Resolved HJT Threads Resolved spyware and popup issues.

 
 
#1 - 07-26-2006, 10:18 AM - theoldGL (Registered User; Join Date: Jul 2006; Posts: 4; OS: WinXP)

An HJT log, help desperately required

Hi, I seem to have a trojan or two on my system that I cannot get rid of. It's causing my PC to run very slowly, as well as pop-ups from Norton every 5 seconds.

I've tried Spybot S&D, CCleaner, CWShredder, Ad-Aware, Ewido, Spyware Doctor, Windows Defender, Trojan Hunter, Trojan Remover, did an online scan with Trend Micro HouseCall and updated Windows.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:38 AM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NCTV\bin\dm.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\win74B.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131804544041
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C8124F6-5728-4084-9FE0-13B7DEF1FC33}: NameServer = 220.233.0.4,220.233.0.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{7C8124F6-5728-4084-9FE0-13B7DEF1FC33}: NameServer = 220.233.0.4,220.233.0.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Download Manager Lite Service (DownloadManagerLite) - NetCableTV - C:\PROGRA~1\NCTV\bin\dm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

I would be eternally grateful for any help received.

Thanks.
#2 - 07-27-2006, 10:22 AM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 32,566; OS: 2000 Pro, XP Pro, XP Home)

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see you have Ewido 3.5 on this system. It has been updated to version 4.0. Please uninstall Ewido 3.5, restart your system, and follow the next procedures:

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64-bit edition. If you're unsure, please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

F2 - REG:system.ini: Shell=
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll



---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\WINDOWS\SYSTEM32\winbfi32.dll

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located in the top right-hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of Panda's 8 MB ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

Ewido
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
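An added example, not part of the original thread and not tetonbob's or the forum's own tooling: a small Python script that applies the same triage rules the reply above applies by hand to a HijackThis v1.99 log. It flags a process running from a temp directory (the C:\WINDOWS\TEMP\win74B.tmp.exe entry in the first log), an F2 Shell= value that is not explorer.exe, an O20 Winlogon Notify package outside a short allowlist, and O18/O23 entries that are dangling or carry no publisher. The sample log is constructed from lines of the first log in this thread; the Winlogon Notify allowlist is my own assumption (the notification packages a stock XP install ships with) and should be extended for your build.

```python
"""Triage a HijackThis v1.99.x log with the rules the helper applied by hand above.

Added example; not code from the original thread. The allowlist below is an
assumption (Winlogon notification packages that ship with Windows XP)."""
import re

# Paths under a temp location: malware dropped by a browser exploit usually lands here.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|temporary internet files)\\", re.IGNORECASE)

# Assumed allowlist of Winlogon Notify subkeys present on a stock XP SP2 install.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HJT entry lines look like "O20 - Winlogon Notify: ..." (sections R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\win74B.tmp.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""


def parse_hjt(text):
    """Split a log into (running process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (severity, section, detail) findings, HIGH before LOW."""
    findings = []
    processes, entries = parse_hjt(text)
    for path in processes:
        if TEMP_DIR_RE.search(path) or path.lower().endswith(".tmp.exe"):
            findings.append(("HIGH", "process", f"running from a temp location: {path}"))
    for section, body in entries:
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            # Shell= names the user shell; anything other than explorer.exe,
            # including an empty value, deserves a look.
            value = body[len("REG:system.ini: Shell="):].strip()
            if value.lower() != "explorer.exe":
                findings.append(("HIGH", section, f"Shell value is {value!r}, expected 'explorer.exe'"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            # Notify DLLs load into winlogon.exe at logon, a favourite persistence spot.
            name = body[len("Winlogon Notify:"):].split(" - ")[0].strip()
            if name.lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("HIGH", section, f"non-default Winlogon Notify package: {body}"))
        elif section == "O4" and TEMP_DIR_RE.search(body):
            findings.append(("HIGH", section, f"autorun from a temp location: {body}"))
        elif "(file missing)" in body:
            findings.append(("LOW", section, f"dangling reference: {body}"))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(("LOW", section, f"service with no publisher: {body}"))
    findings.sort(key=lambda f: 0 if f[0] == "HIGH" else 1)
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {detail}")
```

Run it against the sample and the three HIGH findings are exactly the items the reply above asks the poster to fix or delete; the LOW ones are the kind of entry a helper reads but leaves alone. The rules are deliberately coarse: a real triage still checks each flagged path against the vendor's file list, which is what the helper does when reading the log.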
#3 - 07-28-2006, 10:54 AM - theoldGL (Registered User; Join Date: Jul 2006; Posts: 4; OS: WinXP)

Hi, thanks for replying!

I think I've gotten rid of it all now. I wrote down the names of the trojans from the warnings Norton was giving me, googled them and found removal guides. The Panda scan didn't go too well though: I got a blue warning screen during the scan and had to restart the PC, so I haven't tried it again. I also can't update Ewido at the moment; hopefully the log from the version I currently have will suffice.

Here's my latest Ewido and HJT log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:46:15 AM, 7/29/2006
+ Report-Checksum: 89D13BB2

+ Scan result:


C:\Documents and Settings\Dave\Cookies\dave@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup



::Report End





Logfile of HijackThis v1.99.1
Scan saved at 3:57:18 AM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NCTV\bin\dm.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\PROGRA~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131804544041
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C8124F6-5728-4084-9FE0-13B7DEF1FC33}: NameServer = 220.233.0.4,220.233.0.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{7C8124F6-5728-4084-9FE0-13B7DEF1FC33}: NameServer = 220.233.0.4,220.233.0.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Download Manager Lite Service (DownloadManagerLite) - NetCableTV - C:\PROGRA~1\NCTV\bin\dm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Thanks.

Last edited by theoldGL; 07-28-2006 at 10:58 AM.
#4 - 07-28-2006, 03:48 PM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 32,566; OS: 2000 Pro, XP Pro, XP Home)

Quote:
I also can't update Ewido at the moment
Why is that? What issues did you encounter?

Looks like you got the nasties, but it would be good to get one online scan in. They often find what other scanners miss.

Perhaps give Kaspersky a try. I've never known an online scan to cause a blue screen. Has this happened recently otherwise to your system?

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

#5 - 07-29-2006, 03:54 AM - theoldGL (Registered User; Join Date: Jul 2006; Posts: 4; OS: WinXP)

I can update definitions, just not the version. It's complicated :)

I've never had this blue screen before. It sounded really bad too; it said things like 'physical memory dump completed' (which I think may not be anything to worry about, but sounded as though my HD was wiped), and above that message was something like I've seen in an HJT log, like this - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}. Can't remember the rest except for a message that said if this is the first time it has happened then just ignore it and restart the PC, which I did and heard no more about it.

I'll definitely give Kaspersky a go, I've heard good things.

Saturday, July 29, 2006 8:52:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 197230


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
G:\

Scan Statistics
Total number of scanned objects 67983
Number of viruses found 13
Number of infected objects 142 / 0
Number of suspicious objects 9
Duration of the scan process 00:59:51

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-06082006-122829.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-07-29_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\Dave\.housecall\Quarantine\win371.tmp.exe.bac_a02348 Infected: Packed.Win32.Klone.g skipped

C:\Documents and Settings\Dave\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{4FCBFE0D-BA08-451D-B3C1-2BAE96CBB91E} Object is locked skipped

C:\Documents and Settings\Dave\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dave\Local Settings\Temp\Perflib_Perfdata_338.dat Object is locked skipped

C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dave\ntuser.dat Object is locked skipped

C:\Documents and Settings\Dave\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-07-29.02-48-37.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Quarantine\007B49DA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\05812282 Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\05812282.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\05FD260C.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\06090CE5 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\06FE5C2C Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\077F3FDE.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Program Files\Norton AntiVirus\Quarantine\078C67CF.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Program Files\Norton AntiVirus\Quarantine\08590776.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\09EE0BA3.exe Infected: not-virus:Hoax.Win32.Renos.aj skipped

C:\Program Files\Norton AntiVirus\Quarantine\0A05318A Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\0A05318A.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\0B0C7AC4.exe Infected: not-virus:Hoax.Win32.Renos.aj skipped

C:\Program Files\Norton AntiVirus\Quarantine\0B3F19CA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\0BA50FD2 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\0C0B05D9 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\0C843097.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\0C8A2BB5.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\0CCD7DEA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\0E0C25EE/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped

C:\Program Files\Norton AntiVirus\Quarantine\0E0C25EE ZIP: infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\0E0C25EE CryptFF: infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\11767355 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\1278609C Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\132650BD Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\13712378.htm Suspicious: Exploit.HTML.Mht skipped

C:\Program Files\Norton AntiVirus\Quarantine\1646262E Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\164A502A Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\164D7A27 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16502423 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16534E20 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\1657781C Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\165A2218 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\165D4C15 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16607611 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\1664200E Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16674A0A Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\166A7406 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\166E1E03 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\167147FF Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\167471FC Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16771BF8 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\167B45F5 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\167E6FF1 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\168119ED Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\168443EA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16886DE6 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\168B17E3 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\168E41DF Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16916BDB Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\169515D8 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16983FD4 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\169B69D1 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\169F13CD Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\16A23DC9 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\17354BD0 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\179B41D8 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\18964551 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\18BE7557 Infected: not-virus:Hoax.Win32.Renos.aj skipped

C:\Program Files\Norton AntiVirus\Quarantine\1B0E21E1 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\1FB7174D Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\22C607CF Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\232C7DD6 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\250011D9 Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\250011D9.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\28A16882.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\29794947.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\2E5643CD Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\2F222FDD Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\310953D2.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\35180D40 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\364D21C0.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\39C102AC Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\39E67FCC Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\3AB36BDB Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\3D5D30A7 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\40B171C9.rra/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped

C:\Program Files\Norton AntiVirus\Quarantine\40B171C9.rra/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped

C:\Program Files\Norton AntiVirus\Quarantine\40B171C9.rra NSIS: infected - 2 skipped

C:\Program Files\Norton AntiVirus\Quarantine\40B171C9.rra CryptFF: infected - 2 skipped

C:\Program Files\Norton AntiVirus\Quarantine\40E154A8 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\43583138 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\43C82300 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\448A54F2 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\45773BCB Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\464327DA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\480126A4 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\4A780334 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\4EC560BE.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton AntiVirus\Quarantine\4EC80ABB.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped

C:\Program Files\Norton AntiVirus\Quarantine\4ECB34B7.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton AntiVirus\Quarantine\4ED532AC.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton AntiVirus\Quarantine\4EF22C8C Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\4EF22C8C.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\4F2278A0 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\516D6DD1 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\51D363D8 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\5340694E.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\53870D82 Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\53870D82.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\5AEA43BC.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\5B2E042F/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped

C:\Program Files\Norton AntiVirus\Quarantine\5B2E042F ZIP: infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\5B2E042F CryptFF: infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\5CFD29D0 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\5D641FD7 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\5E92676F.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\62847E7A Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\63007E7B Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\63007E7B.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\64471003.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\67B645F1.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\681020C3.exe Infected: Packed.Win32.Klone.b skipped

C:\Program Files\Norton AntiVirus\Quarantine\688E65CE Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\68F45BD6 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\692C63FF Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\695A51DD Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\6BA3408F Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\6D4B0BCE.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\6DDE3A85 Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\6DDE3A85.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\6DFE02EA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\6F6D3CCF Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\6F6D3CCF.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\704C35FA Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\724879AA Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\724879AA.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\72C3128B Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\72E86CC4.tmp Infected: Trojan.Win32.Dialer.pz skipped

C:\Program Files\Norton AntiVirus\Quarantine\741E21CD Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\74EA0DDC Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\776C07F6 Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\7A27777B Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Norton AntiVirus\Quarantine\7B5C152D Infected: Email-Worm.Win32.NetSky.q skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BA430DE Infected: Email-Worm.Win32.NetSky.q skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BB158D0/[From graf@grafnet.com][Date Tue, 29 Mar 2005 22:42:25 +1000]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BB158D0/[From graf@grafnet.com][Date Tue, 29 Mar 2005 22:42:25 +1000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BB158D0 Mail: suspicious - 2 skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BB158D0 CryptFF: suspicious - 2 skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BD526A8/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BD526A8 ZIP: infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\7BD526A8 CryptFF: infected - 1 skipped

C:\Program Files\Norton AntiVirus\Quarantine\7C166E60 Infected: Email-Worm.Win32.NetSky.q skipped

C:\Program Files\Norton AntiVirus\Quarantine\7C231652/[From robertson@ljh.com.au][Date Wed, 30 Mar 2005 07:28:53 +1000]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Program Files\Norton AntiVirus\Quarantine\7C231652/[From robertson@ljh.com.au][Date Wed, 30 Mar 2005 07:28:53 +1000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Program Files\Norton AntiVirus\Quarantine\7C231652 Mail: suspicious - 2 skipped

C:\Program Files\Norton AntiVirus\Quarantine\7C231652 CryptFF: suspicious - 2 skipped

C:\Program Files\Norton AntiVirus\Quarantine\7D9C1D33 Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\7D9C1D33.exe Infected: Trojan-Dropper.Win32.Delf.pb skipped

C:\Program Files\Norton AntiVirus\Quarantine\7FAE5DCB Infected: P2P-Worm.Win32.SdDrop.c skipped

C:\Program Files\Prevx1\lclbrk.cache Object is locked skipped

C:\Program Files\Prevx1\log\px-log.txt Object is locked skipped

C:\Program Files\Prevx1\paws.cache Object is locked skipped

C:\Program Files\Prevx1\prevx.cache Object is locked skipped

C:\Program Files\Prevx1\proc.cat Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{7EC8EDE2-5467-4D3A-953F-CFA4ACE08456}\RP415\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{1DED6887-A409-4ADE-9158-E67A1E4363D4}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks
theoldGL is offline  
Old 07-29-2006, 07:21 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


Quote:
I can update definitions, just not the version. It's complicated :)
Well, it's your system, but I haven't had it be complicated on the systems I've upgraded. I uninstalled the old free version, and installed the new free version. Perhaps it's a personal complication...so we won't go there.

Anyway... All those items found by Kaspersky are locked away in Quarantines. We can clear them out.

Delete the contents of these folders, but not the folders themselves:

C:\Documents and Settings\Dave\.housecall\Quarantine

C:\Program Files\Norton AntiVirus\Quarantine


Other than that, your logs appear clean.

Well done. Any more issues? If not, you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!

  • AVG

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
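The reasoning behind "all those items found by Kaspersky are locked away in Quarantines" can be written down as a triage rule over the report lines above. This is an added example, not code from the thread or from Kaspersky; the line shapes are the ones the report uses, the quarantine paths are the two the reply names, and the sample block is constructed (the one "live" hit in it is made up to show the contrast).

```python
"""Triage a Kaspersky scan report the way the reply in this thread does.

Added example; not code from the forum thread or from Kaspersky. The reply's
reasoning: a hit whose path lies inside an AV quarantine folder is already
contained and only needs the folder emptied; "Object is locked" lines on
registry hives, event logs and caches are normal for an online scan; anything
else is a live detection that still needs action.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Quarantine folders named in the reply (the same paths the thread shows).
QUARANTINE_DIRS = (
    r"C:\Documents and Settings\Dave\.housecall\Quarantine",
    r"C:\Program Files\Norton AntiVirus\Quarantine",
)

# Report line shapes seen in the thread:
#   <path> Infected: <name> skipped
#   <path> Suspicious: <name> skipped
#   <path> <container>: infected - <n> skipped      (archive summary line)
#   <path> Object is locked skipped
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<verdict>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<container>\w+): (?P<cverdict>infected|suspicious) - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)


@dataclass
class Hit:
    path: str
    detection: Optional[str]  # None for locked objects
    quarantined: bool
    locked: bool


def _in_quarantine(path):
    # Archive members are reported as "<archive>/<member>", so compare on the
    # on-disk prefix only, case-insensitively as NTFS would.
    low = path.lower()
    return any(low.startswith(q.lower() + "\\") for q in QUARANTINE_DIRS)


def parse_line(line):
    """Return a Hit for a report line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("verdict"):
        det = m.group("name")
    elif m.group("container"):
        # Summary line for an archive; the member lines carry the real names.
        det = f"{m.group('container')} ({m.group('cverdict')} x{m.group('count')})"
    else:
        det = None
    return Hit(path, det, _in_quarantine(path), det is None)


def triage(report_text):
    """Split a report into the three buckets the analyst reasons about."""
    buckets = {"quarantined": [], "locked": [], "live": []}
    for line in report_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        if hit.locked:
            buckets["locked"].append(hit)
        elif hit.quarantined:
            buckets["quarantined"].append(hit)
        else:
            buckets["live"].append(hit)
    return buckets


# Constructed sample: a few lines in the shape of the thread's report, plus one
# made-up live hit outside any quarantine folder to show the distinction.
SAMPLE = r"""
C:\Program Files\Norton AntiVirus\Quarantine\0E0C25EE/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0E0C25EE ZIP: infected - 1 skipped
C:\Documents and Settings\Dave\.housecall\Quarantine\win371.tmp.exe.bac_a02348 Infected: Packed.Win32.Klone.g skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\example-live.dll Infected: Trojan-Downloader.Win32.Agent.acd skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(f"{bucket}: {len(hits)}")
        for h in hits:
            print(f"  {h.path}  [{h.detection or 'locked'}]")
```

Anything that lands in the "live" bucket is what would still need a fix; on the report above that bucket is empty, which is what "your logs appear clean" means.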
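The HOSTS mechanism the MVPS step relies on (a name mapped to 127.0.0.1 resolves to the PC itself, so the ad site is never contacted) is also what hijackers abuse, which is why HijackThis reports HOSTS entries as O1 items. The check below, an added example and not the MVPS file or any tool from the thread, parses a HOSTS file in that layout and separates sinkholed names from names pointed somewhere else; the domains in the constructed sample are placeholders.

```python
"""Audit a HOSTS file of the kind the MVPS step installs.

Added example; not the MVPS hosts file or code from the thread. An entry of
"127.0.0.1 <name>" sinkholes the name to the local machine (the reply's
point). An entry that maps a name to any other address silently reroutes
traffic for that name, which is what a HOSTS hijack looks like, so it is
reported separately.
"""
import ipaddress

# Addresses that sinkhole a name rather than redirect it: 127.0.0.1 as the
# reply describes, plus 0.0.0.0 and ::1, which are also commonly used.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no name; nothing to map
        addr, *names = parts
        for name in names:  # one address may be followed by several names
            yield addr, name.lower()


def audit_hosts(text):
    """Return sinkholed names, names redirected elsewhere, and bad entries."""
    sinkholed, redirected, invalid = [], [], []
    for addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            invalid.append((addr, name))
            continue
        if addr in SINKHOLE_ADDRS:
            sinkholed.append(name)
        else:
            # Legitimate only if the machine's owner put it there.
            redirected.append((name, addr))
    return {"sinkholed": sinkholed, "redirected": redirected, "invalid": invalid}


# Constructed sample in the MVPS layout; every domain here is a placeholder.
SAMPLE_HOSTS = """
# Constructed sample for the example above
127.0.0.1 localhost
127.0.0.1 ads.example.invalid          # sinkholed: resolves to this PC
0.0.0.0   tracker.example.invalid      # sinkholed as well
192.0.2.10 liveupdate.example.invalid  # suspicious: points elsewhere
not-an-ip junk.example.invalid
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"sinkholed names: {len(report['sinkholed'])}")
    for name, addr in report["redirected"]:
        print(f"REDIRECTED {name} -> {addr}")
    for addr, name in report["invalid"]:
        print(f"INVALID address {addr!r} for {name}")
```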
Old 07-29-2006, 10:51 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 4
OS: WinXP


All done.

Thank you so much for your help, can't tell you how much I appreciate it.

Just a quick question about the zone alarm firewall, I actually have this but I haven't installed it yet because I wasn't sure if it would interfere with my bittorrent client?
theoldGL is offline  
Old 07-30-2006, 07:49 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home


That's a good question, and one I don't have an immediate answer to. I don't use torrents. I do use Zone Alarm. I know it can take some configuring to allow some programs the access you want them to have.

Install it and see. If there's a conflict, disable it until you get it configured correctly... or perhaps you can ask the question in our Firewalls forum, or the Zonelabs User Forum. (You'll need to register there to pose a question.)

Hope that helps.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
 





Copyright 2001 - 2009, Tech Support Forum