"Virus Alert!" in Task Bar + fake warnings

Hi guys,

I stupidly fell into a trap of downloading what looked like a Flash update but was in fact a package of a whole heap of nasties! The first noticable symptom is "Virus Alert!" appearing in the Task Bar by the Date/Time. This phrase seems to pop up alongside ANY System DateTime being displayed. Also I think my desktop has been hijacked as it changes colour and turns white. A load of restrictions have been put on any account I log into, can't run Task Manager, open Explorer, many Start menu items have been removed. On top of this there are a load of Fake Windows Alerts popping up telling me I need to download Anti Virus software, which then link to some dodgy website. Ran AdAware but it didn't help and ran my McAfee On-Demand scan, which also hasn't found much (just a few trojan files which were deleted but reappear on reboot).

I have attached my HijackThis log, if someone could show me which items can be fixed and address any of the other issues I'd be eternally grateful!

Thanks,
Neil

 

Not sure if my attachment worked so pasting the log in plain view for easier access for you.

Cheers,
Neil

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13: VIRUS ALERT!, on 28/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fortifw.exe
C:\Program Files\Fortinet\FortiClient\FCMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BMC Software\AppSight\Bin\RI_svc.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\OmniBack\bin\OmniInet.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\Actaris\Vantage Schedule Processor\Actaris.Vantage.ScheduleProcessor.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Kontiki\KHost.exe
C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE
C:\WINDOWS\system32\lphc50oj0erfe.exe
C:\Windows\system32\YURB1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com
O1 - Hosts: 172.23.81.75 fxtwiki.felixstowe.actaris.com fxtwiki
O1 - Hosts: 172.23.80.139 fxebdcrms # for Vantage share
O1 - Hosts: 172.23.49.8 teamtrack.dtc.actaris.com # team track
O1 - Hosts: 172.23.80.138 www.felixstowe.actaris.com www # intranet
O1 - Hosts: 172.23.81.4 fx003 # Appsight License Server
O1 - Hosts: 172.23.80.248 fx1427s # Appsight Server
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {129D532E-E2EC-4527-B4BA-4626830EFE18} - C:\WINDOWS\dfmlxbpkbkl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: peltodgx - {BAB8F6DC-41B1-440F-A066-AAC224906880} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [lphc50oj0erfe] C:\WINDOWS\system32\lphc50oj0erfe.exe
O4 - HKLM\..\Run: [\YURD5.exe] C:\Windows\system32\YURD5.exe
O4 - HKLM\..\Run: [\YURD6.exe] C:\Windows\system32\YURD6.exe
O4 - HKLM\..\Run: [\YURD7.exe] C:\Windows\system32\YURD7.exe
O4 - HKLM\..\Run: [\YURD8.exe] C:\Windows\system32\YURD8.exe
O4 - HKLM\..\Run: [\YUR72.exe] C:\Windows\system32\YUR72.exe
O4 - HKLM\..\Run: [\YUR73.exe] C:\Windows\system32\YUR73.exe
O4 - HKLM\..\Run: [\YUR76.exe] C:\Windows\system32\YUR76.exe
O4 - HKLM\..\Run: [\YURB0.exe] C:\Windows\system32\YURB0.exe
O4 - HKLM\..\Run: [\YURB1.exe] C:\Windows\system32\YURB1.exe
O4 - HKLM\..\Run: [\YURB3.exe] C:\Windows\system32\YURB3.exe
O4 - HKLM\..\Run: [\YURB4.exe] C:\Windows\system32\YURB4.exe
O4 - HKLM\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKLM\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKLM\..\Run: [\YURB5.exe] C:\Windows\system32\YURB5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKCU\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [\YURB1.exe] C:\Windows\system32\YURB1.exe
O4 - HKCU\..\Run: [\YURB5.exe] C:\Windows\system32\YURB5.exe
O4 - HKLM\..\Policies\Explorer\Run: [mC85vZsMwb] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\windfr.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0533AC04-11E3-48CA-A167-40D782C6BD1C} (FileTransferControl Class) - http://pdm.dtc.actaris.com/Advitium/ActiveX/FileTransfer2.cab
O16 - DPF: {493EBD8D-8D67-4A2D-8CF9-B8FC992DCFF6} (ProcessViewer Class) - http://pdm.dtc.actaris.com/Advitium/ActiveX/ProcessViewer.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pdm.dtc.actaris.com/Advitium/ActiveX/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: rwlfsdmk - {E8ACF29E-CF02-4B6C-83B3-136B1F15A7CE} - C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: onfwbsak - {15E4D4B5-A7D1-4541-9220-FC5EAFC15054} - C:\WINDOWS\onfwbsak.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atria Location Broker (Albd) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\albd_server.exe
O23 - Service: AppSight Install Service (AppSightInstallService) - Identify Software Ltd. - C:\Program Files\BMC Software\AppSight\Bin\RI_svc.exe
O23 - Service: AppSight Server (ApsSrvService) - Identify Software Ltd. - C:\Program Files\BMC Software\AppSight\Bin\ApsSrv.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: Atria Cred Manager (cccredmgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Atria Lock Manager (LockMgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Data Protector Inet (OmniInet) - Hewlett-Packard - C:\Program Files\OmniBack\bin\OmniInet.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Vantage Comms Server - Actaris - C:\Program Files\Actaris\Vantage Comms Server\Actaris.Vantage.CommsServer.exe
O23 - Service: Vantage Schedule Processor - Actaris - C:\Program Files\Actaris\Vantage Schedule Processor\Actaris.Vantage.ScheduleProcessor.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13811 bytes