I am having an issue with popups to install AV 2008, which has not been installed. I have been trying for 2 days to stop this issue. So far, I have been having multiple DLL files regenerating with random names. I have shut off System Restore and run Trend Sysclean with no luck. I use Autoruns to see these DLL files (located in the System32 folder) and have deleted them, only to see them immediately come back. I have used Killbox to delete on boot up with no luck, and I do not see anything running in Process Explorer. Currently, Trend sees TROJ_CONHOOK.DQ as the problem. The current DLLs that will not go away are 2 random DLLs (khfcutka & ljjbqplx) and WINCTRL32. I am currently running SDFix and will not be checking it again until the morning. Below is the HijackThis file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:34 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SUSS.EXE
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\WVC691.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planetarrow.com/na/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetarrow.com/na/index.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.planetarrow.com/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = arrowproxy.arrow.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sbm.com;*.arrow.com;*.planetarrow.com;*.arrowecs.com;*.arrownacp.com;*.arrownac.com;*.supnet.com;*.micron.com;*.eaglegl.com;*.divsys.com;*.sun.com;planetarrow.com;*.arrowacs.com;*.arrowkeylink.com;*.pios.com;10.*;206.135.167.137;206.135.167.180;*.hp.com;*.compaq.com;*.ibm.com;*.arrowdevtools.com;*.eldec.com;*.craneaerospace.com;*.netapp.com;*.altera.com;*.analog.com;*.freescale;arrownac.com;*.emc.com;*.hitachi.com;*.beckman.com;192.168.14.244;ep.bitechnologies.com;199.243.76.209;105.128.2.0;erp.avagotech.com;enterprisehr.adphc.com;*.agilysys.com;*.keylink.com,*.oracle.com,192.168.63.*;<local>
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bginfo.lnk = C:\WINDOWS\Bginfo.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.planetarrow.com/na/index.html
O15 - Trusted Zone: http://egain.arrow.com
O15 - Trusted Zone: http://egain2.arrow.com
O15 - Trusted Zone: http://*.arrow.com
O15 - Trusted Zone: http://*.arrowecs.com
O15 - Trusted Zone: http://*.arrowkeylink.com
O15 - Trusted Zone: http://*.arrownac.com
O15 - Trusted Zone: http://*.arrownacp.com
O15 - Trusted Zone: *.arwnet.com
O15 - Trusted Zone: http://*.planetarrow.com
O15 - Trusted Zone: http://www.skillport.com
O15 - Trusted Zone: http://www.skillsoft.com
O15 - Trusted Zone: http://www.skillwsa.com
O15 - Trusted Zone: http://arrow.webex.com
O15 - Trusted Zone: http://egain.arrow.com (HKLM)
O15 - Trusted Zone: http://egain2.arrow.com (HKLM)
O15 - Trusted Zone: http://*.arrow.com (HKLM)
O15 - Trusted Zone: http://*.arrowecs.com (HKLM)
O15 - Trusted Zone: http://*.arrowkeylink.com (HKLM)
O15 - Trusted Zone: http://*.arrownac.com (HKLM)
O15 - Trusted Zone: http://*.arrownacp.com (HKLM)
O15 - Trusted Zone: *.arwnet.com (HKLM)
O15 - Trusted Zone: http://*.planetarrow.com (HKLM)
O15 - Trusted Zone: http://www.skillport.com (HKLM)
O15 - Trusted Zone: http://www.skillsoft.com (HKLM)
O15 - Trusted Zone: http://www.skillwsa.com (HKLM)
O15 - Trusted Zone: http://arrow.webex.com (HKLM)
O15 - Trusted IP range: http://192.168.63.*
O15 - Trusted IP range: http://192.168.63.* (HKLM)
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 6731318126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6731293305
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://td.planetarrow.com/Spider90.ocx
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://usmlrh68.arrow.com:8004/jinitiator/oajinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://usmliu14.arrow.com:7778/forms/ji ... /jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arrownao.corp.arrow.com
O17 - HKLM\Software\..\Telephony: DomainName = arrownao.corp.arrow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arrownao.corp.arrow.com
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\BIN\db2sec.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleDev6iClientCache80 - Unknown owner - C:\Dev6i\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9242 bytes