When I boot up my machine, instead of my usual desktop I get a blue screen with the message 'warning spyware has been detected on your PC' and 'click here to scan your PC for spyware'. If I click, I get redirected to a website selling spyware removal software. I also get popups from the system tray telling me my laptop is infected with spyware.
I have run adware and removed the files it found, but I am still seeing the problem.
Please see below for my HijackThis report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35:05, on 05/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AspenTech\BPE\AfwSecCliSvc.exe
C:\WINNT\system32\bmwebcfg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\winself.exe
C:\Program Files\Common Files\AspenTech Shared\Portmapper\PORTSERV.EXE
C:\WINNT\system32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe
c:\Program Files\SmartPipes\PMAC\sp_SWIns.exe
C:\WINNT\system32\wmsdkns.exe
C:\WINNT\Explorer.EXE
c:\Program Files\AccessManager\Client\sygman.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\TPHDEXLG.EXE
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\AspenTech Shared\Toolbar\aspenONEtoolbar.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\Moz\ssomozho.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\Emulator\ssomho.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\IE\ssobho.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theedge.rohmhaas.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://theedge.rohmhaas.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background,C:\WINNT\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [aspenONE Toolbar] "C:\Program Files\Common Files\AspenTech Shared\Toolbar\aspenONEtoolbar.exe" -auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-21-2059484695-1622420474-1353397897-42016\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2059484695-1622420474-1353397897-801686\..\Run: [IBM RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-2059484695-1622420474-1353397897-9775\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-2059484695-1622420474-1353397897-15012 Startup: Startup.lnk = C:\Program Files\ROH\Support\New User\Customize.vbs (User '?')
O4 - S-1-5-21-2059484695-1622420474-1353397897-9775 Startup: Startup.lnk = C:\Program Files\ROH\Support\New User\Customize.vbs (User '?')
O4 - .DEFAULT User Startup: Startup.lnk = C:\Program Files\ROH\Support\New User\Customize.vbs (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://theedge.rohmhaas.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.alertdriving.com
O15 - Trusted Zone: *.attexecubill.com
O15 - Trusted Zone: *.bna.com
O15 - Trusted Zone: *.bnatax.com
O15 - Trusted Zone: *.boardvantage.com
O15 - Trusted Zone: rohmhaas.culturalnavigator.com
O15 - Trusted Zone: *.financialcontent.com
O15 - Trusted Zone: *.ftssol.com
O15 - Trusted Zone: *.gov.cn
O15 - Trusted Zone: *.hewitt.com
O15 - Trusted Zone: *.infuzer.com
O15 - Trusted Zone: *.Intechnologies.com
O15 - Trusted Zone: *.lrn.com
O15 - Trusted Zone: *.macromedia.com
O15 - Trusted Zone: *.mymeetings.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.shockwave.com
O15 - Trusted Zone: *.signkorea.com
O15 - Trusted Zone: *.skillsoft.com
O15 - Trusted Zone: *.smartforce.com
O15 - Trusted Zone: *.smartfresh.com
O15 - Trusted Zone: *.stf.com
O15 - Trusted Zone: *.strategicsourcing.com
O15 - Trusted Zone: *.systemsoftinc.com
O15 - Trusted Zone: *.teamanywhere.com
O15 - Trusted Zone: mdsuars01.usi.net
O15 - Trusted Zone: mdsuars02.usi.net
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: *.webridge.com
O15 - Trusted Zone: *.webx.com
O15 - Trusted Zone: *.adobe.com (HKLM)
O15 - Trusted Zone: *.alertdriving.com (HKLM)
O15 - Trusted Zone: *.attexecubill.com (HKLM)
O15 - Trusted Zone: *.bna.com (HKLM)
O15 - Trusted Zone: *.bnatax.com (HKLM)
O15 - Trusted Zone: *.boardvantage.com (HKLM)
O15 - Trusted Zone: rohmhaas.culturalnavigator.com (HKLM)
O15 - Trusted Zone: *.financialcontent.com (HKLM)
O15 - Trusted Zone: *.ftssol.com (HKLM)
O15 - Trusted Zone: *.gov.cn (HKLM)
O15 - Trusted Zone: *.hewitt.com (HKLM)
O15 - Trusted Zone: *.infuzer.com (HKLM)
O15 - Trusted Zone: *.Intechnologies.com (HKLM)
O15 - Trusted Zone: *.lrn.com (HKLM)
O15 - Trusted Zone: *.macromedia.com (HKLM)
O15 - Trusted Zone: *.mymeetings.com (HKLM)
O15 - Trusted Zone: *.placeware.com (HKLM)
O15 - Trusted Zone: *.shockwave.com (HKLM)
O15 - Trusted Zone: *.signkorea.com (HKLM)
O15 - Trusted Zone: *.skillsoft.com (HKLM)
O15 - Trusted Zone: *.smartforce.com (HKLM)
O15 - Trusted Zone: *.smartfresh.com (HKLM)
O15 - Trusted Zone: *.stf.com (HKLM)
O15 - Trusted Zone: *.strategicsourcing.com (HKLM)
O15 - Trusted Zone: *.systemsoftinc.com (HKLM)
O15 - Trusted Zone: *.teamanywhere.com (HKLM)
O15 - Trusted Zone: mdsuars01.usi.net (HKLM)
O15 - Trusted Zone: mdsuars02.usi.net (HKLM)
O15 - Trusted Zone: *.webex.com (HKLM)
O15 - Trusted Zone: *.webridge.com (HKLM)
O15 - Trusted Zone: *.webx.com (HKLM)
O15 - Trusted IP range: 10.1.*.*
O15 - Trusted IP range: 10.2.*.*
O15 - Trusted IP range: 10.3.*.*
O15 - Trusted IP range: 10.4.*.*
O15 - Trusted IP range: 10.5.*.*
O15 - Trusted IP range: 10.1.*.* (HKLM)
O15 - Trusted IP range: 10.2.*.* (HKLM)
O15 - Trusted IP range: 10.3.*.* (HKLM)
O15 - Trusted IP range: 10.4.*.* (HKLM)
O15 - Trusted IP range: 10.5.*.* (HKLM)
O16 - DPF: Sametime MRC 651 - http://stho1.rohmhaa...gRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.teamanywhere.com/qp2.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://stho1.rohmhaa...STJNILoader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rohmhaas.web...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rohmhaas.net
O17 - HKLM\Software\..\Telephony: DomainName = rohmhaas.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rohmhaas.net
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AFW Security Client Service (AfwSecCliSvc) - Aspen Technology, Inc. - C:\Program Files\AspenTech\BPE\AfwSecCliSvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - c:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINNT\system32\bmwebcfg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - c:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINNT\system32\nslsvice.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINNT\winself.exe
O23 - Service: NobleNet Portmapper for TCP - Unknown owner - C:\Program Files\Common Files\AspenTech Shared\Portmapper\PORTSERV.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - c:\Program Files\SmartPipes\PMAC\sp_SWIns.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - c:\Program Files\SmartPipes\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - c:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O24 - Desktop Component 0: (no name) - About:Home
--
End of file - 14984 bytes
Thanks to anyone who can help.
Edited by wyexile, 05 May 2008 - 09:51 AM.