Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 02-21-2007, 11:09 AM
tsf1jay - Registered User
Join Date: Feb 2007
Posts: 21
OS: XP home edition

Multiple infections HELP!

My computer is infected with multiple viruses which do not go away after a McAfee scan. I ran McAfee in SAFE mode in DOS and it says it cleaned a bunch of viruses/trojans (please see the log). When I reboot in normal mode, the viruses/trojans reappear and also replicate too many times. I also ran the Tune-Up! registry fix after the McAfee scan, but that does not seem to help. Attaching the log from the McAfee scan and the HijackThis log I got after I rebooted in normal mode.
================= begin of McAfee scan log ============
McAfee VirusScan for Win32 v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - May 26 2006

Scan engine v5.1.00 for Win32.
Virus data file v4967 created Feb 20 2007
Scanning for 230136 viruses, trojans and variants.



02/20/2007 23:43:33


Options:
C:\WINDOWS /ADL /CLEAN /ALL /REPORT REPORT.TXT

Scanning C: []
Scanning C:\WINDOWS\*.*

Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 287
Clean: ................. 287
Possibly Infected: ..... 0
Cleaned: ............... 0
Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Owner\Local Settings\Temp\1.dllb ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\5.dllb ... Found the W32/Zhelatin.gen.b@MM virus !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\qv3xt3.game ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\qvxt34.game ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\qvxt42.game ... Found the Tibs trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\win9868.tmp\win9868.tmp ... Found the BackDoor-CXJ trojan !!!
The file has been deleted.
C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}\Update.exe ... Found the Generic Downloader.k trojan !!!
The file has been deleted.
C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}\Bar888.dll ... Found the Matcash.dll trojan !!!
The file has been deleted.
C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc1\Update.exe ... Found the Generic Downloader.k trojan !!!
The file has been deleted.
C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc2\Update.exe ... Found the Generic Downloader.k trojan !!!
The file has been deleted.
C:\WINDOWS\system32\adir.dll ... Found the Downloader-ZQ trojan !!!
The file has been deleted.
C:\WINDOWS\system32\dlh9jkd1q1.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\dlh9jkd1q5.exe ... Found the W32/Zhelatin.gen.b@MM virus !!!
The file has been deleted.
C:\WINDOWS\system32\inet.exe ... Found the Tibs trojan !!!
The file has been deleted.
C:\WINDOWS\system32\qvx5gamet2.exe ... Found the Tibs trojan !!!
The file has been deleted.
C:\WINDOWS\system32\qvxga6met3.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\qvxga7met4.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\unsvchosts.exe ... Found the Matcash trojan !!!
The file has been deleted.
C:\WINDOWS\system32\vxga1me4t1.exe ... Found the W32/Zhelatin.gen.b@MM virus !!!
The file has been deleted.
C:\WINDOWS\system32\vxga3me2.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\vxga4m1et4.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\vxga4me1.exe\00001060.EXE\00001060.EXE ... Found the BackDoor-CXJ trojan !!!
The file has been deleted.
C:\WINDOWS\system32\wincom32.sys ... Found the Downloader-BAI.sys.gen trojan !!!
The file has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 74855
Clean: ................. 74744
Possibly Infected: ..... 23
Cleaned: ............... 0
Deleted: ............... 23
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 01:13.42
================= end of McAfee scan log============

Then I ran HijackThis to take the log:
================= Begin of HijackThis log============
Logfile of HijackThis v1.99.1
Scan saved at 7:58:15 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\dxdlg32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\kernels88.exe
C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\internet explorer\iexplore.exe
C:\Windows\xpupdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\system32\dxdlg32.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
================= end of HijackThis log============

Please help how to remove all these trojans/viruses.
#2 - 02-21-2007, 11:59 PM
Sempurna - Analyst, Security Team
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2

Hi tsf1jay,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

You have a heavily infected system, and it will take patience and a few rounds of cleaning to clear your system. Hang in there, and it will be all over before you know it. :)

OK, here’s what we do first.


BEFORE BEGINNING, please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save them for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download SDFix by AndyManchesta and save it to your desktop.

Right-click the SDFix.zip folder and choose Extract All to extract it to its own folder on the desktop.

Please then reboot your computer into Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.


Once in Safe Mode, please do the following:
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum along with a new HijackThis log.


NEXT:

Please download VundoFix.exe by Atribune and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

NOTE : It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "click the Scan for Vundo button" when VundoFix appears at reboot.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll
O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\system32\dxdlg32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please go to Start -> Run and type (or copy and paste) the following lines in the Open field, ONE AT A TIME, then click OK:

sc stop "Client IP-IPX"

sc stop RpcPatch

sc stop RpcTftpd

sc delete "Client IP-IPX"

sc delete RpcPatch

sc delete RpcTftpd



NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\dxdlg32.exe
    C:\WINDOWS\system32\kernels88.exe
    C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}
    C:\Windows\xpupdate.exe
    C:\WINDOWS\system32\dlh9jkd1q6.exe
    C:\WINDOWS\system32\dlh9jkd1q7.exe
    C:\WINDOWS\system32\dlh9jkd1q6.exe
    C:\WINDOWS\system32\dlh9jkd1q7.exe
    C:\WINDOWS\system32\ideoept.dll
    C:\WINDOWS\system32\adirss.exe
    C:\WINDOWS\system32\a3dxq.dll
    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    C:\WINDOWS\System32\wins\DLLHOST.EXE
    C:\WINDOWS\System32\wins\svchost.exe
    C:\WINDOWS\System32\wins


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it on your next reply.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

BEFORE BEGINNING, please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save them for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.


Please download Dr.Web CureIt and save it to your desktop:


Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.


Now scan with Dr.Web CureIt:
  • Double-click the drweb-cureit.exe file. It will then suggest running an "Express Scan" -- this you should allow.
  • After this (Dr.Web writes "Done" at the bottom left), you click "Options" menu -> "Change settings".
  • Choose the "Scan" tab, uncheck the mark at "Heuristic analysis".
  • Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
  • Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
  • Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, you click "Yes to All", and it will after this automatically fix what is found.
  • After the scan, go to the "View" menu -> "Report list".
  • Then go to the "File" menu -> "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
  • Close Dr.Web CureIt.
  • REBOOT your computer!! Files that are in use may only be moved/deleted during the reboot.

After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, together with a new HijackThis log.


NEXT:

I notice that your system doesn’t have an anti-virus program running. This can be suicidal in today’s digital age. :)

So, let’s set you up with a FREE and excellent anti-virus program called Active Virus Shield (Powered by Kaspersky). This is a highly ranked and highly regarded anti-virus program by our experts. It’s ranked #2 in the latest anti-virus test here:
http://www.virus.gr/english/fullxml/default.asp?id=82

Please download Active Virus Shield (Powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:
  • Then please update the program and run a scan on My Computer. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.
  • Click the Scan button on the left, and then click Detected.
  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply.

Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the SDFix scan.
  2. The log from the VundoFix scan.
  3. The report from OTMoveIt.
  4. The log from the Dr.Web CureIt scan.
  5. The log from the Active Virus Shield scan.
  6. A new HijackThis log.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Last edited by Sempurna; 02-22-2007 at 12:00 AM.
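As an added example (not part of the thread, and not HijackThis, SDFix or OTMoveIt code), the following Python script applies the kind of reading Sempurna gives the log above: it parses the HijackThis "O" entries, flags unnamed BHOs, autostarts launched straight out of the Windows directory, Trusted Zone additions, unknown Winsock LSP files, DNS overrides, non-default Winlogon Notify packages and owner-less services whose binary is missing, and then emits the `sc stop`/`sc delete` lines and the OTMoveIt path list the reply asks for. The sample lines are a constructed subset of the posted log; the Winlogon Notify allowlist and the "autostart from %SystemRoot%" heuristic are this example's own assumptions.

```python
"""HijackThis 1.99 log triage (added example, not HijackThis or SDFix code).

Parses the "Oxx - ..." entries, flags the entry classes the reply above
singles out, and builds the two cleanup artefacts the reply asks for.
"""
import re
from collections import Counter

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O15 - Trusted Zone: *.winfixer.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
RUN_RE = re.compile(r'^HK[A-Z]+\\\.\.\\Run: \[(.+?)\] "?(.+?\.exe)"?', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
SERVICE_RE = re.compile(r"^Service: (.+?)(?: \(([^()]+)\))? - (.+?) - (.+)$")

# Assumption: Winlogon Notify packages found on a stock XP SP2 install
# (plus Intel's igfxcui). Anything else is treated as suspect.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}


def parse_entries(text):
    """Return (section, body) pairs for every R/O entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return (section, verdict, detail) triples; verdict is 'remove' or 'review'."""
    findings = []
    lsp = Counter()
    for section, body in parse_entries(text):
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "remove", body.rsplit(" - ", 1)[1]))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                parent = m.group(2).rsplit("\\", 1)[0].lower()
                # Assumption: real software seldom autostarts straight out of
                # %SystemRoot% or system32; such entries get a human look.
                if parent.endswith(("\\windows", "\\windows\\system32")):
                    findings.append((section, "review", m.group(2)))
        elif section == "O10":
            lsp[body.split(": ", 1)[1].lower()] += 1
        elif section == "O15":
            # Wildcard Trusted Zone entries were planted; the reply removes all.
            findings.append((section, "remove", body))
        elif section == "O17":
            # A DNS override cannot be judged offline; surface it for review.
            findings.append((section, "review", body.split(": ", 1)[1]))
        elif section == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group(1).lower() not in KNOWN_NOTIFY:
                findings.append((section, "remove", m.group(2)))
        elif section == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group(3) == "Unknown owner" and body.endswith("(file missing)"):
                # Prefer the short service name; fall back to the display name.
                findings.append((section, "remove", m.group(2) or m.group(1)))
    for dll, count in lsp.items():
        findings.append(("O10", "review", f"{dll} ({count} LSP entries)"))
    return findings


def cleanup_plan(text):
    """Build the sc command list and the OTMoveIt path list from the findings."""
    names, paths = [], []
    for section, verdict, detail in triage(text):
        if section == "O23" and verdict == "remove":
            names.append(f'"{detail}"' if " " in detail else detail)
        elif section in ("O2", "O4", "O20"):
            paths.append(detail)  # 'review' items stay in for a human to confirm
    commands = [f"sc stop {n}" for n in names] + [f"sc delete {n}" for n in names]
    return commands, paths


if __name__ == "__main__":
    for section, verdict, detail in triage(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<7} {detail}")
    commands, paths = cleanup_plan(SAMPLE_LOG)
    print("\n".join(commands))
    print("\n".join(paths))
```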
#3 - 02-22-2007, 07:01 AM
tsf1jay - Registered User
Join Date: Feb 2007
Posts: 21
OS: XP home edition

I am done with the SDFix step and have the HJT log from after SDFix. Posting those logs; I will continue from the VundoFix step onwards this evening and let you know.

Contents of SDFix Report.txt
==================
SDFix: Version 1.67

Run by Owner - Wed 02/21/2007 @ 2241.70

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE

Path:
"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271
\??\C:\WINDOWS\system32\main.sys

Client IP-IPX Deleted
EXAMPLE Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\DNS.EXE - Deleted
C:\WINDOWS\system32\ma.exe.exe - Deleted
C:\WINDOWS\system32\pp.exe.exe - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\hd4.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\hd5.tmp - Deleted
C:\as.txt - Deleted
C:\WINDOWS\system32\adirss.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\dxdlg32.exe - Deleted
C:\WINDOWS\system32\kernels88.exe - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\taskdir.exe - Deleted
C:\WINDOWS\system32\vxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vxga3me2.exe - Deleted
C:\WINDOWS\system32\vxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vxga4me1.exe - Deleted
C:\WINDOWS\system32\vxga5me3.exe - Deleted
C:\WINDOWS\system32\vxg3am1et3.exe - Deleted
C:\WINDOWS\system32\vxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vxg6ame4.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted

Could Not Remove C:\WINDOWS\Temp\wuauclt.exe


ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------
C:\WINDOWS\Temp\wuauclt.exe Found

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\Downloaded Program Files\WebDriverFullInstall.exe
C:\WINDOWS\F?nts\chkdsk.exe
C:\CONFIG.SYS
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0246.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0460.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0476.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1277.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1313.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1343.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2326.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2665.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3020.tmp
C:\HUSE100\~WRL0067.tmp
C:\HUSE100\~WRL0311.tmp
C:\HUSE100\~WRL1168.tmp
C:\HUSE100\~WRL1705.tmp
C:\HUSE100\~WRL1776.tmp
C:\HUSE100\~WRL2041.tmp
C:\HUSE100\~WRL2478.tmp
C:\HUSE100\~WRL2812.tmp
C:\HUSE100\~WRL3401.tmp
C:\HUSE100\~WRL3402.tmp
C:\My Pics\smartCardcopy\DCIM\100_PANA\SIV8.tmp
C:\WINDOWS\temp\BIT3B.tmp
C:\WINDOWS\temp\BIT3B1.tmp
C:\WINDOWS\temp\BITE2.tmp
C:\WINDOWS\temp\win16C7.tmp
C:\WINDOWS\temp\win55DD.tmp
C:\WINDOWS\temp\winBC04.tmp
C:\WRIT121\Paper II\~WRL0004.tmp
C:\WRIT121\Paper II\~WRL0193.tmp
C:\WRIT121\Paper II\~WRL0240.tmp
C:\WRIT121\Paper II\~WRL0266.tmp
C:\WRIT121\Paper II\~WRL0339.tmp
C:\WRIT121\Paper II\~WRL0411.tmp
C:\WRIT121\Paper II\~WRL0470.tmp
C:\WRIT121\Paper II\~WRL0471.tmp
C:\WRIT121\Paper II\~WRL0525.tmp
C:\WRIT121\Paper II\~WRL0661.tmp
C:\WRIT121\Paper II\~WRL0800.tmp
C:\WRIT121\Paper II\~WRL1180.tmp
C:\WRIT121\Paper II\~WRL1272.tmp
C:\WRIT121\Paper II\~WRL1373.tmp
C:\WRIT121\Paper II\~WRL1408.tmp
C:\WRIT121\Paper II\~WRL1414.tmp
C:\WRIT121\Paper II\~WRL1534.tmp
C:\WRIT121\Paper II\~WRL1700.tmp
C:\WRIT121\Paper II\~WRL1746.tmp
C:\WRIT121\Paper II\~WRL1809.tmp
C:\WRIT121\Paper II\~WRL1834.tmp
C:\WRIT121\Paper II\~WRL2129.tmp
C:\WRIT121\Paper II\~WRL2180.tmp
C:\WRIT121\Paper II\~WRL2205.tmp
C:\WRIT121\Paper II\~WRL2317.tmp
C:\WRIT121\Paper II\~WRL2318.tmp
C:\WRIT121\Paper II\~WRL2432.tmp
C:\WRIT121\Paper II\~WRL2434.tmp
C:\WRIT121\Paper II\~WRL2506.tmp
C:\WRIT121\Paper II\~WRL2755.tmp
C:\WRIT121\Paper II\~WRL2851.tmp
C:\WRIT121\Paper II\~WRL2852.tmp
C:\WRIT121\Paper II\~WRL2868.tmp
C:\WRIT121\Paper II\~WRL2871.tmp
C:\WRIT121\Paper II\~WRL3175.tmp
C:\WRIT121\Paper II\~WRL3318.tmp
C:\WRIT121\Paper II\~WRL3605.tmp
C:\WRIT121\Paper II\~WRL3614.tmp
C:\WRIT121\Paper II\~WRL3939.tmp
C:\WRIT121\Paper II\~WRL3945.tmp
C:\WRIT121\Paper II\~WRL3956.tmp

Add/Remove Programs List:

ECHO is off.
7-Zip 4.12 beta
Adobe Acrobat 5.0
Adobe Shockwave Player
Adobe Download Manager 2.0 (Remove Only)
Blue's Art Time Activities
Britannica Ready Reference
CleanUp!
Clifford Thinking Adventures
Conexant SoftK56 Modem(M)
Grammar Games
HijackThis 1.99.1
Pinnacle Hollywood FX for Studio
Chutes and Ladders
SmartSound Quicktracks Plugin
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment Standard Edition v1.3.1_02
JumpStart Music
Microsoft Data Access Components KB870669
Kid Pix Studio Deluxe
Logitech Print Service
Magic School Bus - Rainforest
MSN Toolbar
Netscape 6 (6.2.1)
Outerinfo
Panda ActiveScan
Phonics
Picasa 2
Logitechr Camera Driver
QuickTime
RC Daredevil
RealPlayer
Registry Mechanic 6.0
Adobe Flash Player 9 ActiveX
SoundCapture
Learn2 Player (Uninstall Only)
Study Helpers Math Booster
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
Winamp (remove only)
Windows XP Service Pack 2
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v7
Outerinfo
Yahoo! Install Manager
Microsoft Office 2000 Premium
Google Talk (remove only)
Jasc Paint Shop Photo Album 5
Google Earth
Logitech QuickCam
SmartSound Quicktracks Plugin
SD Viewer for DSC
Windows XP Junglebook Compatiblity Fix
PowerDVD
NetZero
Windows Backup Utility
Intel(R) Extreme Graphics Driver
Disney's The Jungle Book Learning
Logitech Desktop Messenger
Studio 9
Dora the Explorer: Animal Adventures
SpyWare Killer Pro
Adobe Reader 7.0.9
Genesys USB Mass Storage Device
ArcSoft Software Suite
TuneUp Utilities 2007
Search for the Secret Keys
Pinnacle Instant DVD Recorder
Microsoft Works 6.0
Realtek AC'97 Audio
Multimedia Keyboard Driver

Finished

HijackThis log after SDFix
===================
Logfile of HijackThis v1.99.1
Scan saved at 10:19:41 PM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\FNTS~1\chkdsk.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: (no name) - {8049C913-2385-5D21-8848-2A909BA33FE9} - C:\WINDOWS\system32\gka.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Usrr] "C:\WINDOWS\FNTS~1\chkdsk.exe" -vt yazb
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
Old 02-22-2007, 11:06 AM   #4 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


OK, looking forward to the rest of the logs.

Cheers!
~ Semps
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 02-22-2007, 09:27 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


Hello Sempurna,

Posting logs from VundoFix, OTMoveIt, Dr Web CureIt scans. Actually I had uninstalled McAfee when it failed to remove the viruses/trojans that infected my computer. I tried running McAfee VirusScan in DOS / SAFE mode, which said it deleted all viruses/trojans, but when I rebooted in Normal mode the viruses were coming back and disabling McAfee. Hence I had uninstalled it. Now I have installed it again and finally took a HJT scan. I did not install Active Virus Shield. I am planning to upgrade to McAfee Internet Security (or Panda Internet Security as it is cheaper), let me know if that is a bad idea.

===== VundoFix log =======
VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 7:27:51 PM 2/22/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...
=======end of VundoFix log ============

===== OTMoveIt log =======
File/Folder C:\WINDOWS\system32\svchosts.exe not found.
File/Folder C:\WINDOWS\system32\dxdlg32.exe not found.
File/Folder C:\WINDOWS\system32\kernels88.exe not found.
C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001} moved successfully.
File/Folder C:\Windows\xpupdate.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q6.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q7.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q6.exe not found.
File/Folder C:\WINDOWS\system32\dlh9jkd1q7.exe not found.
File/Folder C:\WINDOWS\system32\ideoept.dll not found.
File/Folder C:\WINDOWS\system32\adirss.exe not found.
LoadLibrary failed for C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\a3dxq.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\a3dxq.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll NOT unregistered.
File move failed. C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\System32\wins\DLLHOST.EXE not found.
File/Folder C:\WINDOWS\System32\wins\svchost.exe not found.
C:\WINDOWS\System32\wins moved successfully.

Created on 02/22/2007 19:58:35
===== End of OTMoveIt log =======

===== Dr Web CureIt log =======
msnetax.dll;c:\windows\system32;Trojan.Sender;Deleted.;
wuauclt.exe;c:\windows\temp;Trojan.DownLoader.18510;Deleted.;
exe.exe;C:\;Trojan.Proxy.1390;Deleted.;
svchost2.exe;C:\;Trojan.AVKill.252;Deleted.;
setup[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BCVDC12O;Trojan.Packed.32;Deleted.;
ma[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\10XDBVKI;Trojan.Packed.32;Deleted.;
rproxy[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\10XDBVKI;Trojan.Proxy.1390;Deleted.;
pp[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1HCG86S;Trojan.Packed.32;Deleted.;
Yazzle1122OinAdmin.exe\data001;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.ClickSpring;;
Yazzle1122OinAdmin.exe;C:\Program Files\Common Files;Archive contains infected objects;Moved.;
system.dll;C:\Program Files\Common Files\{1417BE8B-0A20-1033-0916-031025200001};Trojan.DownLoader.17799;Deleted.;
Uninstall.exe;C:\Program Files\SpySheriff;Adware.Spysheriff;Renamed.;
system.dll;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.17799;Deleted.;
xxee;C:\RECYCLER\S-1-5-18\Dc4;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc5;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc6;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc7;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc8;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc9;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc1;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc2;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc3;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc4;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc6;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc7;Trojan.DownLoader.17799;Deleted.;
xpupdate.vxe;C:\WINDOWS;Trojan.Packed.30;Deleted.;
dd.exe;C:\WINDOWS\system32;Trojan.Packed.31;Deleted.;
dlh9jkd1q2.vxe;C:\WINDOWS\system32;Trojan.Packed.30;Deleted.;
setup.exe;C:\WINDOWS\system32;Trojan.Packed.32;Deleted.;
sm.exe;C:\WINDOWS\system32;Trojan.Packed.31;Deleted.;
wsys.dll;C:\WINDOWS\system32;Trojan.MulDrop.5450;Will be cured after reboot.;
cel90xbe.sys;C:\WINDOWS\temp;Trojan.NtRootKit.206;Will be cured after reboot.;
winsys2f.dll;C:\_OTMoveIt\MovedFiles\Documents and Settings\All Users\Documents\Settings;BackDoor.Uragan;Deleted.;
system.dll;C:\_OTMoveIt\MovedFiles\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001};Trojan.DownLoader.17799;Deleted.;

===== End of Dr Web CureIt log =======

Reinstalled McAfee VirusScan...

=== HJT log after Mcafee VirusScan reinstallation =======
Logfile of HijackThis v1.99.1
Scan saved at 11:09:18 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\zHotkey.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\NZSearch\nzspc.exe
C:\WINDOWS\FNTS~1\chkdsk.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: (no name) - {8049C913-2385-5D21-8848-2A909BA33FE9} - C:\WINDOWS\system32\gka.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Usrr] "C:\WINDOWS\FNTS~1\chkdsk.exe" -vt yazb
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
================

Computer seems to be okay now, let me know if there are any further steps I need to take (should I use Active Virus Shield rather than McAfee?). Thanks!

Last edited by tsf1jay; 02-22-2007 at 09:29 PM.
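As an added example (not code from this thread, from its posters or from HijackThis), a small Python triage script that parses HJT 1.99.1 log lines of the kinds posted above and flags the item classes the analyst acts on: O10 LSP entries, O15 Trusted Zone additions, O17 NameServer overrides, O20 AppInit_DLLs and unknown Winlogon Notify handlers, O23 services with missing binaries, unnamed BHOs/toolbars, and autoruns or processes started from temp folders or wearing a system binary's name outside system32. The sample log, the KNOWN_NOTIFY allowlist and the SYSTEM_NAMES set are assumptions constructed for the example.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, not HJT's own code).
KNOWN_NOTIFY and SYSTEM_NAMES are assumptions made for this example."""
import re
from collections import Counter

# Constructed sample modelled on the line shapes of the HJT logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\FNTS~1\chkdsk.exe

O2 - BHO: (no name) - {8049C913-2385-5D21-8848-2A909BA33FE9} - C:\WINDOWS\system32\gka.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [Usrr] "C:\WINDOWS\FNTS~1\chkdsk.exe" -vt yazb
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O15 - Trusted Zone: *.winfixer.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# Executable named after the [name] tag of an O4 line, quoted or not.
RUN_TARGET = re.compile(r'\]\s*"?(.+?\.(?:exe|dll|bat|cmd))', re.I)
# Winlogon Notify handlers expected on a stock XP SP2 install (assumed allowlist).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "igfxcui", "scecli",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Windows binary names that the malware in this thread imitated outside system32.
SYSTEM_NAMES = {"chkdsk.exe", "svchost.exe", "wuauclt.exe"}
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse(text):
    """Split a log into (process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def suspicious_path(path):
    """Reason if the path runs from a temp folder or mimics a system binary, else None."""
    p = path.lower().replace("/", "\\")
    if any(marker in p for marker in TEMP_MARKERS):
        return "runs from a temp folder"
    parts = p.split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    if parts[-1] in SYSTEM_NAMES and parent not in ("system32", "system"):
        return "system binary name outside system32"
    return None


def triage(text):
    """Return a list of (code, reason, detail) findings for one HJT log."""
    processes, entries = parse(text)
    findings, lsp = [], Counter()
    for proc in processes:
        why = suspicious_path(proc)
        if why:
            findings.append(("PROC", why, proc))
    for code, body in entries:
        if code in ("O2", "O3") and "(no name)" in body:
            findings.append((code, "unnamed BHO/toolbar", body))
        elif code == "O4":
            m = RUN_TARGET.search(body)
            why = suspicious_path(m.group(1)) if m else None
            if why:
                findings.append((code, why, body))
        elif code == "O10" and "Winsock LSP:" in body:
            # One entry per LSP chain position; count them per DLL.
            lsp[body.split("LSP:", 1)[1].strip().lower()] += 1
        elif code == "O15":
            findings.append((code, "Trusted Zone entry added", body))
        elif code == "O17":
            findings.append((code, "NameServer override; confirm it is the ISP's DNS", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((code, "AppInit_DLLs loads into every user32 process", body))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            handler = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if handler not in KNOWN_NOTIFY:
                findings.append((code, "unknown Winlogon Notify handler", body))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service points at a missing binary", body))
    for dll, n in lsp.items():
        findings.append(("O10", f"{n} LSP entries; repair the chain, do not just delete the file", dll))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}: {detail}")
```

The O10 finding is reported once per DLL with its entry count, because deleting an LSP DLL without rebuilding the chain (the LSPFix step below) leaves Winsock unable to load, which is why the analyst separates the two steps.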
Old 02-23-2007, 08:30 AM   #6 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

Well, it is entirely up to you whether you want to keep McAfee or not. It is a good and reliable AV. I’ve never used a paid security suite before, but I hear that they may use up a lot of system resources, and may slow down your system.

You can set up your own FREE security suite if you like. In some cases, they can be better than the paid security suites. You may look at this site for more info:
http://wiki.castlecops.com/Roll_your...Security_Suite

I myself use Active Virus Shield powered by Kaspersky (NOTE: please do NOT install the Security Toolbar that comes with it) as my onboard AV. It is highly rated by our own experts and by the security community at large. And it is FREE! It is rated No. 2 in this test:
http://www.virus.gr/english/fullxml/default.asp?id=82

For my firewall, I use Comodo Personal Firewall, another excellent and FREE security app. It even beats many paid firewalls! It is robust, passes the majority of leak tests, easy to use (and has pro features if you know how to use them… if you don’t, leave those things on the default settings), and it is FREE!:


The other tools I use to protect my system are in the Roll your own Free Security Suite site. I use IE-SPYAD and SpywareBlaster for protection (they take no system resources at all, although you have to manually update them). I also use SUPERAntiSpyware, Spybot-S&D, Ad-Aware SE, and AVG Anti-Spyware for ad-hoc scans. You have to manually update these, too.

OK, let’s continue with the cleaning up of your system.


NEXT:

Please download LSPFix and save it to your desktop:
  • Disconnect from the Internet.
  • Unzip the LSPFix file to your desktop.
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I'm doing" checkbox.
  • Select (highlight) all instances of "msnetax.dll" in the left-hand column under "Keep".
  • Click the arrow >> so it goes over to the right-hand column under "Remove".
  • Then click Finish to allow LSPFix to rebuild the LSP chain.


NEXT:

Please run OTMoveIt and quarantine these files:

c:\windows\system32\msnetax.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\WINDOWS\temp\BIT3B.tmp
C:\WINDOWS\temp\BIT3B1.tmp
C:\WINDOWS\temp\BITE2.tmp
C:\WINDOWS\temp\win16C7.tmp
C:\WINDOWS\temp\win55DD.tmp
C:\WINDOWS\temp\winBC04.tmp



NEXT:

Please delete this folder:

C:\WINDOWS\F?nts


The question mark (?) could be a foreign alphabet or a symbol. Or it could just be "Fonts".


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  1. Run the CCleaner installer.
  2. During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION : Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please do an online scan with Panda ActiveScan:
  1. Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
  2. A new window will open... click the "Check Now" button.
  3. Enter your Country.
  4. Enter your State/Province.
  5. Enter your e-mail address.
  6. Select either Home User or Company.
  7. Click the big "Free Online Scan" button.
  8. If it wants to install an ActiveX component allow it.
  9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
  10. When the download is complete, click on "Local Disks" to start the scan.
  11. When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  7. Click OK.
  8. Now under select a target to scan:
    • Select My Computer.
  9. This program will start and scan your system.
  10. The scan will take a while so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.


NEXT:

Please download ComboScan by Deckard and save it to your desktop:
  • Close all applications and windows (including this one).
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open – ComboScan.txt.
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the contents of ComboScan.txt in your next reply.
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  • Please attach Supplementary.txt to your post.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the Panda scan.
  2. The log from the Kaspersky scan.
  3. The logs from ComboScan.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna; 02-23-2007 at 08:33 AM.
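Two of the judgement calls in the instructions above, written out as an added example (not the forum's, Panda's or any cleanup tool's own code): spotting a look-alike folder name such as the "F?nts" case, and sorting Panda ActiveScan report lines (the format posted in the next reply) into live hits versus copies already sitting in quarantine or backup stores. The system-folder list and the confusable-character map are assumptions chosen for the example; the sample report lines are patterned on the report posted below.

```python
"""Added example (not the forum's, Panda's or any cleanup tool's own code): two
checks a helper makes by eye in a thread like this, written out as code.
1. Look-alike folder names: a directory that reads as "Fonts" but spells it with
   a foreign or confusable character (the "F?nts" case).
2. Panda ActiveScan report triage: report lines have the form
   "Category:Name Status Location"; hits inside quarantine or backup stores are
   inert copies and should be kept apart from hits on live paths."""
import re
import unicodedata

# System folders malware likes to imitate (assumption: this short list suffices).
SYSTEM_DIR_NAMES = {"fonts", "system32", "temp", "drivers", "tasks"}

# Constructed subset of characters that render like Latin letters; a real
# deployment would use the full Unicode confusables table instead.
CONFUSABLES = {
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c",  # Cyrillic о а е с
    "\u0440": "p", "\u0445": "x", "\u0455": "s", "\u0456": "i",  # Cyrillic р х ѕ і
    "\u03bf": "o", "0": "o", "1": "l",                          # Greek ο, digits
}


def skeleton(name: str) -> str:
    """Fold a folder name to an ASCII look-alike skeleton for comparison."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def lookalike_system_dir(name: str):
    """Return the system folder that `name` imitates, or None. A genuine "Fonts"
    (any letter case) is not flagged; only names that differ from a known system
    folder name yet fold to it are."""
    if name.casefold() in SYSTEM_DIR_NAMES:
        return None
    folded = skeleton(name)
    return folded if folded in SYSTEM_DIR_NAMES else None


# One report line, e.g. "Spyware:Cookie/Zedo Not disinfected C:\...\owner@zedo[1].txt"
PANDA_LINE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+(?P<status>Disinfected|Not disinfected)\s+(?P<path>.+)$"
)

# Path fragments marking an inert copy: another tool's quarantine or backup
# store, or the folder OTMoveIt moved files into (compared case-insensitively).
INERT_MARKERS = ("\\quarantine\\", "\\backups\\", "\\_otmoveit\\")


def triage_panda(lines):
    """Sort report lines into buckets a helper acts on differently:
    live   - not disinfected and on a live path: needs manual removal
    fixed  - Panda already disinfected it
    inert  - inside a quarantine/backup store: clear the store later
    cookie - tracking cookie: noise, cleared by CCleaner
    unparsed - anything that is not a report line"""
    buckets = {"live": [], "fixed": [], "inert": [], "cookie": [], "unparsed": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PANDA_LINE.match(line)
        if not m:
            buckets["unparsed"].append(line)
            continue
        path = m["path"]
        if m["name"].startswith("Cookie/"):
            buckets["cookie"].append(path)
        elif any(marker in path.lower() for marker in INERT_MARKERS):
            buckets["inert"].append(path)
        elif m["status"] == "Disinfected":
            buckets["fixed"].append(path)
        else:
            buckets["live"].append((m["name"], path))
    return buckets


# Sample lines patterned on the Panda report posted later in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\gka.dll
Virus:W32/Nuwar.N.worm Disinfected C:\SDFix\backups\backups.zip[backups/adirss.exe]
Virus:Trj/Spammer.ZO Disinfected C:\WINDOWS\system32\msnetax.dll
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\Yazzle1122OinAdmin.exe
""".splitlines()

if __name__ == "__main__":
    for name in ("Fonts", "F\u043ents", "F0nts", "Temp"):
        print(f"{name!r:10} -> {lookalike_system_dir(name)}")
    for bucket, items in triage_panda(SAMPLE_REPORT).items():
        print(f"{bucket}: {items}")
```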
Old 02-24-2007, 02:10 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


Ran LSPFix and OTMoveIt, then could NOT delete the C:\windows\Fonts folder; it gave a "Cannot delete chkdsk.exe: Access is denied" error. Posting other logs below.

The log from the Kaspersky online scan is huge, as it lists a HUGE number of "skipped" messages from my old C:\Program Files\Norton AntiVirus\Quarantine\ folder. I have stripped out most of those lines for Norton AntiVirus\Quarantine\ to keep this post small and just left a sample for you. If you need to know all of those, please let me know. Can I delete those quarantined files/folders?


==== from OTMoveIt ====
DllUnregisterServer procedure not found in c:\windows\system32\msnetax.dll
c:\windows\system32\msnetax.dll NOT unregistered.
c:\windows\system32\msnetax.dll moved successfully.
File/Folder C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll not found.
File/Folder C:\Program Files\Common Files\Yazzle1122OinAdmin.exe not found.
C:\WINDOWS\temp\BIT3B.tmp moved successfully.
C:\WINDOWS\temp\BIT3B1.tmp moved successfully.
File/Folder C:\WINDOWS\temp\BITE2.tmp not found.
C:\WINDOWS\temp\win16C7.tmp moved successfully.
C:\WINDOWS\temp\win55DD.tmp moved successfully.
C:\WINDOWS\temp\winBC04.tmp moved successfully.

Created on 02/23/2007 22:22:34
======end of OTmoveIt log========

==== from Panda activescan=====

Incident Status Location

Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\dasj@mailaka.net\cookies.txt[.bfast.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\dasj@mailaka.net\cookies.txt[.atdmt.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\dasj@mailaka.net\cookies.txt[.clickbank.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\Yazzle1122OinAdmin.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Adware:Adware/888Bar Not disinfected C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}\UnInstall.exe
Adware:Adware/888Bar Not disinfected C:\Program Files\Common Files\{3417BE8B-0A20-1033-0916-031025200001}\UnInstall.exe
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{03306E57-A3DF-4DA6-AF30-6C753DCC9B47}]
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{060A390A-9D76-4F3C-A6D4-1D866892B9EB}]
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{0BFC94B7-E26D-4E8B-994E-8237C400981A}]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{1663E6B5-5FA6-48F0-AE70-7FFDDF44034E}]
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{1EDADB09-B213-4F46-B7D1-CE5BFE5A32FC}]
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{204E342C-4171-4CF1-B8C0-8D6DE42A7B04}]
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{213CC799-CE3A-4135-9CCA-BA29A94122FF}]
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{2278D47D-B79D-4285-9455-2A3DD14A8159}]
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{255E79AD-CC6A-463C-8F03-BBA01B9DBAB3}]
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{31D83B40-804E-49B1-A3F6-9557E9C61F34}]
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{3CD6525A-9BDA-40C9-BA23-BA9E261037A1}]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{3F16DBB8-A62F-4CE4-ACFC-8BF2ECD89DAB}]
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{433890CC-7DF9-47BA-8049-22B2E8EBACB1}]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{45126A04-4B1A-4381-A7DD-EBA877D4EADA}]
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{4B04FFCE-8748-4ED2-A069-D50C12FDC01C}]
Spyware:Cookie/AdDynamix Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{4E141273-2811-4828-B3F9-FFE99AD4502C}]
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{51170D1E-2A8D-4BE9-8C4B-5A88EB59CE40}]
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{5AD21610-C841-4CBD-8962-A1043C31A168}]
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{608690E1-0193-47BE-B9B8-560795302AAD}]
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{614F85BD-BB04-49B2-97E0-E9CA02576E05}]
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{73B606C5-C052-4ED0-930D-6A19B00BECA1}]
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{768243DB-0AE7-4FC9-B163-E32054DEDE29}]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{86BA5EB4-835C-405C-B117-17032D347B01}]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{87E53708-7D9A-4EBF-866E-18F5A0AFEC47}]
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{88353D82-15AE-4B53-81BC-4FDE1BC88C83}]
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{8ABCAC24-766C-4FE9-AF34-0893E9E2C820}]
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{8D62D382-38D7-482E-9C4C-B67F50F0D7B6}]
Spyware:Cookie/HotLog Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{917CEB92-EAD4-4E4E-945B-734041485571}]
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{92717291-4F4C-4A1E-BA31-E775D80173F3}]
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{958F6EF1-F061-4F37-9ECD-93F2A57CF762}]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{98F7C4D1-FB6E-4FE5-9BE3-71FE80E05F86}]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{9B2E121C-4607-477E-98EF-C764A332D71A}]
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{9B453C96-2CD3-48D8-8D7B-AE2D2DD6DC1C}]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{9B8A80AA-384F-4675-9BD2-4FF1101C7127}]
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{B2050641-25BB-4C2F-98F4-814BBDCC1CC9}]
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{BC848E2B-CBEC-4DA6-8224-404918EC91C3}]
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{BD702E78-AAF7-4885-A387-114943B99D47}]
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{BDA6AFBE-4886-4B8E-BC0C-9282E1262A17}]
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{C058BDDF-D653-4355-ADC7-757E84F7BD05}]
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{C23B1B21-61BA-476F-AE7D-4147F6E02DB8}]
Spyware:Cookie/Overture Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{C27ADF7B-D317-4B82-8F3B-952694665D44}]
Spyware:Cookie/Findwhat Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{CC5974D8-E300-4874-B87F-B79704D4FA5B}]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{D1940468-C316-4D3B-A88A-4BA98FC844DA}]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{D3FC36AF-8F7A-4130-B269-20FCC73A04C9}]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{E23C0020-2CAB-47C1-9185-D54577572A7E}]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{E63B2A34-6CEE-4977-B973-FD8C9751387A}]
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{E6F1F439-A1D8-4003-B0AF-5520ECE56DE2}]
Spyware:Cookie/Weborama Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{EAFBEB0A-137C-41FA-A589-F29F207A0D6B}]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{F11C9576-BEB4-4BC0-8AF6-A41AA8A57CB9}]
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{F31A8D2C-EAF5-4650-BEB2-92E52BEA09B6}]
Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{877FD653-43CD-4F66-955A-DA50E97995F7}.zip[{FB4004D4-0410-4B36-AB5E-AAD58929C244}]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{08575037-7C36-4DEE-9ADE-07BDEEDB24E9}]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{08F9CE75-5BB1-4629-9995-953FA4CA6CF5}]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{1B01BC05-07B6-49A2-B5EE-32146BDAE769}]
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{20664B0C-89C1-445D-B9E4-F0520A643BAA}]
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{23CB515A-037A-4CBC-9D21-B78A67EC088E}]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{274F895D-E959-41AF-A1DE-388E6FCEAB19}]
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{30A91AB3-0D0B-4970-AF95-1432A661307E}]
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{4CEFEF54-22D5-4575-B1BF-5FA1ABB24735}]
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{4FDCDCF7-C7C6-4CCA-8F5D-F6369E2D32A2}]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{5701CA04-93D9-41FF-9951-D69D1C4844B7}]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{57068A6E-7663-41F4-B9FD-2BE3B05A7BE8}]
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{60836F16-3C5F-45C0-9CDD-7ADB6B9153F0}]
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{61476CCC-9509-4D6B-95D8-61E7660F5315}]
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{61EF7613-58A2-4AA1-9A4A-2DFCD99ADB94}]
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{62244945-30EF-45F3-8766-314EC22C1556}]
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{623A1EB2-6D0E-4C64-BAD6-777B5421AF07}]
Spyware:Cookie/Overture Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{6245CD45-0F93-4E36-AECD-C2FBBCA0D96E}]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{6315E0A8-B78F-4F34-823E-B536EB940978}]
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{65872DD2-365B-4CC0-81D1-B6AE1D1904E9}]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{67FA405B-FA51-4040-9965-32DF5A9CD3DC}]
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{72EBEC10-92C5-4D9E-8DC0-B53658C9B779}]
Spyware:Cookie/AdDynamix Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{7484B8FC-4264-49E2-9559-F9C03186A3E5}]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{74CE4440-A51C-4471-BC0A-A0561DD5FE65}]
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{8507BE01-AAED-4198-8DD1-8585478AE27B}]
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{8B38811C-D344-4693-8A1B-BBE3ED3FAA1E}]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{97D05FE0-1373-46B1-BB8C-3096362CA1E5}]
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{B851AD79-B5EB-453D-B9FE-F5B95C026E76}]
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{C6A0E03D-E4C3-425D-8E81-96F715BA2B8B}]
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{CB0E2500-C1A8-488C-9701-B5BB8ABE1D72}]
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{D1836A64-B3AD-4F87-877A-A8760D4E0A23}]
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{DDDE459A-19D2-4CA6-B9EC-00DAE289C0FB}]
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{E9A73CB7-80D2-4716-9A14-57CDF70130D1}]
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{EA0A0969-5E1F-43CD-A02A-F121E4AEA335}]
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{EBC55916-4597-431D-BE0A-D362659BF68E}]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{EE8B3B00-4647-484B-BC61-476A2377F5ED}]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{EFB62422-534C-4CF8-B198-2997370DB970}]
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{F0D0123B-7361-45D3-A27E-F27E4B16BFC8}]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\Quarantine\{C9AE7021-1EF7-4BD4-94A7-CF4B93363250}.zip[{FAD509FA-F064-4342-9EA8-2F3890E3F038}]
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Microsoft Works\WkDetect.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\NetZero\exec.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\NZSearch\nzspc.exe
Adware:Adware/MediaTickets Not disinfected C:\Program Files\Outerinfo\OiUninstaller.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\SpySheriff\SpySheriff.exe
Adware:Adware/PestCapture Not disinfected C:\Program Files\SpySheriff\Uninstall.#xe
Virus:W32/Nuwar.N.worm Disinfected C:\SDFix\backups\backups.zip[backups/adirss.exe]
Adware:Adware/SpySheriff Not disinfected C:\SDFix\backups\backups.zip[backups/dxdlg32.exe]
Adware:Adware/Adsmart Not disinfected C:\SDFix\backups\backups.zip[backups/kernels88.exe]
Virus:Trj/Alanchum.RX Disinfected C:\SDFix\backups\backups.zip[backups/ma.exe.exe]
Adware:Adware/Maxifiles Not disinfected C:\SDFix\backups\backups.zip[backups/svchosts.exe]
Virus:Trj/Rizalof.WY Disinfected C:\SDFix\backups\backups.zip[backups/taskdir.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\tools\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\gka.dll
Virus:Trj/Spammer.ZO Disinfected C:\WINDOWS\system32\msnetax.dll
Virus:Trj/Abwiz.BW Disinfected C:\WINDOWS\system32\spoolsvv.vxe
Virus:Trj/Spammer.ZO Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\msnetax.dll
Virus:Trj/Abwiz.BW Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\temp\win16C7.tmp
Virus:Trj/Abwiz.BW Disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\temp\win55DD.tmp
Adware:Adware/WebAttaker Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\temp\winBC04.tmp
========== end of Panda Activescan =========
============= log from KASPERSKY ONLINE scan =========
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 24, 2007 2:50:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/02/2007
Kaspersky Anti-Virus database records: 273130
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62209
Number of viruses found: 25
Number of infected objects: 3930 / 0
Number of suspicious objects: 24
Duration of the scan process: 01:14:38

Infected Object Name / Virus Name / Last Action
C:\cp1041.nls Infected: SpamTool.Win32.Agent.u skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_5ac.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_658.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\Microsoft Works\WkDetect.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\NetZero\exec.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\Norton AntiVirus\Quarantine\00992A7A/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\00992A7A ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\00992A7A CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\091F64A9/[From hostmaster@ezy.net][Date Sat, 18 Dec 2004 05:53:44 GMT]/ezy.txt.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\091F64A9/[From hostmaster@ezy.net][Date Sat, 18 Dec 2004 05:53:44 GMT]/ezy.txt.zip Infected: Email-Worm.Win32.Sober.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\091F64A9 Mail: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\091F64A9 CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\093A348C/[From user_info@core.com][Date Sat, 18 Dec 2004 14:04:46 GMT]/core_6147.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\093A348C/[From user_info@core.com][Date Sat, 18 Dec 2004 14:04:46 GMT]/core_6147.zip Infected: Email-Worm.Win32.Sober.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B2A5607/[From Mail Delivery System <Mailer-Daemon@washington.noc11.net>][Date Wed, 17 Nov 2004 12:49:26 -0800]/UNNAMED/[From amchimes@shaktisolutions.com][Date Wed, 17 Nov 2004 14:49:19 -0600]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B2A5607/[From Mail Delivery System <Mailer-Daemon@washington.noc11.net>][Date Wed, 17 Nov 2004 12:49:26 -0800]/UNNAMED/[From amchimes@shaktisolutions.com][Date Wed, 17 Nov 2004 14:49:19 -0600]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B2A5607/[From Mail Delivery System <Mailer-Daemon@washington.noc11.net>][Date Wed, 17 Nov 2004 12:49:26 -0800]/UNNAMED/[From amchimes@shaktisolutions.com][Date Wed, 17 Nov 2004 14:49:19 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B2A5607/[From Mail Delivery System <Mailer-Daemon@washington.noc11.net>][Date Wed, 17 Nov 2004 12:49:26 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B2A5607 Mail: suspicious - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B2A5607 CryptFF: suspicious - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CEF25F0/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CEF25F0 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CEF25F0 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CF020A9.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CFC4DE1/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CFC4DE1 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CFC4DE1 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6AAA4078/[From re-mail_system@tempositions.com][Date Thu, 16 Dec 2004 23:45:46 UTC]/auto__mail.tempositions_9499.word.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\6AAA4078/[From re-mail_system@tempositions.com][Date Thu, 16 Dec 2004 23:45:46 UTC]/auto__mail.tempositions_9499.word.zip Infected: Email-Worm.Win32.Sober.i skipped
C:\Program Files\NZSearch\nzspc.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Program Files\Outerinfo\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 2 skipped
C:\SDFix\backups\backups.zip/backups/dxdlg32.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\SDFix\backups\backups.zip/backups/kernels88.exe Infected: Trojan-Downloader.Win32.Small.cwj skipped
C:\SDFix\backups\backups.zip/backups/pp.exe.exe Infected: Email-Worm.Win32.Zhelatin.aj skipped
C:\SDFix\backups\backups.zip/backups/wuauclt.exe Infected: Trojan-Downloader.Win32.Small.ego skipped
C:\SDFix\backups\backups.zip ZIP: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bvjg.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ndis.sys Object is locked skipped
C:\WINDOWS\system32\gka.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msnetax.dll Infected: Trojan.Win32.Agent.afg skipped
C:\WINDOWS\system32\runtime.sys Infected: Rootkit.Win32.Agent.dw skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.g skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
======= end of Kaspersky log ======

======from ComboScan.txt=====
ComboScan v20070221.16 run by Owner on 2007-02-24 at 15:28:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis (run as Owner.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:29:14 PM, on 2/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\NZSearch\nzspc.exe
C:\WINDOWS\FNTS~1\chkdsk.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Owner\Desktop\comboscan.exe
C:\tools\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B46C7639-C8F4-E008-F7DA-C3DEBFC105B6} - C:\WINDOWS\system32\bvjg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Usrr] "C:\WINDOWS\FNTS~1\chkdsk.exe" -vt yazb
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe


-- HijackThis Fixed Entries (C:\tools\backups\) ---------------------------------

backup-20070222-195237-102 O15 - Trusted Zone: *.media-motor.com (HKLM)
backup-20070222-195237-117 O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20070222-195237-181 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20070222-195237-182 O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
backup-20070222-195237-198 O15 - Trusted Zone: *.adgate.info
backup-20070222-195237-260 O15 - Trusted Zone: *.matcash.com (HKLM)
backup-20070222-195237-267 O15 - Trusted Zone: *.winantivirus.com
backup-20070222-195237-322 O15 - Trusted Zone: *.matcash.com
backup-20070222-195237-333 O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20070222-195237-440 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20070222-195237-447 O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
backup-20070222-195237-450 O15 - Trusted Zone: *.systemdoctor.com
backup-20070222-195237-452 O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20070222-195237-457 O15 - Trusted Zone: *.snipernet.biz
backup-20070222-195237-474 O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
backup-20070222-195237-499 O15 - Trusted Zone: *.imagesrvr.com
backup-20070222-195237-527 O15 - Trusted Zone: *.winfixer.com
backup-20070222-195237-589 O15 - Trusted Zone: *.media-motor.com
backup-20070222-195237-685 O15 - Trusted Zone: *.errorsafe.com
backup-20070222-195237-707 O15 - Trusted Zone: *.snipernet.biz (HKLM)
backup-20070222-195237-788 O15 - Trusted Zone: *.mediatickets.net
backup-20070222-195237-812 O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
backup-20070222-195237-824 O15 - Trusted Zone: *.mediatickets.net (HKLM)
backup-20070222-195237-860 O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20070222-195237-874 O15 - Trusted Zone: *.media-motor.net (HKLM)
backup-20070222-195237-957 O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20070222-195237-978 O15 - Trusted Zone: *.dollarrevenue.com
backup-20070222-195238-261 O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
backup-20070222-195238-262 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20070222-195238-509 O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
backup-20070222-195238-675 O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - notepad.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - notepad.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
3R ASAPIW2k - C:\WINDOWS\system32\drivers\asapiW2k.sys
2R ASPI32 - C:\WINDOWS\system32\drivers\ASPI32.SYS
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\ccdecode.sys
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFHWBS2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\HSF_DP.sys
3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
1S kbdhid (Keyboard HID Driver) - C:\WINDOWS\system32\drivers\kbdhid.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3S mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\mstee.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\nabtsfec.sys
3R NaiAvFilter1 - C:\WINDOWS\system32\drivers\naiavf5x.sys
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\ndisip.sys
3S ntldr.sys - C:\ntldr.sys (not found)
2S ONSIO - C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS (not found)
3S PCANDIS5 (PCANDIS5 Protocol Driver) - C:\PROGRA~1\NETGEAR\MA111C~1\PCANDIS5.SYS (not found)
1R PCLEPCI - C:\WINDOWS\system32\drivers\Pclepci.sys
3S PRISM_USB (D-Link Air DWL-122 Wireless USB Adapter Driver) - C:\WINDOWS\system32\drivers\PRISMUSB.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3S QCMerced (Logitech QuickCam Communicate) - C:\WINDOWS\system32\drivers\lvcm.sys
3R rtl8139 (Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver) - C:\WINDOWS\system32\drivers\RTL8139.sys
3S Runtime - C:\WINDOWS\system32\runtime.sys
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\slip.sys
0S SMPLSCSI - C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\streamip.sys
3S usbaudio (USB Audio Driver (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\usbstor.sys
3S wanatw (WAN Miniport (ATW)) - C:\WINDOWS\system32\DRIVERS\wanatw4.sys (not found)
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
3S WLAN_USB (Wireless LAN USB Driver) - C:\WINDOWS\system32\drivers\MA111nd5.sys
4R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\wstcodec.sys
3R {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver) - C:\WINDOWS\system32\drivers\ialmsbw.sys
3R {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver) - C:\WINDOWS\system32\drivers\ialmkchw.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4S Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
3S ALG (Application Layer Gateway Service) - C:\WINDOWS\System32\alg.exe
3S AppMgmt (Application Management) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R AudioSrv (Windows Audio) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R BITS (Background Intelligent Transfer Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2S Browser (Computer Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S CiSvc (Indexing Service) - C:\WINDOWS\system32\cisvc.exe
4S ClipSrv (ClipBook) - C:\WINDOWS\system32\clipsrv.exe
3S COMSysApp (COM+ System Application) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2R CryptSvc (Cryptographic Services) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R DcomLaunch (DCOM Server Process Launcher) - C:\WINDOWS\system32\svchost -k DcomLaunch
2R Dhcp (DHCP Client) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S dmadmin (Logical Disk Manager Administrative Service) - C:\WINDOWS\System32\dmadmin.exe /com
3S dmserver (Logical Disk Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Dnscache (DNS Client) - C:\WINDOWS\System32\svchost.exe -k NetworkService
2R ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Eventlog (Event Log) - C:\WINDOWS\system32\services.exe
3R EventSystem (COM+ Event System) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S FastUserSwitchingCompatibility (Fast User Switching Compatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
2R helpsvc (Help and Support) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R HidServ (HID Input Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S HTTPFilter (HTTP SSL) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
3S ImapiService (IMAPI CD-Burning COM Service) - C:\WINDOWS\System32\imapi.exe
2R lanmanserver (Server) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R lanmanworkstation (Workstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R LmHosts (TCP/IP NetBIOS Helper) - C:\WINDOWS\System32\svchost.exe -k LocalService
2R McDetect.exe (McAfee WSC Integration) - c:\program files\mcafee.com\agent\mcdetect.exe
2R McShield (McAfee.com McShield) - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
2R McTskshd.exe (McAfee Task Scheduler) - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
3S mcupdmgr.exe (McAfee SecurityCenter Update Manager) - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
4S Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S mnmsrvc (NetMeeting Remote Desktop Sharing) - C:\WINDOWS\System32\mnmsrvc.exe
3S MSDTC (Distributed Transaction Coordinator) - C:\WINDOWS\System32\msdtc.exe
3S MSIServer (Windows Installer) - C:\WINDOWS\System32\msiexec.exe /V
4S NetDDE (Network DDE) - C:\WINDOWS\system32\netdde.exe
4S NetDDEdsdm (Network DDE DSDM) - C:\WINDOWS\system32\netdde.exe
3S Netlogon (Net Logon) - C:\WINDOWS\System32\lsass.exe
3R Netman (Network Connections) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R Nla (Network Location Awareness (NLA)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S NtLmSsp (NT LM Security Support Provider) - C:\WINDOWS\System32\lsass.exe
3S NtmsSvc (Removable Storage) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R PlugPlay (Plug and Play) - C:\WINDOWS\system32\services.exe
2R PolicyAgent (IPSEC Services) - C:\WINDOWS\System32\lsass.exe
2R ProtectedStorage (Protected Storage) - C:\WINDOWS\system32\lsass.exe
2R RasAuto (Remote Access Auto Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R RasMan (Remote Access Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RDSessMgr (Remote Desktop Help Session Manager) - C:\WINDOWS\system32\sessmgr.exe
4S RemoteAccess (Routing and Remote Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RpcLocator (Remote Procedure Call (RPC) Locator) - C:\WINDOWS\System32\locator.exe
2R RpcSs (Remote Procedure Call (RPC)) - C:\WINDOWS\system32\svchost -k rpcss
3S RSVP (QoS RSVP) - C:\WINDOWS\System32\rsvp.exe
2R SamSs (Security Accounts Manager) - C:\WINDOWS\system32\lsass.exe
3S SCardSvr (Smart Card) - C:\WINDOWS\System32\SCardSvr.exe
2R Schedule (Task Scheduler) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R seclogon (Secondary Logon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SENS (System Event Notification) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R ShellHWDetection (Shell Hardware Detection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Spooler (Print Spooler) - C:\WINDOWS\system32\spoolsv.exe
2R srservice (System Restore Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R SSDPSRV (SSDP Discovery Service) - C:\WINDOWS\System32\svchost.exe -k LocalService
2R stisvc (Windows Image Acquisition (WIA)) - C:\WINDOWS\System32\svchost.exe -k imgsvc
3S SwPrv (MS Software Shadow Copy Provider) - C:\WINDOWS\System32\dllhost.exe /Processid:{195E6122-CAE8-4FC9-BD96-F81BBD1135E2}
3S SysmonLog (Performance Logs and Alerts) - C:\WINDOWS\system32\smlogsvc.exe
3R TapiSrv (Telephony) - C:\WINDOWS\System32\svchost.exe -k netsvcs
4S TermService (Terminal Services) - C:\WINDOWS\System32\svchost -k DComLaunch
2R Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R TrkWks (Distributed Link Tracking Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S upnphost (Universal Plug and Play Device Host) - C:\WINDOWS\System32\svchost.exe -k LocalService
3S UPS (Uninterruptible Power Supply) - C:\WINDOWS\System32\ups.exe
2R UxTuneUp (TuneUp Design Expansion) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S VSS (Volume Shadow Copy) - C:\WINDOWS\System32\vssvc.exe
2R W32Time (Windows Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
2R winmgmt (Windows Management Instrumentation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S WmiApSrv (WMI Performance Adapter) - C:\WINDOWS\System32\wbem\wmiapsrv.exe
2R wuauserv (Automatic Updates) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WZCSVC (Wireless Zero Configuration) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S xmlprov (Network Provisioning Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-23 22:04:28 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job<1-CLIC~1.JOB>


-- Files created between 2007-01-24 and 2007-02-24 ------------------------------

2007-02-24 12:52:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-02-24 12:52:34 0 d-------- C:\WINDOWS\LastGood
2007-02-24 11:34:44 71 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys<PFDNNT~1.SYS>
2007-02-24 11:34:43 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2007-02-24 09:26:35 20480 -----n--- C:\WINDOWS\system32\msnetax.dll
2007-02-24 09:25:25 56832 --a------ C:\WINDOWS\system32\bvjg.dll
2007-02-23 22:29:54 0 d-------- C:\Program Files\CCleaner
2007-02-22 22:43:46 0 d-------- C:\tools
2007-02-22 22:25:24 114464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-02-22 22:24:18 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-02-22 22:24:00 288320 -ra------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-22 22:23:59 349760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-22 22:23:59 0 d-------- C:\Program Files\McAfee.com
2007-02-22 20:15:15 0 d-------- C:\Documents and Settings\Owner\DoctorWeb<DOCTOR~1>
2007-02-22 19:58:35 0 d-------- C:\_OTMoveIt<_OTMOV~1>
2007-02-22 19:27:51 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-02-21 19:48:17 0 d-------- C:\SDFix
2007-02-21 15:31:16 0 d-------- C:\spoolerlogs<SPOOLE~1>
2007-02-21 08:07:12 2 --a------ C:\WINDOWS\system32\wtssvcc.exe
2007-02-21 08:07:09 0 d-------- C:\WINDOWS\system32\s?stem32
2007-02-21 08:07:09 0 d-------- C:\Program Files\Outerinfo<OUTERI~1>
2007-02-21 08:07:07 56832 -----n--- C:\WINDOWS\system32\gka.dll
2007-02-21 0852 0 d-------- C:\Program Files\InetGet2
2007-02-21 08:04:47 0 d-------- C:\Program Files\Common Files\{3417BE8B-0A20-1033-0916-031025200001}<{3417B~2>
2007-02-21 08:04:47 0 d-------- C:\Program Files\Common Files\{1417BE8B-0A20-1033-0916-031025200001}<{1417B~2>
2007-02-21 07:29:13 24072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-02-21 07:28:13 0 d-------- C:\Program Files\TuneUp Utilities 2007<TUNEUP~1>
2007-02-21 07:28:13 0 d-------- C:\Documents and Settings\Owner\Application Data\TuneUp Software<TUNEUP~1>
2007-02-21 07:26:34 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software<TUNEUP~1>
2007-02-20 23:25:31 0 d-------- C:\Program Files\Registry Mechanic<REGIST~1>
2007-02-20 21:27:40 0 d-------- C:\SDAT
2007-02-20 20:16:10 14782728 --a------ C:\sdat4967.exe
2007-02-19 23:34:52 4864 --a------ C:\WINDOWS\system32\runtime.sys
2007-02-19 22:36:46 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-19 22:17:03 0 d-------- C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}<{3417B~1>
2007-02-19 1818 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-02-19 1818 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust<INTERT~1>
2007-02-19 1818 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-02-19 1817 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-02-19 1817 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-19 00:14:26 0 d-a-s---- C:\Program Files\NewDotNet<NEWDOT~1>
2007-02-19 00:14:01 0 d-------- C:\Program Files\Ofb1
2007-02-16 10:02:51 0 d-------- C:\Documents and Settings\All Users\Application Data\MCA1C.tmp
2007-02-16 07:35:50 0 d-------- C:\Program Files\SpySheriff<SPYSHE~1>
2007-02-16 07:35:41 1443213 --a------ C:\Documents and Settings\Owner\Application Data\Install.dat
2007-02-14 14:18:12 0 d-------- C:\Practicum<PRACTI~1>
2007-02-05 21:49:36 0 d-------- C:\PMBOK Guide<PMBOKG~1>


-- Find3M Report ----------------------------------------------------------------

2007-02-24 11:00:47 0 d-------- C:\Program Files\NZSearch
2007-02-24 10:58:50 0 d-------- C:\Program Files\NetZero
2007-02-24 10:55:12 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-21 07:26:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-20 21:13:58 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-02-20 21:09:52 1993270 --a------ C:\Documents and Settings\Owner\Application Data\CleanUp!.log
2007-02-20 07:51:35 0 d-------- C:\Program Files\7-Zip
2007-02-15 21:37:48 0 d-------- C:\Program Files\Microsoft Works<MICROS~4>
2007-01-16 21:26:18 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-01-09 08:55:46 0 d-------- C:\Program Files\Microsoft<MICROS~3>
2006-12-31 20:46:19 0 d-------- C:\Program Files\Picasa2
2006-12-31 20:45:55 0 d-------- C:\Program Files\Google


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NetZero_uoltray"="C:\\Program Files\\NetZero\\bak\\exec.exe regrun"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"spc_w"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"Usrr"="\"C:\\WINDOWS\\FNTS~1\\chkdsk.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CHotkey"="zHotkey.exe"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\windows\system32\ldcore.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{55667788-ABCD-1234-5678-00C04FD8DBD8}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1417BE8B-0A1F-1033-0916-031025200001}"="\"C:\\Program Files\\Common Files\\{1417BE8B-0A1F-1033-0916-031025200001}\\Update.exe\" te-110-12-0000271"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1417BE8B-0A1F-1033-0916-031025200001}"="\"C:\\Program Files\\Common Files\\{1417BE8B-0A1F-1033-0916-031025200001}\\Update.exe\" te-110-12-0000271"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\A3dxq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp



-- End of ComboScan: finished at 2007-02-24 at 15:29:57 -------------------------

I will be posting the ComboScan supplementary log as a separate reply, as it exceeds the character limit.
tsf1jay is offline  
Old 02-24-2007, 02:11 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


ComboScan v20070221.16 run by Owner on 2007-02-24 at 15:28:34
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.60GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 253.98 MiB / 98.77 MiB
Pagefile Memory (total/avail): 621.96 MiB / 437.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1999.22 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.33 GiB total, 66.62 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH="C:\Program Files\JavaSoft\JRE\1.3.1\lib\ext\QTJava.zip"
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-SMYLJR82PW
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-SMYLJR82PW
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C:\Program Files\JavaSoft\JRE\1.3.1\lib\ext\QTJava.zip"
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-SMYLJR82PW
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.12 beta --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\7-zip.inf,SevenZip.Uninstall
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC03FCE8-388F-48C0-9600-B53ACB297B5F}\setup.exe" -l0x9 -uninst
Bar888 --> C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}\UnInstall.exe
Blue's Art Time Activities --> C:\WINDOWS\IsUninst.exe -fC:\HEGames\ArtTime\Uninst.isu -c"C:\HEGames\ArtTime\Uninst.dll
Britannica Ready Reference --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Britannica\b2003ce.isu"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chutes and Ladders --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\Chutes\DeIsL1.isu"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Clifford Thinking Adventures --> C:\WINDOWS\System32\Clifford Uninstall.exe C:\Program Files\Scholastic's Clifford\Clifford Adventure\
Conexant SoftK56 Modem(M) --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_8D8B155D\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F00&SUBSYS_200214F1
Disney's The Jungle Book Learning --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8FB33DAA-0132-11D7-8944-0002A5E32BEF}\setup.exe" Disney's The Jungle Book Learning
Dora the Explorer: Animal Adventures --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A34CCD1C-7738-47B9-863D-8E0C478FB8F7}\setup.exe" -l0x9 -uninst
Genesys USB Mass Storage Device --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4BF87C8-3EEC-4774-82A2-584F109187B1}\Setup.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Grammar Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Davidson\Grammar\DeIsL1.isu"
HijackThis 1.99.1 --> C:\tools\HijackThis.exe /uninstall
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{24960CD0-661D-4957-9D5F-D2905A30EDB1}
Java 2 Runtime Environment Standard Edition v1.3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1\Uninst.isu"
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
JumpStart Music --> C:\WINDOWS\IsUninst.exe -fC:\KA\JSMUSIC\DeIsL1.isu
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Kid Pix Studio Deluxe --> C:\WINDOWS\uninst.exe -fC:\KPSDLUX\DeIsL1.isu
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam --> MsiExec.exe /I{466B21EE-2858-4845-B2B3-056FC544DAA3}
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Magic School Bus - Rainforest --> C:\Program Files\Microsoft Kids\MSB Rainforest\System\MSBRUNST.EXE /L"C:\Program Files\Microsoft Kids\MSB Rainforest\System\MSB Rainforest.log"
McAfee SecurityCenter --> C:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> C:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9
Netscape 6 (6.2.1) --> C:\WINDOWS\N6Uninst.exe /ua "6.2.1 (en)"
NetZero --> "C:\Program Files\NetZero\uninst.exe"
Outerinfo --> C:\Program Files\Outerinfo\OiUninstaller.exe
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Phonics --> C:\WINDOWS\unvise32.exe C:\Program Files\sz8064\uninstal.log
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\uninstal.log
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\Setup.exe" -l0x9 UNINSTALL
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RC Daredevil --> C:\PROGRA~1\eGames\RCDARE~1\UNWISE.EXE C:\PROGRA~1\eGames\RCDARE~1\INSTALL.LOG
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
SD Viewer for DSC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A8D3524-79DB-11D5-99D1-00010256D40E}\setup.exe"
Search for the Secret Keys --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA0AD614-3FD5-11D6-B234-0050DACD394D}\setup.exe" -l0x9 Uninstall
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
SoundCapture --> C:\PROGRA~1\MAGICS~1\SC\UNWISE.EXE C:\PROGRA~1\MAGICS~1\SC\INSTALL.LOG
SpyWare Killer Pro --> MsiExec.exe /I{ABD372EC-3EC6-49EA-AA5B-32101028A750}
Studio 9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E491AB7-4589-48CA-9CBB-874CB2788391}\Setup.exe" -l0x9 UNINSTALL
Study Helpers Math Booster --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\SHMathUn.exe
TaxCut 2003 --> C:\Program Files\TaxCut03\Program\removetc.exe
TaxCut 2004 --> C:\Program Files\TaxCut04\Program\removetc.exe
TaxCut Deluxe 2005 --> C:\PROGRA~1\TaxCut05\Program\removetc.exe
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows XP Junglebook Compatiblity Fix --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{659660d0-edb3-4afb-be92-7ea22a0cae65}.sdb"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"


-- End of ComboScan: finished at 2007-02-24 at 15:29:57 -------------------------
======= End of ComboScan supplementary log============
tsf1jay is offline  
Old 02-25-2007, 03:06 AM   #9 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

Yes, you may delete what is inside the quarantine folders of both Norton and SpyWare Killer Pro. Do NOT delete the quarantine folders themselves, just the contents.


NEXT:

Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

ClickSpring
Cowabanga by OIN
MediaTickets
MediaTickets by OIN
OIN
Outerinfo
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe Balls! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator

(Anything else with the word "OIN" or "Outerinfo" or "Outer Info Network" or "Yazzle" in them)

If none of the above programs are listed, then download and run this OIN Uninstaller.


NEXT:

Please also uninstall the following programs:

New.Net
NewDotNet


If it is not listed, follow these instructions:
  • From a computer that has Internet access, click on the following link:
    http://www.new.net/support/uninstall6_90.exe.
  • Download and save uninstall6_90.exe to the desktop.
  • Go to the desktop and double-click on uninstall6_90.exe
  • Click on the OK button.
  • After removal, you may be prompted to reboot. Please reboot even if not prompted.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {B46C7639-C8F4-E008-F7DA-C3DEBFC105B6} - C:\WINDOWS\system32\bvjg.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKCU\..\Run: [Usrr] "C:\WINDOWS\FNTS~1\chkdsk.exe" -vt yazb
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please run OTMoveIt and quarantine the following files/folders (please also remember to copy the report generated and paste it in your next reply for me to see):

C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}
C:\Program Files\Common Files\{3417BE8B-0A20-1033-0916-031025200001}
C:\Program Files\Outerinfo
C:\Program Files\SpySheriff
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe
C:\WINDOWS\system32\gka.dll
C:\cp1041.nls
C:\WINDOWS\system32\msnetax.dll
C:\WINDOWS\system32\wtssvcc.exe
C:\Program Files\NewDotNet
C:\WINDOWS\system32\bvjg.dll


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Try deleting the C:\windows\Fonts folder manually. If you cannot delete it in Normal Mode, try doing the deletion in Safe Mode.

Please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".

Also, please delete these folders:

C:\WINDOWS\FNTS~1
C:\WINDOWS\system32\s?stem32


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The report from OTMoveIt.
  2. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna; 02-25-2007 at 03:23 AM.
Sempurna is offline  
Old 02-26-2007, 06:37 AM   #10 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


I removed the contents of the quarantine folders and then, from Add/Remove Programs, removed Bar888 and Outerinfo. Then I think I messed up: I removed C:\WINDOWS\Fonts using TuneUp, and when I tried to reboot it gave the error "Windows could not start because the following file is missing or corrupt: \Windows\System\vgaoem.fon.

You can attempt to repair this file by restarting Windows setup CD-ROM. Select 'r' at the first screen to start repair"

Please advise how to correct this.
tsf1jay is offline  
Old 02-26-2007, 07:29 AM   #11 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Yep, do just like it says. Get your XP CD handy, and select "R" at the first screen. It will prompt you to insert the CD when ready.

Look into the C:\WINDOWS\Fonts folder. If it is full of fonts, then that is the correct folder, and the malware folder no longer exists on your computer. The malware folder has morphed to C:\WINDOWS\FNTS~1 and C:\WINDOWS\System32\S?stem32.

Let me know how it goes.

Last edited by Sempurna; 02-26-2007 at 07:31 AM.
Sempurna is offline  
Old 02-28-2007, 08:39 AM   #12 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


I restored vgaoem.fon and when I rebooted, McAfee showed that C:\windows\system32\winlogon.exe is infected with the Spy-Agent.bv!inf trojan. It could not delete or quarantine this trojan. While the trojan was still active, I tried to download uninstall6_90.exe, but was not successful. It did not allow me to save anywhere, saying the disk is write-protected. Maybe it was the virus which prevented this?

Then I fixed some entries listed with HJT, ran OTMoveIt as you said, and took an HJT log again. The logs are attached below.

Could not delete the C:\WINDOWS\system32\s?stem32 folder. I can see the folder only at the DOS prompt, and could not remove it with the REMDIR command.
I do not see any C:\WINDOWS\FNTS~1 folder; however, I do have a C:\WINDOWS\Fonts folder, which appears to have real fonts (all files dated 2000 or prior). I thought I would ask you again before deleting C:\WINDOWS\Fonts because last time I faced that vgaoem.fon issue.

=====MoveIt log======
C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001} moved successfully.
C:\Program Files\Common Files\{3417BE8B-0A20-1033-0916-031025200001} moved successfully.
C:\Program Files\Outerinfo moved successfully.
C:\Program Files\SpySheriff moved successfully.
File/Folder C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe not found.
File/Folder C:\WINDOWS\system32\gka.dll not found.
File/Folder C:\cp1041.nls not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\msnetax.dll
C:\WINDOWS\system32\msnetax.dll NOT unregistered.
C:\WINDOWS\system32\msnetax.dll moved successfully.
C:\WINDOWS\system32\wtssvcc.exe moved successfully.
C:\Program Files\NewDotNet moved successfully.
File/Folder C:\WINDOWS\system32\bvjg.dll not found.

Created on 02/28/2007 07:59:13

===HJT log after OTMoveIt run========
Logfile of HijackThis v1.99.1
Scan saved at 8:24:07 AM, on 2/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\NZSearch\nzspc.exe
C:\Program Files\NZSearch\bak\nzspc.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B632296A-CCF4-B65E-F9DA-C3DEBFC15CE2} - C:\WINDOWS\system32\hzjs.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
=== end of log ===
Please advise and also advise how to get rid of Spy-Agent.bv!inf trojan.
tsf1jay is offline  
Old 02-28-2007, 09:50 AM   #13 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

Hmm, somehow the malware is getting regenerated. OK, let’s do this next.

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.


1. Please download SmitfraudFix (by S!Ri):
  • Extract the content (a folder named SmitfraudFix) to your desktop.
  • Please do NOT run a scan yet!

NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



2. Please download CCleaner and save it to your desktop:
  • Run the CCleaner installer.
  • During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Please do NOT run a scan yet!


3. Please download and install SUPERAntiSpyware:
  • Load SUPERAntiSpyware and click the Check for Updates button.
  • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!


4. Please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".


5. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd:
  • Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process (if a reboot is required, please boot BACK into Safe Mode). A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

WARNING : Running Option #2 on a non-infected computer will remove your desktop background.



6. AFTER SmitfraudFix finishes (and after a reboot if required), please run CCleaner. (If a reboot is required, please boot BACK into Safe Mode)
  • Click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION : Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.



7. Then please run a scan with SUPERAntiSpyware:

IMPORTANT : Do NOT open any other windows or programs while SUPERAntiSpyware is scanning; it may interfere with the scanning process.
  • Open SUPERAntiSpyware and click the Scan your Computer button.
  • Check Perform Complete Scan and then click Next.
  • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
  • Make sure that they all have a check next to them, and then click Next.
  • Click Finish and you will be taken back to the main interface.
  • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
  • I'll need a log afterwards of what has been found.
  • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
  • Please post the results of the SUPERAntiSpyware log in your next reply.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {B632296A-CCF4-B65E-F9DA-C3DEBFC15CE2} - C:\WINDOWS\system32\hzjs.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Using Windows Explorer, please navigate to and delete the following FILES (if they exist):

c:\windows\system32\ldcore.dll


Please let me know if you encountered any problems finding or deleting the file.


NEXT:

Let’s see if we can find that obfuscated folder that you have trouble deleting.

Open Notepad and copy and paste the text present inside the code box below:

Code:
rem List S?stem32 entries in System32, hidden ones included (/a), into files.txt
dir C:\WINDOWS\System32\S?stem32 /a > files.txt
notepad files.txt
Save this as FindFile.bat and change the "Save as type" to "All Files" and place it on your desktop.

Locate FindFile.bat on your desktop and double-click on it. It will open Notepad with some text in it. Please post the text in your next reply.


NEXT:

You may leave the C:\WINDOWS\Fonts folder alone. It is legit.

Please do another online scan with Panda ActiveScan and post the log for me to see.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the SmitfraudFix scan located at C:\rapport.txt.
  2. The log from the SUPERAntiSpyware scan.
  3. The log from the FindFile.bat scan.
  4. The log from the Panda scan.
  5. A new ComboScan log.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
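As an added example (not part of this thread and not HijackThis code), a small Python triage script that parses HijackThis log lines like the ones quoted above and flags the entry types the helper acted on: a DLL in AppInit_DLLs, an unknown Winsock LSP, Trusted Zone additions, "(file missing)" or unnamed registrations, and DNS servers outside an expected set. The sample log is assembled from lines in this thread, and the rule set and the trusted name-server list are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis lines copied from the logs posted in this
# thread, plus two known-good lines (Adobe BHO, Google service) for contrast.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B632296A-CCF4-B65E-F9DA-C3DEBFC15CE2} - C:\WINDOWS\system32\hzjs.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O15 - Trusted Zone: *.winfixer.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
"""

# Every HijackThis entry line has the shape "<section> - <body>",
# e.g. "O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll".
ENTRY_RE = re.compile(r"^([ORF]\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return (section, body, raw_line) for each entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group(1), m.group(2), raw))
    return entries


def triage(log_text, trusted_nameservers=frozenset()):
    """Flag the entries a log reviewer would look at first.

    The rules mirror what the helper in this thread acted on. A flag is a
    prompt for review, not proof that the entry is malicious; the reviewer
    still has to identify the file or vendor behind it.
    """
    findings = []
    for section, body, raw in parse_entries(log_text):
        reasons = []
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:  # an empty AppInit_DLLs value is the normal state
                reasons.append("AppInit_DLLs loads %s into every process that maps user32.dll" % dll)
        elif section == "O10":
            reasons.append("unrecognised Winsock LSP sits in the path of all socket traffic")
        elif section == "O15":
            reasons.append("site added to the IE Trusted Zone runs with relaxed browser security")
        elif section == "O17":
            server = body.rsplit("=", 1)[1].strip()
            if server not in trusted_nameservers:
                reasons.append("DNS server %s is not in the expected set" % server)
        if "(file missing)" in body:
            reasons.append("registration points to a file that no longer exists")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service carries no vendor string")
        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings


if __name__ == "__main__":
    # The ISP-assigned name server from the thread is treated as expected here.
    for f in triage(SAMPLE_HJT_LOG, trusted_nameservers={"165.76.12.2"}):
        print(f.section, f.line)
        for r in f.reasons:
            print("    ->", r)
```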
Old 02-28-2007, 10:09 PM   #14 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


I still have McAfee showing C:\windows\system32\winlogon.exe infected with Spy-Agent.bv!inf trojan, but cannot remove/delete/quarantine.

Here are the other scan logs.

====== rapport.txt =======
SmitFraudFix v2.145

Scan done at 19:37:22.14, Wed 02/28/2007
Run from C:\tools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\Owner\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



====== SuperAntispyware scan ====
SUPERAntiSpyware Scan Log
Generated 02/28/2007 at 08:35 PM

Application Version : 3.5.1016

Core Rules Database Version : 3192
Trace Rules Database Version: 1202

Scan type : Complete Scan
Total Scan Time : 00:46:04

Memory items scanned : 160
Memory threats detected : 0
Registry items scanned : 5380
Registry threats detected : 34
File items scanned : 31628
File threats detected : 22

Trojan.Downloader-Gen/OFB
HKLM\Software\Classes\CLSID\{3E1500AC-87A5-416b-A211-82E848649DA9}
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}\InprocServer32
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}\InprocServer32#ThreadingModel
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}\ProgID
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}\Programmable
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}\TypeLib
HKCR\CLSID\{3E1500AC-87A5-416B-A211-82E848649DA9}\VersionIndependentProgID
C:\PROGRA~1\OFB1\OFB1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}
C:\PROGRAM FILES\OFB1\OFB1.DLL

Trojan.Net-MSNetAX
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000036
C:\WINDOWS\SYSTEM32\MSNETAX.DLL
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\MSNETAX.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt

Adware.WebHancer
C:\Program Files\whInstall\license.txt
C:\Program Files\whInstall\readme.txt
C:\Program Files\whInstall\Sporder.dll
C:\Program Files\whInstall\whAgent.ini
C:\Program Files\whInstall\whInstaller.ini
C:\Program Files\whInstall

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Trojan.NewDotNet
HKLM\Software\New.net

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\System32\safe.tlb [  ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/amm06.ocx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/amm06.ocx#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/amm06.ocx#{5526B4C6-63D6-41A1-9783-0FABF529859A}
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\Forward
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid32
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\Forward
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#{5526B4C6-63D6-41A1-9783-0FABF529859A}
HKLM\software\mm
HKLM\software\mm#check
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\System32\safe.tlb
C:\WINDOWS\mm06y.ini

Adware.Toolbar888
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32

Adware.ClickSpring/Yazzle
C:\DOCUMENTS AND SETTINGS\OWNER\DOCTORWEB\QUARANTINE\YAZZLE1122OINADMIN.EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\VX.TLL
C:\WINDOWS\TEMPF.TXT
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\WTSSVCC.EXE

Trojan.SpySheriff
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\SPYSHERIFF\SPYSHERIFF.EXE


==== Findfile.bat scan ===
Volume in drive C has no label.
Volume Serial Number is 1417-BE8B

Directory of C:\WINDOWS\System32

02/21/2007 09:55 PM <DIR> s?stem32
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Owner\Desktop


== Panda activescan=====
Incident Status Location

Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\dasj@mailaka.net\cookies.txt[.bfast.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\dasj@mailaka.net\cookies.txt[.atdmt.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\dasj@mailaka.net\cookies.txt[.clickbank.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Microsoft Works\WkDetect.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\NetZero\exec.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\NZSearch\nzspc.exe
Adware:Adware/SpySheriff Not disinfected C:\SDFix\backups\backups.zip[backups/dxdlg32.exe]
Adware:Adware/Adsmart Not disinfected C:\SDFix\backups\backups.zip[backups/kernels88.exe]
Adware:Adware/Maxifiles Not disinfected C:\SDFix\backups\backups.zip[backups/svchosts.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\tools\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\tools\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\tools\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Spammer.ZO Disinfected C:\WINDOWS\system32\msnetax.dll
Adware:Adware/888Bar Not disinfected C:\_OTMoveIt\MovedFiles\Program Files\Common Files\{3417BE8B-0A20-1033-0916-031025200001}\UnInstall.exe
Adware:Adware/MediaTickets Not disinfected C:\_OTMoveIt\MovedFiles\Program Files\Outerinfo\OiUninstaller.exe
Adware:Adware/PestCapture Not disinfected C:\_OTMoveIt\MovedFiles\Program Files\SpySheriff\Uninstall.#xe
Adware:Adware/WebAttaker Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\temp\winBC04.tmp

==== comboscan log =======
ComboScan v20070221.16 run by Owner on 2007-02-28 at 23:56:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis (run as Owner.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:56:48 PM, on 2/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Owner\Desktop\comboscan.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\tools\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe


-- HijackThis Fixed Entries (C:\tools\backups\) ---------------------------------

backup-20070222-195237-102 O15 - Trusted Zone: *.media-motor.com (HKLM)
backup-20070222-195237-117 O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20070222-195237-181 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20070222-195237-182 O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
backup-20070222-195237-198 O15 - Trusted Zone: *.adgate.info
backup-20070222-195237-260 O15 - Trusted Zone: *.matcash.com (HKLM)
backup-20070222-195237-267 O15 - Trusted Zone: *.winantivirus.com
backup-20070222-195237-322 O15 - Trusted Zone: *.matcash.com
backup-20070222-195237-333 O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20070222-195237-440 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20070222-195237-447 O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
backup-20070222-195237-450 O15 - Trusted Zone: *.systemdoctor.com
backup-20070222-195237-452 O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20070222-195237-457 O15 - Trusted Zone: *.snipernet.biz
backup-20070222-195237-474 O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
backup-20070222-195237-499 O15 - Trusted Zone: *.imagesrvr.com
backup-20070222-195237-527 O15 - Trusted Zone: *.winfixer.com
backup-20070222-195237-589 O15 - Trusted Zone: *.media-motor.com
backup-20070222-195237-685 O15 - Trusted Zone: *.errorsafe.com
backup-20070222-195237-707 O15 - Trusted Zone: *.snipernet.biz (HKLM)
backup-20070222-195237-788 O15 - Trusted Zone: *.mediatickets.net
backup-20070222-195237-812 O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
backup-20070222-195237-824 O15 - Trusted Zone: *.mediatickets.net (HKLM)
backup-20070222-195237-860 O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20070222-195237-874 O15 - Trusted Zone: *.media-motor.net (HKLM)
backup-20070222-195237-957 O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20070222-195237-978 O15 - Trusted Zone: *.dollarrevenue.com
backup-20070222-195238-261 O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
backup-20070222-195238-262 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20070222-195238-509 O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
backup-20070222-195238-675 O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
backup-20070228-075556-427 O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
backup-20070228-075556-510 O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20070228-075557-848 O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
backup-20070228-075557-999 O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
backup-20070228-204833-400 O2 - BHO: (no name) - {B632296A-CCF4-B65E-F9DA-C3DEBFC15CE2} - C:\WINDOWS\system32\hzjs.dll (file missing)

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - notepad.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - notepad.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
3R ASAPIW2k - C:\WINDOWS\system32\drivers\asapiW2k.sys
2R ASPI32 - C:\WINDOWS\system32\drivers\ASPI32.SYS
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\ccdecode.sys
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFHWBS2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\HSF_DP.sys
3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
1S kbdhid (Keyboard HID Driver) - C:\WINDOWS\system32\drivers\kbdhid.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3S mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\mstee.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\nabtsfec.sys
3R NaiAvFilter1 - C:\WINDOWS\system32\drivers\naiavf5x.sys
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\ndisip.sys
3S ntldr.sys - C:\ntldr.sys (not found)
2S ONSIO - C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS (not found)
3S PCANDIS5 (PCANDIS5 Protocol Driver) - C:\PROGRA~1\NETGEAR\MA111C~1\PCANDIS5.SYS (not found)
1R PCLEPCI - C:\WINDOWS\system32\drivers\Pclepci.sys
3S PRISM_USB (D-Link Air DWL-122 Wireless USB Adapter Driver) - C:\WINDOWS\system32\drivers\PRISMUSB.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3S QCMerced (Logitech QuickCam Communicate) - C:\WINDOWS\system32\drivers\lvcm.sys
3R rtl8139 (Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver) - C:\WINDOWS\system32\drivers\RTL8139.sys
3S Runtime - C:\WINDOWS\system32\runtime.sys
1R SASDIFSV - C:\Program Files\SUPERAntiSpyware\sasdifsv.sys
3R SASENUM - C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
1R SASKUTIL - C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\slip.sys
0S SMPLSCSI - C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\streamip.sys
3S usbaudio (USB Audio Driver (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\usbstor.sys
3S wanatw (WAN Miniport (ATW)) - C:\WINDOWS\system32\DRIVERS\wanatw4.sys (not found)
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
3S WLAN_USB (Wireless LAN USB Driver) - C:\WINDOWS\system32\drivers\MA111nd5.sys
1R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\wstcodec.sys
3R {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver) - C:\WINDOWS\system32\drivers\ialmsbw.sys
3R {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver) - C:\WINDOWS\system32\drivers\ialmkchw.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4S Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
3S ALG (Application Layer Gateway Service) - C:\WINDOWS\System32\alg.exe
3S AppMgmt (Application Management) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R AudioSrv (Windows Audio) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S BITS (Background Intelligent Transfer Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2S Browser (Computer Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S CiSvc (Indexing Service) - C:\WINDOWS\system32\cisvc.exe
4S ClipSrv (ClipBook) - C:\WINDOWS\system32\clipsrv.exe
3S COMSysApp (COM+ System Application) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2R CryptSvc (Cryptographic Services) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R DcomLaunch (DCOM Server Process Launcher) - C:\WINDOWS\system32\svchost -k DcomLaunch
2R Dhcp (DHCP Client) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S dmadmin (Logical Disk Manager Administrative Service) - C:\WINDOWS\System32\dmadmin.exe /com
3S dmserver (Logical Disk Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Dnscache (DNS Client) - C:\WINDOWS\System32\svchost.exe -k NetworkService
2R ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Eventlog (Event Log) - C:\WINDOWS\system32\services.exe
3R EventSystem (COM+ Event System) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S FastUserSwitchingCompatibility (Fast User Switching Compatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
2R helpsvc (Help and Support) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R HidServ (HID Input Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S HTTPFilter (HTTP SSL) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
3S ImapiService (IMAPI CD-Burning COM Service) - C:\WINDOWS\System32\imapi.exe
2R lanmanserver (Server) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R lanmanworkstation (Workstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R LmHosts (TCP/IP NetBIOS Helper) - C:\WINDOWS\System32\svchost.exe -k LocalService
2R McDetect.exe (McAfee WSC Integration) - c:\program files\mcafee.com\agent\mcdetect.exe
2R McShield (McAfee.com McShield) - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
2R McTskshd.exe (McAfee Task Scheduler) - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
3S mcupdmgr.exe (McAfee SecurityCenter Update Manager) - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
4S Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S mnmsrvc (NetMeeting Remote Desktop Sharing) - C:\WINDOWS\System32\mnmsrvc.exe
3S MSDTC (Distributed Transaction Coordinator) - C:\WINDOWS\System32\msdtc.exe
3S MSIServer (Windows Installer) - C:\WINDOWS\System32\msiexec.exe /V
4S NetDDE (Network DDE) - C:\WINDOWS\system32\netdde.exe
4S NetDDEdsdm (Network DDE DSDM) - C:\WINDOWS\system32\netdde.exe
3S Netlogon (Net Logon) - C:\WINDOWS\System32\lsass.exe
3R Netman (Network Connections) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R Nla (Network Location Awareness (NLA)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S NtLmSsp (NT LM Security Support Provider) - C:\WINDOWS\System32\lsass.exe
3S NtmsSvc (Removable Storage) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R PlugPlay (Plug and Play) - C:\WINDOWS\system32\services.exe
2R PolicyAgent (IPSEC Services) - C:\WINDOWS\System32\lsass.exe
2R ProtectedStorage (Protected Storage) - C:\WINDOWS\system32\lsass.exe
2R RasAuto (Remote Access Auto Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R RasMan (Remote Access Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RDSessMgr (Remote Desktop Help Session Manager) - C:\WINDOWS\system32\sessmgr.exe
4S RemoteAccess (Routing and Remote Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RpcLocator (Remote Procedure Call (RPC) Locator) - C:\WINDOWS\System32\locator.exe
2R RpcSs (Remote Procedure Call (RPC)) - C:\WINDOWS\system32\svchost -k rpcss
3S RSVP (QoS RSVP) - C:\WINDOWS\System32\rsvp.exe
2R SamSs (Security Accounts Manager) - C:\WINDOWS\system32\lsass.exe
3S SCardSvr (Smart Card) - C:\WINDOWS\System32\SCardSvr.exe
2R Schedule (Task Scheduler) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R seclogon (Secondary Logon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SENS (System Event Notification) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R ShellHWDetection (Shell Hardware Detection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Spooler (Print Spooler) - C:\WINDOWS\system32\spoolsv.exe
2R srservice (System Restore Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R SSDPSRV (SSDP Discovery Service) - C:\WINDOWS\System32\svchost.exe -k LocalService
2R stisvc (Windows Image Acquisition (WIA)) - C:\WINDOWS\System32\svchost.exe -k imgsvc
3S SwPrv (MS Software Shadow Copy Provider) - C:\WINDOWS\System32\dllhost.exe /Processid:{195E6122-CAE8-4FC9-BD96-F81BBD1135E2}
3S SysmonLog (Performance Logs and Alerts) - C:\WINDOWS\system32\smlogsvc.exe
3R TapiSrv (Telephony) - C:\WINDOWS\System32\svchost.exe -k netsvcs
4S TermService (Terminal Services) - C:\WINDOWS\System32\svchost -k DComLaunch
2R Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R TrkWks (Distributed Link Tracking Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S upnphost (Universal Plug and Play Device Host) - C:\WINDOWS\System32\svchost.exe -k LocalService
3S UPS (Uninterruptible Power Supply) - C:\WINDOWS\System32\ups.exe
2R UxTuneUp (TuneUp Design Expansion) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S VSS (Volume Shadow Copy) - C:\WINDOWS\System32\vssvc.exe
2R W32Time (Windows Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
2R winmgmt (Windows Management Instrumentation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S WmiApSrv (WMI Performance Adapter) - C:\WINDOWS\System32\wbem\wmiapsrv.exe
2R wuauserv (Automatic Updates) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WZCSVC (Wireless Zero Configuration) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S xmlprov (Network Provisioning Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-23 22:04:28 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job<1-CLIC~1.JOB>


-- Files created between 2007-01-28 and 2007-02-28 ------------------------------

2007-02-28 23:41:42 0 d-------- C:\WINDOWS\LastGood
2007-02-28 23:25:50 20480 --a------ C:\WINDOWS\system32\msnetax.dll
2007-02-28 21:35:29 15189885 --a------ C:\sdat4973.exe
2007-02-28 19:37:30 2120 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-28 19:29:24 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-28 19:29:12 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-02-28 19:29:12 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-25 19:47:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software<TUNEUP~1>
2007-02-24 15:29:00 4403200 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-02-24 15:28:58 237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-02-24 12:52:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-02-23 22:29:54 0 d-------- C:\Program Files\CCleaner
2007-02-22 22:43:46 0 d-------- C:\tools
2007-02-22 22:25:24 114464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-02-22 22:24:18 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-02-22 22:24:00 288320 -ra------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-22 22:23:59 349760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-22 22:23:59 0 d-------- C:\Program Files\McAfee.com
2007-02-22 20:15:15 0 d-------- C:\Documents and Settings\Owner\DoctorWeb<DOCTOR~1>
2007-02-22 19:58:35 0 d-------- C:\_OTMoveIt<_OTMOV~1>
2007-02-22 19:27:51 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-02-21 19:48:17 0 d-------- C:\SDFix
2007-02-21 15:31:16 0 d-------- C:\spoolerlogs<SPOOLE~1>
2007-02-21 08:07:09 0 d-------- C:\WINDOWS\system32\s?stem32
2007-02-21 0852 0 d-------- C:\Program Files\InetGet2
2007-02-21 08:04:47 0 d-------- C:\Program Files\Common Files\{1417BE8B-0A20-1033-0916-031025200001}<{1417B~2>
2007-02-21 07:29:13 24072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-02-21 07:28:13 0 d-------- C:\Program Files\TuneUp Utilities 2007<TUNEUP~1>
2007-02-21 07:28:13 0 d-------- C:\Documents and Settings\Owner\Application Data\TuneUp Software<TUNEUP~1>
2007-02-21 07:26:34 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software<TUNEUP~1>
2007-02-20 23:25:31 0 d-------- C:\Program Files\Registry Mechanic<REGIST~1>
2007-02-20 21:27:40 0 d-------- C:\SDAT
2007-02-19 23:34:52 4864 --a------ C:\WINDOWS\system32\runtime.sys
2007-02-19 22:36:46 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-19 1818 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-02-19 1818 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust<INTERT~1>
2007-02-19 1818 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-02-19 1817 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-02-19 1817 1048576 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2007-02-19 00:14:01 0 d-------- C:\Program Files\Ofb1
2007-02-16 10:02:51 0 d-------- C:\Documents and Settings\All Users\Application Data\MCA1C.tmp
2007-02-14 14:18:12 0 d-------- C:\Practicum<PRACTI~1>
2007-02-05 21:49:36 0 d-------- C:\PMBOK Guide<PMBOKG~1>


-- Find3M Report ----------------------------------------------------------------

2007-02-28 21:40:03 0 d-------- C:\Program Files\NZSearch
2007-02-28 19:28:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-24 10:58:50 0 d-------- C:\Program Files\NetZero
2007-02-24 10:55:12 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-20 21:13:58 502272 -----n--- C:\WINDOWS\system32\winlogon.exe
2007-02-20 21:09:52 1993270 --a------ C:\Documents and Settings\Owner\Application Data\CleanUp!.log
2007-02-20 07:51:35 0 d-------- C:\Program Files\7-Zip
2007-02-15 21:37:48 0 d-------- C:\Program Files\Microsoft Works<MICROS~4>
2007-01-16 21:26:18 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-01-09 08:55:46 0 d-------- C:\Program Files\Microsoft<MICROS~3>
2006-12-31 20:46:19 0 d-------- C:\Program Files\Picasa2
2006-12-31 20:45:55 0 d-------- C:\Program Files\Google


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CHotkey"="zHotkey.exe"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="exec"
"hkey"="HKCU"
"command"="C:\\Program Files\\NetZero\\bak\\exec.exe regrun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nzspc"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{55667788-ABCD-1234-5678-00C04FD8DBD8}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1417BE8B-0A1F-1033-0916-031025200001}"="\"C:\\Program Files\\Common Files\\{1417BE8B-0A1F-1033-0916-031025200001}\\Update.exe\" te-110-12-0000271"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1417BE8B-0A1F-1033-0916-031025200001}"="\"C:\\Program Files\\Common Files\\{1417BE8B-0A1F-1033-0916-031025200001}\\Update.exe\" te-110-12-0000271"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp



-- End of ComboScan: finished at 2007-02-28 at 23:57:26 -------------------------

==== Comboscan supplementary ====
ComboScan v20070221.16 run by Owner on 2007-02-28 at 23:56:24
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.60GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 253.98 MiB / 97.68 MiB
Pagefile Memory (total/avail): 621.9 MiB / 430.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1999.38 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.33 GiB total, 66.61 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH="C:\Program Files\JavaSoft\JRE\1.3.1\lib\ext\QTJava.zip"
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-SMYLJR82PW
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-SMYLJR82PW
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C:\Program Files\JavaSoft\JRE\1.3.1\lib\ext\QTJava.zip"
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-SMYLJR82PW
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.12 beta --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\7-zip.inf,SevenZip.Uninstall
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC03FCE8-388F-48C0-9600-B53ACB297B5F}\setup.exe" -l0x9 -uninst
Blue's Art Time Activities --> C:\WINDOWS\IsUninst.exe -fC:\HEGames\ArtTime\Uninst.isu -c"C:\HEGames\ArtTime\Uninst.dll
Britannica Ready Reference --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Britannica\b2003ce.isu"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chutes and Ladders --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\Chutes\DeIsL1.isu"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Clifford Thinking Adventures --> C:\WINDOWS\System32\Clifford Uninstall.exe C:\Program Files\Scholastic's Clifford\Clifford Adventure\
Conexant SoftK56 Modem(M) --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_8D8B155D\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F00&SUBSYS_200214F1
Disney's The Jungle Book Learning --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8FB33DAA-0132-11D7-8944-0002A5E32BEF}\setup.exe" Disney's The Jungle Book Learning
Dora the Explorer: Animal Adventures --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A34CCD1C-7738-47B9-863D-8E0C478FB8F7}\setup.exe" -l0x9 -uninst
Genesys USB Mass Storage Device --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4BF87C8-3EEC-4774-82A2-584F109187B1}\Setup.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Grammar Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Davidson\Grammar\DeIsL1.isu"
HijackThis 1.99.1 --> C:\tools\HijackThis.exe /uninstall
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{24960CD0-661D-4957-9D5F-D2905A30EDB1}
Java 2 Runtime Environment Standard Edition v1.3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1\Uninst.isu"
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
JumpStart Music --> C:\WINDOWS\IsUninst.exe -fC:\KA\JSMUSIC\DeIsL1.isu
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Kid Pix Studio Deluxe --> C:\WINDOWS\uninst.exe -fC:\KPSDLUX\DeIsL1.isu
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam --> MsiExec.exe /I{466B21EE-2858-4845-B2B3-056FC544DAA3}
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Magic School Bus - Rainforest --> C:\Program Files\Microsoft Kids\MSB Rainforest\System\MSBRUNST.EXE /L"C:\Program Files\Microsoft Kids\MSB Rainforest\System\MSB Rainforest.log"
McAfee SecurityCenter --> C:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> C:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9
Netscape 6 (6.2.1) --> C:\WINDOWS\N6Uninst.exe /ua "6.2.1 (en)"
NetZero --> "C:\Program Files\NetZero\uninst.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Phonics --> C:\WINDOWS\unvise32.exe C:\Program Files\sz8064\uninstal.log
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\uninstal.log
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\Setup.exe" -l0x9 UNINSTALL
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RC Daredevil --> C:\PROGRA~1\eGames\RCDARE~1\UNWISE.EXE C:\PROGRA~1\eGames\RCDARE~1\INSTALL.LOG
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
SD Viewer for DSC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A8D3524-79DB-11D5-99D1-00010256D40E}\setup.exe"
Search for the Secret Keys --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA0AD614-3FD5-11D6-B234-0050DACD394D}\setup.exe" -l0x9 Uninstall
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
SoundCapture --> C:\PROGRA~1\MAGICS~1\SC\UNWISE.EXE C:\PROGRA~1\MAGICS~1\SC\INSTALL.LOG
SpyWare Killer Pro --> MsiExec.exe /I{ABD372EC-3EC6-49EA-AA5B-32101028A750}
Studio 9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E491AB7-4589-48CA-9CBB-874CB2788391}\Setup.exe" -l0x9 UNINSTALL
Study Helpers Math Booster --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\SHMathUn.exe
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TaxCut 2003 --> C:\Program Files\TaxCut03\Program\removetc.exe
TaxCut 2004 --> C:\Program Files\TaxCut04\Program\removetc.exe
TaxCut Deluxe 2005 --> C:\PROGRA~1\TaxCut05\Program\removetc.exe
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows XP Junglebook Compatiblity Fix --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{659660d0-edb3-4afb-be92-7ea22a0cae65}.sdb"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"


-- End of ComboScan: finished at 2007-02-28 at 23:57:26 -------------------------
tsf1jay is offline  
Old 03-01-2007, 01:03 AM   #15 (permalink)
Analyst, Security Team
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

This is one stubborn malware.

OK, here’s what we do next.

Please download LSPFix and save it to your desktop:
  • Disconnect from the Internet.
  • Unzip the LSPFix file to your desktop.
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I'm doing" checkbox.
  • Select (highlight) all instances of "msnetax.dll" in the left-hand column under "Keep".
  • Click the arrow >> so it goes over to the right-hand column under "Remove".
  • Then click Finish to allow LSPFix to rebuild the LSP chain.


NEXT:

1. Please download The Avenger by Swandog46 to your desktop.
  • Right-click on avenger.zip and select "Extract All". Follow the prompts.
  • A new avenger folder will be created on your desktop.


2. Copy all the text contained inside the code box below to your clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to delete:
C:\WINDOWS\system32\msnetax.dll
C:\sdat4973.exe
C:\Documents and Settings\All Users\Application Data\MCA1C.tmp

Folders to delete:
C:\Program Files\Common Files\{1417BE8B-0A20-1033-0916-031025200001}
C:\WINDOWS\system32\system32

CAUTION: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, to start The Avenger program, open the avenger folder and double-click avenger.exe to run it.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done.
  • Now click on the Green Traffic Light icon to begin execution of the script.
  • Answer "Yes" twice when prompted.


4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system TWICE.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip


5. Please copy and paste the contents of c:\avenger.txt into your reply along with a fresh HijackThis log by using Add/Reply.


NEXT:

Please download FindAWF by noahdfear and save it to your desktop:
  • Please double-click FindAWF.exe to run it.
  • If a security alert shows, allow the program to run.
  • When the tool has completed, a report will open in Notepad.
  • Please post the results of the awf.txt in your next reply.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the Avenger scan.
  2. The log from the FindAWF scan.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
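A pre-flight check for the "Files to delete" / "Folders to delete" script format used above, added here as an example for this thread and not part of The Avenger or of the helper's post: it parses the sections, maps the drive letter onto a constructed temporary tree (an assumption so it runs on any OS), and flags an entry listed as a file that is really a folder, or a folder whose literal name does not exist, suggesting one-character look-alike siblings such as the s?stem32 directory in the ComboScan listing.

```python
import os
import re
import tempfile

# Section headers of the Avenger script format used in the post above.
SECTION_RE = re.compile(r"^(files|folders|drivers) to (delete|unload):$", re.I)

def parse_avenger_script(text):
    """Return {"files": [...], "folders": [...], ...} from the script text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def _to_local(win_path, root):
    """Map 'C:\\WINDOWS\\x' onto <root>/WINDOWS/x so the check can run against a
    constructed tree on any OS (assumption: a single drive mapped to root)."""
    rel = re.sub(r"^[A-Za-z]:\\", "", win_path).replace("\\", "/")
    return os.path.join(root, rel)

def _lookalikes(local_path):
    """Sibling names of equal length differing in exactly one character, which
    is how an impostor such as the 's?stem32' directory in the log shows up."""
    parent, name = os.path.split(local_path)
    if not os.path.isdir(parent):
        return []
    return sorted(s for s in os.listdir(parent) if len(s) == len(name)
                  and sum(a != b for a, b in zip(s.lower(), name.lower())) == 1)

def validate(sections, root):
    """Check each entry before deletion. Returns [(section, path, status, hints)]
    with status ok | is_folder | is_file | missing | unchecked."""
    findings = []
    for section, paths in sections.items():
        for win_path in paths:
            local = _to_local(win_path, root)
            if section == "files":
                status = ("ok" if os.path.isfile(local) else
                          "is_folder" if os.path.isdir(local) else "missing")
            elif section == "folders":
                status = ("ok" if os.path.isdir(local) else
                          "is_file" if os.path.isfile(local) else "missing")
            else:
                status = "unchecked"   # driver names are not filesystem paths
            hints = _lookalikes(local) if status == "missing" else []
            findings.append((section, win_path, status, hints))
    return findings

# The script from the post, verbatim.
SCRIPT = """Files to delete:
C:\\WINDOWS\\system32\\msnetax.dll
C:\\sdat4973.exe
C:\\Documents and Settings\\All Users\\Application Data\\MCA1C.tmp

Folders to delete:
C:\\Program Files\\Common Files\\{1417BE8B-0A20-1033-0916-031025200001}
C:\\WINDOWS\\system32\\system32
"""

def build_constructed_tree(root):
    """Constructed stand-in for the infected disk (not a real capture): MCA1C.tmp
    is a folder, and the malware directory uses a look-alike of 'system32'."""
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(os.path.join(sys32, "s\u00fdstem32"))
    open(os.path.join(sys32, "msnetax.dll"), "wb").close()
    open(os.path.join(root, "sdat4973.exe"), "wb").close()
    os.makedirs(os.path.join(root, "Documents and Settings", "All Users",
                             "Application Data", "MCA1C.tmp"))
    os.makedirs(os.path.join(root, "Program Files", "Common Files",
                             "{1417BE8B-0A20-1033-0916-031025200001}"))

def run_demo():
    """Validate SCRIPT against the constructed tree; returns {path: (status, hints)}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return {p: (s, h) for _, p, s, h in validate(parse_avenger_script(SCRIPT), root)}

if __name__ == "__main__":
    for path, (status, hints) in run_demo().items():
        print(f"{status:10} {path}" + (f"  look-alike: {hints}" if hints else ""))
```

Running it reports the MCA1C.tmp entry as a folder and the system32\system32 entry as missing with the look-alike name beside it, which is exactly what the tool would otherwise only tell you after the reboot.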
Old 03-01-2007, 09:17 PM   #16 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


Posting logs from Avenger, FindAWF and HJT; I also did a Kaspersky online scan.

==== Avenger log ======
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lqhtbttd

*******************

Script file located at: \??\C:\Program Files\otntkbr^.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\msnetax.dll deleted successfully.
File C:\sdat4973.exe deleted successfully.


Error: C:\Documents and Settings\All Users\Application Data\MCA1C.tmp is a folder, not a file!
Deletion of file C:\Documents and Settings\All Users\Application Data\MCA1C.tmp failed!

Could not process line:
C:\Documents and Settings\All Users\Application Data\MCA1C.tmp
Status: 0xc00000ba

Folder C:\Program Files\Common Files\{1417BE8B-0A20-1033-0916-031025200001} deleted successfully.


Folder C:\WINDOWS\system32\system32 not found!
Deletion of folder C:\WINDOWS\system32\system32 failed!

Could not process line:
C:\WINDOWS\system32\system32
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

===== awf log ====

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

07/13/2000 03:00 PM 28,739 WkDetect.exe
1 File(s) 28,739 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETZERO\BAK

08/01/2004 04:47 PM 102,672 exec.exe
1 File(s) 102,672 bytes

Directory of C:\PROGRA~1\NZSEARCH\BAK

02/28/2007 11:02 PM 23 hcmconf.ini
11/09/2004 03:29 AM 286,786 nzspc.exe
02/28/2007 11:02 PM 562 regconf.ini
02/28/2007 11:02 PM 1,074 search.log
02/28/2007 11:02 PM 5,021 txlog.xml
5 File(s) 293,466 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/15/2003 08:12 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/25/2004 04:15 PM 221,184 LVCOMSX.EXE
03/10/2004 04:26 PM 406,016 PSDrvCheck.exe
2 File(s) 627,200 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

08/15/2006 07:42 PM 3,661,824 googletalk.exe
1 File(s) 3,661,824 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

02/25/2004 05:15 PM 454,656 ISStart.exe
02/25/2004 05:06 PM 212,992 LogiTray.exe
2 File(s) 667,648 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/06/2006 10:46 PM 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

23564 Feb 15 2007 "C:\Program Files\Microsoft Works\WkDetect.exe"
28739 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WkDetect.exe"
23564 Feb 15 2007 "C:\Program Files\NetZero\exec.exe"
102672 Aug 1 2004 "C:\Program Files\NetZero\bak\exec.exe"
114960 Jul 1 2003 "C:\Program Files\NetZero\qs\exec.exe"
1406 Feb 20 2007 "C:\Program Files\NZSearch\hcmconf.ini"
23 Feb 28 2007 "C:\Program Files\NZSearch\bak\hcmconf.ini"
23564 Feb 15 2007 "C:\Program Files\NZSearch\nzspc.exe"
286786 Nov 9 2004 "C:\Program Files\NZSearch\bak\nzspc.exe"
2264 Sep 2 2006 "C:\Program Files\NZSearch\regconf.ini"
562 Feb 28 2007 "C:\Program Files\NZSearch\bak\regconf.ini"
544 Sep 2 2006 "C:\Program Files\NZSearch\search.log"
1074 Feb 28 2007 "C:\Program Files\NZSearch\bak\search.log"
21 Sep 2 2006 "C:\Program Files\NZSearch\txlog.xml"
5021 Feb 28 2007 "C:\Program Files\NZSearch\bak\txlog.xml"
77824 Dec 15 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
221184 Feb 25 2004 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"
406016 Mar 10 2004 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
11817800 Aug 25 2006 "C:\My Downloads\GoogleEarth.exe"
3698688 Sep 27 2006 "C:\Program Files\Google\Google Talk\googletalk.exe1160568994"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
559784 Jan 6 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
135608 Dec 3 2006 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3661824 Aug 15 2006 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
1581768 Oct 25 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 Jan 4 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
931192 Sep 23 2005 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.70\googletalk-setup-upgrade.exe"
931944 Oct 4 2005 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.72\googletalk-setup-upgrade.exe"
854120 Nov 11 2005 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.76\googletalk-setup-upgrade.exe"
862368 Dec 14 2005 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.80\googletalk-setup-upgrade.exe"
893408 Jan 13 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.82\googletalk-setup-upgrade.exe"
892080 Jan 28 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.84\googletalk-setup-upgrade.exe"
896720 Feb 8 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.86\googletalk-setup-upgrade.exe"
1334520 Apr 6 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.92\googletalk-setup-upgrade.exe"
1531784 Aug 22 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
454656 Feb 25 2004 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
212992 Feb 25 2004 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
23564 Feb 15 2007 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
180269 Jan 6 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

======== HJT log =======
Logfile of HijackThis v1.99.1
Scan saved at 9:13:59 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

=====Kaspersky online scan log ====
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 01, 2007 11:04:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/03/2007
Kaspersky Anti-Virus database records: 275317
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 60687
Number of viruses found: 12
Number of infected objects: 29 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:26:04

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/msnetax.dll Infected: Trojan.Win32.Agent.afg skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\cp1041.nls Infected: SpamTool.Win32.Agent.u skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007030120070302\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_77c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\Microsoft Works\WkDetect.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\NetZero\exec.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\Program Files\NZSearch\nzspc.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\SDFix\backups\backups.zip/backups/dxdlg32.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\SDFix\backups\backups.zip/backups/hd4.tmp Infected: Trojan-Proxy.Win32.Xorpix.m skipped
C:\SDFix\backups\backups.zip/backups/hd5.tmp Infected: Trojan-Proxy.Win32.Xorpix.m skipped
C:\SDFix\backups\backups.zip/backups/kernels88.exe Infected: Trojan-Downloader.Win32.Small.cwj skipped
C:\SDFix\backups\backups.zip/backups/pp.exe.exe Infected: Email-Worm.Win32.Zhelatin.aj skipped
C:\SDFix\backups\backups.zip/backups/wuauclt.exe Infected: Trojan-Downloader.Win32.Small.ego skipped
C:\SDFix\backups\backups.zip ZIP: infected - 6 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7EDB5A9C-466C-4274-AEC3-C534983AC7C7}\RP1\A0000008.dll Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{7EDB5A9C-466C-4274-AEC3-C534983AC7C7}\RP2\A0000024.dll Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{7EDB5A9C-466C-4274-AEC3-C534983AC7C7}\RP2\A0000044.dll Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{7EDB5A9C-466C-4274-AEC3-C534983AC7C7}\RP2\change.log Object is locked skipped
C:\tools\SmitfraudFix\SmitfraudFix\Process.exe Object is locked skipped
C:\tools\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\tools\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ndis.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msnetax.dll Infected: Trojan.Win32.Agent.afg skipped
C:\WINDOWS\system32\runtime.sys Infected: Rootkit.Win32.Agent.dw skipped
C:\WINDOWS\system32\totour.exe Infected: Trojan.Win32.Agent.afg skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.g skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\_OTMoveIt\MovedFiles\Program Files\Outerinfo\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\_OTMoveIt\MovedFiles\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 2 skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\a3dxq.dll Infected: Trojan-Proxy.Win32.Xorpix.m skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\temp\winBC04.tmp Infected: Trojan-Proxy.Win32.Xorpix.m skipped

Scan process completed.

==========
Please advise what else I should do to get it all done. Thanks for all your help through this long process. I truly admire your patience and guidance.
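The Kaspersky report above mixes detections that still live on the disk with copies that earlier cleanup tools (Avenger, SDFix, OTMoveIt) have already moved into their backup archives, plus copies captured in System Restore points. The following is an added example, not part of this thread and not Kaspersky's or any tool's own code: it parses a constructed subset of the report lines posted above and sorts each detection into a bucket that tells a responder what kind of follow-up it needs. The backup-folder markers are an assumption drawn from the tool names that appear in this log.

```python
"""
Triage a Kaspersky Online Scanner report: separate detections that are still
live on disk from copies already parked in cleanup-tool backups or System
Restore points, which are cleared in bulk at the end of a cleanup rather than
hand-deleted, and from patched system files, which must be replaced, not deleted.
"""
import re

# Constructed subset of the report posted in this thread; paths and verdicts
# are copied from that log.
SAMPLE_KAV = r"""
C:\avenger\backup.zip/avenger/msnetax.dll Infected: Trojan.Win32.Agent.afg skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\cp1041.nls Infected: SpamTool.Win32.Agent.u skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Program Files\NetZero\exec.exe Infected: Trojan.Win32.Obfuscated.dr skipped
C:\SDFix\backups\backups.zip/backups/hd4.tmp Infected: Trojan-Proxy.Win32.Xorpix.m skipped
C:\SDFix\backups\backups.zip ZIP: infected - 6 skipped
C:\System Volume Information\_restore{7EDB5A9C-466C-4274-AEC3-C534983AC7C7}\RP1\A0000008.dll Infected: Trojan.Win32.Agent.afg skipped
C:\tools\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\runtime.sys Infected: Rootkit.Win32.Agent.dw skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.g skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\a3dxq.dll Infected: Trojan-Proxy.Win32.Xorpix.m skipped
"""

# One detection per line; "Object is locked" and "ZIP: infected - N" summary
# lines deliberately do not match.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")

# Assumption: backup locations of the cleanup tools named in this thread's log.
TOOL_BACKUP_MARKERS = (r"\avenger\backup.zip", r"\sdfix\backups", r"\_otmoveit\movedfiles")


def parse_detections(text):
    """Return [(path, verdict), ...] for every 'Infected:' line."""
    found = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            found.append((m.group("path"), m.group("verdict")))
    return found


def classify(path, verdict):
    """Bucket one detection by where it sits and what the verdict implies."""
    low = path.lower()
    if verdict.startswith("not-a-virus:"):
        return "riskware"             # e.g. the Reboot.exe shipped with SmitfraudFix
    if r"\system volume information\_restore" in low:
        return "restore_point"        # cleared by flushing System Restore at the end
    if any(marker in low for marker in TOOL_BACKUP_MARKERS):
        return "tool_backup"          # already removed from its original location
    if ".patched." in verdict.lower():
        return "patched_system_file"  # winlogon.exe: replace from a clean copy, never delete
    if "/" in path:
        return "archive"              # infected member of some other archive
    return "live"                     # still on disk in place: act on this first


def triage(text):
    """Group all detections in a report by classify() bucket."""
    groups = {}
    for path, verdict in parse_detections(text):
        groups.setdefault(classify(path, verdict), []).append((path, verdict))
    return groups


def counts(groups):
    """Number of detections per bucket."""
    return {bucket: len(items) for bucket, items in groups.items()}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_KAV).items():
        print(bucket)
        for path, verdict in items:
            print(f"  {verdict:45} {path}")
```

Running it on the sample puts cp1041.nls, exec.exe and runtime.sys in the live bucket, winlogon.exe on its own as a patched system file, and everything under avenger, SDFix and _OTMoveIt into tool_backup, which is the split a responder needs before deciding what to delete by hand and what disappears when the tool backups and restore points are purged at the end.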
Old 03-01-2007, 09:19 PM   #17 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition



Continuing from my previous post...
I forgot to mention that I am now getting the following error when opening Explorer. I clicked "do not send" on the report and continued.

Sample LSP Installer has encountered a problem and needs to close. We are sorry for the inconvenience.

AppName: totour.exe AppVer: 5.2.3790.1830 ModName: totour.exe
ModVer: 5.2.3790.1830 Offset: 000018d5

Last edited by tsf1jay; 03-01-2007 at 09:22 PM.
Old 03-02-2007, 07:59 AM   #18 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

OK, we have a nasty one here. It will take quite a number of posts to nuke this malware, as it is quite resistant and has hidden processes all over the place.

Do this first.

Please download DelDomains by WinHelp2002 and save it to your desktop:
  • Right-click on DelDomains.inf, and choose Install.
  • You may not see any noticeable changes or prompts; this is normal.
  • Then, please restart your computer, and post a new HijackThis log.
  • You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot – Search & Destroy after doing this.


NEXT:

Please download ResetProtocolDefaults by WinHelp2002 and save it to your desktop:
  • Locate ResetProtocolDefaults.reg which should be on your desktop.
  • Right-click and select Merge.
  • OK the prompt.


NEXT:

Please open Notepad, and copy and paste the text present inside the code box below:

Code:
if exist "C:\Program Files\Microsoft Works\WkDetect.exe" del /q "C:\Program Files\Microsoft Works\WkDetect.exe"
copy "C:\Program Files\Microsoft Works\bak\WkDetect.exe" "C:\Program Files\Microsoft Works"
del /q "C:\Program Files\Microsoft Works\bak\WkDetect.exe"
rmdir "C:\Program Files\Microsoft Works\bak"

if exist "C:\Program Files\NetZero\exec.exe" del /q "C:\Program Files\NetZero\exec.exe"
copy "C:\Program Files\NetZero\bak\exec.exe" "C:\Program Files\NetZero"
del /q "C:\Program Files\NetZero\bak\exec.exe"
rmdir "C:\Program Files\NetZero\bak"

if exist "C:\Program Files\NZSearch\hcmconf.ini" del /q "C:\Program Files\NZSearch\hcmconf.ini"
copy "C:\Program Files\NZSearch\bak\hcmconf.ini" "C:\Program Files\NZSearch"
del /q "C:\Program Files\NZSearch\bak\hcmconf.ini"

if exist "C:\Program Files\NZSearch\nzspc.exe" del /q "C:\Program Files\NZSearch\nzspc.exe"
copy "C:\Program Files\NZSearch\bak\nzspc.exe" "C:\Program Files\NZSearch"
del /q "C:\Program Files\NZSearch\bak\nzspc.exe"
rmdir "C:\Program Files\NZSearch\bak"

if exist "C:\Program Files\NZSearch\regconf.ini" del /q "C:\Program Files\NZSearch\regconf.ini"
copy "C:\Program Files\NZSearch\bak\regconf.ini" "C:\Program Files\NZSearch"
del /q "C:\Program Files\NZSearch\bak\regconf.ini"

if exist "C:\Program Files\NZSearch\search.log" del /q "C:\Program Files\NZSearch\search.log"
copy "C:\Program Files\NZSearch\bak\search.log" "C:\Program Files\NZSearch"
del /q "C:\Program Files\NZSearch\bak\search.log"

if exist "C:\Program Files\NZSearch\txlog.xml" del /q "C:\Program Files\NZSearch\txlog.xml"
copy "C:\Program Files\NZSearch\bak\txlog.xml" "C:\Program Files\NZSearch"
del /q "C:\Program Files\NZSearch\bak\txlog.xml"
rmdir "C:\Program Files\NZSearch\bak"

if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
del /q "C:\Program Files\QuickTime\bak\qttask.exe"
rmdir "C:\Program Files\QuickTime\bak"

if exist "C:\WINDOWS\system32\LVCOMSX.EXE" del /q "C:\WINDOWS\system32\LVCOMSX.EXE"
copy "C:\WINDOWS\system32\bak\LVCOMSX.EXE" "C:\WINDOWS\system32"
del /q "C:\WINDOWS\system32\bak\LVCOMSX.EXE"

if exist "C:\WINDOWS\system32\PSDrvCheck.exe" del /q "C:\WINDOWS\system32\PSDrvCheck.exe"
copy "C:\WINDOWS\system32\bak\PSDrvCheck.exe" "C:\WINDOWS\system32"
del /q "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
rmdir "C:\WINDOWS\system32\bak"

if exist "C:\Program Files\Google\Google Talk\googletalk.exe" del /q "C:\Program Files\Google\Google Talk\googletalk.exe"
copy "C:\Program Files\Google\Google Talk\bak\googletalk.exe" "C:\Program Files\Google\Google Talk"
del /q "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
rmdir "C:\Program Files\Google\Google Talk\bak"

if exist "C:\Program Files\Logitech\Video\ISStart.exe" del /q "C:\Program Files\Logitech\Video\ISStart.exe"
copy "C:\Program Files\Logitech\Video\bak\ISStart.exe" "C:\Program Files\Logitech\Video"
del /q "C:\Program Files\Logitech\Video\bak\ISStart.exe"

if exist "C:\Program Files\Logitech\Video\LogiTray.exe" del /q "C:\Program Files\Logitech\Video\LogiTray.exe"
copy "C:\Program Files\Logitech\Video\bak\LogiTray.exe" "C:\Program Files\Logitech\Video"
del /q "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
rmdir "C:\Program Files\Logitech\Video\bak"

if exist "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" del /q "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
copy "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe" "C:\Program Files\Adobe\Acrobat 7.0\Reader"
del /q "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
rmdir "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak"

if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
del /q "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
rmdir "C:\Program Files\Common Files\Real\Update_OB\bak"
Save this as restore.bat. Choose to save as "All files" and place it on your desktop.

It should look like this:

Double-click on restore.bat and allow it to run.

In case you still are unsure on how to create a BAT file, please take a look HERE with screenshots.


NEXT:

Please download L2Mfix by shadowwar from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
  • Save the file to your desktop and double-click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts.
  • Open the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter.
  • The program will process, and then start. Your desktop and icons will disappear (this is normal).
  • L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot.
  • After the reboot Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run in Safe Mode!!

If after the reboot the log does not open, double-click on log.txt in the l2mfix folder.


NEXT:

Please run FindAWF one more time and post the log it creates for me to see.


NEXT:

Please delete these FILES (if found):

C:\cp1041.nls
C:\WINDOWS\system32\msnetax.dll
C:\WINDOWS\system32\runtime.sys
C:\WINDOWS\system32\totour.exe


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the L2Mfix scan.
  2. The log from the FindAWF scan.
  3. A new HijackThis log.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Last edited by Sempurna; 03-02-2007 at 08:01 AM.
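The restore.bat above was written by hand from the "Duplicate files of bak directory contents" section of the FindAWF report posted earlier in this thread: every program the infection touched had its real executable moved into a bak sub-folder and a 23564-byte file dropped in its place. The following is an added example, not code from this thread, from FindAWF or from noahdfear: it parses a constructed subset of that report, flags the live files that were all replaced by the same-size dropper, and emits the same delete/copy/del/rmdir sequence the helper typed out. The "one size repeated across unrelated folders" heuristic is my own assumption; FindAWF's internal logic is not reproduced here.

```python
"""
Parse the "Duplicate files of bak directory contents" section of a FindAWF
report, flag the live files that were swapped for one identical dropper, and
generate the restore commands that were written by hand in this thread.
"""
import re
from collections import Counter

# Constructed subset of the FindAWF report posted earlier in this thread;
# sizes, dates and paths are copied from that log.
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

23564 Feb 15 2007 "C:\Program Files\Microsoft Works\WkDetect.exe"
28739 Jul 13 2000 "C:\Program Files\Microsoft Works\bak\WkDetect.exe"
23564 Feb 15 2007 "C:\Program Files\NetZero\exec.exe"
102672 Aug 1 2004 "C:\Program Files\NetZero\bak\exec.exe"
114960 Jul 1 2003 "C:\Program Files\NetZero\qs\exec.exe"
1406 Feb 20 2007 "C:\Program Files\NZSearch\hcmconf.ini"
23 Feb 28 2007 "C:\Program Files\NZSearch\bak\hcmconf.ini"
23564 Feb 15 2007 "C:\Program Files\NZSearch\nzspc.exe"
286786 Nov 9 2004 "C:\Program Files\NZSearch\bak\nzspc.exe"
77824 Dec 15 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
3661824 Aug 15 2006 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
23564 Feb 15 2007 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"

end of report
"""

# size, "Mon D YYYY", quoted path
LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Return [(size, date, path), ...] for every file line in the report."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def bak_pairs(entries):
    """Pair each file under a '\\bak' folder with the live file it backs up.

    live_size is None when the live copy is not listed (qttask.exe and
    googletalk.exe in the sample), which is why restore uses 'if exist'.
    """
    sizes = {path.lower(): size for size, _date, path in entries}
    pairs = []
    for size, _date, path in entries:
        folder, _, name = path.rpartition("\\")
        if not folder.lower().endswith("\\bak"):
            continue                      # e.g. NetZero\qs\exec.exe is a real second copy
        live = folder[:-4] + "\\" + name  # drop the trailing "\bak"
        pairs.append({"live": live, "bak": path,
                      "live_size": sizes.get(live.lower()), "bak_size": size})
    return pairs


def find_clones(pairs, min_count=2):
    """Flag live files sharing one size that differs from their bak original.

    One dropper copied over several unrelated programs is the pattern in this
    thread's report (assumed heuristic).  Returns (clone_size, flagged_pairs).
    """
    counts = Counter(p["live_size"] for p in pairs
                     if p["live_size"] is not None and p["live_size"] != p["bak_size"])
    if not counts:
        return None, []
    clone_size, n = counts.most_common(1)[0]
    if n < min_count:
        return None, []
    return clone_size, [p for p in pairs if p["live_size"] == clone_size]


def restore_commands(pairs):
    """Batch lines in the restore.bat pattern used in this thread: delete the
    live copy if present, put the bak original back, delete the bak copy,
    then remove each emptied bak folder exactly once."""
    lines = []
    for p in pairs:
        live, bak = p["live"], p["bak"]
        folder = live.rpartition("\\")[0]
        lines.append(f'if exist "{live}" del /q "{live}"')
        lines.append(f'copy "{bak}" "{folder}"')
        lines.append(f'del /q "{bak}"')
    for bak_folder in dict.fromkeys(p["bak"].rpartition("\\")[0] for p in pairs):
        lines.append(f'rmdir "{bak_folder}"')
    return lines


if __name__ == "__main__":
    pairs = bak_pairs(parse_report(SAMPLE_REPORT))
    size, flagged = find_clones(pairs)
    print(f"dropper size {size}: {len(flagged)} live files replaced")
    print("\n".join(restore_commands(pairs)))
```

On the sample the script reports 23564 as the dropper size with four replaced executables (WkDetect.exe, exec.exe, nzspc.exe, AdobeUpdateManager.exe), which matches the four Trojan.Win32.Obfuscated.dr hits in the Kaspersky log, and it emits the rmdir for each bak folder only after the last file in it has been moved, so the NZSearch folder is removed once rather than attempted twice.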
Old 03-03-2007, 04:06 AM   #19 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


posting logs..

=====
L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (188 bytes security) (deflated 87%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

==== AWF scan ======

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report

==== HJT log ====
Logfile of HijackThis v1.99.1
Scan saved at 5:51:30 AM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

=========

Please let me know the next step I need to follow. I still have winlogon.exe infected per McAfee. I asked in the McAfee help forum about this winlogon.exe virus, and they asked me to continue with your advice (actually they are the ones who had asked me to come here when it all started). Thank you so much for being so helpful.
tsf1jay is offline  
Old 03-03-2007, 05:40 AM   #20 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

You’re most welcome, tsf1jay.

We’re halfway to solving this persistent malware problem of yours. Hang in there and we’ll be done in no time.

Please open Notepad, and copy and paste the text present inside the code box below:

Code:
if exist "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" del /q "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
copy "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe" "C:\Program Files\Adobe\Acrobat 7.0\Reader"
del /q "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
rmdir "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak"

rmdir "C:\PROGRA~1\MESSEN~1\BAK"

rmdir "C:\PROGRA~1\MSNMES~1\BAK"

rmdir "C:\PROGRA~1\SKYPE\PHONE\BAK"
Save this as restore2.bat. Choose to save as "All files" and place it on your desktop.

It should look like this:

Double-click on restore2.bat and allow it to run.

In case you are still unsure about how to create a BAT file, please take a look HERE, which has screenshots.


NEXT:

Please run OTMoveIt and quarantine the following files/folders (please also remember to copy the report generated and paste it in your next reply for me to see):

C:\Program Files\Java\jre1.6.0\bin\keytool.exe
C:\Program Files\Java\jre1.6.0\bin\kinit.exe
C:\Program Files\Java\jre1.6.0\bin\klist.exe
C:\Program Files\Java\jre1.6.0\bin\ktab.exe
C:\Program Files\Java\jre1.6.0\bin\orbd.exe
C:\Program Files\Java\jre1.6.0\bin\pack200.exe
C:\Program Files\Java\jre1.6.0\bin\policytool.exe
C:\Program Files\Java\jre1.6.0\bin\rmid.exe
C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe
C:\Program Files\Java\jre1.6.0\bin\servertool.exe


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please download Process Explorer by Sysinternals and save it to your desktop:
  1. Start the program by double-clicking on procexp.exe.
  2. Click View on the top menu bar, and make sure Show Lower Pane is selected.
  3. Again under the View menu, point to Lower Pane View, and select Dlls.
  4. Now, in the upper left pane, click on the process winlogon.exe.
  5. When information appears in the lower pane, click File -> Save as.
  6. Save winlogon.exe.txt to the desktop.

Now repeat steps 4-6 for the following:

explorer.exe (the report will be explorer.exe.txt)


If there is a problem with obtaining the info for explorer.exe, please cancel the action, close Process Explorer, re-open the program, and re-do the steps for explorer.exe only.

NOTE: While in Process Explorer, if you see an Iexplore process loaded under anything other than explorer.exe, please select the process it is running under and save that log as well.


NEXT:

Please open Notepad, and copy and paste the text present inside the code box below:

Code:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s >>notify.txt
Save this as notify.bat. Choose to save as "All files" and place it on your desktop.

It should look like this:

Double-click on notify.bat and a report should open in Notepad. Please post the contents of the notify.txt report in your next reply.

In case you are still unsure about how to create a BAT file, please take a look HERE, which has screenshots.


NEXT:

Please download WinSock XP Fix by Option^Explicit:
  • Place it on your desktop.
  • Run WinsockxpFix.exe and click "Reg backup".
  • Your current registry will be saved in the folder "ERDNT".
  • Then click FIX.
  • Your system will reboot.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The winlogon.exe.txt report.
  2. The explorer.exe.txt report.
  3. The notify.txt report.
  4. A new FindAWF log.
  5. A new HijackThis log.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna; 03-03-2007 at 05:42 AM.
Sempurna is offline  
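The restore2.bat above applies by hand the pattern the FindAWF report exposed: a suspect executable sitting beside a `bak` folder that still holds the displaced original. As an added example that is not part of Sempurna's post or of the FindAWF/OTMoveIt tools (the function names and the directory tree built in the test are my own construction), this Python script walks a folder tree for `bak` directories, compares each file there with the same-named file in the parent folder by hash, and emits a reviewable dry-run plan in the same cmd.exe form the batch file uses:

```python
import hashlib
import os
from pathlib import Path


def _sha256(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_bak_restore(root):
    """Dry run: find every folder named 'bak' under root and pair each file in
    it with the same-named file in the parent folder.  Returns lists of paths:
      restore   - (parent_copy, bak_copy) whose contents differ: the parent copy
                  is the suspect, the bak copy the displaced original
      identical - pairs with equal contents, where copying back changes nothing
      orphans   - bak files with no counterpart in the parent folder (review)
      empty_bak - bak folders with no files, i.e. safe to rmdir
    Nothing is deleted, copied or moved here."""
    plan = {"restore": [], "identical": [], "orphans": [], "empty_bak": []}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() != "bak":
                continue
            bak_dir = Path(dirpath) / d
            files = [n for n in sorted(os.listdir(bak_dir)) if (bak_dir / n).is_file()]
            if not files:
                plan["empty_bak"].append(str(bak_dir))
            for name in files:
                bak_copy, parent_copy = bak_dir / name, Path(dirpath) / name
                if not parent_copy.is_file():
                    plan["orphans"].append(str(bak_copy))
                elif _sha256(parent_copy) == _sha256(bak_copy):
                    plan["identical"].append((str(parent_copy), str(bak_copy)))
                else:
                    plan["restore"].append((str(parent_copy), str(bak_copy)))
    return plan


def restore_commands(plan):
    """Render the plan as the same cmd.exe lines restore2.bat uses (delete the
    suspect, copy the original back, remove empty bak folders) for review."""
    lines = []
    for parent_copy, bak_copy in plan["restore"]:
        lines.append(f'del /q "{parent_copy}"')
        lines.append(f'copy "{bak_copy}" "{os.path.dirname(parent_copy)}"')
    for bak_dir in plan["empty_bak"]:
        lines.append(f'rmdir "{bak_dir}"')
    return lines
```

The generated lines are meant to be read against the FindAWF "bak folders found" section before anything is run; an orphan or an identical pair is reported rather than acted on.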
 


Copyright 2001 - 2009, Tech Support Forum