012008030720080308\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Temp\Free Download Manager\tic322.tmp Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Temp\Free Download Manager\tic336.tmp Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Lillian\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Program Files\AWS\WeatherBug\wxutil.dll Infected: Trojan.Win32.Agent.fua skipped
F:\Program Files\Yahoo!\Messenger\logs\billing_Lillian.log Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\client_Lillian.log Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\network_Lillian.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP29\A0007236.msi/Cabs.w1.cab/wxutil.dll24 Infected: Trojan.Win32.Agent.fua skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP29\A0007236.msi/Cabs.w1.cab Infected: Trojan.Win32.Agent.fua skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP29\A0007236.msi Embedded: infected - 2 skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP80\change.log Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\Internet Logs\ELINOR.ldb Object is locked skipped
F:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
F:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
F:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
F:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{B368B614-0E07-410C-9A2E-5A50E3B5CC12}.bin Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\Internet.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
F:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\Perflib_Perfdata_efc.dat Object is locked skipped
F:\WINDOWS\Temp\ZLT036e1.TMP Object is locked skipped
F:\WINDOWS\Temp\ZLT044c3.TMP Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
---------------------
I then ran HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:56 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exl
F:\WINDOWS\vsnpstd3.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoolIrisIEHelperObject.CoolIrisIEBHO - {AD0BAB4B-212D-45D7-9E5B-CB1579132715} - F:\Program Files\CoolIris\CoolIrisIEHelperObject.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [googletalk] F:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd3] F:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PaperQuote '01] F:\Program Files\PaperQuote\PQ.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Analogue Vista Clock] F:\Program Files\Analogue Vista Clock\Analogue Vista Clock.exe
O4 - HKCU\..\Run: [Weather] F:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TwitBox] F:\Program Files\TwitBox_0925\TwitBox.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TimeLeft.lnk = F:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = F:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = F:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://F:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://F:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://F:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: CoolIris Preferences - {449DB14A-F988-4fd8-9361-F212D7B6414B} - F:\Program Files\CoolIris\CoolIrisPreferences.exe
O9 - Extra 'Tools' menuitem: CoolIris Preferences - {449DB14A-F988-4fd8-9361-F212D7B6414B} - F:\Program Files\CoolIris\CoolIrisPreferences.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
------------
How can I get rid of this apparent virus (and what is it)? I don't even know if this is what caused the redirect problem, since that has stopped.
Thank you in advance!
Lillian
The next morning they had turned up a bunch of cookies and something else on the winsock (which I didn't understand), and I cleaned all that up. The redirect somehow stopped, but I found this forum and decided to run Kaspersky anyway. It identified a virus still in the system, which AVG still doesn't see. Here is the log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 07, 2008 6:55:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/03/2008
Kaspersky Anti-Virus database records: 610241
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 126822
Number of viruses found: 1
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:06:54
Infected Object Name / Virus Name / Last Action
F:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
F:\Documents and Settings\All Users\Downloads\WeatherbugSetupZ6157.msi/Cabs.w1.cab/wxutil.dll24 Infected: Trojan.Win32.Agent.fua skipped
F:\Documents and Settings\All Users\Downloads\WeatherbugSetupZ6157.msi/Cabs.w1.cab Infected: Trojan.Win32.Agent.fua skipped
F:\Documents and Settings\All Users\Downloads\WeatherbugSetupZ6157.msi Embedded: infected - 2 skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\cert8.db Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\formhistory.dat Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\history.dat Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\key3.db Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\parent.lock Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\search.sqlite Object is locked skipped
F:\Documents and Settings\Lillian\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\urlclassifier2.sqlite Object is locked skipped
F:\Documents and Settings\Lillian\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_001_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_002_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_003_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Application Data\Mozilla\Firefox\Profiles\gxuiupgy.default\Cache\_CACHE_MAP_ Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\History\History.IE5\MSHist012008030720080308\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Temp\Free Download Manager\tic322.tmp Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Temp\Free Download Manager\tic336.tmp Object is locked skipped
F:\Documents and Settings\Lillian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Lillian\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Lillian\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Program Files\AWS\WeatherBug\wxutil.dll Infected: Trojan.Win32.Agent.fua skipped
F:\Program Files\Yahoo!\Messenger\logs\billing_Lillian.log Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\client_Lillian.log Object is locked skipped
F:\Program Files\Yahoo!\Messenger\logs\network_Lillian.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP29\A0007236.msi/Cabs.w1.cab/wxutil.dll24 Infected: Trojan.Win32.Agent.fua skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP29\A0007236.msi/Cabs.w1.cab Infected: Trojan.Win32.Agent.fua skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP29\A0007236.msi Embedded: infected - 2 skipped
F:\System Volume Information\_restore{13DFD6F0-844A-4015-9D56-6B74DE52A416}\RP80\change.log Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\Internet Logs\ELINOR.ldb Object is locked skipped
F:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
F:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
F:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
F:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{B368B614-0E07-410C-9A2E-5A50E3B5CC12}.bin Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\Internet.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
F:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\Perflib_Perfdata_efc.dat Object is locked skipped
F:\WINDOWS\Temp\ZLT036e1.TMP Object is locked skipped
F:\WINDOWS\Temp\ZLT044c3.TMP Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
---------------------
I then ran HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:56 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exl
F:\WINDOWS\vsnpstd3.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoolIrisIEHelperObject.CoolIrisIEBHO - {AD0BAB4B-212D-45D7-9E5B-CB1579132715} - F:\Program Files\CoolIris\CoolIrisIEHelperObject.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [googletalk] F:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd3] F:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PaperQuote '01] F:\Program Files\PaperQuote\PQ.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Analogue Vista Clock] F:\Program Files\Analogue Vista Clock\Analogue Vista Clock.exe
O4 - HKCU\..\Run: [Weather] F:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TwitBox] F:\Program Files\TwitBox_0925\TwitBox.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TimeLeft.lnk = F:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = F:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniMavis.lnk = F:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://F:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://F:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://F:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: CoolIris Preferences - {449DB14A-F988-4fd8-9361-F212D7B6414B} - F:\Program Files\CoolIris\CoolIrisPreferences.exe
O9 - Extra 'Tools' menuitem: CoolIris Preferences - {449DB14A-F988-4fd8-9361-F212D7B6414B} - F:\Program Files\CoolIris\CoolIrisPreferences.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - F:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
------------
How can I get rid of this apparent virus (and what is it)? I don't even know if this is what caused the redirect problem, since that has stopped.
Thank you in advance!
Lillian