Old 07-05-2005, 08:26 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 4
OS: Windows XP


rdriv.sys virus

For the past couple of days I have been getting a dial-up icon for my DSL connection prompting to connect to the internet, which constantly springs up after I click cancel. Then Avast anti-virus catches a rdriv.sys Win32:Trojan-gen {Other}. While the only noticeable problem is that it slows down the startup of my comp, it has infected several System Volume Information restore files. I've tried all the spyware software and even the Trend Micro Housecall Scanner, and followed their directions to get rid of the TROJ_ROOTKIT.E virus, but that still didn't work. So here's the HijackThis log. Thanks for your time.

Logfile of HijackThis v1.99.1
Scan saved at 9:14:20 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\setup\avast.setup
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\wkssvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ann Dinh\My Documents\My Software\anti spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/315e80ad...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120597614125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/act...a/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B99730E0-A037-4E04-9604-8BF95F620334}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
ByeJack06 is offline  

Old 07-06-2005, 09:11 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,333
OS: N/A


Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
  • Unzip it to your desktop.
* Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed exit Ewido.
* CleanUp!
  • Install it.
* Killbox by Option^Explicit
  • Save it to your desktop.


Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

  1. Click [Start]>[Run], type services.msc into the [Open] editbox and click the [Ok] button.
  2. Locate the Power Manager (PowerManager) service and double-click on it to open the Properties dialog.
  3. Click the [Stop] button.
  4. In the [Startup type] dropdown select [Disabled].
  5. Click the [Apply] button and then the [Ok] button.
  6. Close the Services window
  7. Then start HiJackThis & go to [Config] > [Misc.Tools...] > [Delete an NT service...]
    In the popup box that appears, type in PowerManager & click the [OK] button.


1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido

3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Close HiJackThis.

5.) Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
  • C:\WINDOWS\pxwma.dll
    C:\WINDOWS\svchost.exe (file missing)

Start KillBox.
  1. Go to the [File] menu, and choose [Paste from Clipboard].
    Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 07-06-2005 at 09:12 AM.
sUBs is offline  
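The three entries the analyst singled out for FIX CHECKED share traits a defender can check mechanically: a service or BHO binary sitting directly in C:\WINDOWS instead of System32, a filename borrowed from a Windows component (svchost.exe, wkssvc), and a "(file missing)" service that is cross-checked against the running-process list. The script below is an added example, not code from the thread or from HijackThis; it parses a constructed subset of the first log (same line shapes as above) and applies those checks, treating a quoted path that HijackThis reports as missing but that is visibly running as a log quirk rather than an infection.

```python
"""Triage helper for HijackThis O2/O23 lines (added example, not from the thread)."""
import ntpath
import re

# Constructed sample: a subset of the thread's first log, not the whole log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\WINDOWS\wkssvc.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""

# "O2 - BHO: name - {CLSID} - path" and "O23 - Service: name - owner - path [args] [(file missing)]"
ENTRY_RE = re.compile(r"^(?P<kind>O2|O23) - (?:BHO|Service): (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
# First drive-letter path ending in a binary extension; stops before the stray quote HJT leaves.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx))', re.IGNORECASE)

WINDOWS_ROOT = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
# Core component names that malware on this machine borrowed to blend in.
LOOKALIKE_NAMES = {"svchost.exe", "wkssvc.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}

# Reason codes and how much weight each carries.
LEVELS = {"windows-root": 3, "lookalike-name": 3, "orphaned-service": 2,
          "unknown-owner": 1, "hjt-quote-quirk": 0}
LABELS = ["clean", "low", "medium", "high"]


def parse_log(text):
    """Return (set of running process paths, lowercased; list of parsed O2/O23 entries)."""
    processes, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:          # a blank line ends the process block
            in_procs = False
            continue
        if in_procs:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return processes, entries


def assess(entry, processes):
    """Return (severity label, reason codes) for one parsed entry."""
    codes = []
    pm = PATH_RE.search(entry["rest"])
    if not pm:
        return "clean", codes
    path = pm.group("path")
    parent = ntpath.dirname(path).lower()
    base = ntpath.basename(path).lower()
    if parent == WINDOWS_ROOT:
        codes.append("windows-root")            # real services live in System32
    if base in LOOKALIKE_NAMES and parent != SYSTEM32:
        codes.append("lookalike-name")          # svchost.exe outside System32 etc.
    if "(file missing)" in entry["rest"].lower():
        # HJT 1.99.1 flags quoted service paths as missing; if the binary is in
        # the process list it is running, so treat it as a log quirk.
        codes.append("hjt-quote-quirk" if path.lower() in processes else "orphaned-service")
    worst = max((LEVELS[c] for c in codes), default=0)
    if entry["owner"] == "Unknown owner" and worst >= 2:
        codes.append("unknown-owner")           # corroborating signal only
    return LABELS[worst], codes


def triage(text):
    """Map each O2/O23 entry name to its (severity, reason codes)."""
    processes, entries = parse_log(text)
    return {e["name"]: assess(e, processes) for e in entries}


def flagged(text):
    """Names of entries rated 'high', i.e. the ones worth fixing first."""
    return [name for name, (label, _) in triage(text).items() if label == "high"]


if __name__ == "__main__":
    for name, (label, codes) in triage(SAMPLE_LOG).items():
        print(f"{label:6} {name}: {', '.join(codes) or '-'}")
```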
Old 07-06-2005, 03:16 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 4
OS: Windows XP


It seems like the virus has stopped. But an interesting thing to note is that the Avast! antivirus supposedly found a virus on Panda's Active Scanner. It detected a Win32:Kuang2 on the imscan.dll file. I just turned off Avast after that. Anyways, here are the results:

1) rdriv.txt


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

2) Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:48:47 AM, 7/6/2005
+ Report-Checksum: 9300EC0B

+ Scan result:

:mozilla.119:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Adserver : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Ne : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\default.2vb\cookies.txt -> Spyware.Cookie.Counted : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.631:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.822:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.823:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.932:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.933:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.934:C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Ne : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Ann Dinh\Application Data\Phoenix\Profiles\The Thriftster\45zl49wh.slt\cookies.txt -> Spyware.Cookie.Counted : Cleaned with backup
C:\Documents and Settings\Ann Dinh\Cookies\ann dinh@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Ann Dinh\My Documents\My Software\cracks\ShowMaker.Pro.2.11_REGFILE-FFF.zip/ShowMaker-Regpatch.exe -> Trojan.Small.cr : Cleaned with backup
C:\Program Files\Avast4\DATA\moved\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\Program Files\Showmaker\ShowMaker-Regpatch.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\Temp\bw.exe -> TrojanDropper.Small.of : Cleaned with backup


::Report End

3) Active Scan

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\WINDOWS\System32\Xcite.dll
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Ann Dinh\Application Data\Lycos
Adware:Adware/InstDollars No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\biH.inf
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM32\Xcite.exe

4) HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 4:03:24 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ann Dinh\My Documents\My Software\anti spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/315e80ad...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120597614125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/act...a/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B99730E0-A037-4E04-9604-8BF95F620334}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks for the help. Please inform if you see other problems that can be fixed.
ByeJack06 is offline  
Old 07-06-2005, 03:28 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,333
OS: N/A


  1. Click [Start]>[Run], type services.msc into the [Open] editbox and click the [Ok] button.
  2. Locate the Workstation Service Library (Microsoft Locator Service) service and double-click on it to open the Properties dialog.
  3. Click the [Stop] button.
  4. In the [Startup type] dropdown select [Disabled].
  5. Click the [Apply] button and then the [Ok] button.
  6. Close the Services window.
  7. Then start HiJackThis & go to [Config] > [Misc.Tools...] > [Delete an NT service...]
    In the popup box that appears, type in Microsoft Locator Service & click the [OK] button.

~~~~~~~~~~~~~~~

Uninstall the following programs, if present, using [Control Panel]>[Add/Remove Programs] :
  • Side Search


Locate & delete this folder - C:\Documents and Settings\Ann Dinh\Application Data\Lycos

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)


~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
  • C:\WINDOWS\INF\biH.inf
    C:\WINDOWS\SYSTEM32\Xcite.dll
    C:\WINDOWS\SYSTEM32\Xcite.exe

Start KillBox.
  1. Go to the [File] menu, and choose [Paste from Clipboard].
    Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.


After rebooting, post a new log.
__________________

Question - what have you done for the community today?
sUBs is offline  
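What makes the wkssvc.exe entry stand out in an O23 listing can be checked mechanically. The following is an added example written for this thread; it is not HijackThis code and not part of the helper's procedure. The SAMPLE_LOG lines are copied from the O23 block posted in this thread, and the scoring rules (binary missing, binary in the Windows root rather than System32, a Windows-sounding name with no vendor on a non-system path) are heuristics chosen for the example, as is the handling of the avast! lines, which HijackThis 1.99.1 tags "(file missing)" only because the quoted command line carries a /service argument.

```python
"""Triage HijackThis O23 (service) lines for a bogus service entry.

Added example for this thread; not HijackThis code and not the helper's
own procedure.  SAMPLE_LOG is copied from the O23 block posted above; the
scoring rules are heuristics chosen for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
# (a display name that itself contains " - " would need a smarter split)
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?P<rest>.*)$", re.IGNORECASE)
MISSING = " (file missing)"
WINDOWS_ROOTS = (r"c:\windows", r"c:\winnt")
# Words a fake service often borrows from genuine Windows components.
SYSTEM_WORDS = ("microsoft", "windows", "workstation", "locator")


@dataclass
class ServiceEntry:
    display: str
    owner: str
    exe: str          # image path with any trailing arguments removed
    args: str         # whatever followed the .exe on the line
    file_missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Split one HijackThis line; return None for anything but an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    em = EXE_RE.match(path)
    exe, args = (em.group("exe"), em.group("rest").strip()) if em else (path, "")
    return ServiceEntry(m.group("display"), m.group("owner"), exe, args, missing)


def score(entry: ServiceEntry) -> ServiceEntry:
    """Attach a plain-language reason for each heuristic the entry trips."""
    exe_dir = entry.exe.rsplit("\\", 1)[0].lower()
    unknown_owner = entry.owner.lower() == "unknown owner"
    # HijackThis 1.99.1 tags quoted command lines that carry arguments
    # ("...\ashMaiSv.exe" /service) as "(file missing)"; the stray quote
    # left in the arguments identifies that parsing quirk, which is ignored.
    quote_artifact = '"' in entry.args
    if entry.file_missing and not quote_artifact:
        entry.reasons.append("service still registered but its binary is gone")
    if exe_dir in WINDOWS_ROOTS:
        entry.reasons.append("binary sits in the Windows root, not System32")
    if unknown_owner and "system32" not in exe_dir and any(
        w in entry.display.lower() for w in SYSTEM_WORDS
    ):
        entry.reasons.append("name imitates a Windows component, no vendor, non-system path")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse and score every O23 line in a pasted HijackThis log."""
    return [score(e) for e in map(parse_o23, log_text.splitlines()) if e]


# O23 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        tag = "SUSPECT" if entry.suspicious else "ok     "
        print(f"{tag} {entry.display} -> {entry.exe}")
        for reason in entry.reasons:
            print(f"        - {reason}")
```

Run against the sample, only the "Workstation Service Library" line trips any rule (all three), while the avast! Mail Scanner line, despite its "(file missing)" tag, is recognised as the quoted-argument quirk and left alone. The rules are deliberately narrow: a legitimate service with an unknown owner but a normal path and an ordinary name stays green, which matches how the helper treated the avast! entries in the log.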
Old 07-06-2005, 11:41 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 4
OS: Windows XP


Here are the new results.

1) rdriv.text

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

2) Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:12:47 PM, 7/6/2005
+ Report-Checksum: 40565876

+ Scan result:

No infected objects found.


::Report End

3) Active Scan

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry

4) HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:30:57 AM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ann Dinh\My Documents\My Software\anti spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Ann Dinh\Application Data\Mozilla\Firefox\Profiles\DINH MAN\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/315e80ad...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120597614125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/act...a/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B99730E0-A037-4E04-9604-8BF95F620334}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks again.
ByeJack06 is offline  
Old 07-07-2005, 01:08 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,333
OS: N/A


Well done! How does it feel to be clean again?
Do you have any more problems with your computer? If not, you should be set to go.

There still remain a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 07-07-2005, 05:56 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 4
OS: Windows XP


Thanks for all the help.
ByeJack06 is offline  
All times are GMT -7. The time now is 08:57 PM.

Copyright 2001 - 2009, Tech Support Forum