Old 08-29-2007, 09:02 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: Windows XP SP2


This operation has been cancelled due to restriction in effect on this computer...

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." This is an exact copy of the message I receive when I try to open security options in Windows XP SP2 (little red shield with an x in it in the system tray). I also get this message when I try to open anything in the control panel (opening from C:\Windows\System32), although I cannot find the actual control panel... It's not in the start menu anymore.

I had a virus or spyware on my system that I had a very difficult time removing. It would take me to a website to buy antivirus software (probably fake). It would run as printer.exe or winavxx.exe. I have a feeling this was the cause of my problems. I have a log for you to analyze and the extra.txt will be attached. I tried running Panda but it just hung after I told it to install the ActiveX control... Please help me, and if you have any suggestions to make my system run better/smoother please let me know. Thanks!

Deckard's System Scanner v20070826.66
Run by Kris on 2007-08-29 19:07:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
61: 2007-08-30 02:09:41 UTC - RP207 - Deckard's System Scanner Restore Point
60: 2007-08-29 20:04:51 UTC - RP206 - Installed AVG 7.5
59: 2007-08-29 19:38:14 UTC - RP205 - Removed Data Lifeguard Tools
58: 2007-08-29 06:15:56 UTC - RP204 - System Checkpoint
57: 2007-08-28 05:48:49 UTC - RP203 - System Checkpoint


-- First Restore Point --
1: 2007-06-01 17:28:01 UTC - RP147 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Kris.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:01 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Kris\Desktop\SUPERAntiSpyware_Professional_v3.9.0.1008\SUPERAntiSpyware Professional v3.9.0.1008\Thinstall\SUPERAntiSpyware Professional\10000006600002i\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 3901 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070829-185126-928 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.0.1>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 ZD1211BU(WLAN) (IEEE 802.11g USB Wireless LAN(WLAN)) - c:\windows\system32\drivers\zd1211bu.sys <Not Verified; ZyDAS Technology Corporation; ZD1211B 802.11 b+g USB LAN Adapter>
S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\3&61AAA01&0&50
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\3&61AAA01&0&50
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: ADMtek AN983 based ethernet adapter
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_D0201429&REV_11\3&61AAA01&0&58
Manufacturer: ADMtek Incorporated
Name: ADMtek AN983 based ethernet adapter
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_D0201429&REV_11\3&61AAA01&0&58
Service: AN983


-- Files created between 2007-07-29 and 2007-08-29 -----------------------------

2007-08-29 19:01:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-29 19:01:23 0 d-------- C:\WINDOWS\LastGood
2007-08-29 18:49:56 0 d-------- C:\Program Files\Trend Micro
2007-08-29 14:54:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-29 14:36:26 12293130 -----n--- C:\AVG7QT.DAT
2007-08-29 13:46:02 0 dr-h----- C:\$VAULT$.AVG
2007-08-29 13:05:32 0 d-------- C:\Documents and Settings\Kris\Application Data\AVG7
2007-08-29 13:05:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-29 13:04:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-29 13:04:51 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-08-29 13:01:31 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-08-29 13:01:20 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-29 13:01:08 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-08-29 13:01:03 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-29 13:01:03 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-29 13:00:37 2961440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-29 12:59:53 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-29 12:59:06 0 d-------- C:\WINDOWS\Internet Logs
2007-08-22 21:57:19 0 d-------- C:\My Games
2007-08-11 21:36:14 0 d-------- C:\Documents and Settings\Kris\Application Data\My Games
2007-08-10 17:52:44 0 d-------- C:\Documents and Settings\Kris\Application Data\RealArcade


-- Find3M Report ---------------------------------------------------------------

2007-08-22 13:35:06 0 d-------- C:\Program Files\Common Files\Real
2007-08-05 02:46:00 0 d-------- C:\Program Files\Starcraft
2007-07-24 02:27:32 0 d-------- C:\Documents and Settings\Kris\Application Data\Nokia
2007-07-24 02:24:47 0 d-------- C:\Program Files\Common Files\Nokia
2007-07-24 02:24:45 0 d-------- C:\Program Files\Common Files\PCSuite
2007-07-24 02:24:43 0 d-------- C:\Program Files\Common Files
2007-07-24 02:24:41 0 d-------- C:\Program Files\Nokia
2007-07-24 02:24:06 0 d-------- C:\Program Files\DIFX
2007-07-24 02:24:00 0 d-------- C:\Documents and Settings\Kris\Application Data\PC Suite
2007-07-24 02:23:40 0 d-------- C:\Program Files\PC Connectivity Solution
2007-07-20 21:42:53 0 d-------- C:\Program Files\Java
2007-07-19 21:55:18 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-17 18:57:26 49152 --a------ C:\WINDOWS\system32\rnginterstitialclient.dll <Not Verified; RealNetworks, Inc.; RealNetworks, Inc. RngInterstitialClient>
2007-07-17 18:57:26 189952 --a------ C:\WINDOWS\qcard32.dll
2007-07-15 10:57:34 0 d-------- C:\Documents and Settings\Kris\Application Data\iWin
2007-07-09 18:55:00 0 d-------- C:\Documents and Settings\Kris\Application Data\GameBlend
2007-07-09 18:37:45 802816 --a------ C:\WINDOWS\feedingfrenzy.scr <Not Verified; Sprout Games, LLC; Feeding Frenzy>
2007-07-08 09:01:06 109 --a------ C:\WINDOWS\popcinfo.dat
2007-07-04 08:12:44 0 d-------- C:\Documents and Settings\Kris\Application Data\pixelStorm
2007-07-02 09:26:26 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-02 08:53:17 0 d-------- C:\Program Files\Google
2007-07-01 19:43:32 0 d-------- C:\Documents and Settings\Kris\Application Data\EA
2007-07-01 18:05:04 0 d-------- C:\Program Files\MySpace
2007-07-01 18:03:59 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-01 18:03:37 0 d-------- C:\Program Files\Maestro Learning


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" [03/04/2004 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/21/2007 09:54 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/29/2007 02:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hadjajr.ini

*Newly Created Service* - GTNDIS5



-- Hosts -----------------------------------------------------------------------

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 atdmt.com
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 engine.awaps.net

9 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-08-29 19:27:41 ------------
Attached Files
File Type: txt extra.txt (13.2 KB, 1 views)
Old 08-30-2007, 08:37 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: This operation has been cancelled due to restriction in effect on this computer..

Hello and welcome to TSF.

Please disable SuperAntiSpyware so that it will not interfere with the fixes.

right-click on the shortcut from the system tray :
choose : View Control Center (preferences/options)
on the General and Startup tab:
uncheck : Start SUPERAntispyware when Windows starts
then click Close to exit.

===============================

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.

================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text inside the quotebox (starting from file::) below into it:
Code:
file::
C:\WINDOWS\system32\hadjajr.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
"NoWindowsUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

=========================================

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Please allow it.

=========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "The JSE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6.0 windows-i586-p.exe to install the newest version.

==========================================

Please post in your next reply:
a fresh HijackThis log,
C:\rapport.txt
Combofix log
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
Old 08-30-2007, 10:35 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: Windows XP SP2


Re: This operation has been cancelled due to restriction in effect on this computer..

Alright here ya go,

ComboFix 07-08-30.3 - "Kris" 2007-08-30 8:37:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.62 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Kris\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\hadjajr.ini


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-30 08:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 19:06 <DIR> d-------- C:\Deckard
2007-08-29 19:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-29 19:01 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-29 18:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-29 18:13 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-29 18:13 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-29 18:13 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-29 18:13 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-29 18:13 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-29 18:12 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-29 18:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-29 18:12 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-29 18:12 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-08-29 18:12 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-29 18:12 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-29 18:00 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2007-08-29 18:00 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-08-29 18:00 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-08-29 18:00 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-08-29 18:00 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2007-08-29 18:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2007-08-29 18:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2007-08-29 18:00 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2007-08-29 18:00 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2007-08-29 17:57 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-08-29 17:57 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-08-29 17:57 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-08-29 17:57 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-08-29 17:57 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-08-29 17:57 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-08-29 17:47 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2007-08-29 17:47 223,232 --a--c--- C:\WINDOWS\system32\dllcache\camdrv21.sys
2007-08-29 17:47 171,264 --a--c--- C:\WINDOWS\system32\dllcache\camdrv30.sys
2007-08-29 17:41 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-08-29 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 14:36 12,293,130 --------- C:\AVG7QT.DAT
2007-08-29 13:01 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-29 13:01 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-29 13:01 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-29 13:01 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-29 13:01 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-29 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-29 13:00 4,294,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-29 13:00 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-08-22 21:57 <DIR> d-------- C:\My Games
2007-08-11 21:36 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\My Games
2007-08-10 17:52 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\RealArcade
2007-07-24 02:26 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\Nokia
2007-07-24 02:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-07-24 02:24 <DIR> d-------- C:\Program Files\DIFX
2007-07-24 02:24 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-07-24 02:24 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-07-24 02:24 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\PC Suite
2007-07-24 02:23 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-07-24 02:23 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-07-24 02:23 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-07-24 02:23 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-07-24 02:23 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-07-24 02:23 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-07-24 02:23 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-07-24 02:23 <DIR> d-------- C:\Program Files\Nokia
2007-07-24 02:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-07-17 18:57 49,152 --a------ C:\WINDOWS\system32\rnginterstitialclient.dll
2007-07-17 18:57 189,952 --a------ C:\WINDOWS\qcard32.dll
2007-07-15 10:57 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\iWin
2007-07-15 08:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
2007-07-09 18:55 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\GameBlend
2007-07-09 18:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameBlend
2007-07-09 18:37 802,816 --a------ C:\WINDOWS\feedingfrenzy.scr
2007-07-04 08:12 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\pixelStorm
2007-07-02 09:00 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-07-02 09:00 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-07-02 09:00 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-07-02 09:00 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-02 08:54 7,168 --a--c--- C:\WINDOWS\system32\dllcache\hccoin.dll
2007-07-02 08:54 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2007-07-02 08:54 46,464 --a--c--- C:\WINDOWS\system32\dllcache\gagp30kx.sys
2007-07-02 08:54 46,464 --a------ C:\WINDOWS\system32\drivers\GAGP30KX.SYS
2007-07-02 08:54 27,165 --a--c--- C:\WINDOWS\system32\dllcache\fetnd5.sys
2007-07-02 08:54 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2007-07-02 08:54 26,624 --a--c--- C:\WINDOWS\system32\dllcache\usbehci.sys
2007-07-02 08:54 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-07-01 19:43 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\EA
2007-07-01 18:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 18:15 36488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-22 13:35 --------- d-------- C:\Program Files\Common Files\Real
2007-08-05 02:46 --------- d-------- C:\Program Files\Starcraft
2007-07-02 09:26 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-02 08:53 --------- d-------- C:\Program Files\Google
2007-07-01 18:05 --------- d-------- C:\Program Files\MySpace
2007-07-01 18:03 --------- d-------- C:\Program Files\Maestro Learning
2007-07-01 18:03 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-01 17:52 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-01 17:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-03-11 19:57 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" [2004-03-04 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-29 14:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 08:41:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 8:43:41
C:\ComboFix-quarantined-files.txt ... 2007-08-30 08:43

--- E O F ---


Now Rapport...


SmitFraudFix v2.217

Scan done at 8:56:12.02, Thu 08/30/2007
Run from C:\Documents and Settings\Kris\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kris


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kris\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kris\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G PCI Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.69.146
DNS Server Search Order: 68.87.85.98

Description: Linksys Wireless-G PCI Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.69.146
DNS Server Search Order: 68.87.85.98

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4C9328EC-17EE-4DFB-A0CC-C4EEE3F5ED3C}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A17A06C8-2AA1-45CC-BC94-1E75BB72E155}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4C9328EC-17EE-4DFB-A0CC-C4EEE3F5ED3C}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A17A06C8-2AA1-45CC-BC94-1E75BB72E155}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4C9328EC-17EE-4DFB-A0CC-C4EEE3F5ED3C}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A17A06C8-2AA1-45CC-BC94-1E75BB72E155}: DhcpNameServer=68.87.69.146 68.87.85.98


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Now HijackThis..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:19 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\explorer.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 3843 bytes


Thanks!!
viper2g1 is offline  
Old 08-30-2007, 12:36 PM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: This operation has been cancelled due to restriction in effect on this computer..

Hi,

Go to Start>Control Panel>Add/Remove Programs and remove if Kaspersky online scanner is present prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Or use Firefox with IE-Tab plugin

Also let me know how the computer is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-30-2007, 07:13 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: Windows XP SP2


Re: This operation has been cancelled due to restriction in effect on this computer..

Hello, the computer is running better now, I can at least open the control panel... here is the Kaspersky scan information...


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 30, 2007 6:09:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/08/2007
Kaspersky Anti-Virus database records: 400484
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 51006
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:52:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\history.dat Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\key3.db Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Kris\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Kris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Desktop\SmitfraudFix\Reboot.exe Object is locked skipped
C:\Documents and Settings\Kris\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Kris\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Kris\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Application Data\Mozilla\Firefox\Profiles\ge07wasu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kris\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Sandlot Shared\slghex.dll Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP169\A0018476.exe Object is locked skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP204\A0026910.ini Infected: Backdoor.Win32.Small.rb skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP205\A0026948.exe Object is locked skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP205\A0026950.exe Object is locked skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP205\A0026954.ini Infected: Backdoor.Win32.Small.rb skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP206\A0026961.exe Object is locked skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP206\A0026962.exe Object is locked skipped
C:\System Volume Information\_restore{1F059B04-58F0-42D6-A9B4-658C2A89D598}\RP211\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\COUGAR.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070829-155740.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05e6d.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05e74.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
viper2g1 is offline  
Old 08-30-2007, 09:10 PM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: This operation has been cancelled due to restriction in effect on this computer..

Hi,

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text inside the quotebox (starting from file::) below into it:
Code:
file::
C:\Program Files\Common Files\Sandlot Shared\slghex.dll
C:\WINDOWS\system32\drivers\etc\hosts.20070829-155740.backup
C:\Documents and Settings\Kris\Desktop\SmitfraudFix
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

==================================

Please download HostsXpert.
  • Unzip HostsXpert to your desktop
  • Open up the HostsXpert program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • Close program when complete.

Warning: if you use a customized hosts file to block certain sites then this will overwrite all those entries as well and you will need to re-enter them.
amateur is offline  
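The hosts-file backup-and-restore step in the post above, as an added example that is not part of the thread or of HostsXpert: it classifies each hosts entry the way a helper reading the file would (plain localhost, a block-list entry, or a redirect of the kind the Qhost detection in the Kaspersky report points to), then backs the file up under the same `hosts.<timestamp>.backup` naming seen in the report and writes the stock default. It assumes a hosts file in the normal Windows layout; the sample entries, names and addresses are constructed (RFC 2606 names, RFC 5737 addresses).

```python
"""Audit a Windows hosts file for hijacked entries and restore the default.

Added example, not code from the thread or from HostsXpert. Hosts-file hijackers
(the Qhost family flagged in the Kaspersky report above is one) rewrite
%SystemRoot%\\system32\\drivers\\etc\\hosts so that chosen hostnames resolve to an
address the attacker picked, or to loopback so the site (typically an antivirus
update server) can no longer be reached. The functions below classify every
entry, then back the file up and write the default content, which is what
"restore original hosts file" does. The sample hosts text, names and addresses
are constructed (RFC 2606 names, RFC 5737 addresses).
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# A stock Windows XP hosts file contains only this mapping.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the address-to-name mappings of a hosts file, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line
        names = [n.lower() for n in fields[1:]]
        entries.append(HostsEntry(line_no, fields[0], names))
    return entries


def classify(entry: HostsEntry) -> str:
    """'ok' for the plain localhost mapping; 'block' for other names pinned to
    loopback or 0.0.0.0 (the name becomes unreachable); 'redirect' for names
    sent to any other address."""
    ip = ipaddress.ip_address(entry.address)
    sinkhole = ip.is_loopback or ip.is_unspecified
    if sinkhole and all(n in ("localhost", "localhost.localdomain") for n in entry.names):
        return "ok"
    return "block" if sinkhole else "redirect"


def audit(text: str) -> List[Tuple[HostsEntry, str]]:
    """Every entry other than the plain localhost mapping, with its verdict.
    'redirect' is the serious case: traffic for that name leaves the machine
    for an address the user never chose. 'block' may be a legitimate ad-block
    list, which is why the post warns that a restore wipes custom entries."""
    findings = []
    for entry in parse_hosts(text):
        verdict = classify(entry)
        if verdict != "ok":
            findings.append((entry, verdict))
    return findings


def backup_and_restore(path: str, now: datetime) -> str:
    """Copy the hosts file to hosts.<timestamp>.backup (the naming the
    SmitfraudFix backup in the thread uses) and overwrite it with the default.
    Returns the backup path. Needs a writable file: the post's "make hosts
    writable" step is clearing the read-only attribute first."""
    backup_path = f"{path}.{now.strftime('%Y%m%d-%H%M%S')}.backup"
    with open(path, "rb") as src, open(backup_path, "wb") as dst:
        dst.write(src.read())
    with open(path, "w", newline="\r\n") as out:  # Windows line endings
        out.write(DEFAULT_HOSTS)
    return backup_path


# Constructed sample: the default mapping, one ad-block style entry, and two
# entries of the kind a hosts-file hijack leaves behind.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # the user's own block-list entry
127.0.0.1       update.av-vendor.example # AV updates silently made unreachable
192.0.2.44      www.bank.example         # sent to an address the user did not choose
"""

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {verdict:8} {entry.address} -> {', '.join(entry.names)}")
```

Running `audit` over a copy of the real hosts file first shows which entries the restore is about to discard, so a genuine block list can be saved before HostsXpert overwrites it.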
Old 08-30-2007, 10:40 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: Windows XP SP2


Re: This operation has been cancelled due to restriction in effect on this computer..

Here is the log file, also I did the hosts thing too...


ComboFix 07-08-30.3 - "Kris" 2007-08-30 21:23:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.45 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Kris\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\Common Files\Sandlot Shared\slghex.dll
C:\WINDOWS\system32\drivers\etc\hosts.20070829-155740.backup
C:\Documents and Settings\Kris\Desktop\SmitfraudFix


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Sandlot Shared\slghex.dll
C:\WINDOWS\system32\drivers\etc\hosts.20070829-155740.backup


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-30 18:34 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-08-30 18:34 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-08-30 16:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-30 16:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 08:56 1,952 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-30 08:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-30 08:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-30 08:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-30 08:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 19:06 <DIR> d-------- C:\Deckard
2007-08-29 19:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-29 18:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-29 18:13 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-29 18:13 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-29 18:13 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-29 18:13 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-29 18:13 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-29 18:12 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-29 18:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-29 18:12 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-29 18:12 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-08-29 18:12 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-29 18:12 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-29 18:00 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2007-08-29 18:00 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-08-29 18:00 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-08-29 18:00 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-08-29 18:00 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2007-08-29 18:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2007-08-29 18:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2007-08-29 18:00 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2007-08-29 18:00 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2007-08-29 17:57 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-08-29 17:57 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-08-29 17:57 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-08-29 17:57 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-08-29 17:57 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-08-29 17:57 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-08-29 17:47 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2007-08-29 17:47 223,232 --a--c--- C:\WINDOWS\system32\dllcache\camdrv21.sys
2007-08-29 17:47 171,264 --a--c--- C:\WINDOWS\system32\dllcache\camdrv30.sys
2007-08-29 17:41 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-08-29 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 13:01 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-29 13:01 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-29 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-29 12:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-22 21:57 <DIR> d-------- C:\My Games
2007-08-11 21:36 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\My Games
2007-08-10 17:52 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\RealArcade
2007-07-24 02:26 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\Nokia
2007-07-24 02:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-07-24 02:24 <DIR> d-------- C:\Program Files\DIFX
2007-07-24 02:24 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-07-24 02:24 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-07-24 02:24 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\PC Suite
2007-07-24 02:23 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-07-24 02:23 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-07-24 02:23 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-07-24 02:23 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-07-24 02:23 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-07-24 02:23 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-07-24 02:23 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-07-24 02:23 <DIR> d-------- C:\Program Files\Nokia
2007-07-24 02:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-07-17 18:57 49,152 --a------ C:\WINDOWS\system32\rnginterstitialclient.dll
2007-07-17 18:57 189,952 --a------ C:\WINDOWS\qcard32.dll
2007-07-15 10:57 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\iWin
2007-07-15 08:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
2007-07-09 18:55 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\GameBlend
2007-07-09 18:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameBlend
2007-07-09 18:37 802,816 --a------ C:\WINDOWS\feedingfrenzy.scr
2007-07-04 08:12 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\pixelStorm
2007-07-02 09:00 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-07-02 09:00 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-07-02 09:00 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-07-02 09:00 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-07-02 08:54 7,168 --a--c--- C:\WINDOWS\system32\dllcache\hccoin.dll
2007-07-02 08:54 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2007-07-02 08:54 46,464 --a--c--- C:\WINDOWS\system32\dllcache\gagp30kx.sys
2007-07-02 08:54 46,464 --a------ C:\WINDOWS\system32\drivers\GAGP30KX.SYS
2007-07-02 08:54 27,165 --a--c--- C:\WINDOWS\system32\dllcache\fetnd5.sys
2007-07-02 08:54 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2007-07-02 08:54 26,624 --a--c--- C:\WINDOWS\system32\dllcache\usbehci.sys
2007-07-02 08:54 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-07-01 19:43 <DIR> d-------- C:\DOCUME~1\Kris\APPLIC~1\EA
2007-07-01 18:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 21:27 --------- d-------- C:\Program Files\Common Files\Sandlot Shared
2007-08-30 19:21 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-22 13:35 --------- d-------- C:\Program Files\Common Files\Real
2007-08-05 02:46 --------- d-------- C:\Program Files\Starcraft
2007-07-02 09:26 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-02 08:53 --------- d-------- C:\Program Files\Google
2007-07-01 18:05 --------- d-------- C:\Program Files\MySpace
2007-07-01 18:03 --------- d-------- C:\Program Files\Maestro Learning
2007-07-01 18:03 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-01 17:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-03-11 19:57 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-30_ 84251.58 )))))))))))))))))))))))))))))))))))))))))

----a-w 820,928 2007-08-31 01:34:18 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 4,224 2007-08-31 01:34:18 C:\WINDOWS\system32\drivers\avg7rsw.sys
----a-w 27,776 2007-08-31 01:34:18 C:\WINDOWS\system32\drivers\avg7rsxp.sys
----a-w 3,968 2007-08-31 01:34:18 C:\WINDOWS\system32\drivers\avgclean.sys
----a-w 19,904 2007-08-31 01:34:18 C:\WINDOWS\system32\drivers\avgmfx86.sys
----a-w 213,048 2005-05-24 18:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-02-22 00:48:18 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-02-22 00:49:08 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

----a-w 821,536 2007-08-29 21:24:34 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 4,224 2007-08-29 20:05:13 C:\WINDOWS\system32\drivers\avg7rsw.sys
----a-w 27,776 2007-08-29 21:22:21 C:\WINDOWS\system32\drivers\avg7rsxp.sys
----a-w 3,968 2007-08-29 20:05:15 C:\WINDOWS\system32\drivers\avgclean.sys
----a-w 19,904 2007-08-29 21:24:34 C:\WINDOWS\system32\drivers\avgmfx86.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" [2004-03-04 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-30 18:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-08-30 18:34 9216 C:\WINDOWS\system32\avgwlntf.dll

S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys

*Newly Created Service* - GTNDIS5

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 21:32:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 21:36:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 21:36
C:\ComboFix2.txt ... 2007-08-30 08:43

--- E O F ---
viper2g1 is offline  
Old 08-31-2007, 04:37 AM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: This operation has been cancelled due to restriction in effect on this computer..

Hi,

How is the computer now? You know that you are a little low on memory.
Quote:
Total Physical Memory: 224 MiB (512 MiB recommended).
Otherwise, it's looking good. Please post a fresh HijackThis log for a last check. We are almost done, just a few more things.
amateur is offline  
Old 08-31-2007, 10:25 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: Windows XP SP2


Re: This operation has been cancelled due to restriction in effect on this computer..

Everything is running great now!! Here is the log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:28 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 3982 bytes
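As an added example (not code from the thread or from HijackThis), here is a small Python parser for the O4 Run and O23 Service lines of a log like the one above: it strips switches down to the image path and flags any entry whose image sits outside the Windows or Program Files trees, which is one of the first things an analyst checks when reading such a log. The sample log is constructed from lines in the log above plus one made-up Temp-folder Run entry; TRUSTED_ROOTS and the function names are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4/O23 lines copied from the log above, plus one
# made-up HKCU Run entry in a Temp folder so that something gets flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

@dataclass
class Entry:
    section: str  # HijackThis section: O4 (Run keys) or O23 (services)
    name: str     # Run value name or service short name
    path: str     # executable the entry loads, switches stripped
    scope: str    # hive or account for O4 entries, "" for services

# O4 lines carry an optional "(User '...')" suffix for per-user hives.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$")
# O23 lines may omit the "(ShortName)" part, as the Nokia ServiceLayer line does.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")

def image_path(cmd):
    """Strip switches from a Run command line, leaving only the image path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|cpl))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_hjt(text):
    """Turn the O4 and O23 lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], image_path(m["cmd"]), m["user"] or m["hive"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"] or m["display"], m["path"], ""))
    return entries

# Assumed trusted locations; 8.3 short names such as PROGRA~1 are expanded first.
TRUSTED_ROOTS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\")

def outside_trusted_roots(entries):
    """Return entries whose image lives outside the Windows and Program Files trees."""
    flagged = []
    for e in entries:
        normalized = e.path.upper().replace("PROGRA~1", "PROGRAM FILES")
        if not normalized.startswith(TRUSTED_ROOTS):
            flagged.append(e)
    return flagged
```

Running `outside_trusted_roots(parse_hjt(SAMPLE_LOG))` leaves only the constructed Temp-folder entry; every real line from the thread's log resolves under Windows or Program Files, matching the "log is clean" verdict below.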
Old 08-31-2007, 01:36 PM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: This operation has been cancelled due to restriction in effect on this computer..

Hi,

Great. The log is clean. You're all set to go as soon as you complete the following:

Please remove/delete all the tools I asked you to download. Also delete the following folders:

C:\QooBox
C:\Combofix

and empty the recycle bin.

Create a new System Restore point to prevent reinfection from old restore points.

Go to Start>Run and type sysdm.cpl. Press Enter
  • Select the System Restore Tab
  • Place a check in "Turn off System Restore on all drives"
  • Click Apply
  • Next, uncheck the same checkbox.
  • Click Apply
  • Click OK
You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

==================================================

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here.
If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 08-31-2007, 05:21 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: Windows XP SP2


Re: This operation has been cancelled due to restriction in effect on this computer..

I've done everything you've suggested and the system is running better than ever. Thanks!!! Your help is very much appreciated!!
Old 08-31-2007, 05:57 PM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: This operation has been cancelled due to restriction in effect on this computer..

You're very welcome. Glad we could help. Stay safe!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006