Because my regular computer is in the shop for repair, my dad gave me an old but still decent Toshiba laptop of his to use. He hasn't worked with it for quite a while, and I can imagine why: it's literally teeming with malware. I have already decided to give him a crash course in safer surfing and a bunch of protective programs before his new one finds the same fate.
I don't think this poor computer even has Service Pack 2 (it's running Windows XP Home Edition, in Dutch), and I tried downloading updates, but there are constantly problems getting to the Windows Update website; it gives a 0x80072EE2 error when I try to update on the site, probably unrelated to the problems at hand.
A big nuisance is the constant pop-up ads, most of the time for anti-virus and anti-spyware programs. It's very hard to dodge them because they especially pop up when there's a legitimate site using ActiveX components (like the Panda Software online scan and Microsoft Update) and try to entice you to click something. I have Spyware Blaster installed to help deal with that problem. Still, I am typing this in Notepad with the cat-5 cable unplugged from the computer, and, how odd, Internet Explorer (I usually use Firefox, which is also installed on this computer) keeps asking me to connect to the internet because the requested page, which I never requested, is not available offline.
Spybot S&D finds lots of problems, but usually after they've been repaired I find them right back the next day. I can't yet tell you anything about the effectiveness of ClamWin (an anti-virus program). I tried to boot in Safe Mode, then run AVG Anti-Spyware, then reboot, but I am still getting attempts to connect to a website in Internet Explorer (which I set to 'Work Offline' to work around the pop-ups; I work with Firefox). The websites that pop up otherwise advertise WinAntivirus and DriveCleaner, and if I type those into a browser it redirects me to another pop-up. Browser windows shut when I was looking for a way to work around the fact that in Safe Mode there were no icons or taskbar, just a black background with letters spelling "Safe Mode". (The trick was to use Task Manager, which I did.)
Here are the logs; if you could help me, that would be great. Maybe I did something wrong with the self-help; the problem doesn't seem to be solved yet.
Thanks in advance!
=== Hijack This! ===
Logfile of HijackThis v1.99.1
Scan saved at 22:51:54, on 4-7-2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32 THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MasterSolution\MasterPointer\Marker.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\WINDOWS\system32\RaConfig2500.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32 THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Msn Windows Joiner] msnwin.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\system32\jmovxgi.exe
O4 - HKLM\..\Run: [Microsoft Corporation winb Services] .exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\jiglrfvr.dll",forkonce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Msn Windows Joiner] msnwin.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation winb Services] .exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Microsoft Corporation winb Services] .exe
O4 - HKCU\..\RunServices: [Microsoft Corporation winb Services] .exe
O4 - Startup: OpenOffice.org 2.2 .lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: MasterPointer.lnk = C:\Program Files\MasterSolution\MasterPointer\Marker.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://update.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183502979505
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183502703018
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: c:\windows\system32\mllkkli.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\fddanhrk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Universal Printer NT Service - Unknown owner - C:\WINDOWS\System32\dllcache\upnt.exe (file missing)
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 22:39:23 4-7-2007
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-2796713857-919082819-4212676017-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\.clamwin\quarantine\infected.ddcccdd.dll.000 -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\.clamwin\quarantine\infected.opnmnnm.dll.000 -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\.clamwin\quarantine\infected.ssqrqoo.dll.000 -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\.clamwin\quarantine\infected.yayawus.dll.000 -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035372.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035374.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035380.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035383.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\awttuvv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\efebc.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iifcbay.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\opnmnnm.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDQRSTUV\84785_mssql[1].exe -> Backdoor.Mytobor.c : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dllcache\upnt.exe -> Backdoor.Mytobor.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035369.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP583\A0039779.exe -> Backdoor.Rbot.bqj : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Maartje Swart\Application Data\Mozilla\Firefox\Profilesepj8fmv.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.16:C:\Documents and Settings\Maartje Swart\Application Data\Mozilla\Firefox\Profilesepj8fmv.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035377.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\Application Data\tmp46.tmp.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\Application Data\tmp6.tmp.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\Documents and Settings\Maartje Swart\Application Data\tmpF.tmp.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035370.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035384.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0036677.EXE -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0036678.EXE -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0036679.EXE -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lnedpdnk.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\owfqlkcq.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sjyssgyt.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035371.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035376.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035379.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0035382.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP582\A0036675.DLL -> Trojan.Klone.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C564255C-6D1B-449D-85D8-E7ADCDEE3A81}\RP583\A0037656.dll -> Trojan.Klone.k : Cleaned with backup (quarantined).
::Report end
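As an added example (not part of the post above, and not code from HijackThis, AVG or any forum helper), here is a small triage script that reads HijackThis O4/O20/O23 lines and flags the patterns that stand out in this log: autorun entries whose file has no name (`.exe`), random-looking file names of the shape the Virtumonde/Vundo entries have (`jmovxgi`, `jiglrfvr`, `mllkkli`, `fddanhrk`), one display name registered in several autorun keys at once, a non-empty `AppInit_DLLs` value (a DLL listed there is loaded into every process that loads user32.dll), and services whose binary is missing or whose owner is unknown. The sample lines are copied from the log above; the "random name" rule (7 or more lowercase letters containing a run of three consonants) and the cut-off of two autorun locations are heuristics I chose for this example, not signatures, and they will produce false positives on some legitimate software.

```python
import re
import ntpath
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Msn Windows Joiner] msnwin.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\system32\jmovxgi.exe
O4 - HKLM\..\Run: [Microsoft Corporation winb Services] .exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\jiglrfvr.dll",forkonce
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Msn Windows Joiner] msnwin.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation winb Services] .exe
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Microsoft Corporation winb Services] .exe
O4 - HKCU\..\RunServices: [Microsoft Corporation winb Services] .exe
O20 - AppInit_DLLs: c:\windows\system32\mllkkli.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\fddanhrk.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def binary_of(cmd: str) -> str:
    """The file an O4 command really runs: the rundll32 target if present, else the first token."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def stem_of(path: str) -> str:
    """File name without directory and extension; '.exe' on its own yields an empty stem."""
    base = ntpath.basename(path.strip('"'))
    return re.match(r"^(.*?)(?:\.[A-Za-z0-9]+)?$", base).group(1)


def looks_random(stem: str) -> bool:
    """Heuristic chosen for this example (an assumption, not a signature): 7+ lowercase
    letters with a run of three consonants, the shape of the Vundo-style names in the log."""
    return bool(re.fullmatch(r"[a-z]{7,}", stem)) and re.search(r"[bcdfghjklmnpqrstvwxz]{3}", stem) is not None


def triage(log_text: str) -> dict:
    """Map each suspicious HijackThis line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    locations = defaultdict(set)   # O4 display name -> {(hive, key)}
    o4_lines = defaultdict(list)   # O4 display name -> lines carrying it
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := O4_RE.match(line):
            name = m["name"]
            locations[name].add((m["hive"], m["key"]))
            o4_lines[name].append(line)
            stem = stem_of(binary_of(m["cmd"]))
            if stem == "":
                findings[line].append("autorun entry with no file name ('.exe')")
            elif looks_random(stem):
                findings[line].append(f"random-looking file name '{stem}'")
            if m["key"] == "RunServices":
                findings[line].append("RunServices is only honoured by Windows 9x/Me; an entry there on XP deserves a look")
        elif m := O20_RE.match(line):
            findings[line].append("AppInit_DLLs is set; that DLL is loaded into every process that loads user32.dll")
            for dll in re.split(r"[ ,]+", m["dlls"]):
                if looks_random(stem_of(dll)):
                    findings[line].append(f"random-looking DLL name '{stem_of(dll)}'")
        elif m := O23_RE.match(line):
            if m["missing"]:
                findings[line].append("service binary is missing on disk")
            if m["owner"] == "Unknown owner":
                findings[line].append("service has no vendor information")
            if looks_random(stem_of(m["path"])):
                findings[line].append(f"random-looking service binary '{stem_of(m['path'])}'")
    # One display name written to several autorun keys is a persistence pattern worth flagging.
    for name, locs in locations.items():
        if len(locs) >= 2:
            for line in o4_lines[name]:
                findings[line].append(f"'{name}' is registered in {len(locs)} autorun locations")
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run as-is it prints the flagged lines with their reasons; the Toshiba, Apoint, AVG, ClamWin and NVIDIA entries pass clean, while the `.exe` entries, `jmovxgi.exe`, `jiglrfvr.dll`, the `AppInit_DLLs` line and the `DomainService` service are flagged. Anything it reports still needs a human decision (upload the file to a scanner, check the vendor signature); the script only orders the reading of a long log.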