Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

Old 10-05-2006, 08:53 PM #1 - localau (Registered User, Join Date: Oct 2006, Posts: 25, OS: windows xp)

W32.Rontockbro@mm

Hello

I use Symantec AntiVirus Corporate Edition (university network PC), and I keep getting 40 or so virus notifications every 10 minutes that look like this:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\Data ??? john Lee.exe
Location: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thursday, October 05, 2006 10:22:34 PM


I run AdAware and SpyBot, but after running the scans the Symantec alerts keep showing up. Here's my HJT log:

C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.731\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webadmin.is.tcu.edu/av/Deplo...st/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


Thanks for any help you can offer! I really appreciate it.
Old 10-07-2006, 01:07 AM #2 - localau (Registered User, Join Date: Oct 2006, Posts: 25, OS: windows xp)

Bump!
Old 10-08-2006, 03:01 PM #3 - localau (Registered User, Join Date: Oct 2006, Posts: 25, OS: windows xp)

Re-bump?

Anyway, here's a fresh log:


Logfile of HijackThis v1.99.1
Scan saved at 4:59:16 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EvilLyrics\EvilLyrics.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webadmin.is.tcu.edu/av/Deplo...st/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
Old 10-08-2006, 06:20 PM #4 - Deckard (Mentor, Analyst - Security Team, Join Date: May 2006, Location: Oregon, Posts: 2,503, OS: MacOS X, Debian, OpenBSD, Windows)

Hello localau, and welcome to TSF. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I don't see anything obvious in your log. Let's try to remove that file and then run a few scanners to see if anything else is lurking.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.


HijackThis Is In Temp Folder
You are running HijackThis from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C: then click on File > New > Folder and call it HJT, or another name of your choice. Extract HijackThis from the archive and move it to this folder. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.


Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.


Download CleanUp!
Download and install CleanUp! but do not run it yet.

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.


Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware.
  1. Load AVG Anti-Spyware and then click the Shield tab at the top
    • Click on the word active to change it to inactive.
  2. Click the Update tab at the top:
    • Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
    • Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
  3. Click the Scanner tab at the top and then the Settings sub-tab:
    • Under How to act?, click Recommended actions and select Quarantine.
    • Under Reports, select Automatically generate report after every scan
  4. Close AVG Anti-Spyware. Do not run a scan with it yet.


Download ComboFix
Download ComboFix from one of the following links:
  1. http://www.techsupportforum.com/sectools/combofix.exe
  2. http://download.bleepingcomputer.com/sUBs/combofix.exe
Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


Delete File
Try deleting C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\Data ??? john Lee.exe. If it still says permission denied,
  1. Go to My Computer > Tools > Folder Options > View tab and uncheck "Use simple file sharing (Recommended)". The option is all the way at the bottom. Click OK.
  2. Right-click on Data ??? john Lee.exe and select Properties, then the Security tab.
  3. Click the Advanced button.
  4. Highlight all the Permission Entries that have <not inherited> under the Inherited From column and click the Remove button.
  5. Make sure the Inherit from parent checkbox is checked. Leave replace permission entries unchecked.
  6. Click OK.
Now try deleting that file again.


Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    • Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
    Click OK.
  • Press the CleanUp! button to start the program.
Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.


Run AVG Anti-Spyware
  • Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on Save Report, then Save Report As. Save the report so that you can find it again (like on the Desktop).
  • Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: extended
    • Scan Options: Scan Archives and Scan Mail Bases
  • Click OK
  • Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
  • Now under select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run all the way.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.


With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. The contents of C:\ComboFix.txt,
  2. AVG Anti-Spyware scan report,
  3. Kaspersky scan report, and
  4. a new HiJackThis log taken after Kaspersky finishes.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
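As an added triage example (not code from the thread, from HijackThis or from Symantec), the following Python parses the Symantec alert block and a handful of HijackThis O4/O23 lines quoted in the posts above and checks the two things a helper looks for first: whether the AV's action failed, and whether the flagged file has any autorun load point in the log (here it has none, which matches the "nothing obvious in your log" reading). The location heuristic goes beyond the thread: it flags load points whose executable sits under a user profile or temp folder; the `sample` line in the constructed log exists only to exercise it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Symantec alert block from post #1.
SYMANTEC_ALERT = """\
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\\DOCUMENTS AND SETTINGS\\ALL USERS\\DOCUMENTS\\Data ??? john Lee.exe
Location: C:\\DOCUMENTS AND SETTINGS\\ALL USERS\\DOCUMENTS
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
"""

# Constructed sample: HijackThis lines taken from post #3, plus one made-up
# O4 line ("sample", under a Temp folder) so the location heuristic has a hit.
HJT_LOG = """\
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\DefWatch.exe
O4 - HKCU\\..\\Run: [sample] C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\sample.exe
"""


@dataclass
class HjtEntry:
    section: str  # "O4" (Run key / startup folder) or "O23" (service)
    name: str     # value name, shortcut name or service name
    path: str     # executable or module path pulled out of the command line


O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<cmd>.+)$")
# First token ending in a module extension, quoted or not (paths may contain spaces).
EXE_IN_CMD = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|cpl))"?(?:\s.*)?$', re.IGNORECASE)

# Folders a normal autorun entry should not be launching from.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\tmp\\")


def parse_alert(text: str) -> dict:
    """Turn the 'Key: value' lines of a Symantec alert into a dict."""
    alert = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            alert[key.strip()] = value.strip()
    return alert


def action_failed(alert: dict) -> bool:
    """True when the AV could neither clean nor quarantine, i.e. the loop in post #1."""
    taken = alert.get("Action taken", "").lower()
    return "failed" in taken or "access denied" in taken


def parse_hjt(text: str) -> list:
    """Extract O4 and O23 load points from HijackThis log lines."""
    entries = []
    for line in text.splitlines():
        for section, rx in (("O4", O4_RUN), ("O4", O4_STARTUP), ("O23", O23_SERVICE)):
            m = rx.match(line)
            if m:
                exe = EXE_IN_CMD.match(m.group("cmd"))
                path = exe.group("path") if exe else m.group("cmd")
                entries.append(HjtEntry(section, m.group("name"), path))
                break
    return entries


def load_points_for(entries: list, file_path: str) -> list:
    """Entries that launch the given file. Basename, case-insensitive comparison,
    so an 8.3 short name such as PROGRA~1 in the log cannot hide a hit."""
    target = file_path.rsplit("\\", 1)[-1].casefold()
    return [e for e in entries if e.path.rsplit("\\", 1)[-1].casefold() == target]


def entries_in_user_writable_dirs(entries: list) -> list:
    """Load points whose executable lives under a profile or temp folder."""
    return [e for e in entries
            if any(marker in e.path.casefold() for marker in USER_WRITABLE)]


def triage(alert_text: str, hjt_text: str) -> dict:
    """Summarise what a helper would check before replying to the poster."""
    alert = parse_alert(alert_text)
    entries = parse_hjt(hjt_text)
    flagged = alert.get("File", "")
    return {
        "virus": alert.get("Virus name"),
        "file": flagged,
        "needs_manual_removal": action_failed(alert),
        "load_points": [e.name for e in load_points_for(entries, flagged)],
        "odd_locations": [e.name for e in entries_in_user_writable_dirs(entries)],
    }


if __name__ == "__main__":
    for key, value in triage(SYMANTEC_ALERT, HJT_LOG).items():
        print(f"{key}: {value}")
```

An empty `load_points` list means the flagged file is not being started by any Run key, startup folder or service the log shows, which is why the next step in the thread is a manual delete rather than an HJT fix.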
Old 10-08-2006, 10:59 PM #5 - localau (Registered User, Join Date: Oct 2006, Posts: 25, OS: windows xp)

Where do I download AVG? It appears to be a paid service :s
Thanks for helping me, I really appreciate it.
Old 10-09-2006, 07:17 PM #6 - Deckard (Mentor, Analyst - Security Team, Join Date: May 2006, Location: Oregon, Posts: 2,503, OS: MacOS X, Debian, OpenBSD, Windows)

I apologize; my link was broken in the text. You can download the software here for free: http://www.ewido.net/en/download/
Old 10-10-2006, 01:17 AM #7 - localau (Registered User, Join Date: Oct 2006, Posts: 25, OS: windows xp)

It took a while, but I finished running the scans. The file wasn't there, though. The Kaspersky scan log is attached due to extreme lengthiness.


Owner - Mon 10/09/2006 21:53:56.33 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010/09/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2012/17/2005 12:56 AM 51120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2012/17/2005 12:56 AM 21744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2012/17/2005 12:56 AM 16496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2012/16/2004 05:14 PM 347264 --a------ C:\WINDOWS\system32\drivers\snpstd2.sys
2012/14/2004 09:58 PM 45056 --a------ C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2012/08/2003 11:53 AM 70688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2012/08/2003 11:53 AM 53600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2012/08/2003 11:53 AM 5280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2012/08/2003 11:53 AM 3968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2011/17/2004 08:27 AM 3222784 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2011/07/2003 04:50 AM 70798 --a------ C:\WINDOWS\system32\drivers\LMouFlt2.Sys
2011/07/2003 04:50 AM 51486 --a------ C:\WINDOWS\system32\drivers\L8042PR2.SYS
2011/07/2003 04:50 AM 37884 --a------ C:\WINDOWS\system32\drivers\LHIDUSB.SYS
2011/07/2003 04:50 AM 25502 --a------ C:\WINDOWS\system32\drivers\LHidFlt2.Sys
2011/07/2003 04:50 AM 14092 --a------ C:\WINDOWS\system32\drivers\LCCFLTR.SYS
2011/04/2004 06:47 PM 185824 --a------ C:\WINDOWS\system32\drivers\SynTP.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"Copernic Desktop Search"="\"C:\\Program Files\\Copernic Desktop Search\\CopernicDesktopSearch.exe\" /tray"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Logitech Utility"="Logi_MwX.Exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
69,6e,64,5f,58,50,2e,65,78,65,00
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"SNPSTD2"="C:\\WINDOWS\\vsnpstd2.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1144859554\\ee\\AOLSoftware.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"!AVG Anti-Spyware"="\"C:\\Program Files\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e1,00,00,00,00,00,00,00,1f,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Critical Battery Alarm Program.job
C:\WINDOWS\tasks\Low Battery Alarm Program.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Mon 10/09/2006 21:56:33.72
ComboFix.txt



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:56:15 PM 10/9/2006

+ Scan result:



:mozilla.16:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.108:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.80:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.81:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.48:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.50:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.52:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.53:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.86:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.118:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.119:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.76:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.78:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.79:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.130:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Commission-junction : Cleaned.
:mozilla.131:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Commission-junction : Cleaned.
:mozilla.43:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.75:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.46:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.47:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.139:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.34:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.35:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.88:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.90:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.112:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.120:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.121:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.77:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.140:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.101:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.102:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.103:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.104:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.105:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.106:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.107:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.122:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.123:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ys46eu1t.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ112.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ116.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ120.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ13E.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ142.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ152.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ156.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ157.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ15D.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ163.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ165.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ16F.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ170.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ1AF.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ1B17.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ1B18.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ1C6.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ1C7.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQA3.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQA4.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQA5.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQA7.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQB4.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQC7.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQC9.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQCA.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQCB.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQCD.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQCE.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQCF.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQD0.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQD1.tmp -> Worm.Brontok.c : Cleaned with backup (quarantined).


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 3:12:01 AM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webadmin.is.tcu.edu/av/Deplo...st/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


Thanks again for your help!
Attached Files
File Type: txt infections.txt (1.34 MB, 1 views)
Old 10-10-2006, 07:43 PM   #8 (permalink)
Mentor, Analyst - Security Team
 
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


We're in the homestretch. Just some routine cleaning up and you should be good to go. I guess the file got deleted for good at some point -- is Norton still giving you that virus warning?

Deletions
Delete the following files indicated in RED if they still exist:
C:\Documents and Settings\Owner\My Documents\My Downloads\prototype2007.exe
C:\Documents and Settings\Owner\My Documents\My Downloads\weather_dir.exe

Clean Quarantine
Please follow Symantec's guide to clean out your Norton quarantine directory.


Clear Cookies
Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear.


Online Scan
Please perform a BitDefender Online Scan using Internet Explorer. Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results". Please do so and save it to your desktop.

Post the results of the BitDefender scan along with one more HijackThis log. Also let me know how your machine is behaving now.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
Old 10-10-2006, 08:24 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


Yes, I'm still getting the notifications :( There are fewer of them now though, and I have noticed my PC seems less bogged down :) . Here are the ones I'm getting now:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Location: C:\Documents and Settings\All Users\Documents\My Music\Sample Music
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:11:39 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0002613C\0002613C.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:47 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sync Playlists\0002613C\0002613C.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:49 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0002613C\0002613C.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:47 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A\0009A54A.exe
Location: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:11:44 PM


Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A\0009A54A.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:43 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sample Playlists\Sample Playlists.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:41 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:39 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SharedDocs.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:39 PM




I'll go follow your instructions and report back soon. Thanks again!
Old 10-10-2006, 09:07 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


These are additional notifications that appeared:


Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\Data ??? john Lee.exe
Location: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:43:24 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\My Music.exe
Location: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:43:27 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Location: C:\Documents and Settings\All Users\Documents\My Music\Sample Music
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:43:28 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SharedDocs.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:43:27 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A\0009A54A.exe
Location: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:43:29 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A\0009A54A.exe
Location: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A
Computer: LAU
User: Guest
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:43:29 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:43:28 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sync Playlists\Sync Playlists.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:43:33 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A\0009A54A.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:43:29 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sample Playlists\Sample Playlists.exe
Location: Quarantine
Computer: LAU
User: Guest
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:43:28 PM


I succeeded in deleting the files you mentioned, but got 4 "failed" statuses when clearing the quarantine. They are:

10/10/2006 22:11 0009A54A.exe W32.Rontokbro@mm C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0009A54A\ Infected
10/10/2006 22:11 0002613C.exe W32.Rontokbro@mm C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sync Playlists\0002613C\ Infected
10/10/2006 22:11 Sync Playlists.exe W32.Rontokbro@mm C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sync Playlists\ Infected
10/10/2006 22:11 0002613C.exe W32.Rontokbro@mm C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0002613C\ Infected

I'll run the scans and post back again.
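The alerts pasted in posts #9 and #10 above are worth reading as a data set rather than one at a time: the same paths come back under both upper- and lower-case spellings, several are quarantined and then reported again minutes later, and most of the executables are named after the folder they sit in (`My Music\My Music.exe`, `0002613C\0002613C.exe`). The script below is an added example written for this page; it is not from the thread, from Symantec, or from the helper's attached rontokbro.bat. It parses alert text in the exact "Key: value" layout Symantec AntiVirus Corporate Edition uses, folds path case (Windows paths are case-insensitive), and reports which files reappear after quarantine, which were never quarantined at all, and which follow the folder-mimic naming pattern. The sample alert text is a trimmed copy of blocks from posts #9 and #10 (the Location, Computer and User lines were dropped for brevity); the folder-mimic heuristic is an assumption drawn from the paths in those alerts, not a published signature.

```python
"""Summarise Symantec AntiVirus real-time alert text (added example, not from the thread)."""
import re
from collections import defaultdict
from ntpath import basename, dirname, splitext  # ntpath parses Windows paths on any OS

# Constructed sample: alert blocks copied from the thread, trimmed to the fields used here.
SAMPLE_ALERTS = r"""
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:11:39 PM

Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SharedDocs.exe
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:39 PM

Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0002613C\0002613C.exe
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:47 PM

Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\My Music\Sync Playlists\0002613C\0002613C.exe
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:11:49 PM

Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, October 10, 2006 10:43:28 PM

Virus name: W32.Rontokbro@mm
File: C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\Data ??? john Lee.exe
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, October 10, 2006 10:43:24 PM
"""


def parse_alerts(text):
    """Split on blank lines; each 'Key: value' line of a block becomes one field."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths and times keep theirs
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if "File" in fields and "Action taken" in fields:
            records.append(fields)
    return records


def quarantined(action):
    """Both outcomes in these alerts end in 'Access denied'; only the leading verb differs."""
    return action.startswith("Quarantine succeeded")


def mimics_parent_folder(path):
    """True for X\\X.exe: an executable named after the folder that contains it."""
    stem, ext = splitext(basename(path))
    return ext.lower() == ".exe" and stem.lower() == basename(dirname(path)).lower()


def group_by_path(records):
    """Fold case so 'C:\\DOCUMENTS AND SETTINGS\\...' and 'C:\\Documents and Settings\\...' merge."""
    per_path = defaultdict(list)
    for r in records:
        per_path[r["File"].lower()].append(quarantined(r["Action taken"]))
    return dict(per_path)


def reappearing(per_path):
    """Paths alerted on more than once: something running keeps re-creating them."""
    return sorted(p for p, hits in per_path.items() if len(hits) > 1)


def never_quarantined(per_path):
    """Paths for which every attempt failed; these are the ones still on disk."""
    return sorted(p for p, hits in per_path.items() if not any(hits))


def folder_mimics(per_path):
    return sorted(p for p in per_path if mimics_parent_folder(p))


if __name__ == "__main__":
    per_path = group_by_path(parse_alerts(SAMPLE_ALERTS))
    for title, paths in (("Reappearing after quarantine", reappearing(per_path)),
                         ("Never quarantined", never_quarantined(per_path)),
                         ("Named after parent folder", folder_mimics(per_path))):
        print(f"{title}:")
        for p in paths:
            print("  " + p)
```

Feed it the full alert text from the Symantec event log (or the pasted blocks) instead of the sample; the output is the list of paths to hand to a boot-time or safe-mode cleanup, and a non-empty "reappearing" list is the quickest evidence that a dropper process is still alive and the on-disk files alone are not the problem.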
Old 10-10-2006, 11:04 PM   #11 (permalink)
Mentor, Analyst - Security Team
 
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


I think I know what's happening. This is one entrenched virus. Please download the attached file and unarchive it to your desktop. Double-click on localau.reg first and allow it to merge with your Registry. Then, click on the rontokbro.bat file. It should run for a few seconds and then open Notepad up with a logfile. Please post that logfile.
Last edited by Deckard; 11-02-2006 at 05:54 PM.
Old 10-11-2006, 06:51 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


I attached the BitDefender results. Here's a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:32 AM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webadmin.is.tcu.edu/av/Deplo...st/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


I'll go follow your instructions and report back. Thanks!
Attached Files
File Type: txt bitdefender.txt (637.8 KB, 1 views)
Old 10-11-2006, 12:39 PM   #13 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


Here's the logfile:


Directory of C:\Documents and Settings\Administrator

08/01/2005 10:08 PM <DIR> .
08/01/2005 10:08 PM <DIR> ..
06/18/2005 04:30 PM <DIR> Favorites
08/01/2005 10:08 PM 262,144 NTUSER.DAT
08/14/2006 01:53 PM 1,024 NTUSER.DAT.LOG
2 File(s) 263,168 bytes
3 Dir(s) 11,841,425,408 bytes free



Directory of C:\Documents and Settings\All Users\Application Data\Microsoft\Office

08/02/2005 11:24 PM <DIR> Data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

08/18/2005 03:08 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Premium

01/01/2006 02:45 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\.limewire\xml

12/25/2005 12:13 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Application Data\.bittorrent

12/23/2005 06:27 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Local Settings\Application Data\AOL\UserProfiles\1144859554\guest\metrics

05/23/2006 01:11 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\.limewire\xml

09/18/2005 11:06 AM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\.bittorrent

10/06/2006 01:32 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\Real\RealPlayer\skins

03/24/2006 02:43 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\1144859554\owner\metrics

10/11/2006 03:01 AM <DIR> data
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
10 Dir(s) 11,840,876,544 bytes free





Directory of C:\Documents and Settings\Administrator.LAU

07/31/2006 03:09 PM <DIR> .
07/31/2006 03:09 PM <DIR> ..
10/05/2006 08:59 PM <DIR> Application Data
07/31/2006 03:09 PM <DIR> Contacts
10/09/2006 10:38 PM <DIR> Cookies
06/18/2005 04:46 PM <DIR> Desktop
06/18/2005 04:46 PM <DIR> Favorites
03/23/2005 05:03 AM <DIR> Local Settings
06/18/2005 04:46 PM <DIR> My Documents
03/23/2005 10:01 PM <DIR> NetHood
10/05/2006 09:24 PM 1,310,720 NTUSER.DAT
10/11/2006 02:34 AM 1,024 ntuser.dat.LOG
10/05/2006 09:24 PM 178 ntuser.ini
03/23/2005 05:03 AM <DIR> PrintHood
10/05/2006 09:23 PM <DIR> Recent
06/18/2005 03:12 PM <DIR> SendTo
06/18/2005 03:12 PM <DIR> Start Menu
03/23/2005 01:08 PM <DIR> Templates
03/23/2005 10:22 PM <DIR> WINDOWS
3 File(s) 1,311,922 bytes
16 Dir(s) 11,840,761,856 bytes free



Directory of C:\Documents and Settings\All Users\Application Data\Microsoft\Office

08/02/2005 11:24 PM <DIR> Data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

08/18/2005 03:08 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Premium

01/01/2006 02:45 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\.limewire\xml

12/25/2005 12:13 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Application Data\.bittorrent

12/23/2005 06:27 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Local Settings\Application Data\AOL\UserProfiles\1144859554\guest\metrics

05/23/2006 01:11 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\.limewire\xml

09/18/2005 11:06 AM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\.bittorrent

10/06/2006 01:32 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\Real\RealPlayer\skins

03/24/2006 02:43 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\1144859554\owner\metrics

10/11/2006 03:01 AM <DIR> data
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
10 Dir(s) 11,840,626,688 bytes free


Directory of C:\Documents and Settings\Administrator.LAU\Start Menu

08/01/2005 10:09 PM <DIR> Programs
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
1 Dir(s) 11,840,581,632 bytes free


Directory of C:\Documents and Settings\Administrator.LAU\templates

03/23/2005 01:08 PM <DIR> .
03/23/2005 01:08 PM <DIR> ..
08/04/2004 02:00 PM 4,570 amipro.sam
08/04/2004 02:00 PM 5,632 excel.xls
08/04/2004 02:00 PM 1,518 excel4.xls
08/04/2004 02:00 PM 2,448 lotus.wk4
08/04/2004 02:00 PM 12,288 powerpnt.ppt
08/04/2004 02:00 PM 461 presenta.shw
08/04/2004 02:00 PM 4,017 quattro.wb2
08/04/2004 02:00 PM 58 sndrec.wav
08/04/2004 02:00 PM 4,608 winword.doc
08/04/2004 02:00 PM 1,769 winword2.doc
08/04/2004 02:00 PM 30 wordpfct.wpd
08/04/2004 02:00 PM 57 wordpfct.wpg
12 File(s) 37,456 bytes

Total Files Listed:
12 File(s) 37,456 bytes
2 Dir(s) 11,840,581,632 bytes free



Directory of C:\Documents and Settings\All Users

05/30/2006 08:43 AM <DIR> .
05/30/2006 08:43 AM <DIR> ..
10/05/2006 08:38 PM <DIR> Application Data
10/09/2006 09:42 PM <DIR> Desktop
10/11/2006 12:48 PM <DIR> Documents
10/06/2006 06:43 PM <DIR> DRM
05/30/2006 08:43 AM 166,912 ElGusanoyelEscarabajo.pps
03/23/2005 05:03 AM <DIR> Favorites
12/31/2005 12:59 PM 2,578,935 Nicola Di Bari_ Vagabundo.mp3
08/01/2005 10:08 PM 262,144 NTUSER.DAT
09/14/2006 05:00 PM 1,024 NTUSER.DAT.LOG
09/30/2006 10:58 PM <DIR> Start Menu
03/23/2005 05:03 AM <DIR> Templates
4 File(s) 3,009,015 bytes
9 Dir(s) 11,840,581,632 bytes free







Directory of C:\Documents and Settings\Guest

06/22/2006 09:43 PM <DIR> .
06/22/2006 09:43 PM <DIR> ..
05/23/2006 05:25 PM <DIR> .limewire
05/23/2006 09:24 PM <DIR> Application Data
06/22/2006 09:43 PM <DIR> Contacts
10/09/2006 10:36 PM <DIR> Cookies
01/13/2006 12:16 AM <DIR> Desktop
08/03/2005 07:38 AM <DIR> Favorites
12/25/2005 12:26 PM <DIR> Incomplete
03/23/2005 05:03 AM <DIR> Local Settings
05/23/2006 03:25 PM <DIR> My Documents
03/23/2005 10:01 PM <DIR> NetHood
08/14/2006 01:54 PM 3,407,872 NTUSER.DAT
10/11/2006 04:24 AM 1,024 ntuser.dat.LOG
06/18/2005 05:00 PM 178 ntuser.ini
03/23/2005 05:03 AM <DIR> PrintHood
10/09/2006 10:36 PM <DIR> Recent
06/18/2005 03:12 PM <DIR> SendTo
12/26/2005 11:34 AM <DIR> Shared
06/18/2005 03:12 PM <DIR> Start Menu
03/23/2005 01:08 PM <DIR> Templates
03/23/2005 10:22 PM <DIR> WINDOWS
3 File(s) 3,409,074 bytes
19 Dir(s) 11,840,581,632 bytes free



Directory of C:\Documents and Settings\All Users\Application Data\Microsoft\Office

08/02/2005 11:24 PM <DIR> Data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

08/18/2005 03:08 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Premium

01/01/2006 02:45 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\.limewire\xml

12/25/2005 12:13 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Application Data\.bittorrent

12/23/2005 06:27 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Local Settings\Application Data\AOL\UserProfiles\1144859554\guest\metrics

05/23/2006 01:11 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\.limewire\xml

09/18/2005 11:06 AM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\.bittorrent

10/06/2006 01:32 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\Real\RealPlayer\skins

03/24/2006 02:43 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\1144859554\owner\metrics

10/11/2006 03:01 AM <DIR> data
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
10 Dir(s) 11,840,536,576 bytes free


Directory of C:\Documents and Settings\Guest\Start Menu

12/26/2005 12:08 AM <DIR> Programs
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
1 Dir(s) 11,840,536,576 bytes free


Directory of C:\Documents and Settings\Guest\templates

03/23/2005 01:08 PM <DIR> .
03/23/2005 01:08 PM <DIR> ..
08/04/2004 02:00 PM 4,570 amipro.sam
08/04/2004 02:00 PM 5,632 excel.xls
08/04/2004 02:00 PM 1,518 excel4.xls
08/04/2004 02:00 PM 2,448 lotus.wk4
08/04/2004 02:00 PM 12,288 powerpnt.ppt
08/04/2004 02:00 PM 461 presenta.shw
08/04/2004 02:00 PM 4,017 quattro.wb2
08/04/2004 02:00 PM 58 sndrec.wav
08/04/2004 02:00 PM 4,608 winword.doc
08/04/2004 02:00 PM 1,769 winword2.doc
08/04/2004 02:00 PM 30 wordpfct.wpd
08/04/2004 02:00 PM 57 wordpfct.wpg
12 File(s) 37,456 bytes

Total Files Listed:
12 File(s) 37,456 bytes
2 Dir(s) 11,840,536,576 bytes free



Directory of C:\Documents and Settings\Owner

10/05/2006 09:31 PM <DIR> .
10/05/2006 09:31 PM <DIR> ..
02/22/2006 10:13 PM 0 (null)list.gzip
05/30/2006 11:54 PM 0 .gtk-bookmarks
10/05/2006 09:38 PM <DIR> .housecall6.6
09/28/2006 01:53 PM <DIR> .limewire
09/14/2006 04:57 PM <DIR> Application Data
05/30/2006 11:49 PM 337 bittorrent_errors.log
10/07/2006 09:48 PM <DIR> Contacts
10/11/2006 02:35 PM <DIR> Cookies
08/17/2006 08:26 PM 111 default.pls
10/11/2006 02:32 PM <DIR> Desktop
09/09/2006 02:55 PM <DIR> Favorites
08/18/2005 03:41 PM <DIR> Incomplete
10/03/2006 10:35 PM <DIR> InstallAnywhere
04/13/2006 11:50 AM 418 IPH.BAK
03/23/2005 05:03 AM <DIR> Local Settings
08/16/2005 04:07 PM 75 LuResult.txt
10/10/2006 11:04 PM <DIR> My Documents
08/14/2006 09:30 PM <DIR> NetHood
10/10/2006 04:04 PM 6,029,312 NTUSER.DAT
10/11/2006 02:35 PM 1,024 ntuser.dat.LOG
10/10/2006 04:03 PM 278 ntuser.ini
03/23/2005 05:03 AM <DIR> PrintHood
04/28/2006 12:05 AM 600 PUTTY.RND
10/11/2006 08:50 AM <DIR> Recent
04/13/2006 11:27 PM <DIR> SendTo
03/23/2005 01:08 PM <DIR> Templates
08/18/2005 10:59 PM <DIR> UserData
03/23/2005 10:22 PM <DIR> WINDOWS
10 File(s) 6,032,155 bytes
20 Dir(s) 11,840,536,576 bytes free



Directory of C:\Documents and Settings\All Users\Application Data\Microsoft\Office

08/02/2005 11:24 PM <DIR> Data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

08/18/2005 03:08 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Premium

01/01/2006 02:45 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\.limewire\xml

12/25/2005 12:13 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Application Data\.bittorrent

12/23/2005 06:27 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Guest\Local Settings\Application Data\AOL\UserProfiles\1144859554\guest\metrics

05/23/2006 01:11 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\.limewire\xml

09/18/2005 11:06 AM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\.bittorrent

10/06/2006 01:32 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Application Data\Real\RealPlayer\skins

03/24/2006 02:43 PM <DIR> data
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\1144859554\owner\metrics

10/11/2006 03:01 AM <DIR> data
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
10 Dir(s) 11,840,532,480 bytes free


Directory of C:\Documents and Settings\Owner\Cookies\Start Menu

10/09/2006 12:54 AM <DIR> Programs
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
1 Dir(s) 11,840,532,480 bytes free


Directory of C:\Documents and Settings\Owner\templates

03/23/2005 01:08 PM <DIR> .
03/23/2005 01:08 PM <DIR> ..
08/04/2004 02:00 PM 4,570 amipro.sam
08/04/2004 02:00 PM 5,632 excel.xls
08/04/2004 02:00 PM 1,518 excel4.xls
08/04/2004 02:00 PM 2,448 lotus.wk4
08/04/2004 02:00 PM 12,288 powerpnt.ppt
08/04/2004 02:00 PM 461 presenta.shw
08/04/2004 02:00 PM 4,017 quattro.wb2
08/04/2004 02:00 PM 58 sndrec.wav
08/04/2004 02:00 PM 4,608 winword.doc
08/04/2004 02:00 PM 1,769 winword2.doc
08/04/2004 02:00 PM 30 wordpfct.wpd
08/04/2004 02:00 PM 57 wordpfct.wpg
12 File(s) 37,456 bytes

Total Files Listed:
12 File(s) 37,456 bytes
2 Dir(s) 11,840,532,480 bytes free



Directory of C:\WINDOWS\inf

08/11/2004 11:45 AM 192,512 unregmp2.exe
1 File(s) 192,512 bytes

Total Files Listed:
1 File(s) 192,512 bytes
0 Dir(s) 11,840,532,480 bytes free


Directory of C:\WINDOWS\pif

08/27/2006 11:01 PM <DIR> .
08/27/2006 11:01 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 11,840,532,480 bytes free


Directory of C:\WINDOWS\system32

08/04/2004 02:00 PM 220,672 logon.scr
10/17/2001 12:23 AM 163,840 PhotoImpression Screen Saver.scr
11/20/2000 10:58 AM 421,948 Planestate.scr
08/04/2004 02:00 PM 9,216 scrnsave.scr
08/04/2004 02:00 PM 704,512 ss3dfo.scr
08/04/2004 02:00 PM 19,968 ssbezier.scr
08/04/2004 02:00 PM 393,216 ssflwbox.scr
08/04/2004 02:00 PM 20,992 ssmarque.scr
08/04/2004 02:00 PM 47,104 ssmypics.scr
08/04/2004 02:00 PM 18,944 ssmyst.scr
08/04/2004 02:00 PM 610,304 sspipes.scr
08/04/2004 02:00 PM 14,336 ssstars.scr
08/04/2004 02:00 PM 679,936 sstext3d.scr
13 File(s) 3,324,988 bytes
0 Dir(s) 11,840,532,480 bytes free


Directory of C:\WINDOWS\Tasks

10/10/2006 04:37 PM <DIR> .
10/10/2006 04:37 PM <DIR> ..
08/08/2005 09:20 AM 106 Critical Battery Alarm Program.job
08/04/2004 02:00 PM 65 desktop.ini
08/08/2005 09:19 AM 106 Low Battery Alarm Program.job
10/11/2006 02:27 AM 330 MP Scheduled Scan.job
10/10/2006 04:34 PM 6 SA.DAT
5 File(s) 613 bytes
2 Dir(s) 11,840,532,480 bytes free

Contents of C:\WINDOWS\autoexec.bat:
----------------------------------------------------------------
----------------------------------------------------------------


Let me know what's up. Thanks!
Old 10-11-2006, 08:09 PM   #14 (permalink)
Mentor, Analyst - Security Team
 
Deckard's Avatar
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


I'm going to flat out admit that this one has me a bit flummoxed. I expected to see a trace of it in the output from that script I had you run, but not one bit of it appears. I'm still scratching my head at how you're staying infected.

Let's try a tool that will dig through your registry. Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.
Old 10-11-2006, 08:29 PM   #15 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


Here are the results:


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]
"Copernic Desktop Search" = ""C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray" ["Copernic Technologies Inc."]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"Reminder" = "C:\WINDOWS\Creator\Remind_XP.exe"
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"SNPSTD2" = "C:\WINDOWS\vsnpstd2.exe" [empty string]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1144859554\ee\AOLSoftware.exe" ["America Online, Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"!AVG Anti-Spyware" = ""C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKCU...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]
HKLM\Software\Classes\.scr\(Default) = "AutoCADScript"
<<!>> HKLM\Software\Classes\AutoCADScript\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKCU...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKCU...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKCU...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\updgoi\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKCU...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Enabled Scheduled Tasks:
------------------------

"Critical Battery Alarm Program" -> WARNING -- The file "Critical Battery Alarm Program.job" is corrupt! (no executable)
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{92A40B0A-740A-4A11-9DDB-70460C6DA383}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Copernic Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll" ["Copernic Technologies Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Investigador de Encarta"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL" [MS]
{C5F7A735-70F1-477F-8C36-6FF3C736017B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Copernic Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll" ["Copernic Technologies Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Investigador"

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"]
Messenger Sharing USN Journal Reader service, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Program Files\MSN Messenger\usnsvc.dll" [MS]}
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S200\Driver = "CNMLM3w.DLL" ["CANON INC."]
hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 314 seconds.
---------- (total run time: 369 seconds)


Thanks for your patience with this. It's nowhere near as bad as it used to be... at times I think it's gone away (like now). I hope there's a definitive solution, though. Thank you so much.
localau is offline  
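The report above ends with the legend `<<!>>: Suspicious data at a malware launch point.` and lists several kinds of launch point (file-type handlers, shell-extension DLLs, DESKTOP.INI CLSIDs, lockout policies) that a responder otherwise has to read by eye. The Python below is an added example, not code from the thread or from the report's own script: it applies those eyeball checks to a constructed excerpt written in the same layout as the posted report. The excerpt is constructed for the example; in particular `DisableRegistryTools` is 1 here (the posted log shows 0) and the `Example` handler with `example.dll` is hypothetical. A `<<!>>` hit only means a non-default handler that needs checking, not an infection: the `.scr` association that AutoCAD registers for its script files, as seen in the posted log, is a case in point.

```python
"""Triage pass over a Silent Runners-style launch-point report.

Added example for this thread, not the report script's own code.  The line
layouts mirror the report posted above; SAMPLE_REPORT itself is constructed
(DisableRegistryTools is 1 here but 0 in the posted log, and the "Example"
handler with example.dll is hypothetical).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = confirm by hand
    reason: str
    line: str


# Constructed excerpt in the same layout as the posted report.
SAMPLE_REPORT = r"""
HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{Prevent access to registry editing tools}

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Example\(Default) = "{00000000-0000-0000-0000-000000000000}"
-> {HKLM...CLSID} = "Example Object"
\InProcServer32\(Default) = "C:\Documents and Settings\All Users\Documents\example.dll" [null data]

D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKCU...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"""

FLAGGED = re.compile(r"^<<!>>\s+(?P<entry>.*)$")
INPROC = re.compile(r'InProcServer32\\\(Default\) = "(?P<path>[^"]+)" (?P<signer>\[[^\]]*\])')
POLICY = re.compile(r'^"(?P<name>\w+)" = \(REG_DWORD\) hex:0x(?P<value>[0-9a-f]{8})$', re.I)
DESKTOP_INI = re.compile(r"^[A-Z]:\\.*\\DESKTOP\.INI$", re.I)

TRUSTED = {"[MS]"}  # the report's own marker for Microsoft-owned files
# Directories a legitimate handler DLL should not be loading from.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
# Policies worms set to keep the user away from regedit and Task Manager.
LOCKOUTS = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}


def triage(report: str) -> list[Finding]:
    """Apply the checks a reviewer does by eye and return them as findings."""
    findings: list[Finding] = []
    current_ini = None  # DESKTOP.INI whose CLSID the next InProcServer32 line belongs to
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FLAGGED.match(line)
        if m:  # the report already marked this as a non-default launch point
            findings.append(Finding("review", "marked <<!>> by the report: non-default handler", m["entry"]))
            line = m["entry"]  # the remaining checks still apply to the entry itself
        if DESKTOP_INI.match(line):
            current_ini = line
            continue
        m = INPROC.search(line)
        if m:
            path, signer = m["path"], m["signer"]
            if any(tok in path.lower() for tok in USER_WRITABLE):
                findings.append(Finding("high", "launch point loads a DLL from a user-writable directory", line))
            elif signer == "[null data]":
                findings.append(Finding("review", "DLL carries no version/company information", line))
            if current_ini and signer not in TRUSTED:
                findings.append(Finding("review", f"{current_ini} makes Explorer load a non-Microsoft DLL", line))
            current_ini = None
            continue
        m = POLICY.match(line)
        if m and m["name"] in LOCKOUTS and int(m["value"], 16) != 0:
            findings.append(Finding("high", f"{m['name']} is set: tooling lockout commonly applied by worms", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the constructed excerpt it returns five findings: the `<<!>>` handler and the `[null data]` WinRAR extension for review, the DESKTOP.INI that loads a non-Microsoft DLL for review, and two high-severity items, the hypothetical handler under `Documents and Settings` and the registry-tools lockout. To run it on a real report, read the saved log file into `triage()` instead of `SAMPLE_REPORT`.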
Old 10-11-2006, 08:47 PM   #16 (permalink)
Mentor, Analyst - Security Team
 
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


So Norton is being quiet right now? If so, we might have gotten it although I'm not sure how. If not; let's try another tool. That one turned up nothing suspicious.

Please download StartDreck. Unzip that file to its own folder on your Desktop and start the program:
  1. Press 'Config'
  2. Press 'mark all'
  3. Uncheck the following box only: List Modules (listed under 'Running Processes' on the right side).
  4. Press 'OK'
  5. Press 'Save' and select the location to save the log file (default is the same folder as the application).
  6. Post the contents of that log with your next post.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
Deckard is offline  
Old 10-11-2006, 09:19 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


Yes, I haven't heard a peep, even after a reboot (prime time for the popups) :D:D:D
StartDreck won't work, though. I start it, but after clicking config it freezes.
localau is offline  
Old 10-11-2006, 09:40 PM   #18 (permalink)
Mentor, Analyst - Security Team
 
 
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


That pleases me, although I hate not knowing what was causing the reinfection. Let's wrap up the thread and give it a few days. If it doesn't return by the weekend, let's call it good. I'll keep the thread open until then, so if it comes back just post a reply here (with a new HJT log, too).

Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address.

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm and then click OK.

Reset System Restore
  • Go to Start>Run, type SYSDM.CPL and press Enter.
  • Select the System Restore tab.
  • Check "Turn off System Restore on all drives" and click Apply.
  • Now uncheck the same option and click OK.


Re-enable Protection
Turn back on any malware prevention tools we might have had you switch off.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Please ensure that you have already patched your system against these recent critical exploits:
Enable Windows Auto Update:
  • Go to Start>Run, type WUAUCPL.CPL and press Enter.
  • Make sure "Keep my computer up to date" is checked.
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Update Java
You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  1. Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  2. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  3. Click the "Download" button to the right.
  4. Check the box that says: "Accept License Agreement".
  5. The page will refresh.
  6. Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop.
  7. Close any programs you may have running -- especially your web browser(s).
  8. Go to Start>Control Panel and double-click on Add/Remove Programs.
  9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  10. Click the Remove or Change/Remove button.
  11. Repeat as many times as necessary to remove each version of Java.
  12. Reboot your computer once all Java components are removed.
  13. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
  14. After the reboot, go back into the Control Panel and double-click the Java icon.
  15. Under Temporary Internet Files, click the Delete Files button.
  16. There are three options in the window to clear the cache - Leave ALL three checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  17. Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache.
  18. Click OK to leave the Java Control Panel.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.
Firewalls
A good firewall is the first line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:
Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.
Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on its homepage.
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.
Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:
  • Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
  • Miranda-IM - another Instant Messenger client with multiple IM capabilities.
  • Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.
Deckard is offline  
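The MVPS Hosts step above swaps in a replacement HOSTS file wholesale. On a machine that has been infected it is worth reading the current file first, because malware commonly adds lines that point Windows Update or antivirus update servers at 127.0.0.1, and it is worth keeping any legitimate LAN entries the user has added. The Python below is an added example, not the MVPS batch file or any code from the thread: it parses a hosts file, flags hijacked or redirecting entries, drops the hijacks, and merges a blocklist without letting it shadow existing mappings (Windows takes the first matching line for a name). The sample hosts file, the blocklist excerpt and the `PROTECTED` watch-list are all constructed for the example.

```python
"""Audit a Windows HOSTS file and merge a blocklist into it.

Added example for this thread, not the MVPS batch file or any code posted
above.  EXISTING, BLOCKLIST and the PROTECTED watch-list are constructed.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample of the hosts file on the machine being cleaned.
EXISTING = """\
# (original header comments)
127.0.0.1       localhost
192.168.1.10    intranet.example            # legitimate LAN entry to keep
127.0.0.1       windowsupdate.microsoft.com # constructed: the kind of line malware adds
"""

# Constructed excerpt in the MVPS layout; the real list runs to thousands of lines.
BLOCKLIST = """\
# (blocklist header comments)
0.0.0.0 ads.example
0.0.0.0 tracker.example
0.0.0.0 intranet.example   # constructed clash: must not shadow the LAN entry
"""

# Addresses that make an entry a block (sinkhole) rather than a redirect.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Names a poisoned hosts file commonly repoints so that updates and definition
# downloads fail.  Constructed watch-list: extend it with the update hosts of
# the products you actually run.
PROTECTED = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "liveupdate.symantecliveupdate.com",
}

ENTRY = re.compile(r"^(?P<ip>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text: str) -> list[tuple[str, str, int]]:
    """Return (address, hostname, line_number) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # first token is not an address, so this is not a mapping
        for name in m["names"].split():
            entries.append((addr, name.lower(), lineno))
    return entries


def audit(text: str) -> list[str]:
    """Flag hijacked protected names and entries that redirect instead of block."""
    entries = parse_hosts(text)
    problems = []
    if ("127.0.0.1", "localhost") not in {(a, n) for a, n, _ in entries}:
        problems.append("missing '127.0.0.1 localhost'")
    for addr, name, lineno in entries:
        if name in PROTECTED:
            problems.append(f"line {lineno}: {name} -> {addr} hijacks update traffic")
        elif addr not in SINKHOLE and not ipaddress.ip_address(addr).is_private:
            problems.append(f"line {lineno}: {name} -> {addr} redirects to a public address")
    return problems


def drop_protected(text: str) -> str:
    """Remove every line that maps a protected name."""
    bad = {lineno for _, name, lineno in parse_hosts(text) if name in PROTECTED}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


def merge(existing: str, blocklist: str) -> str:
    """Keep the existing mappings first (first match wins in hosts resolution)
    and append blocklist entries only for names that are not already mapped."""
    seen = {name for _, name, _ in parse_hosts(existing)}
    out = [existing.rstrip("\n"), "", "# --- merged blocklist ---"]
    for addr, name, _ in parse_hosts(blocklist):
        if name not in seen:
            seen.add(name)
            out.append(f"{addr} {name}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(EXISTING))
    merged = merge(drop_protected(EXISTING), BLOCKLIST)
    print(merged)
    print("after:", audit(merged))
```

On the constructed input `audit(EXISTING)` reports the hijacked `windowsupdate.microsoft.com` line and nothing else; after `drop_protected()` and `merge()` the LAN entry still resolves to 192.168.1.10, the clashing blocklist line for it is skipped, and the audit comes back clean. On a real machine point it at `%SystemRoot%\system32\drivers\etc\hosts` and at the downloaded MVPS file instead of the two sample strings.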
Old 10-11-2006, 09:51 PM   #19 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


Sounds good to me! let's hope it doesn't rear its ugly head again.
Thank you so so so so much for everything!!!
localau is offline  
Old 10-12-2006, 05:51 PM   #20 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 25
OS: windows xp


:(
It never left after all. I've been receiving notifications all day.
localau is offline  
 





Copyright 2001 - 2009, Tech Support Forum