Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware..."

tntsh · Dec 30, 2007

Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware..."

I am infected with this crap and have used the following tools to try to get rid of it:
Windows Defender, Unible PowerSuite (SpeedUpMyPC, Registry Booster & Spyware Protector) and Norton's One Button Checkup and WinDoctor.

Not sure if it's related, but my DISPLAY is locked at 640 X 480.

Atempted the 5 Step Process before posting and Panda ActiveScan froze and crashed after scanning 59253 files, but not before identifying 28 spyware files.

Here's my extra.txt log from Deckard's:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 36%
Physical Memory (total/avail): 1277.95 MiB / 810.39 MiB
Pagefile Memory (total/avail): 1516.89 MiB / 1165.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.88 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.21 GiB total, 18.7 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST340014A - 37.25 GiB - 1 partition
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TRIBASH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\TRIBASH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=TRIBASH
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)
Sharon (admin)
Thom (admin)
Robert Christensen (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Bonus --> MsiExec.exe /I{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
CC_ccProxyExt --> MsiExec.exe /I{779F426C-A8F3-414B-B7AF-B6BDC9B8E040}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
ccPxyCore --> MsiExec.exe /I{AB70ABEC-771B-47CB-9E41-DF77DE4FFC5C}
CheckIt Diagnostics --> C:\PROGRA~1\CheckIt\DIAGNO~1\UNWISE.EXE C:\PROGRA~1\CheckIt\DIAGNO~1\INSTALL.LOG
CheckIt Diagnostics --> C:\PROGRA~1\CheckIt\DIAGNO~1\UNWISE.EXE C:\PROGRA~1\CheckIt\DIAGNO~1\INSTALL.LOG
CIB --> MsiExec.exe /I{E8176C35-0C2D-4142-9ED4-81861ECAB403}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
DAZzle --> C:\PROGRA~1\ENVELO~1\DAZzle\UNWISE32.EXE C:\PROGRA~1\ENVELO~1\DAZzle\INSTALL.LOG
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech Harmony Remote Software 7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe" -l0x9 -removeonly
MGI PhotoSuite 8.1 (Remove Only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\PhotoSuite 8.1\Uninst.isu" -c"C:\Program Files\MGI\PhotoSuite 8.1\CustomUninstall.dll"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{90180409-6000-11D3-8CFE-0150048383C9}
Microsoft OpenType Font File Properties Extension --> MsiExec.exe /I{45EA11B5-874D-480E-89B9-2545505BBE3E}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mobipocket Reader 5.2 --> MsiExec.exe /I{20370E2E-E19B-4D8D-A6D4-81C1D268F6EA}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
Norton Add-on Pack (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}_2_0_0_61\Setup.exe" /X
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{D4BB907A-623E-4F07-8787-041ABAE088E4}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton GoBack 4.2 --> MsiExec.exe /I{1F76ACFA-22FE-49F6-BC05-F4EC835F48CC}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\{707D28BF-E145-4a9b-B97E-94FA586D05F3}.exe" /X
Norton SystemWorks 2007 --> MsiExec.exe /I{FB55BB78-2BC2-43E9-80FF-517A8D1AE3AD}
Norton SystemWorks Basic Edition --> MsiExec.exe /I{707D28BF-E145-4a9b-B97E-94FA586D05F3}
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Parental Control --> MsiExec.exe /I{66B9BD1F-4189-4f35-BD82-9948720A04CF}
Philips Device Manager --> C:\Program Files\InstallShield Installation Information\{36A9D3F8-3FCF-4FBA-A8AD-3C1CE56C8AF4}\setup.exe -runfromtemp -l0x0009 -removeonly
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
Quicken Online Backup --> C:\Program Files\Quicken Online Backup\CBUninst.exe
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Savings Bond Wizard --> C:\WINDOWS\unvise32.exe C:\Program Files\Savings Bond Wizard\uninstal.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Uniblue PowerSuite --> "C:\Program Files\Uniblue\unins000.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type35954 / Error
Event Submitted/Written: 12/30/2007 00:45:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type35952 / Error
Event Submitted/Written: 12/30/2007 00:24:22 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type35950 / Error
Event Submitted/Written: 12/30/2007 00:08:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type35945 / Error
Event Submitted/Written: 12/30/2007 11:52:01 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type35943 / Error
Event Submitted/Written: 12/30/2007 11:36:00 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type91332 / Error
Event Submitted/Written: 12/30/2007 00:20:38 PM
Event ID/Source: 6161 / Print
Event Description:
http://www.techsupportforum.com/security-center/hijackthis-log-OwnerLexmark X63LEMF330459344240\\TRIBASH232 (0xe8)

Event Record #/Type91252 / Error
Event Submitted/Written: 12/30/2007 09:31:06 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type91251 / Error
Event Submitted/Written: 12/30/2007 09:31:06 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type91235 / Error
Event Submitted/Written: 12/30/2007 09:24:25 AM / 12/30/2007 09:25:25 AM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type91183 / Error
Event Submitted/Written: 12/30/2007 08:55:37 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

-- End of Deckard's System Scanner: finished at 2007-12-30 13:06:44 ----------
Here's the main.txt log from Deckard's:

Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-30 13:02:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
60: 2007-12-30 19:02:23 UTC - RP853 - Deckard's System Scanner Restore Point
59: 2007-12-30 18:55:37 UTC - RP852 - Software Distribution Service 3.0
58: 2007-12-30 18:53:47 UTC - RP851 - Software Distribution Service 3.0
57: 2007-12-29 18:48:39 UTC - RP850 - Restore Operation
56: 2007-12-29 18:43:18 UTC - RP849 - Restore Operation

-- First Restore Point --
1: 2007-11-07 09:06:27 UTC - RP794 - Software Distribution Service 3.0

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:31 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken Online Backup\CBSysTray.exe
C:\WINDOWS\system32\LXAMSP32.EXE
C:\Documents and Settings\Owner\Desktop\Deckards System Scanner.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {82de967b-6db5-4ac2-8450-c732f8358a43} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: The emlkdvo - {9E1833D1-423D-4485-950E-0A417C2C15CA} - C:\WINDOWS\emlkdvo.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553545000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: bvtqfvx - {C3D19FAE-7651-43EE-B74F-6488FA897FC7} - C:\WINDOWS\bvtqfvx.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Quicken Online Backup\AgentSrv.EXE
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10567 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>
R0 GoBack2K - c:\windows\system32\drivers\goback2k.sys <Not Verified; Symantec Corporation; Norton GoBack>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 BCMNTIO - c:\program files\checkit\diagnostics\bcmntio.sys
R2 GBFSHook - c:\windows\system32\drivers\gbfshook.sys <Not Verified; Symantec Corporation; Norton GoBack>
R2 MAPMEM - c:\program files\checkit\diagnostics\mapmem.sys
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>

S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>
S3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AgentSrv (Connected Agent Service) - c:\program files\quicken online backup\agentsrv.exe -asv
R2 Speed Disk service - c:\progra~1\norton~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10
Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-12-30 09:43:13 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-12-29 13:17:52 338 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2007-12-24 12:00:00 318 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
2007-12-24 01:00:00 620 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Thom.job

-- Files created between 2007-11-30 and 2007-12-30 -----------------------------

2007-12-30 13:05:16 0 d-------- C:\Program Files\Trend Micro
2007-12-30 12:43:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2007-12-30 11:40:17 0 d-------- C:\Program Files\SpywareBlaster
2007-12-30 09:51:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 09:51:27 0 d-------- C:\WINDOWS\LastGood
2007-12-30 09:45:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-30 00:23:00 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-12-29 12:50:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-12-29 12:50:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-29 10:50:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-28 19:50:00 0 dr-h----- C:\Documents and Settings\Thom\Recent
2007-12-28 18:15:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-28 18:15:08 0 d-------- C:\Documents and Settings\Thom\Application Data\Uniblue
2007-12-28 18:14:45 0 d-------- C:\Program Files\Uniblue
2007-12-25 21:28:24 77824 --a------ C:\WINDOWS\fvkwdrt.exe
2007-12-25 21:28:24 200704 --a------ C:\WINDOWS\emlkdvo.dll <Not Verified; ; emlkdvo Module>
2007-12-25 21:28:24 208896 --a------ C:\WINDOWS\bvtqfvx.dll
2007-12-25 21:27:26 0 d-------- C:\Program Files\MediaSupplyCodec
2007-12-25 19:00:39 0 d-------- C:\Program Files\Full Tilt Poker.Org
2007-12-23 01:30:04 0 d-------- C:\Program Files\Video Add-on
2007-12-21 21:47:40 0 d-------- C:\Program Files\Nufsoft
2007-12-21 16:27:49 0 d-------- C:\Documents and Settings\Robert Christensen\Application Data\Apple Computer
2007-12-21 11:17:09 0 d-------- C:\Documents and Settings\Robert Christensen\Application Data\Sonic
2007-12-21 11:01:58 0 d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-12-21 11:00:25 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-12-21 11:00:20 0 d-------- C:\Program Files\AVSMedia
2007-12-21 11:00:01 0 d-------- C:\Program Files\Common Files\Download Manager
2007-12-21 02:53:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SwiftSwitch
2007-12-21 02:53:16 0 d-------- C:\Program Files\SwiftSwitch
2007-12-10 01:05:05 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-12-09 17:19:11 0 d-------- C:\Documents and Settings\Robert Christensen\Application Data\Datel
2007-12-05 20:07:41 0 d-------- C:\Netgear

-- Find3M Report ---------------------------------------------------------------

2007-12-30 13:05:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-30 11:06:34 0 d-------- C:\Program Files\Windows Defender
2007-12-30 11:04:38 0 d-------- C:\Program Files\Norton Internet Security
2007-12-30 11:03:42 0 d-------- C:\Program Files\Quicken Online Backup
2007-12-30 11:03:32 0 d-------- C:\Program Files\Norton SystemWorks Basic Edition
2007-12-30 11:03:16 0 d-------- C:\Program Files\Messenger
2007-12-30 09:48:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-30 09:07:55 0 d-------- C:\Program Files\Datel
2007-12-28 23:42:24 0 d-------- C:\Program Files\Common Files
2007-12-28 23:33:32 0 d-------- C:\Program Files\Yahoo!
2007-12-28 21:16:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-28 19:44:25 0 d-------- C:\Program Files\Cheat Engine
2007-12-27 06:50:41 0 d-------- C:\Program Files\RegSweep
2007-12-26 15:03:13 0 d-------- C:\Program Files\RuneHQ_Browser_Bar
2007-12-25 20:15:21 0 d-------- C:\Program Files\Quicken
2007-12-05 16:38:54 0 d-------- C:\Program Files\Symantec
2007-11-29 01:13:28 0 d-------- C:\Program Files\Siber Systems
2007-11-21 23:47:05 0 d-------- C:\Program Files\3D Kit Builder
2007-11-21 22:41:39 1156 --a------ C:\WINDOWS\mozver.dat
2007-11-21 22:38:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-13 22:57:54 223744 --a------ C:\WINDOWS\system32\b4fm.dll
2007-10-03 20:35:37 2147483647 --ahs---- C:\gobackio.bin

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 09:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
10/04/2007 05:43 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 09:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/23/2007 04:18 PM]
"lxamsp32.exe"="lxamsp32.exe" [10/21/2001 07:12 PM C:\WINDOWS\system32\LXAMSP32.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/24/2007 06:52 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [12/11/2007 10:55 AM]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [12/11/2007 10:55 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Quicken Online Backup TaskBar Icon.LNK - C:\Program Files\Quicken Online Backup\CBSysTray.exe [6/14/2007 11:02:01 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bvtqfvx"= {C3D19FAE-7651-43EE-B74F-6488FA897FC7} - C:\WINDOWS\bvtqfvx.dll [12/25/2007 12:33 PM 208896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AcBtnMgr_X63.exe.lnk]
backup=C:\WINDOWS\pss\AcBtnMgr_X63.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACMonitor_X63.exe.lnk]
backup=C:\WINDOWS\pss\ACMonitor_X63.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote Software 7.lnk]
backup=C:\WINDOWS\pss\Logitech Harmony Remote Software 7.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Online Backup TaskBar Icon.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Online Backup TaskBar Icon.LNK
backup=C:\WINDOWS\pss\Quicken Online Backup TaskBar Icon.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxamsp32.exe]
lxamsp32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegSweep]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue PowerSuite]
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

*Newly Created Service* - COMHOST
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK

-- End of Deckard's System Scanner: finished at 2007-12-30 13:06:44 ---------

tntsh · Jan 1, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Bump.

TheBruce1 · Jan 1, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Hello and welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========================

Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.Its important that you follow this through until i give you the all clear,a lack of symptoms does not mean that you are clean.

========================

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========================
Downloads

Download this file - http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your DesktopDo not run just yet, we will shortly
------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run just yet, we will shortly

===================================

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
__

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

===============================

Reboot into normal mode

================================

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

==================================

Go to

→ Run → paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

===============================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===============================
Logs Required
C:\rapport.txt
C:\Combofix.txt
Hijackthis log

tntsh · Jan 2, 2008

Here are the logs...

OK --

rapport.txt

SmitFraudFix v2.274

Scan done at 19:55:40.04, Tue 01/01/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\Owner\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Owner\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Owner\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Program Files\Video Add-on\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6CDBC98C-40EB-4FFA-BA65-03077B9D8F3D}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6CDBC98C-40EB-4FFA-BA65-03077B9D8F3D}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6CDBC98C-40EB-4FFA-BA65-03077B9D8F3D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

combofix.txt

ComboFix 07-12-30.3 - Owner 2008-01-01 20:23:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.877 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Robert Christensen\Favorites\Error Cleaner.url
C:\Documents and Settings\Robert Christensen\Favorites\Privacy Protector.url
C:\Documents and Settings\Robert Christensen\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Sharon\Desktop\Error Cleaner.url
C:\Documents and Settings\Sharon\Desktop\Privacy Protector.url
C:\Documents and Settings\Sharon\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Sharon\Favorites\Error Cleaner.url
C:\Documents and Settings\Sharon\Favorites\Privacy Protector.url
C:\Documents and Settings\Sharon\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Thom\Desktop\Error Cleaner.url
C:\Documents and Settings\Thom\Desktop\Privacy Protector.url
C:\Documents and Settings\Thom\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Thom\Favorites\Error Cleaner.url
C:\Documents and Settings\Thom\Favorites\Privacy Protector.url
C:\Documents and Settings\Thom\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\bvtqfvx.dll
C:\WINDOWS\emlkdvo.dll
C:\WINDOWS\fvkwdrt.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 20:23 . 2008-01-01 20:23 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-01 20:18 . 2008-01-01 20:18 <DIR> d-------- C:\ie-spyad_zo
2008-01-01 19:55 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-01 19:55 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-01 19:55 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-01 19:55 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-01 19:55 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-01 19:55 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-01 19:55 . 2008-01-01 19:55 1,344 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-30 13:05 . 2007-12-30 13:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 13:01 . 2007-12-30 13:01 <DIR> d-------- C:\Deckard
2007-12-30 11:40 . 2007-12-30 11:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-30 09:51 . 2007-12-30 11:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 09:51 . 2007-12-30 11:01 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-30 09:51 . 2007-12-30 11:01 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-30 09:51 . 2007-12-30 11:01 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-30 09:45 . 2007-12-30 09:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-29 12:50 . 2007-12-30 00:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-29 12:50 . 2007-12-29 13:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-12-29 10:50 . 2007-12-29 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-28 18:15 . 2007-12-28 19:41 <DIR> d-------- C:\Documents and Settings\Thom\Application Data\Uniblue
2007-12-28 18:15 . 2007-12-28 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-28 18:14 . 2007-12-28 18:14 <DIR> d-------- C:\Program Files\Uniblue
2007-12-25 21:27 . 2007-12-29 12:45 <DIR> d-------- C:\Program Files\MediaSupplyCodec
2007-12-25 19:00 . 2007-12-28 21:16 <DIR> d-------- C:\Program Files\Full Tilt Poker.Org
2007-12-21 21:47 . 2007-12-21 21:52 <DIR> d-------- C:\Program Files\Nufsoft
2007-12-21 16:27 . 2007-12-21 16:27 <DIR> d-------- C:\Documents and Settings\Robert Christensen\Application Data\Apple Computer
2007-12-21 11:17 . 2007-12-23 15:58 <DIR> d-------- C:\Documents and Settings\Robert Christensen\Application Data\Sonic
2007-12-21 11:01 . 2007-12-21 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-12-21 11:00 . 2007-12-21 11:00 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-21 11:00 . 2007-12-21 11:00 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-12-21 11:00 . 2007-12-21 11:15 <DIR> d-------- C:\Program Files\AVSMedia
2007-12-21 11:00 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-21 02:53 . 2007-12-21 03:09 <DIR> d-------- C:\Program Files\SwiftSwitch
2007-12-21 02:53 . 2007-12-21 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SwiftSwitch
2007-12-10 01:05 . 2007-12-10 01:05 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-12-09 17:19 . 2007-12-09 17:19 <DIR> d-------- C:\Documents and Settings\Robert Christensen\Application Data\Datel
2007-12-05 20:07 . 2007-12-09 13:17 <DIR> d-------- C:\Netgear

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 01:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-02 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-30 17:06 --------- d-----w C:\Program Files\Windows Defender
2007-12-30 17:04 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-30 17:03 --------- d-----w C:\Program Files\Quicken Online Backup
2007-12-30 17:03 --------- d-----w C:\Program Files\Norton SystemWorks Basic Edition
2007-12-30 15:07 --------- d-----w C:\Program Files\Datel
2007-12-29 18:45 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-29 05:33 --------- d-----w C:\Program Files\Yahoo!
2007-12-29 03:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 01:44 --------- d-----w C:\Program Files\Cheat Engine
2007-12-27 12:50 --------- d-----w C:\Program Files\RegSweep
2007-12-27 00:45 --------- d-----w C:\Documents and Settings\Robert Christensen\Application Data\Symantec
2007-12-26 21:03 --------- d-----w C:\Program Files\RuneHQ_Browser_Bar
2007-12-26 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-26 02:15 --------- d-----w C:\Program Files\Quicken
2007-12-05 22:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 22:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 22:38 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 22:38 --------- d-----w C:\Program Files\Symantec
2007-12-01 05:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 05:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 05:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 05:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 05:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 05:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 05:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 05:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 05:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
2007-11-29 07:13 --------- d-----w C:\Program Files\Siber Systems
2007-11-29 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\FunGames
2007-11-22 16:23 --------- d-----w C:\Documents and Settings\Thom\Application Data\InstallShield
2007-11-22 05:47 --------- d-----w C:\Program Files\3D Kit Builder
2007-11-16 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 21:52 --------- d-----w C:\Documents and Settings\Robert Christensen\Application Data\Leadertech
2007-11-07 03:52 --------- d-----w C:\Documents and Settings\Robert Christensen\Application Data\Yahoo!
2007-10-04 02:35 3,999,989,760 --sha-w C:\gobackio.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-04 05:43 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{724D43A0-0D85-11D4-9908-00400523E39A}

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GoBack]
@={1F038B9D-83F5-4b28-BA76-8654EC297DD6}

[HKEY_CLASSES_ROOT\CLSID\{1F038B9D-83F5-4b28-BA76-8654EC297DD6}]
2006-07-19 10:45 607920 -ra------ C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\ShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-24 06:52 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-11 10:55 1260296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18 51048]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 19:12 45056 C:\WINDOWS\system32\LXAMSP32.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Quicken Online Backup TaskBar Icon.LNK - C:\Program Files\Quicken Online Backup\CBSysTray.exe [2007-06-14 11:02:01]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AcBtnMgr_X63.exe.lnk]
backup=C:\WINDOWS\pss\AcBtnMgr_X63.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACMonitor_X63.exe.lnk]
backup=C:\WINDOWS\pss\ACMonitor_X63.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote Software 7.lnk]
backup=C:\WINDOWS\pss\Logitech Harmony Remote Software 7.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Online Backup TaskBar Icon.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Online Backup TaskBar Icon.LNK
backup=C:\WINDOWS\pss\Quicken Online Backup TaskBar Icon.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 10:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-10-23 16:18 51048 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 01:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 00:04 122933 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-02-10 10:51 118784 --a------ C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 10:55 155648 --a------ C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-01 15:51 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-03-24 06:52 67128 --a------ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxamsp32.exe]
lxamsp32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
2006-06-20 15:54 57344 --a------ C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
2007-12-03 01:33 25472 --a------ C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2007-08-24 22:53 714608 --a------ C:\Program Files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2001-10-21 16:54 36864 --a------ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegSweep]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2007-12-15 10:19 160592 --a------ C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
2007-12-15 10:19 160592 --a------ C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue PowerSuite]
2007-12-11 10:55 3202832 --a------ C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2006-07-19 10:45]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2006-07-19 10:45]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 16:09]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2006-07-19 10:45]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-10-23 16:18]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 16:09]
R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2006-10-10 07:17]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2003-08-10 00:17]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-03 20:43]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 02:33:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-02 02:30:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Thom.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-01-02 02:30:41 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Basic Edition\OBC.exe
"2007-12-29 19:17:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 20:31:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 20:36:21 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 02:36:12

2007-12-21 05:36:33 --- E O F ---

hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:51 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Quicken Online Backup\CBSysTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553545000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Quicken Online Backup\AgentSrv.EXE
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9191 bytes

TheBruce1 · Jan 2, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Hello again

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

J2SE Runtime Environment 5.0 Update 10

Leave Java(TM) 6 Update 3 installed, reboot when Update 10 has been removed

==================================

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Please remember to close all other windows, including browsers then click Fix checked.

====================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives[*]Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

=================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=================================
Logs Required
Kaspersky scan report
Hijackthis log

An update on how your system is behaving.

tntsh · Jan 3, 2008

More log files...

Thanks, for all you help thusfar, TheBruce1. I'm not sure we're there yet. I still can't change the display resolution.

Here's report from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 02, 2008 8:34:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/01/2008
Kaspersky Anti-Virus database records: 501803
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 70013
Number of viruses found: 15
Number of infected objects: 49
Number of suspicious objects: 6
Duration of the scan process: 01:20:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10172007-212817.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{31F182BA-D699-45D1-BBB4-F4317E343F6F}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{708C443B-856A-4F18-95C8-7E84B1C08DF3}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{A2667ACD-6981-4288-95FC-69B55EA7AE72}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{A97ABA31-350E-455D-A5F7-DEABC2FC6171}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{7198DEC8-C4A0-4A86-8CC3-6FFFD82CFAA5}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{7198DEC8-C4A0-4A86-8CC3-6FFFD82CFAA5}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\96347924.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008010220080103\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA4F0.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\gobackio.bin Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymcData\ipsdefs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\lulock.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\L0000002.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.idx Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\03734B6B.xor Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09CC4031.htm Infected: Trojan-Downloader.VBS.Mscount.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\10446661.htm Infected: Trojan-Clicker.HTML.IFrame.ey skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\10DE1E01.xor Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1AB1384E.htm Infected: Trojan-Downloader.VBS.Mscount.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20204F21.xor Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\23A92EC8.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\247F5E94.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\288712B7.htm Infected: Trojan-Clicker.JS.Agent.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\38A801F2.htm Infected: Trojan-Downloader.JS.Agent.bi skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BB03812.htm Infected: Constructor.Perl.Msdds.b skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BC00A00.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BC333FC.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BC75DF9.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BCA07F5.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BE701D5.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BEA2BD1.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BF429C6.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BF429C6.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BF429C6.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BF429C6.zip ZIP: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BF429C6.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42712DBF.htm Infected: Trojan-Downloader.VBS.Mscount.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4AC837E1.xor Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4C872288.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\575B680F.htm Infected: Trojan-Downloader.JS.Agent.bi skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57DD777F.htm Infected: Trojan-Downloader.JS.Agent.bi skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57EE496D.htm Infected: Trojan-Downloader.JS.Agent.bi skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58A14EA7.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58A14EA7.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58A14EA7.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58A14EA7.zip ZIP: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58A14EA7.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65846F4B.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68822739.zip/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68822739.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68822739.zip ZIP: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68822739.zip CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C7A4E35.xor Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7B412034.htm Infected: Exploit.JS.CVE-2005-1790.h skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F124EB7.zip/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F124EB7.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F124EB7.zip ZIP: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F124EB7.zip CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7FF46F16.xor Suspicious: Exploit.Win32.IMG-WMF skipped
C:\QooBox\Quarantine\C\WINDOWS\bvtqfvx.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.wc skipped
C:\QooBox\Quarantine\C\WINDOWS\emlkdvo.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.we skipped
C:\QooBox\Quarantine\C\WINDOWS\fvkwdrt.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.uh skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CF9AC647-AC8D-4513-94AC-22CD79D5F154}\RP854\A0249513.dll Infected: not-a-virus:AdWare.Win32.Vapsup.we skipped
C:\System Volume Information\_restore{CF9AC647-AC8D-4513-94AC-22CD79D5F154}\RP854\A0249514.dll Infected: not-a-virus:AdWare.Win32.Vapsup.wc skipped
C:\System Volume Information\_restore{CF9AC647-AC8D-4513-94AC-22CD79D5F154}\RP854\A0249515.exe Infected: not-a-virus:AdWare.Win32.Vapsup.uh skipped
C:\System Volume Information\_restore{CF9AC647-AC8D-4513-94AC-22CD79D5F154}\RP855\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETACE4.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:56 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken Online Backup\CBSysTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553545000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Quicken Online Backup\AgentSrv.EXE
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks Basic Edition\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9421 bytes

TheBruce1 · Jan 3, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Hello again

What the Kaspersky scan found has been neutarlised in one way or another. You may want to clear your Norton Quarantine folder details Here the others that Kaspersky found will be removed when we have finished.

As for your display resolution problem, right-click on your desktop and select Properties>click on the Setting tab, you can change the resolution from there.

tntsh · Jan 4, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Hello back!

Re-installed the video drivers and that corrected the screen resolution issue.

I'm running Norton's 2007 - and the link did not provide precise directions for this version, but I muddled thru it and I'm pretty sure I got the gist of the quarantined files removed.

What's next?

TheBruce1 · Jan 4, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Well done,your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

------------

You can also remove Smitfraudfix as well.

==================================

Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.

Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1.Click Start,Run, type sysdm.cpl, and then press OK.
2.Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended).

Microsoft updates are released every second Tuesday of each month,what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note:Only compatible with Firefox 1.5 and higher.

Only install one of the above

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
AVG Antispyware Free
Ad-Aware
Spybot S&D
Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Download Spyware Guard to catch and block spyware before it can execute.

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If your having trouble downloading & extracting,see link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the host file,double click on it and a new window will open.

Double-click on mvps.batand follow the prompts

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen.Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.

tntsh · Jan 5, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Could not "uninstall" ComboFix and SmitfraudFix, but deleted ComboFix.exe and SmitfraudFix.exe.

Otherwise everything looks good -- thanks again for all your help!

TheBruce1 · Jan 5, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Hi

Since you were unable to run the combofix uninstall command please delete these folders:

C:\Combofix
C:\Qoobox is ComboFix quarantine folder
C:\Deckard is DSS working folder. You can safely delete it. Also delete dss.exe

-------------------

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

-------------------------

Clear & Reset System Restore's Cache

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Let us know if you have any problems.

tntsh · Jan 6, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

I think the issue is still buried in the system somewhere. I may have it isolated/quarantined by using Uniblue SoyEraser. I am unable to "hold" a home page. Once I reboot and sign back on, the home page is wiped out and I have to type a web adress in the top window (or click a favorite) to access the web.

Uniblue's real time guard will pop-up with a window showing an attempt to change the home page after I go back and manually change it. I don't think this window is generated by my change, but rather by the spyware/worm still attached to a registry file.

I have run both Norton's Sytems Works One Button Checkup and Uniblue's Registry Booster to attempt to clean the system, but one error remains that I am unable to clean. Not sure how to get you info on that error.

Also, cannot print "online". Any print attempts are sent to an offline print queue. When I try to change to online printing, I get an error message saying that the printer is not available.

TheBruce1 · Jan 6, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

When you change your homepage this will get written to the registry, if you are not allowing this change to take place then it will not be changed.

As for registry cleaners, do you really know what you are deleting, removing entries from the registry without knowing what is being removed can cause your system to crash.

You may have to uninstall then reinstall your printer, this could have been caused by using a registry cleaner tool.

tntsh · Jan 7, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

I am making and allowing the change to the home page. After I have made the change I am getting a pop-up that an attempt is being made to change the home page. Each time I re-boot and access the internet, the change that I made has been removed and there is no homepage--no default--nothing except "http:///".

TheBruce1 · Jan 7, 2008

Re: Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware

Ok, lets see if we can restore the defalut settings.

*Open Internet Explorer
*On the Tools menu, click Internet Options.
*Click the Advanced tab, and then click Reset.
*On the Reset Internet Explorer Settings dialog box, click Reset.
*When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
*Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Reboot, does the same problem occur. If not try to set your own homepage.

*Click on Tools
*Internet Options
*General tab
*Type you desired homepage
*Click on Use Current button
*Click Apply and then the Ok button.

Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware..."

tntsh

Registered

Attachments

tntsh

Registered

TheBruce1

Registered

tntsh

Registered

TheBruce1

Registered

tntsh

Registered

TheBruce1

Registered

tntsh

Registered

TheBruce1

Registered

tntsh

Registered

TheBruce1

Registered

tntsh

Registered

TheBruce1

Registered

tntsh

Registered

TheBruce1

Registered