[newtonet]

I run McAfee which today identified a trojan on my computer. I ran a scan and it showed six problems. After I cleaned/removed the problems I noticed that McAfee virus scan is no longer enabled and I can't seem to enable it. Pls see if my HJT log shows anything out of the ordinary. Ad-Aware picked up nothing. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 5:44:23 PM, on 09/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
C:\Program Files\inKline Global\PC Booster\PCBooster.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\hibkc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Zing Software\Port Monster\pm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Modem Booster] C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDOWS] C:\hibkc.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .BMP: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.co...n/NCO/WSAS.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

[fredmh]

Hello newtonet, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

You have a couple of nasty items in here which we will take care of for you. Let's get started

----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5

I see you have Ewido anti-spyware 4.0 installed. Ewido has recently been purchased by Grisoft, makers of AVG Antivirus, and the program is
now known as AVG Anti-Spyware. It is essentially the same program with a new paintjob; Ewido currently can still be updated to the newest
definitions, but this support will likely not last forever. I recommend you uninstall Ewido 4.0, restart your system, then download and install
AVG Anti-Spyware. Update it's definitions as directed below, and run a scan where I have it placed in this fix.



Please download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

1. Install AVG Anti-Spyware 7.5.
2. Double-click the icon on Desktop to launch AVG A-S 7.5
3. On the top of the main screen click Shield
4. Click the word active to change it to inactive
5. On the top of the main screen click Update.
6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.

SDFix

Download SDFix and save it to your desktop.
We will use it later.




ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX

2. 2. Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v rpcc


3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.


DISABLE SPYWARE GUARD

• Right click the running icon of Spywareguard in the system tray to open the program.
• Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O4 - HKLM\..\Run: [WINDOWS] C:\hibkc.exe


Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\hibkc.exe

----------------------------------------


SDFix

• Right click the SDFix.zip folder and choose Extract All,
• Open the extracted folder and double click RunThis.bat to start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file
  Report.txt back onto the forum with a new HijackThis log

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5

• Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
  This scan can take quite a while to run, so be prepared.
• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  
  
  
  
  
• When the scan is complete click Recommended Action and change it to Quarantine (1),
• If not click Recommended Action and choose Quarantine from the popup menu. (2)
• At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on
   located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on
  then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:\combofix.txt
report.txt from SDFix
AVG A/S
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

 

[newtonet]

Sry it's taken so long to reply but i've just now gotten my pc stable enough to get back online. I;ve followed the steps to the letter and the logs are below.
ComboFix 06-12-01.2W-BetaE - Running from: "C:\Documents and Settings\my name\desktop"
Command switches used :: /v rpcc

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\w.exe
C:\WINDOWS\system32\w.exe.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Documents and Settings\Philippe Fader\Desktop\Internet Explorer.lnk
C:\WINDOWS\emdat.tm
C:\WINDOWS\emdat.tmp
C:\WINDOWS\system32\vbuzip10.dll
C:\WINDOWS\system32\vbzip11.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\dembat.tm
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\se.exe.exe
C:\WINDOWS\system32\ss.exe.exe
C:\WINDOWS\system32\google.png.exe
C:\WINDOWS\system32\kernels1118.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\Downloaded Program Files\rave


((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


2006-12-17 01:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-17 01:00 <DIR> d-------- C:\Program Files\Grisoft
2006-12-15 07:51 16,287,680 --a------ C:\20061214-017-x86.exe
2006-12-15 07:43 91,856 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-12-15 07:43 123,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-12-15 07:40 <DIR> d-------- C:\Program Files\Symantec
2006-12-15 07:39 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2006-12-15 07:39 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-15 07:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-12-15 07:34 <DIR> dr-h----- C:\Documents and Settings\Philippe Fader\Recent
2006-12-15 06:55 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2006-12-15 06:55 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2006-12-12 23:17 6,239 --a------ C:\WINDOWS\SYSTEM32\eN3dWev.exe
2006-12-12 23:16 6,239 --a------ C:\Documents and Settings\Philippe Fader\nqnCc5h.exe
2006-12-12 23:16 20,480 --a------ C:\WINDOWS\SYSTEM32\z3884.dll
2006-12-12 23:04 20,480 --a------ C:\WINDOWS\SYSTEM32\z3908.dll
2006-12-12 23:00 3,072 --a------ C:\WINDOWS\SYSTEM32\z2810468163.exe
2006-12-12 22:59 3,072 -r-hs---- C:\WINDOWS\SYSTEM32\z2810435756.exe
2006-12-12 22:55 6,239 --a------ C:\WINDOWS\SYSTEM32\INtUDd3.exe
2006-12-12 22:54 20,480 --a------ C:\WINDOWS\SYSTEM32\z3752.dll
2006-12-12 22:42 6,239 --a------ C:\Documents and Settings\Philippe Fader\E17p3o3.exe
2006-12-12 22:41 20,480 --a------ C:\WINDOWS\SYSTEM32\z3579.dll
2006-12-12 22:38 65,568 --a------ C:\WINDOWS\SYSTEM32\lzx32.sys
2006-12-12 22:37 6,239 --a------ C:\Documents and Settings\Philippe Fader\KWJGg18.exe
2006-12-12 22:36 20,480 --a------ C:\WINDOWS\SYSTEM32\z3924.dll
2006-12-12 22:34 6,239 --a------ C:\Documents and Settings\Philippe Fader\IG4jA51.exe
2006-12-12 22:34 20,480 --a------ C:\WINDOWS\SYSTEM32\z3224.dll
2006-12-12 22:22 20,480 --a------ C:\WINDOWS\SYSTEM32\z3644.dll
2006-12-12 22:19 45,056 --a------ C:\Documents and Settings\Philippe Fader\wpcem.exe
2006-12-12 22:19 20,480 --a------ C:\WINDOWS\SYSTEM32\z3248.dll
2006-12-12 22:13 13,824 --a------ C:\WINDOWS\SYSTEM32\dial23.exe
2006-12-12 22:10 89,088 --a------ C:\WINDOWS\SYSTEM32\qfyqakn.dll
2006-12-12 22:10 34,997 --a------ C:\WINDOWS\SYSTEM32\ptrch32.dll
2006-12-12 22:09 8,609 --a------ C:\WINDOWS\SYSTEM32\z2418.exe
2006-12-12 22:09 8,609 --a------ C:\WINDOWS\SYSTEM32\cmd32.exe
2006-12-12 22:09 6,239 --a------ C:\WINDOWS\SYSTEM32\z13.exe
2006-12-12 22:09 6,176 --a------ C:\WINDOWS\SYSTEM32\z12.exe
2006-12-12 22:09 393 --a------ C:\WINDOWS\SYSTEM32\z16.exe
2006-12-12 22:09 3,648 --a------ C:\WINDOWS\SYSTEM32\z2851.exe
2006-12-12 22:09 23,552 --a------ C:\WINDOWS\SYSTEM32\z11.exe
2006-12-12 22:09 200,704 --a------ C:\WINDOWS\SYSTEM32\z14.exe
2006-12-12 22:09 160,768 --a------ C:\WINDOWS\SYSTEM32\xnfn.dll
2006-12-12 22:09 10,333 --a------ C:\WINDOWS\SYSTEM32\z15.exe
2006-12-12 22:08 23,552 --a------ C:\WINDOWS\SYSTEM32\z2784.exe
2006-12-12 22:05 6,239 --a------ C:\WINDOWS\SYSTEM32\L660vI8.exe
2006-12-12 22:05 0 --a------ C:\WINDOWS\SYSTEM32\syspools.exe
2006-12-12 22:04 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll
2006-12-12 22:04 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll
2006-12-12 22:04 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll
2006-12-12 22:04 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll
2006-12-12 22:03 9,804 --a------ C:\WINDOWS\SYSTEM32\z118.exe
2006-12-12 22:03 6,239 --a------ C:\WINDOWS\SYSTEM32\z2103.exe
2006-12-12 22:03 20,480 --a------ C:\WINDOWS\SYSTEM32\z3987.dll
2006-12-12 22:03 13,312 --a------ C:\WINDOWS\SYSTEM32\z2529.exe
2006-12-12 22:03 <DIR> d-------- C:\WINDOWS\inet20000
2006-12-12 22:02 3,584 --a------ C:\WINDOWS\SYSTEM32\msasvc.exe
2006-12-12 22:02 3,072 -r-hs---- C:\jrcfquoh19154833.exe
2006-12-12 22:02 1,024 --a------ C:\kcxhfwlo.exe
2006-12-12 22:02 1,024 --a------ C:\chpsa.exe
2006-12-12 21:20 <DIR> d-------- C:\Documents and Settings\Philippe Fader\Application Data\U3
2006-12-11 16:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2006-12-09 14:21 39,144 --a------ C:\WINDOWS\SYSTEM32\ipv6mons.dll
2006-12-07 12:13 <DIR> d-------- C:\Documents and Settings\Philippe Fader\Application Data\ICQLite
2006-12-05 11:24 <DIR> d-------- C:\Program Files\Yahoo!
2006-12-03 16:45 2,934,920 --a------ C:\Program Files\ymsgr.exe
2006-12-01 19:19 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-18 23:09 <DIR> d-------- C:\Documents and Settings\Philippe Fader\Application Data\Creative
2006-11-18 20:10 41,984 --------- C:\WINDOWS\Ctregrun.exe
2006-11-18 20:09 487,424 --------- C:\WINDOWS\SYSTEM32\msvcp70.dll
2006-11-18 20:09 24,576 --------- C:\WINDOWS\SYSTEM32\msxml3a.dll
2006-11-18 20:09 <DIR> d-------- C:\Program Files\Audible
2006-11-18 20:05 44,032 --------- C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
2006-11-18 20:05 25,088 --------- C:\WINDOWS\SYSTEM32\CTSVCCTL.EXE
2006-11-18 20:01 38,402 --------- C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
2006-11-18 19:59 <DIR> d-------- C:\Program Files\Creative


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-17 00:56 -------- d-------- C:\Program Files\CleanUp!
2006-12-16 20:03 -------- d-------- C:\Program Files\Internet Explorer
2006-12-16 20:01 -------- d-------- C:\Program Files\Outlook Express
2006-12-16 20:01 -------- d-------- C:\Program Files\Common Files\System
2006-12-15 11:30 -------- d-------- C:\Program Files\ewido anti-malware
2006-12-15 11:29 -------- d-------- C:\Program Files\inKline Global
2006-12-15 11:28 -------- d-------- C:\Program Files\SpywareBlaster
2006-12-15 11:28 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-15 11:27 -------- d-------- C:\Program Files\SpywareGuard
2006-12-15 11:20 -------- d-------- C:\Program Files\Lavasoft
2006-12-15 11:20 -------- d-------- C:\Documents and Settings\Philippe Fader\Application Data\Lavasoft
2006-12-15 07:39 -------- d-------- C:\Program Files\Common Files
2006-12-12 22:57 -------- d---s---- C:\Documents and Settings\Philippe Fader\Application Data\Microsoft
2006-12-07 12:30 -------- d-------- C:\Program Files\ICQLite
2006-12-07 11:31 -------- d-------- C:\Program Files\CFPAS_SEPFC_2005
2006-12-06 22:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-19 18:18 -------- d-------- C:\Program Files\PokerStars
2006-11-18 23:20 -------- d-------- C:\Documents and Settings\Philippe Fader\Application Data\jPodder
2006-11-18 20:08 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-17 21:00 -------- d-------- C:\Program Files\ICQToolbar
2006-11-07 22:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-04 14:47 -------- d-------- C:\Program Files\Acoustica MP3 To Wave Converter PLUS
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-29 20:18 -------- d-------- C:\Program Files\Google
2006-10-26 15:09 -------- d-------- C:\Documents and Settings\Philippe Fader\Application Data\Google
2006-10-26 04:39 -------- d-------- C:\Program Files\Java
2006-10-19 06:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2006-10-13 05:35 142336 --a--c--- C:\WINDOWS\SYSTEM32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"system spool"="C:\\WINDOWS\\system32\\syspools.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"system spool"="C:\\WINDOWS\\system32\\syspools.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Microsoft WPCEmail"="C:\\WINDOWS\\inet20000\\svchost.exe "
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
"location"="Common Startup"
"item"="HotSync Manager"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkCommon Startup"
"command"="C:\\Palm\\HOTSYNC.EXE "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="\"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe\" /start"
"item"="Logitech Desktop Messenger"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="quickset"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSentry"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DSentry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMS"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnappau"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-ca\\msnappau.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TkBellExe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AACE2F029385A1CE.job

Completion time: 06-12-17 1:08:07.50

--------------------------------------------------------------------------

SDFix: Version 1.48
****************

17/12/2006 - 1:22:18.74

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

MsaSvc

File Path:

C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\CHPSA.EXE
C:\KCXHFWLO.EXE
C:\AAAAAAIF.T
C:\AAAAAAIS.T
C:\DGYRWIPQ.T
C:\FKPUUTPY.T
C:\FKPUUTUQ.T
C:\JSWBHALK.T
C:\JSWBQMBM.T
C:\MYVSNPUG.T
C:\MYVSNQLG.T
C:\MYVSNUBL.T
C:\PFUKKYUW.T
C:\QHDYJRWS.T
C:\TNCQWFGY.T
C:\YXRLBGXD.T
C:\DELL\AAAAAEOX.T
C:\DELL\AAAAAERK.T
C:\DELL\AAAAAYQK.T
C:\DELL\AAAAQNWE.T
C:\DELL\BCIOYSSE.T
C:\DELL\BCIOYWRD.T
C:\DELL\CEQDXLYA.T
C:\DELL\EIHGVWYF.T
C:\DELL\GMXJTIDD.T
C:\DELL\HOGXSABD.T
C:\DELL\IQOMRTLR.T
C:\DELL\IQOMRXME.T
C:\DELL\JSWBQMNX.T
C:\DELL\JSWBQQKF.T
C:\DELL\KUFPGSRG.T
C:\DELL\MYVSNUAS.T
C:\DELL\SLTCHDEF.T
C:\DELL\TNCQWFOQ.T
C:\DELL\UPKFFJPJ.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\BCIOYWID.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\DGYRWIQD.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\EIHGVBOE.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\HOGXSBQS.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\LWNEOCXG.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\ODMVLGFQ.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\TNCQGVPF.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\XVJWCSBG.T
C:\WINDOWS\SYSTEM32\Z12.EXE
C:\WINDOWS\SYSTEM32\Z16.EXE
C:\WINDOWS\SYSTEM32\Z15.EXE
C:\WINDOWS\SYSTEM32\Z11.EXE
C:\WINDOWS\SYSTEM32\Z2784.EXE
C:\WINDOWS\SYSTEM32\EN3DWEV.EXE
C:\WINDOWS\SYSTEM32\INTUDD3.EXE
C:\WINDOWS\SYSTEM32\L660VI8.EXE
C:\WINDOWS\SYSTEM32\Z13.EXE
C:\WINDOWS\SYSTEM32\Z2103.EXE
C:\WINDOWS\SYSTEM32\Z118.EXE
C:\WINDOWS\SYSTEM32\Z2851.EXE
C:\WINDOWS\SYSTEM32\Z2529.EXE
C:\WINDOWS\SYSTEM32\CMD32.EXE
C:\WINDOWS\SYSTEM32\Z2418.EXE
C:\WINDOWS\SYSTEM32\Z3224.DLL
C:\WINDOWS\SYSTEM32\Z3248.DLL
C:\WINDOWS\SYSTEM32\Z3579.DLL
C:\WINDOWS\SYSTEM32\Z3644.DLL
C:\WINDOWS\SYSTEM32\Z3752.DLL
C:\WINDOWS\SYSTEM32\Z3884.DLL
C:\WINDOWS\SYSTEM32\Z3908.DLL
C:\WINDOWS\SYSTEM32\Z3924.DLL
C:\WINDOWS\SYSTEM32\Z3987.DLL
C:\WINDOWS\inet20000\121361618.dll
C:\WINDOWS\inet20000\12136440.dll
C:\WINDOWS\inet20000\killer.exe
C:\WINDOWS\inet20000\killer.exe.bak
C:\WINDOWS\inet20000\mm.pid
C:\WINDOWS\inet20000\mmx138.exe
C:\WINDOWS\inet20000\mmx83.exe
C:\WINDOWS\inet20000\mmx830.exe
C:\WINDOWS\inet20000\mmx90.exe
C:\WINDOWS\inet20000\mmx953.exe
C:\WINDOWS\inet20000\mmx970.exe
C:\WINDOWS\inet20000\services.exe
C:\WINDOWS\inet20000\svchost.exe
C:\WINDOWS\inet20000\svchost.exe.bak
C:\WINDOWS\inet20000\wpcem.exe
C:\WINDOWS\inet20000\www.google.com\favicon.ico
C:\WINDOWS\inet20000\www.google.com\index.html
C:\WINDOWS\inet20000\www.google.com\thank.html
C:\WINDOWS\inet20000\www.google.com\Google_files\hp0.gif
C:\WINDOWS\inet20000\www.google.com\Google_files\hp1.gif
C:\WINDOWS\inet20000\www.google.com\Google_files\hp2.gif
C:\WINDOWS\inet20000\www.google.com\Google_files\hp3.gif
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\drivers\etc\hosts.tim
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\syspools.exe

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
:lzx32.sys 65568
:svchost.exe 13526
Total size: 79094 bytes.

Removing ADS

system32: deleted 79094 bytes in 2 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------


Authorized Applications Key Export:

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\jrcfquoh19154833.exe
C:\I386\cdplayer.exe.manifest
C:\I386\logonui.exe.manifest
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071772.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074769.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP552\A0076821.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076922.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076970.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077219.exe
C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
C:\WINDOWS\SYSTEM32\logonui.exe.manifest
C:\WINDOWS\SYSTEM32\z2810435756.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Donna Fader\Local Settings\Temp\$b17a2e8.tmp

FINISHED!
--------------------------------------------------------------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:35:28 AM 17/12/2006

+ Scan result:



C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077136.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077137.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077138.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077140.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077144.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dial23.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Philippe Fader\Local Settings\Application Data\qfyqakn.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/z2784.exe -> Dropper.Small.atd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079657.exe -> Dropper.Small.atd : Cleaned with backup (quarantined).
C:\Documents and Settings\Philippe Fader\wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/svchost.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/svchost.exe.bak -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071758.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071759.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072758.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072759.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074759.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074760.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0075751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0075758.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP552\A0076836.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076937.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076958.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077203.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077209.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP556\A0077276.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0078422.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079446.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079454.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079461.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079471.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079567.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079574.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079688.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079689.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0070752.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071760.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072760.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074757.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0075759.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0077383.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/z11.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079656.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0068774.dll -> Proxy.Dlena.as : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\xnfn.dll -> Trojan.Agent.pk : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/chpsa.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/kcxhfwlo.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0070769.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071762.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072767.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074771.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP552\A0076825.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076926.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076956.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079651.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079652.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).


::Report end

--------------------------------------------------------------------------

Incident Status Location

Adware:adware/eshopper Not disinfected c:\windows\system32\Eshop.xml
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Philippe Fader\Application Data\Registry Cleaner
Spyware:spyware/safesurf Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Philippe Fader\Desktop\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Philippe Fader\Desktop\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:16:19 AM, on 17/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zing Software\Port Monster\pm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .BMP: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.com/plug-in/NCO/WSAS.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--------------------------------------------------------------------------

Machine is more stable now. Symantec is blocking trojans as designed.

 

[fredmh]

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

We cleaned out a lot on that round, but also brought out a few items which need attention. Let's go to round #2

----------------------------------------

DOWNLOADS


KILLBOX


Download KillBox (it's important that you get version v2.0.0.175)
Do not run it yet.



SMITFRAUD FIX

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.




Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!



RUSTOCK.B FIX


Download RustbFix
...and save it to your desktop.

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while,
and perhaps 2 reboots will be needed. But this will happen automatically. If possible, boot into Safe Mode

After the reboot 2 logfiles will open (%root%avenger.txt & %root%rustbfixpelog.txt). Post the content of these logfiles.
----------------------------------------

SAFE MODE RE-BOOT

If able to boot into Safe Mode from Rustock tool, disregard this step

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS



UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\Program Files\CFPAS_SEPFC_2005

C:\Documents and Settings\Philippe Fader\nqnCc5h.exe

----------------------------------------

KILLBOX


Launch KillBox.exe & select the following options:

• Delete on Reboot
• All files (if available)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:


C:\WINDOWS\SYSTEM32\z2810468163.exe
C:\WINDOWS\SYSTEM32\z2810435756.exe
C:\Documents and Settings\Philippe Fader\E17p3o3.exe
C:\Documents and Settings\Philippe Fader\KWJGg18.exe
C:\Documents and Settings\Philippe Fader\IG4jA51.exe
C:\WINDOWS\SYSTEM32\dial23.exe
C:\WINDOWS\SYSTEM32\qfyqakn.dll
C:\WINDOWS\SYSTEM32\ptrch32.dll
C:\WINDOWS\SYSTEM32\xnfn.dll
C:\WINDOWS\SYSTEM32\z2784.exe
C:\WINDOWS\SYSTEM32\L660vI8.exe
c:\windows\system32\Eshop.xml
C:\jrcfquoh19154833.exe




In Killbox, go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File

Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click NO at the Pending Operations prompt. (Do not allow reboot)

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid."
when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS


Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
      [*]Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
  We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan
----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

Rustock Logs
c:\rapport.txt from SmitFraud
Kaspersky scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

 

[newtonet]

As after last suggestions.
------------------------------------------------------------------------

************************* Rustock.b-fix -- By ejvindh *************************
17/12/2006 12:07:05.84


No Rustock.b-rootkits found


******************************* End of Logfile ********************************
------------------------------------------------------------------------

SmitFraudFix v2.130

Scan done at 12:05:37.89, 17/12/2006
Run from C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Philippe Fader


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Philippe Fader\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PHILIP~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
-------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT
Sunday, December 17, 2006 2:38:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/12/2006
Kaspersky Anti-Virus database records: 251457


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 62687
Number of viruses found 6
Number of infected objects 13 / 0
Number of suspicious objects 0
Duration of the scan process 01:52:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01580000\45DD1E23.VBN Infected: Trojan-Downloader.Win32.CWS.ah skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140000.VBN Infected: Trojan-Proxy.Win32.Dlena.at skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140001.VBN Infected: Trojan-Downloader.Win32.CWS.ah skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140002\4D96E711.VBN Infected: Trojan-Downloader.Win32.Small.dam skipped

C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst1.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst10.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst11.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst12.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst13.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst14.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst15.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst2.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst3.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst4.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst5.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst6.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst7.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst8.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst9.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Philippe Fader\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Philippe Fader\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Philippe Fader\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\ntuser.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0069NAV~.TMP Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SYSTEM32\scenicid.exe Infected: Trojan.Win32.StartPage.ame skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe/VVSN_SCNC0704Inst.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe/VVSN_SCNC0704Inst.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe/VVSN_SCNC0704Inst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe InstallCreator: infected - 3 skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe UPX: infected - 3 skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:40:26 PM, on 17/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .BMP: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.com/plug-in/NCO/WSAS.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

[fredmh]

Very good. Just a couple of items to delete

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------


UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\WINDOWS\SYSTEM32\lzx32.sys

C:\WINDOWS\SYSTEM32\scenicid.exe
C:\WINDOWS\SYSTEM32\scenicwu.exe InstallCreator
C:\WINDOWS\SYSTEM32\scenicwu.exe UPX

----------------------------------------


SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


Congratulations. Your logs are now clean. Please complete the next "housekeeping" steps and read through the
information below

----------------------------------------

Windows XP - Reset Hidden Files

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

----------------------------------------

Clean-out and Reset System Restore

This will clean out any junk or malicious files left behind in System Restore

• To turn off System Restore click Start > Right Click My Computer > Properties.
• Click the System Restore tab and Check
• "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply.
• When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.
  
  
• Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties.
• Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
• Click Apply, and then OK.

This will create a new Restore Point.

----------------------------------------

RE-ENABLE ANTI-SPYWARE APPLICATIONS

If you were instructed to dis-able Anti-spyware applications during this fix, you may re-enable them

----------------------------------------

Please read through the following information to help protect your computer in the future.


KEEP YOUR OPERATING SYSTEM UPDATED

Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser
up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft
and download all the critical updates to help prevent possible re-infection.


ENABLE WINDOWS AUTO UPDATE

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".


TOOLS TO HELP KEEP YOUR SYSTEM CLEAN

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.

• Install & update SpywareBlaster with the latest definitions.
• After you have updated, click the button - enable protection for all unprotected items

SpywareGuard to catch and block spyware before it can execute.


SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its
TeaTimer option.
This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with
the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


AD-AWARE Download and install Ad-Aware. You should use this program to scan
your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product
can be found here


IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

• Download IE-SpyAD - Extract the contents to a new folder
• From within the folder, double-click install.bat
• Select Option #2 - Install the new IE-SPYAD list.
• Then return to the main menu.
• Select option #4 - Add the old porn sites domain

A tutorial for IE-SPYAD can be found here


MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file
with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to
those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

• Download Host.zip to your desktop.
• From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
  
• Click Next, click Next, select the option:
  "Show Extracted files"
• Click Finish

This will open the newly created hosts folder on your Desktop.

Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated
HOSTS file to the correct location on your machine.


MCAFEE SITE ADVISOR SITE ADVISOR is a free IE plug-in (also suport for Firefox browser)
which is used in conjunction with the Google search engine. It advises which web sites are considered safe and which sites could pose a problem.
It also shows what problems were encountered with each site, such as malicious downloads, spam, and related links.


ANTI-VIRUS AND FIREWALL PROGRAMS


ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial

Here are some very good free Antivirus products which are available:

• Avast!
  
• AVG
  

If you do not have a firewall, here are 4 free ones available for personal use:

Understanding and Using Firewalls

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

INFORMATIONAL READING


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

• PC SAFETY AND SECURITY
• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER
• INVASION OF THE COMPUTER SNATCHERS
• The Cookie Concept

Please respond one more time and let me know you received this post so it can be marked resolved



If you feel that we have helped you, please help us keep this site free for all. Please visit our DONATION PAGE.

 

[newtonet]

One last question: each time I login I get an alert from Windows Security Center that tells me I have no firewall. I am using Symantec antivirus, how can i stop this alert?
Thanks for all your help.

 

[fredmh]

Good Ol' Windows:

I'm not exactly sure how to get into Windows Security. Please post your
question in the Security and Firewalls forum. Someone in there should be able to help.

 

[newtonet]

I'll do that. Thanks for all your help, I've learned a lot and things are running much better.

Happy Holidays