Tech Support Forum

Discussion Starter · #1 · Registered · 3 Posts
Hello. I'm hoping somebody out there can help me out, 'cause I'm stuck.

I recently accidentally downloaded a program containing a virus/badware.

Here's the symptoms:

-When I first opened it, my wallpaper on my screen was erased.
-My homepage on explorer was Hijacked.
-The site www.google.com would not work, it would instead go to a search on yahoo. (I read somewhere this might have to do with the lsass virus/hosts file on my pc?)
-My computer is running slower with more Resources taken up.
and
-My Windows Security red icon is present in the taskbar. When I scroll over it, it says 'Your Computer is Infected!' At times, a popup comes up that reads:



Also, when I click on the icon, a window pops up that says Downloading RegistryCleanerSetup.exe, but does not ever start the download.



I ran Norton Antivirus, it found nothing. I ran Ad-Aware, it found WIN32.P2P-WORM.ALCAN.A and REDIRECTED HOSTFILE ENTRY.

I am no longer able to enable Norton auto protection.

-----------------------------------------------------------------------------

Please, if anyone can help me out, it would be GREATLY appreciated!
Here's my HijackThis! log file:



Logfile of HijackThis v1.99.1
Scan saved at 11:03:37 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\msasvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Me\My Documents\Unzipped\hijackthis\HijackThis.exe
c:\dell\E-center\gtb2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm330YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Again, any help would be greatly appreciated!
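The post above suspects a hosts-file redirect behind the google.com-to-Yahoo symptom, and Ad-Aware reported a REDIRECTED HOSTFILE ENTRY. As an added illustration (not part of the original thread and not code from any of the tools mentioned), here is a small Python checker that parses a hosts file and separates entries that point a hostname at a routable address (the hijack pattern) from entries that sink a hostname to loopback or 0.0.0.0 (the ad-blocking pattern, which is usually deliberate). The hosts text, the hostnames and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file (not taken from the infected machine).
# 192.0.2.10 stands in for whatever address a hijack would point at.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # constructed hijack entry
192.0.2.10      search.yahoo.com
127.0.0.1       ads.example.net             # constructed ad-block entry
0.0.0.0         tracker.example.org
"""

# Names that legitimately map to loopback and are not worth reporting.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed address; skip
        for name in names:                      # one IP may carry many names
            pairs.append((ip, name.lower()))
    return pairs


def classify_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split hosts entries into 'redirects' (routable address, hijack
    candidate) and 'blocks' (loopback/unspecified address, sinkholing)."""
    result: Dict[str, List[Tuple[str, str]]] = {"redirects": [], "blocks": []}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            result["blocks"].append((name, ip))
        else:
            result["redirects"].append((name, ip))
    return result


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    for name, ip in report["redirects"]:
        print(f"REDIRECT  {name:<25} -> {ip}   (verify: likely hijack)")
    for name, ip in report["blocks"]:
        print(f"BLOCK     {name:<25} -> {ip}   (sinkhole; usually deliberate)")
```

On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts; read it into a string and pass it to classify_hosts. Any entry in the redirects list for a search engine, a security vendor or an update site is the kind of change a user would not have made by hand.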
 

Registered · 2,337 Posts
Hello tbo27, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.


----------------------------------------

FILE SUBMISSION

Please submit the below file to:

Malware Submission


Under link to topic where this file was requested copy/paste

http://www.techsupportforum.com/security-center/hijackthis-log-help/136645-computer-infected-registry-problem-more.html


Under Browse to the file you want to submit, copy/paste

c:\wndows\system32\ctpmon.exe


Leave any comments you may wish.

Click on Send File button.


----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

Alternative link Cleanup Alt


*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5



Please download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"





  1. Install AVG Anti-Spyware 7.5.
  2. Double-click the icon on Desktop to launch AVG A-S 7.5
  3. On the top of the main screen click Shield
  4. Click the word active to change it to inactive
  5. On the top of the main screen click Update.
  6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.


SDFix

Download SDFix and save it to your desktop.

We will use this later.



ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm330YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab


Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

O4 - HKCU\..\Run: [ctpmon] ctpmon.exe>>>This should be in c:\windows\system32

----------------------------------------

SDFix

  • Right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file
    Report.txt back onto the forum with a new HijackThis log

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5

  • Run AVG A-S with its updated definitions: (...it's important that all windows are closed)
    This scan can take quite a while to run, so be prepared.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.



  • When the scan is complete click Recommended Action and change it to Quarantine (1),
  • If not click Recommended Action and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\combofix.txt
SDFix log
AVG A/S
Panda scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
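The reply above picks four entries out of the HijackThis log by hand (the bare ctpmon.exe Run entry, a search-toolbar context menu item and two remote ActiveX downloads). As an added example, not part of the thread and not HijackThis's own logic, here is a Python triage script that applies the same kind of reasoning to O4, O9, O16 and O23 lines: a Run entry without a full path is resolved through the search path, a name one character away from a core Windows binary (ctpmon.exe versus ctfmon.exe) is a lookalike, an O16 entry fetched from a remote URL is an ActiveX install, a service with "Unknown owner" living in system32 needs a publisher check, and "(file missing)" entries are stale. The sample lines are copied from the log posted earlier in this thread; the rules and reason strings are this example's own heuristics, so a flagged entry means "verify", not "malware".

```python
import re
from typing import List, Optional, Tuple

# Sample input in the shape of a HijackThis v1.99 log; the lines are taken
# from the log posted in this thread.  Triage rules below are heuristics
# written for this example, not HijackThis's own classification.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Core Windows binaries that malware likes to imitate with a one-letter change.
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe",
                   "smss.exe", "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A command starting with a drive letter, an environment variable or a UNC
# prefix carries a path; anything else is found via the search path.
PATHED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\|\\\\)')
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

Finding = Tuple[str, str, str]   # (section, subject, reason)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe: str) -> Optional[str]:
    """Return the system binary this file name imitates, or None."""
    exe = exe.lower()
    for real in sorted(SYSTEM_BINARIES):
        if exe != real and edit_distance(exe, real) == 1:
            return real
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if line.endswith("(file missing)"):
            subject = line.split(" - ")[-1].replace(" (file missing)", "")
            findings.append((section, subject, "target file missing; stale entry"))
            continue
        if m := O4_RE.match(line):
            cmd = m.group("cmd")
            exe_m = EXE_RE.search(cmd)
            exe = exe_m.group(1) if exe_m else cmd
            if not PATHED_RE.match(cmd):
                findings.append((section, exe, "no full path; resolved via search path, confirm which file runs"))
            real = lookalike(exe)
            if real:
                findings.append((section, exe, f"name resembles system binary {real}"))
        elif m := O16_RE.match(line):
            target = m.group("target")
            if target.lower().startswith(("http://", "https://")):
                findings.append((section, target, "ActiveX control installed from a remote URL"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner" and "\\system32\\" in m.group("path").lower():
                findings.append((section, m.group("svc"), "service with no known publisher in system32"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {subject:<45} {reason}")
```

Feed the whole log text to triage() to get the full list; on the sample it flags stsystra.exe (bare path, in this thread a legitimate audio tray applet, which is why every finding is a prompt to verify), ctpmon.exe twice (bare path and ctfmon.exe lookalike), the WildTangent .cab download, the "Unknown owner" MsaSvc service in system32, and the stale xpnetdiag.exe button.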
 

Discussion Starter · #3 · Registered · 3 Posts
Thanks a lot for your help and your quick reply.

My computer seems to be running better now, the Windows notification of a bad registry is gone, but there is still a notification that my Norton is turned off. When I try to enable it, it still doesn't work. Nothing happens. I'm guessing I just need to reinstall Norton, but I'll leave that for you to decide.

Also, you told me to upload c:\wndows\system32\ctpmon.exe to the malware site. I did, but I also uploaded c:\windows\system32\ctpmon.exe, just in case that was a typo.

Again, thanks for your help, here are all the logs you requested:




-----------------------------------------------------------




"Me" - 07-01-23 15:22:32 Service Pack 2
ComboFix 07-01-23.2 - Running from: "C:\Documents and Settings\Me\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-23 to 2007-01-23 ))))))))))))))))))))))))))))))))))


2007-01-23 15:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-23 15:16 <DIR> d-------- C:\Program Files\Grisoft
2007-01-23 01:16 <DIR> d-------- C:\Program Files\Registry Mechanic
2007-01-22 23:25 4,052,754 --a------ C:\24 Screensaver v1 by erazboy.scr
2007-01-22 23:25 231,295 --a------ C:\uninstall 24 Screensaver v1 by erazboy.exe
2007-01-22 22:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-22 22:34 <DIR> d-------- C:\DOCUME~1\Me\.housecall6.6
2007-01-22 17:05 30,720 --a------ C:\WINDOWS\system32\ctpmon.exe
2007-01-22 17:05 3,584 --a------ C:\WINDOWS\system32\msasvc.exe
2007-01-18 00:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\WinZip
2007-01-11 22:51 <DIR> d-------- C:\DOCUME~1\Me\Application Data\Viewpoint
2007-01-10 02:16 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-07 03:28 <DIR> d--hs---- C:\DOCUME~1\Me\Complete
2007-01-07 03:23 <DIR> d-------- C:\Program Files\LimeWire
2007-01-07 00:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-07 00:29 <DIR> d-------- C:\Program Files\Anonymizer
2006-12-30 21:22 94,208 --a------ C:\WINDOWS\system32\LMVAutoLvl.dll
2006-12-30 21:22 94,208 --a------ C:\WINDOWS\system32\LMVAutoInt.dll
2006-12-30 21:22 94,208 --a------ C:\WINDOWS\system32\LMVAutoCont.dll
2006-12-30 21:22 94,208 --a------ C:\WINDOWS\system32\LMISOMux.dll
2006-12-30 21:22 94,208 --a------ C:\WINDOWS\system32\LDECMPG22.dll
2006-12-30 21:22 86,016 --a------ C:\WINDOWS\system32\LMVFramCtrl2.dll
2006-12-30 21:22 86,016 --a------ C:\WINDOWS\system32\LMISODmx.dll
2006-12-30 21:22 81,920 --a------ C:\WINDOWS\system32\lfFAX14n.dll
2006-12-30 21:22 73,728 --a------ C:\WINDOWS\system32\LMMpg2Mx2.dll
2006-12-30 21:22 69,632 --a------ C:\WINDOWS\system32\lfjbg14n.dll
2006-12-30 21:22 65,536 --a------ C:\WINDOWS\system32\LEncAC3Krn.dll
2006-12-30 21:22 65,536 --a------ C:\WINDOWS\system32\lcodc26x2.dll
2006-12-30 21:22 61,440 --a------ C:\WINDOWS\system32\LMMpg1Mx2.dll
2006-12-30 21:22 61,440 --a------ C:\WINDOWS\system32\Lfpct14n.dll
2006-12-30 21:22 61,440 --a------ C:\WINDOWS\system32\lffpx14n.dll
2006-12-30 21:22 45,056 --a------ C:\WINDOWS\system32\LFPTK14n.dll
2006-12-30 21:22 45,056 --a------ C:\WINDOWS\system32\lfpsd14n.dll
2006-12-30 21:22 45,056 --a------ C:\WINDOWS\system32\lfflc14n.dll
2006-12-30 21:22 434,176 --a------ C:\WINDOWS\system32\ltKRN14n.dll
2006-12-30 21:22 425,984 --a------ C:\WINDOWS\system32\LENCMPG4.dll
2006-12-30 21:22 417,792 --a------ C:\WINDOWS\system32\lfCMW14n.dll
2006-12-30 21:22 405,504 --a------ C:\WINDOWS\system32\LEncMPG4Krn.dll
2006-12-30 21:22 401,408 --a------ C:\WINDOWS\system32\LDECAAC.dll
2006-12-30 21:22 40,960 --a------ C:\WINDOWS\system32\lfgif14n.dll
2006-12-30 21:22 393,216 --a------ C:\WINDOWS\system32\lffpx7.dll
2006-12-30 21:22 393,216 --a------ C:\WINDOWS\system32\LDECMPG4.dll
2006-12-30 21:22 364,544 --a------ C:\WINDOWS\system32\lfCMP14n.dll
2006-12-30 21:22 36,864 --a------ C:\WINDOWS\system32\lfXpm14n.dll
2006-12-30 21:22 36,864 --a------ C:\WINDOWS\system32\lfbmp14n.dll
2006-12-30 21:22 36,864 --a------ C:\WINDOWS\system32\lfacs14n.dll
2006-12-30 21:22 356,352 --a------ C:\WINDOWS\system32\LEncH264Krn2.dll
2006-12-30 21:22 331,776 --a------ C:\WINDOWS\system32\LCodcCMP2.dll
2006-12-30 21:22 327,680 --a------ C:\WINDOWS\system32\LDecMPG4Krn.dll
2006-12-30 21:22 323,584 --a------ C:\WINDOWS\system32\LEncAMR.dll
2006-12-30 21:22 32,768 --a------ C:\WINDOWS\system32\Lfwmf14n.dll
2006-12-30 21:22 32,768 --a------ C:\WINDOWS\system32\lfpcx14n.dll
2006-12-30 21:22 32,768 --a------ C:\WINDOWS\system32\lfLMB14n.dll
2006-12-30 21:22 32,768 --a------ C:\WINDOWS\system32\lfiff14n.dll
2006-12-30 21:22 319,488 --a------ C:\WINDOWS\system32\LMVMtnFX.dll
2006-12-30 21:22 299,008 --a------ C:\WINDOWS\system32\LDecVorbis.dll
2006-12-30 21:22 299,008 --a------ C:\WINDOWS\system32\LDecAMR.dll
2006-12-30 21:22 28,672 --a------ C:\WINDOWS\system32\lfXbm14n.dll
2006-12-30 21:22 28,672 --a------ C:\WINDOWS\system32\lftga14n.dll
2006-12-30 21:22 28,672 --a------ C:\WINDOWS\system32\lfsgi14n.dll
2006-12-30 21:22 28,672 --a------ C:\WINDOWS\system32\lfras14n.dll
2006-12-30 21:22 28,672 --a------ C:\WINDOWS\system32\LFPNM14n.dll
2006-12-30 21:22 28,672 --a------ C:\WINDOWS\system32\LFDCR14n.dll
2006-12-30 21:22 278,528 --a------ C:\WINDOWS\system32\LDecAACKrn.dll
2006-12-30 21:22 274,432 --a------ C:\WINDOWS\system32\LMVMiscFX.dll
2006-12-30 21:22 262,144 --a------ C:\WINDOWS\system32\ltDIS14n.dll
2006-12-30 21:22 245,760 --a------ C:\WINDOWS\system32\LMMpgDmxT.dll
2006-12-30 21:22 245,760 --a------ C:\WINDOWS\system32\LMMpgDmxP.dll
2006-12-30 21:22 245,760 --a------ C:\WINDOWS\system32\lfAFP14n.dll
2006-12-30 21:22 241,664 --a------ C:\WINDOWS\system32\ltefx14n.dll
2006-12-30 21:22 24,576 --a------ C:\WINDOWS\system32\lfwmp14n.dll
2006-12-30 21:22 24,576 --a------ C:\WINDOWS\system32\lfpcd14n.dll
2006-12-30 21:22 24,576 --a------ C:\WINDOWS\system32\lfmac14n.dll
2006-12-30 21:22 24,576 --a------ C:\WINDOWS\system32\LFKDC14n.dll
2006-12-30 21:22 229,376 --a------ C:\WINDOWS\system32\H263Encoder2.dll
2006-12-30 21:22 217,088 --a------ C:\WINDOWS\system32\LTStlImgWrt.dll
2006-12-30 21:22 217,088 --a------ C:\WINDOWS\system32\lfJ2k14n.dll
2006-12-30 21:22 217,088 --a------ C:\WINDOWS\system32\LENCMPG2P2.dll
2006-12-30 21:22 200,704 --a------ C:\WINDOWS\system32\LTDvdWrt2.dll
2006-12-30 21:22 200,704 --a------ C:\WINDOWS\system32\LEncH264P2.dll
2006-12-30 21:22 196,608 --a------ C:\WINDOWS\system32\LMOggSpl.dll
2006-12-30 21:22 192,512 --a------ C:\WINDOWS\system32\LTStlImgRd.dll
2006-12-30 21:22 184,320 --a------ C:\WINDOWS\system32\LEncAAC.dll
2006-12-30 21:22 184,320 --a------ C:\WINDOWS\system32\LCMW3.dll
2006-12-30 21:22 180,224 --a------ C:\WINDOWS\system32\LMJ2K2.dll
2006-12-30 21:22 176,128 --a------ C:\WINDOWS\system32\Lfpng14n.dll
2006-12-30 21:22 172,032 --a------ C:\WINDOWS\system32\LMOggMux.dll
2006-12-30 21:22 172,032 --a------ C:\WINDOWS\system32\LENCMPG2KRN2.dll
2006-12-30 21:22 159,744 --a------ C:\WINDOWS\system32\LENCMPG22.dll
2006-12-30 21:22 155,648 --a------ C:\WINDOWS\system32\ltFIL14n.dll
2006-12-30 21:22 155,648 --a------ C:\WINDOWS\system32\lencmpga2.dll
2006-12-30 21:22 151,552 --a------ C:\WINDOWS\system32\LTDVDBrn2.dll
2006-12-30 21:22 151,552 --a------ C:\WINDOWS\system32\LEncAC3.dll
2006-12-30 21:22 147,456 --a------ C:\WINDOWS\system32\LMAPhase.dll
2006-12-30 21:22 147,456 --a------ C:\WINDOWS\system32\lfTIF14n.dll
2006-12-30 21:22 143,360 --a------ C:\WINDOWS\system32\LMVVOvLy2.dll
2006-12-30 21:22 143,360 --a------ C:\WINDOWS\system32\H263Decoder2.dll
2006-12-30 21:22 139,264 --a------ C:\WINDOWS\system32\LCODC26D2.dll
2006-12-30 21:22 135,168 --a------ C:\WINDOWS\system32\LDECMPG2KRN2.dll
2006-12-30 21:22 126,976 --a------ C:\WINDOWS\system32\LMAVol.dll
2006-12-30 21:22 126,976 --a------ C:\WINDOWS\system32\lfkodak.dll
2006-12-30 21:22 122,880 --a------ C:\WINDOWS\system32\LMVHstg2.dll
2006-12-30 21:22 122,880 --a------ C:\WINDOWS\system32\LEncAACKrn.dll
2006-12-30 21:22 122,880 --a------ C:\WINDOWS\system32\LCODCCMW3.dll
2006-12-30 21:22 110,592 --a------ C:\WINDOWS\system32\LMVUsMsk2.dll
2006-12-30 21:22 110,592 --a------ C:\WINDOWS\system32\LMVRot2.dll
2006-12-30 21:22 106,496 --a------ C:\WINDOWS\system32\LMVDblck.dll
2006-12-30 21:22 106,496 --a------ C:\WINDOWS\system32\LCODCJ2K2.dll
2006-12-30 21:22 102,400 --a------ C:\WINDOWS\system32\LMVEdgEnh.dll
2006-12-30 21:22 1,859,584 --a------ C:\WINDOWS\system32\ltmm15_n.dll
2006-12-30 21:22 1,728,512 --a------ C:\WINDOWS\system32\LDecH2643.dll
2006-12-30 21:22 1,703,936 --a------ C:\WINDOWS\system32\LTCLR14n.dll
2006-12-30 21:22 1,429,504 --a------ C:\WINDOWS\system32\ltdic14n.dll
2006-12-30 21:22 1,273,856 --a------ C:\WINDOWS\system32\LEncVorbis.dll
2006-12-30 21:22 1,224,704 --a------ C:\WINDOWS\system32\LEncH2643.dll
2006-12-30 21:22 1,122,304 --a------ C:\WINDOWS\system32\ltimg14n.dll
2006-12-30 21:21 53,248 --a------ C:\WINDOWS\system32\ltserial.dll
2006-12-30 21:21 487,424 --a------ C:\WINDOWS\system32\LtAct14n.dll
2006-12-30 21:21 253,952 --a------ C:\WINDOWS\system32\LMVRGBxf.dll
2006-12-30 21:21 2,519,040 --a------ C:\WINDOWS\system32\LtDicWrt2.dll
2006-12-30 21:21 192,512 --a------ C:\WINDOWS\system32\LMVTOvly2.dll
2006-12-30 21:21 180,224 --a------ C:\WINDOWS\system32\DSKernel2.dll
2006-12-30 21:21 163,840 --a------ C:\WINDOWS\system32\LMVDeitr2.dll
2006-12-30 21:21 159,744 --a------ C:\WINDOWS\system32\LMVRsz2.dll
2006-12-30 21:21 147,456 --a------ C:\WINDOWS\system32\LMAFlng.dll
2006-12-30 21:21 143,360 --a------ C:\WINDOWS\system32\LMVClr.dll
2006-12-30 21:21 139,264 --a------ C:\WINDOWS\system32\ltreg.dll
2006-12-30 21:21 139,264 --a------ C:\WINDOWS\system32\LMAEcho.dll
2006-12-30 21:21 139,264 --a------ C:\WINDOWS\system32\LMAChrs.dll
2006-12-30 21:21 135,168 --a------ C:\WINDOWS\system32\ltact.dll
2006-12-30 21:21 131,072 --a------ C:\WINDOWS\system32\LMVYUVxf.dll
2006-12-30 21:21 131,072 --a------ C:\WINDOWS\system32\LMVEmbs.dll
2006-12-30 21:21 131,072 --a------ C:\WINDOWS\system32\LMVCrop2.dll
2006-12-30 21:21 122,880 --a------ C:\WINDOWS\system32\LMAVUMeter.dll
2006-12-30 21:21 118,784 --a------ C:\WINDOWS\system32\LMVMosc.dll
2006-12-30 21:21 110,592 --a------ C:\WINDOWS\system32\LMVClrRp.dll
2006-12-30 21:21 102,400 --a------ C:\WINDOWS\system32\LMVGamma.dll
2006-12-30 21:21 102,400 --a------ C:\WINDOWS\system32\LMVAdd.dll
2006-12-30 21:21 102,400 --a------ C:\WINDOWS\system32\LMAMpgCnv.dll
2006-12-30 21:21 1,662,976 --a------ C:\WINDOWS\system32\LtDicRd2.dll
2006-12-30 21:21 <DIR> d-------- C:\Program Files\Mý Solutions, Inc
2006-12-30 21:15 131,072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-12-30 21:14 <DIR> d-------- C:\Program Files\Illustrate
2006-12-30 20:49 <DIR> d-------- C:\Program Files\Qualcomm
2006-12-25 09:59 <DIR> d-------- C:\DOCUME~1\Me\Application Data\ArcSoft
2006-12-25 09:54 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2006-12-25 09:54 <DIR> d-------- C:\Program Files\SanDisk
2006-12-25 09:54 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2006-12-25 09:39 <DIR> d-------- C:\Program Files\Activision Value


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-23 11:11 7520 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-23 00:13 -------- d-------- C:\Program Files\steam
2007-01-22 19:56 -------- d-------- C:\Program Files\quicktime
2007-01-22 19:56 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-22 17:03 -------- d-------- C:\DOCUME~1\Me\Application Data\adobe
2007-01-22 17:01 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-16 15:33 -------- d-------- C:\DOCUME~1\Me\Application Data\metacafe
2007-01-06 21:31 -------- d-------- C:\Program Files\pdf editor 2
2007-01-02 10:43 -------- d---s---- C:\Program Files\xfire
2007-01-01 20:14 -------- d-------- C:\DOCUME~1\Me\Application Data\xfire
2006-12-30 21:21 -------- d--h----- C:\Program Files\installshield installation information
2006-12-22 17:22 -------- d-------- C:\Program Files\Common Files\aol
2006-12-22 01:32 -------- d-------- C:\Program Files\aim gadgets
2006-12-18 17:31 -------- d-------- C:\Program Files\aim6
2006-12-15 21:20 -------- d-------- C:\Program Files\uniblue
2006-12-15 21:20 -------- d-------- C:\DOCUME~1\Me\Application Data\uniblue
2006-12-13 22:28 -------- d-------- C:\Program Files\alchemy mindworks
2006-12-13 06:37 -------- d-------- C:\Program Files\music alarm clock
2006-12-12 02:29 -------- d-------- C:\Program Files\citrus alarm clock
2006-12-11 21:31 -------- d-------- C:\DOCUME~1\Me\Application Data\ati
2006-12-11 21:28 -------- d-------- C:\Program Files\ati technologies
2006-12-11 19:08 -------- d-------- C:\Program Files\gimp-2.0
2006-12-11 19:07 -------- d-------- C:\Program Files\Common Files\gtk
2006-12-11 19:04 -------- d-------- C:\Program Files\gimpshop
2006-12-10 22:43 56 -r-hs---- C:\WINDOWS\system32\270904286e.sys
2006-12-10 13:15 -------- d-------- C:\Program Files\Common Files\autodesk shared
2006-12-10 13:15 -------- d-------- C:\Program Files\autodesk
2006-12-10 02:12 -------- d-------- C:\Program Files\milkshape 3d 1.7.10
2006-12-08 10:39 -------- d-------- C:\Program Files\rewind
2006-12-08 10:15 -------- d-------- C:\Program Files\videomach-3.5.2
2006-12-06 22:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-04 00:00 -------- d-------- C:\DOCUME~1\Me\Application Data\u3
2006-11-08 01:18 74752 --a------ C:\WINDOWS\cadkasdeinst01e.exe
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 07:11 137336 --a------ C:\WINDOWS\system32\metacafe.scr
2006-10-26 07:08 40960 --a------ C:\WINDOWS\system32\frapsvid.dll
2006-10-23 09:43 104 -r-hs---- C:\WINDOWS\system32\0c3cb2623a.sys
2006-10-23 02:03 724992 --a------ C:\WINDOWS\iun6002.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"ctpmon"="ctpmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"SigmatelSysTrayApp"="stsystra.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ECenter"="\"c:\\dell\\E-Center\\gtb.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\Quickset.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"Music Alarm Clock"=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RegistryMechanic"=""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
"path"="C:\\Documents and Settings\\Me\\Start Menu\\Programs\\Startup\\Yahoo! Widget Engine.lnk"
"backup"="C:\\WINDOWS\\pss\\Yahoo! Widget Engine.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Yahoo!\\YAHOO!~1\\YAHOOW~1.EXE "
"item"="Yahoo! Widget Engine"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Anonymizer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Anonymizer\\Anonymizer Software\\Anonymizer.exe -nogui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DesktopWeather"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1154194880\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Music Alarm Clock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mac"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICA~1\\mac.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="outlook"
"hkey"="HKLM"
"command"="C:\\Program Files\\outlook\\outlook.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyEraser"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Uniblue\\SpyEraser\\SpyEraser.exe\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
QWAVE REG_MULTI_SZ QWAVE\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_DRIVER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (TIM-Me).job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job

Completion time: 07-01-23 15:26:56
C:\ComboFix2.txt ... 07-01-22 22:30

------------------------------------

SDFix: Version 1.62

Tue 01/23/2007 - 16:10:05.82

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc

Path:
C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINDOWS\system32\msasvc.exe - Deleted



Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Steam\\SteamApps\\jcfrk27\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\jcfrk27\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1154194880\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1154194880\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1154194880\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1154194880\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\Me\\Application Data\\U3\\0000051020032899\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\skype.exe"="C:\\Documents and Settings\\Me\\Application Data\\U3\\0000051020032899\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\ehome\\ehshell.exe"="C:\\WINDOWS\\ehome\\ehshell.exe:LocalSubNet:Enabled:Media Center"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Steam\\SteamApps\\jcfrk27\\half-life\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\jcfrk27\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\i386\cdplayer.exe.manifest
C:\i386\logonui.exe.manifest
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\i386\0C3CB2623A.sys
C:\i386\KGyGaAvL.sys
C:\WINDOWS\system32\0C3CB2623A.sys
C:\WINDOWS\system32\270904286E.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp

Finished

---------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:32:56 PM 1/23/2007

+ Scan result:



C:\Program Files\PCODEC -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-3729864498-2790405977-3990596297-1005\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00010181.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00010185.EXE -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00010175.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00010154.exe -> Hijacker.Costrat.ae : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
:mozilla.228:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.67:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.68:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.69:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.70:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.71:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.147:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.196:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.197:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.166:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.240:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.15:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.176:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.177:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.178:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.35:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.36:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.37:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.28:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.38:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.39:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.40:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.41:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.42:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.43:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.164:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.167:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.168:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.169:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.170:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.214:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.215:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.216:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.171:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.241:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.242:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.135:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.136:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.152:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.153:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.208:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.209:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.210:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.211:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.172:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.173:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.174:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.175:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.150:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.151:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.82:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.83:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.84:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.85:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.86:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.44:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.45:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.46:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.47:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.48:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.50:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.51:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.52:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.53:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.54:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.55:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.56:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.57:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.58:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.59:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.60:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.61:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.62:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.63:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.161:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.97:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.98:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.99:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.110:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.111:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.112:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.113:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.114:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.115:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.116:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.92:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.237:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.238:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.239:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.64:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.65:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.66:C:\Documents and Settings\Me\Application Data\Netscape\NSB\Profiles\8pawe3nu.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00010176.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00010179.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00010370.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00011041.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00011042.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).


::Report end

---------------------------------------

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Me\Desktop\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Documents and Settings\Me\My Documents\Unzipped\hijackthis\backups\backup-20070123-160510-594.inf
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Me\My Documents\Unzipped\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Virus:Trj/Qhost.gen Disinfected C:\RECYCLER\NPROTECT\00010199
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00010344.exe
Virus:Trj/Sinowal.DU Disinfected C:\RECYCLER\NPROTECT\00010369.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00010475.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00011023.exe
Virus:Trj/Sinowal.DU Disinfected C:\RECYCLER\NPROTECT\00011241.zip[backups/msasvc.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\oldhosts

------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:40:29 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Me\My Documents\Unzipped\hijackthis\HijackThis.exe
c:\dell\E-center\gtb.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

---------------------------------------

Thanks again.
 

· Registered
Joined
·
2,337 Posts
ComboFix and SDFix both picked up a Rootkit which must be dealt with. Also ctpmon.exe is still present. This is a new infection which does not like to go quietly. We also have to deal with that as it appears to affect the ability to use Safe Mode.


----------------------------------------

cptmon.exe Deletion

  • Open Task Manager
  • Go to Start>>>run and type in taskmgr
  • Once in Task Manager, click on Processes
  • Right click on cptmon.exe and select End Process Tree
  • Close Task Manager

----------------------------------------


RUSTOCK.B FIX


Download RustbFix and save it to your desktop.

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.

After the reboot 2 logfiles will open (%root%avenger.txt & %root%rustbfixpelog.txt). Post the content of these logfiles along with a new HijackThis log.
 

· Registered
Joined
·
3 Posts
Discussion Starter · #5 ·
Thanks again for the quick reply.


ctpmon.exe was not present in my processes when I went to end it.
Norton AutoProtect still is not able to be enabled.


Here are the log files:

pelog.txt
-----------------------------
************************* Rustock.b-fix -- By ejvindh *************************
Tue 01/23/2007 23:26:07.58

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70570
Total size: 70570 bytes.
Attempting to remove ADS...
system32: deleted 70570 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

avenger.txt
-----------------------
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pylxwswj

*******************

Script file located at: \??\C:\r^eascvf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

HijackThis log
-------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 11:38:30 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Me\My Documents\Unzipped\hijackthis\HijackThis.exe
c:\dell\E-center\gtb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.40calgames.com/forum
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 

· Registered
Joined
·
2,337 Posts
The rootkit is gone. cptmon.exe is not appearing in your HJT log but it is still in Combofix. I'm not convinced that it's entirely gone, so I would like to run another tool.


----------------------------------------

SMITFRAUD FIX

Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter", and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.



IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\WINDOWS\system32\270904286e.sys
C:\WINDOWS\system32\0c3cb2623a.sys

C:\WINDOWS\iun6002.exe

C:\DOCUME~1\Me\Application Data\Viewpoint



If the above resist deletion, boot into Safe Mode and delete them.

----------------------------------------

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Answer Yes, when prompted to install an ActiveX component.

  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\rapport.txt from SmitFraud
Kaspersky scan
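The helper above compares successive HijackThis logs by eye: which entries appeared, which disappeared, and which hooks point at files HJT could not find. The Python below is an added example, not part of this thread or of the HijackThis tool: it parses the v1.99.1 log layout posted above and diffs two scans. The two sample logs are constructed, cut down from the ones in this thread, with one O4 entry dropped from the second so the diff shows both directions.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry line: section code, " - ", body. The codes seen in this
# thread's logs are R0/R1/R3, O2, O3, O4, O8, O9, O11, O16, O20 and O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
FILE_MISSING = "(file missing)"


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)  # lines under "Running processes:"
    entries: list = field(default_factory=list)    # (code, body) tuples, in log order


def parse_log(text: str) -> HjtLog:
    """Split a HijackThis 1.99.1 log into its process list and its entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process block ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group("code"), m.group("body")))
    return log


def diff_logs(old_text: str, new_text: str) -> dict:
    """What appeared and what disappeared between two scans of the same machine.

    Process paths are compared case-insensitively: the same binary shows up
    as CLI.EXE and cli.exe in the logs above, and that is not a change.
    """
    old, new = parse_log(old_text), parse_log(new_text)
    old_proc = {p.lower() for p in old.processes}
    new_proc = {p.lower() for p in new.processes}
    old_ent, new_ent = set(old.entries), set(new.entries)
    return {
        "processes_started": sorted(new_proc - old_proc),
        "processes_gone": sorted(old_proc - new_proc),
        "entries_added": sorted(new_ent - old_ent),
        "entries_removed": sorted(old_ent - new_ent),
    }


def triage(text: str) -> dict:
    """The entries a helper reads first: browser settings (R0/R1/R3, reduced to
    the value after ' = ' where the line has one) and hooks whose file is missing."""
    log = parse_log(text)
    browser = [(c, b.split(" = ", 1)[-1]) for c, b in log.entries if c.startswith("R")]
    missing = [(c, b) for c, b in log.entries if FILE_MISSING in b]
    return {"browser_settings": browser, "file_missing": missing}


# Constructed sample: a cut-down pair of logs modelled on the 7:40 PM and
# 11:38 PM scans posted in this thread. The MSKDetectorExe O4 entry is
# deliberately absent from the second log so that both directions of the
# diff are exercised; the new R0 Start Page entry mirrors the real second log.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:40:29 PM, on 1/23/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:38:30 PM, on 1/23/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.40calgames.com/forum
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key)
        for item in items:
            print("   ", item)
    for key, items in triage(LOG_AFTER).items():
        print(key)
        for item in items:
            print("   ", item)
```

A diff like this only tells you what changed between scans; an entry that was already present in the first log, such as a hijacked start page, still has to be judged on its own.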
 