GOsCheshire
2006-09-17, 02:50
I ran the Symantec online virus scan, as none of the others seemed to work. I have its info listed below the HijackThis log. I have removed the viruses that Symantec found.
Logfile of HijackThis v1.99.1
Scan saved at 2:38:30 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jon
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
50614 files scanned, 20 file(s) infected on your disk drives.
No viruses were detected in memory.
Your computer is infected with at least one known virus or Trojan horse.
Note: The scan was cancelled before finishing. There may be more infected files on this computer.
Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.
A scan has not been run. To start Virus Detection, click here.
C:\WINDOWS\cfg32.exe is infected with Adware.PStrip
C:\WINDOWS\cfg32a.exe is infected with Adware.PStrip
C:\WINDOWS\em.ocx is infected with Adware.Medload
C:\WINDOWS\haklxmz.exe is infected with Trojan.Popper
C:\WINDOWS\Justin.exe is infected with Adware.Ezula
C:\WINDOWS\MirarSetup_876057.exe is infected with Adware.Mirar
C:\WINDOWS\TIELT001.exe is infected with Adware.ZenoSearch
C:\WINDOWS\uninst104.exe is infected with Trojan Horse
C:\WINDOWS\uni_ehhhh.exe is infected with Trojan Horse
C:\WINDOWS\system32\BattyRun2.dll is infected with Adware.FCHelp
C:\WINDOWS\system32\bk.exe is infected with Adware.SurfSideKick
C:\WINDOWS\system32\msvcrl.dll is infected with Infostealer
C:\WINDOWS\system32\nsd96.dll is infected with Adware.Ezula
C:\WINDOWS\system32\sachostp.exe is infected with W32.Looksky.H@mm
C:\WINDOWS\system32\WinNB58.dll is infected with Adware.Mirar
C:\WINDOWS\system32\crunner\cproc.exe is infected with Adware.TargetSaver
C:\WINDOWS\system32\crunner\cupdater.exe is infected with Adware.TargetSaver
C:\WINDOWS\Sm9u\mA6R.vbs is infected with Spyware.ISearch
C:\Program Files\Common Files\misc002\141.exe is infected with Adware.TargetSaver
C:\Program Files\Common Files\misc002\calli.exe is infected with Adware.Purityscan
Split off from:
http://forums.spybot.info/showthread.php?p=42767#post42767