I recently contracted what I originally thought was spyware, but might be a trojan. I have run a number of spyware/virus scanners and they all detect an unnamed trojan (it is simply named Win32 Trojan, but not more specific).
The symptoms are that it slows my computer down and messes with my internet. Whatever website I go to, it starts opening links to everywhere and anywhere. This frequently leads to spyware removal tools such as "antispyware suite". I googled this and believe I am supposed to just close all the links.
Another symptom occurs on start-up, where I get the following message:
During a scan of files at systems startup, potential errors in the system registry were found. p07-0100 irql 1f sysver 0xff00024
NT_kernel error 1256
kmode_exception_not_handled
This message comes up twice at the same time, and again I close it from the X rather than clicking OK in case it tries to install something new.
Next is the log taken from Ewido/AVG. I ran the scans in safe mode in the hope that they would be able to disinfect files that were running in normal Windows mode.
==================
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 14:57:46 30/01/2008
+ Scan result:
C:\System Volume Information\_restore{17BA8639-DDC3-47C9-ACB3-E048E295FC6E}\RP128\A0007624.exe -> Adware.Agent : Cleaned.
C:\Program Files\MSN Gaming Zone\cece.html -> Hijacker.IFrame.dn : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe -> Not-A-Virus.Adware.PurityScan : Ignored.
C:\Program Files\Outerinfo\FF\components\FF.dll -> Not-A-Virus.Adware.ZenoSearch : Ignored.
C:\Documents and Settings\Rich\Cookies\rich@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@disneyintranet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@entrepreneur.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@shopping.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.adengage[2].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adrevolver[5].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@media.adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adtech[3].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.adtrak[3].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@advertising[3].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@advertising[4].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[3].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[5].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[6].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@connextra[4].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[3].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[4].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@fastclick[4].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ehg-tigerdirect2.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@revsci[3].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@m.webtrends[3].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[5].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\UmljaGFyZCBBZGFtcw\oA53u3IVtF11t3IQwT.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\uninstall_nmon.vbs -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
========================
Edit:
My log taken from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:19, on 31/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PPATCH~1\netdde.exe
C:\WINDOWS\system32\??sks\?hkntfs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [04c24e01] rundll32.exe "C:\WINDOWS\system32\jalnajhy.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\PPATCH~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Nkpjk] C:\WINDOWS\system32\??sks\?hkntfs.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 0091912875
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0091897125
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hpjbkgep.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\cece.html
--
End of file - 5781 bytes
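The HijackThis log above mixes legitimate autostart entries with a handful that stand out only when you look at the path and the value name (the `?`-rendered directory under `system32`, the 8.3 short path, the hex-named `rundll32` entry, the service whose binary is missing and the one whose path has no extension). The following Python script is an added example, not part of the original post and not HijackThis code: it parses O4 (Run key) and O23 (service) lines from that format and applies a few generic path heuristics a helper would use to decide which entries to check first. The regexes, the heuristic rules and their wording are assumptions of this example; the sample entries are copied from the log in the post.

```python
"""Triage helper for HijackThis O4 (autostart) and O23 (service) entries.

Added example, not part of the original post or of HijackThis. The rules are
illustrative assumptions, not a signature database: a flag means "verify",
not "malicious".
"""
import re
from typing import List, Optional, Tuple

# O4 - <hive\key>: [value name] <command line>
O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23 - Service: <display (short)> - <owner> - <path> [(file missing)]
# The " ?- " tolerates the "- -" HijackThis prints when the owner field is blank.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) ?- "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# First quoted path, else the first bare path ending in a common executable extension.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|scr|cpl|vbs|bat|cmd))\b',
    re.IGNORECASE,
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$")
SYSTEM32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\", re.IGNORECASE)


def extract_path(command: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    m = PATH_RE.search(command)
    if m:
        return m.group(1) or m.group(2)
    tokens = command.split()
    return tokens[0] if tokens else ""


def assess_o4(line: str) -> Optional[Tuple[str, List[str]]]:
    """Parse an O4 line; return (path, reasons) or None if it is not an O4 entry."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, command = m.group("name"), m.group("command")
    path = extract_path(command)
    reasons = []
    if "?" in path:
        # '?' is not legal in a Windows file name; HijackThis prints it for
        # characters it cannot render, so the real name is hidden from review.
        reasons.append("path contains characters HijackThis could not render ('?')")
    if HEX_NAME_RE.match(name):
        reasons.append("registry value name is a random-looking hex string")
    if SYSTEM32_SUBDIR_RE.search(path):
        reasons.append("binary launched from a subdirectory of system32")
    if "~" in path:
        reasons.append("8.3 short (tilde) path instead of a full directory name")
    if re.match(r"rundll32(\.exe)?\b", command, re.IGNORECASE):
        reasons.append("rundll32 loads a DLL at logon; verify the DLL's publisher")
    return path, reasons


def assess_o23(line: str) -> Optional[Tuple[str, List[str]]]:
    """Parse an O23 line; return (path, reasons) or None if it is not an O23 entry."""
    m = O23_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    reasons = []
    if m.group("missing"):
        reasons.append("service binary is missing from disk (stale or self-deleting loader)")
    if not re.search(r"\.(exe|sys|dll)$", path, re.IGNORECASE):
        reasons.append("service path has no executable extension")
    if SYSTEM32_SUBDIR_RE.search(path):
        reasons.append("service binary sits in a subdirectory of system32")
    return path, reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (entry type, path, reasons) for every entry that raised at least one reason."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for kind, assess in (("O4", assess_o4), ("O23", assess_o23)):
            result = assess(line)
            if result and result[1]:
                findings.append((kind, result[0], result[1]))
    return findings


# Entries copied from the HijackThis log in the post above (O4 and O23 sections).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r'O4 - HKLM\..\Run: [04c24e01] rundll32.exe "C:\WINDOWS\system32\jalnajhy.dll",b',
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\PPATCH~1\netdde.exe" -vt yazb',
    r"O4 - HKCU\..\Run: [Nkpjk] C:\WINDOWS\system32\??sks\?hkntfs.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hpjbkgep.exe (file missing)",
    r"O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows",
    r"O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe",
]

if __name__ == "__main__":
    for kind, path, reasons in triage(SAMPLE_LINES):
        print(f"[{kind}] {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run on the sample, the script reports exactly the five entries a helper would ask about first and stays quiet on the Java, ATI, AVG, ctfmon and SmartLink entries; "Unknown owner" alone is deliberately not a rule, since HijackThis prints it for plenty of legitimate services.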