Discussion Starter · #1 ·
I run McAfee, which today identified a trojan on my computer. I ran a scan and it showed six problems. After I cleaned/removed the problems I noticed that McAfee virus scan is no longer enabled and I can't seem to enable it. Please see if my HJT log shows anything out of the ordinary. Ad-Aware picked up nothing. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 5:44:23 PM, on 09/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
C:\Program Files\inKline Global\PC Booster\PCBooster.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\hibkc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Zing Software\Port Monster\pm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Modem Booster] C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDOWS] C:\hibkc.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .BMP: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.co...n/NCO/WSAS.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 

Discussion Starter · #3 ·
Sorry it's taken so long to reply, but I've just now gotten my PC stable enough to get back online. I've followed the steps to the letter and the logs are below.
ComboFix 06-12-01.2W-BetaE - Running from: "C:\Documents and Settings\my name\desktop"
Command switches used :: /v rpcc

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\w.exe
C:\WINDOWS\system32\w.exe.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Documents and Settings\Philippe Fader\Desktop\Internet Explorer.lnk
C:\WINDOWS\emdat.tm
C:\WINDOWS\emdat.tmp
C:\WINDOWS\system32\vbuzip10.dll
C:\WINDOWS\system32\vbzip11.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\dembat.tm
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\se.exe.exe
C:\WINDOWS\system32\ss.exe.exe
C:\WINDOWS\system32\google.png.exe
C:\WINDOWS\system32\kernels1118.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\Downloaded Program Files\rave


((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


2006-12-17 01:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-17 01:00 <DIR> d-------- C:\Program Files\Grisoft
2006-12-15 07:51 16,287,680 --a------ C:\20061214-017-x86.exe
2006-12-15 07:43 91,856 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-12-15 07:43 123,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-12-15 07:40 <DIR> d-------- C:\Program Files\Symantec
2006-12-15 07:39 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2006-12-15 07:39 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-15 07:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-12-15 07:34 <DIR> dr-h----- C:\Documents and Settings\Philippe Fader\Recent
2006-12-15 06:55 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2006-12-15 06:55 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2006-12-12 23:17 6,239 --a------ C:\WINDOWS\SYSTEM32\eN3dWev.exe
2006-12-12 23:16 6,239 --a------ C:\Documents and Settings\Philippe Fader\nqnCc5h.exe
2006-12-12 23:16 20,480 --a------ C:\WINDOWS\SYSTEM32\z3884.dll
2006-12-12 23:04 20,480 --a------ C:\WINDOWS\SYSTEM32\z3908.dll
2006-12-12 23:00 3,072 --a------ C:\WINDOWS\SYSTEM32\z2810468163.exe
2006-12-12 22:59 3,072 -r-hs---- C:\WINDOWS\SYSTEM32\z2810435756.exe
2006-12-12 22:55 6,239 --a------ C:\WINDOWS\SYSTEM32\INtUDd3.exe
2006-12-12 22:54 20,480 --a------ C:\WINDOWS\SYSTEM32\z3752.dll
2006-12-12 22:42 6,239 --a------ C:\Documents and Settings\Philippe Fader\E17p3o3.exe
2006-12-12 22:41 20,480 --a------ C:\WINDOWS\SYSTEM32\z3579.dll
2006-12-12 22:38 65,568 --a------ C:\WINDOWS\SYSTEM32\lzx32.sys
2006-12-12 22:37 6,239 --a------ C:\Documents and Settings\Philippe Fader\KWJGg18.exe
2006-12-12 22:36 20,480 --a------ C:\WINDOWS\SYSTEM32\z3924.dll
2006-12-12 22:34 6,239 --a------ C:\Documents and Settings\Philippe Fader\IG4jA51.exe
2006-12-12 22:34 20,480 --a------ C:\WINDOWS\SYSTEM32\z3224.dll
2006-12-12 22:22 20,480 --a------ C:\WINDOWS\SYSTEM32\z3644.dll
2006-12-12 22:19 45,056 --a------ C:\Documents and Settings\Philippe Fader\wpcem.exe
2006-12-12 22:19 20,480 --a------ C:\WINDOWS\SYSTEM32\z3248.dll
2006-12-12 22:13 13,824 --a------ C:\WINDOWS\SYSTEM32\dial23.exe
2006-12-12 22:10 89,088 --a------ C:\WINDOWS\SYSTEM32\qfyqakn.dll
2006-12-12 22:10 34,997 --a------ C:\WINDOWS\SYSTEM32\ptrch32.dll
2006-12-12 22:09 8,609 --a------ C:\WINDOWS\SYSTEM32\z2418.exe
2006-12-12 22:09 8,609 --a------ C:\WINDOWS\SYSTEM32\cmd32.exe
2006-12-12 22:09 6,239 --a------ C:\WINDOWS\SYSTEM32\z13.exe
2006-12-12 22:09 6,176 --a------ C:\WINDOWS\SYSTEM32\z12.exe
2006-12-12 22:09 393 --a------ C:\WINDOWS\SYSTEM32\z16.exe
2006-12-12 22:09 3,648 --a------ C:\WINDOWS\SYSTEM32\z2851.exe
2006-12-12 22:09 23,552 --a------ C:\WINDOWS\SYSTEM32\z11.exe
2006-12-12 22:09 200,704 --a------ C:\WINDOWS\SYSTEM32\z14.exe
2006-12-12 22:09 160,768 --a------ C:\WINDOWS\SYSTEM32\xnfn.dll
2006-12-12 22:09 10,333 --a------ C:\WINDOWS\SYSTEM32\z15.exe
2006-12-12 22:08 23,552 --a------ C:\WINDOWS\SYSTEM32\z2784.exe
2006-12-12 22:05 6,239 --a------ C:\WINDOWS\SYSTEM32\L660vI8.exe
2006-12-12 22:05 0 --a------ C:\WINDOWS\SYSTEM32\syspools.exe
2006-12-12 22:04 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll
2006-12-12 22:04 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll
2006-12-12 22:04 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll
2006-12-12 22:04 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll
2006-12-12 22:03 9,804 --a------ C:\WINDOWS\SYSTEM32\z118.exe
2006-12-12 22:03 6,239 --a------ C:\WINDOWS\SYSTEM32\z2103.exe
2006-12-12 22:03 20,480 --a------ C:\WINDOWS\SYSTEM32\z3987.dll
2006-12-12 22:03 13,312 --a------ C:\WINDOWS\SYSTEM32\z2529.exe
2006-12-12 22:03 <DIR> d-------- C:\WINDOWS\inet20000
2006-12-12 22:02 3,584 --a------ C:\WINDOWS\SYSTEM32\msasvc.exe
2006-12-12 22:02 3,072 -r-hs---- C:\jrcfquoh19154833.exe
2006-12-12 22:02 1,024 --a------ C:\kcxhfwlo.exe
2006-12-12 22:02 1,024 --a------ C:\chpsa.exe
2006-12-12 21:20 <DIR> d-------- C:\Documents and Settings\Philippe Fader\Application Data\U3
2006-12-11 16:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2006-12-09 14:21 39,144 --a------ C:\WINDOWS\SYSTEM32\ipv6mons.dll
2006-12-07 12:13 <DIR> d-------- C:\Documents and Settings\Philippe Fader\Application Data\ICQLite
2006-12-05 11:24 <DIR> d-------- C:\Program Files\Yahoo!
2006-12-03 16:45 2,934,920 --a------ C:\Program Files\ymsgr.exe
2006-12-01 19:19 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-18 23:09 <DIR> d-------- C:\Documents and Settings\Philippe Fader\Application Data\Creative
2006-11-18 20:10 41,984 --------- C:\WINDOWS\Ctregrun.exe
2006-11-18 20:09 487,424 --------- C:\WINDOWS\SYSTEM32\msvcp70.dll
2006-11-18 20:09 24,576 --------- C:\WINDOWS\SYSTEM32\msxml3a.dll
2006-11-18 20:09 <DIR> d-------- C:\Program Files\Audible
2006-11-18 20:05 44,032 --------- C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
2006-11-18 20:05 25,088 --------- C:\WINDOWS\SYSTEM32\CTSVCCTL.EXE
2006-11-18 20:01 38,402 --------- C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
2006-11-18 19:59 <DIR> d-------- C:\Program Files\Creative


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-17 00:56 -------- d-------- C:\Program Files\CleanUp!
2006-12-16 20:03 -------- d-------- C:\Program Files\Internet Explorer
2006-12-16 20:01 -------- d-------- C:\Program Files\Outlook Express
2006-12-16 20:01 -------- d-------- C:\Program Files\Common Files\System
2006-12-15 11:30 -------- d-------- C:\Program Files\ewido anti-malware
2006-12-15 11:29 -------- d-------- C:\Program Files\inKline Global
2006-12-15 11:28 -------- d-------- C:\Program Files\SpywareBlaster
2006-12-15 11:28 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-15 11:27 -------- d-------- C:\Program Files\SpywareGuard
2006-12-15 11:20 -------- d-------- C:\Program Files\Lavasoft
2006-12-15 11:20 -------- d-------- C:\Documents and Settings\Philippe Fader\Application Data\Lavasoft
2006-12-15 07:39 -------- d-------- C:\Program Files\Common Files
2006-12-12 22:57 -------- d---s---- C:\Documents and Settings\Philippe Fader\Application Data\Microsoft
2006-12-07 12:30 -------- d-------- C:\Program Files\ICQLite
2006-12-07 11:31 -------- d-------- C:\Program Files\CFPAS_SEPFC_2005
2006-12-06 22:29 2374472 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-19 18:18 -------- d-------- C:\Program Files\PokerStars
2006-11-18 23:20 -------- d-------- C:\Documents and Settings\Philippe Fader\Application Data\jPodder
2006-11-18 20:08 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-17 21:00 -------- d-------- C:\Program Files\ICQToolbar
2006-11-07 22:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-04 14:47 -------- d-------- C:\Program Files\Acoustica MP3 To Wave Converter PLUS
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-29 20:18 -------- d-------- C:\Program Files\Google
2006-10-26 15:09 -------- d-------- C:\Documents and Settings\Philippe Fader\Application Data\Google
2006-10-26 04:39 -------- d-------- C:\Program Files\Java
2006-10-19 06:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2006-10-13 05:35 142336 --a--c--- C:\WINDOWS\SYSTEM32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"system spool"="C:\\WINDOWS\\system32\\syspools.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"system spool"="C:\\WINDOWS\\system32\\syspools.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Microsoft WPCEmail"="C:\\WINDOWS\\inet20000\\svchost.exe "
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
"location"="Common Startup"
"item"="HotSync Manager"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkCommon Startup"
"command"="C:\\Palm\\HOTSYNC.EXE "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="\"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe\" /start"
"item"="Logitech Desktop Messenger"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="quickset"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSentry"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DSentry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMS"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnappau"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-ca\\msnappau.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TkBellExe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AACE2F029385A1CE.job

Completion time: 06-12-17 1:08:07.50

--------------------------------------------------------------------------

SDFix: Version 1.48
****************

17/12/2006 - 1:22:18.74

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

MsaSvc

File Path:

C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\CHPSA.EXE
C:\KCXHFWLO.EXE
C:\AAAAAAIF.T
C:\AAAAAAIS.T
C:\DGYRWIPQ.T
C:\FKPUUTPY.T
C:\FKPUUTUQ.T
C:\JSWBHALK.T
C:\JSWBQMBM.T
C:\MYVSNPUG.T
C:\MYVSNQLG.T
C:\MYVSNUBL.T
C:\PFUKKYUW.T
C:\QHDYJRWS.T
C:\TNCQWFGY.T
C:\YXRLBGXD.T
C:\DELL\AAAAAEOX.T
C:\DELL\AAAAAERK.T
C:\DELL\AAAAAYQK.T
C:\DELL\AAAAQNWE.T
C:\DELL\BCIOYSSE.T
C:\DELL\BCIOYWRD.T
C:\DELL\CEQDXLYA.T
C:\DELL\EIHGVWYF.T
C:\DELL\GMXJTIDD.T
C:\DELL\HOGXSABD.T
C:\DELL\IQOMRTLR.T
C:\DELL\IQOMRXME.T
C:\DELL\JSWBQMNX.T
C:\DELL\JSWBQQKF.T
C:\DELL\KUFPGSRG.T
C:\DELL\MYVSNUAS.T
C:\DELL\SLTCHDEF.T
C:\DELL\TNCQWFOQ.T
C:\DELL\UPKFFJPJ.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\BCIOYWID.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\DGYRWIQD.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\EIHGVBOE.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\HOGXSBQS.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\LWNEOCXG.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\ODMVLGFQ.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\TNCQGVPF.T
C:\DOCUME~1\DONNAF~1\MYDOCU~1\XVJWCSBG.T
C:\WINDOWS\SYSTEM32\Z12.EXE
C:\WINDOWS\SYSTEM32\Z16.EXE
C:\WINDOWS\SYSTEM32\Z15.EXE
C:\WINDOWS\SYSTEM32\Z11.EXE
C:\WINDOWS\SYSTEM32\Z2784.EXE
C:\WINDOWS\SYSTEM32\EN3DWEV.EXE
C:\WINDOWS\SYSTEM32\INTUDD3.EXE
C:\WINDOWS\SYSTEM32\L660VI8.EXE
C:\WINDOWS\SYSTEM32\Z13.EXE
C:\WINDOWS\SYSTEM32\Z2103.EXE
C:\WINDOWS\SYSTEM32\Z118.EXE
C:\WINDOWS\SYSTEM32\Z2851.EXE
C:\WINDOWS\SYSTEM32\Z2529.EXE
C:\WINDOWS\SYSTEM32\CMD32.EXE
C:\WINDOWS\SYSTEM32\Z2418.EXE
C:\WINDOWS\SYSTEM32\Z3224.DLL
C:\WINDOWS\SYSTEM32\Z3248.DLL
C:\WINDOWS\SYSTEM32\Z3579.DLL
C:\WINDOWS\SYSTEM32\Z3644.DLL
C:\WINDOWS\SYSTEM32\Z3752.DLL
C:\WINDOWS\SYSTEM32\Z3884.DLL
C:\WINDOWS\SYSTEM32\Z3908.DLL
C:\WINDOWS\SYSTEM32\Z3924.DLL
C:\WINDOWS\SYSTEM32\Z3987.DLL
C:\WINDOWS\inet20000\121361618.dll
C:\WINDOWS\inet20000\12136440.dll
C:\WINDOWS\inet20000\killer.exe
C:\WINDOWS\inet20000\killer.exe.bak
C:\WINDOWS\inet20000\mm.pid
C:\WINDOWS\inet20000\mmx138.exe
C:\WINDOWS\inet20000\mmx83.exe
C:\WINDOWS\inet20000\mmx830.exe
C:\WINDOWS\inet20000\mmx90.exe
C:\WINDOWS\inet20000\mmx953.exe
C:\WINDOWS\inet20000\mmx970.exe
C:\WINDOWS\inet20000\services.exe
C:\WINDOWS\inet20000\svchost.exe
C:\WINDOWS\inet20000\svchost.exe.bak
C:\WINDOWS\inet20000\wpcem.exe
C:\WINDOWS\inet20000\www.google.com\favicon.ico
C:\WINDOWS\inet20000\www.google.com\index.html
C:\WINDOWS\inet20000\www.google.com\thank.html
C:\WINDOWS\inet20000\www.google.com\Google_files\hp0.gif
C:\WINDOWS\inet20000\www.google.com\Google_files\hp1.gif
C:\WINDOWS\inet20000\www.google.com\Google_files\hp2.gif
C:\WINDOWS\inet20000\www.google.com\Google_files\hp3.gif
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\drivers\etc\hosts.tim
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\syspools.exe

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
:lzx32.sys 65568
:svchost.exe 13526
Total size: 79094 bytes.

Removing ADS

system32: deleted 79094 bytes in 2 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------


Authorized Applications Key Export:

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\jrcfquoh19154833.exe
C:\I386\cdplayer.exe.manifest
C:\I386\logonui.exe.manifest
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071772.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074769.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP552\A0076821.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076922.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076970.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077219.exe
C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
C:\WINDOWS\SYSTEM32\logonui.exe.manifest
C:\WINDOWS\SYSTEM32\z2810435756.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Donna Fader\Local Settings\Temp\$b17a2e8.tmp

FINISHED!
--------------------------------------------------------------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:35:28 AM 17/12/2006

+ Scan result:



C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077136.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077137.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077138.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077140.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077144.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dial23.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Philippe Fader\Local Settings\Application Data\qfyqakn.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/z2784.exe -> Dropper.Small.atd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079657.exe -> Dropper.Small.atd : Cleaned with backup (quarantined).
C:\Documents and Settings\Philippe Fader\wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/svchost.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/svchost.exe.bak -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071758.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071759.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072758.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072759.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074759.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074760.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0075751.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0075758.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP552\A0076836.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076937.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076958.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077203.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP554\A0077209.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP556\A0077276.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0078422.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079446.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079454.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079461.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0079471.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079567.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079574.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079688.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079689.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0070752.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071760.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072760.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074757.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0075759.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP557\A0077383.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/z11.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079656.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0068774.dll -> Proxy.Dlena.as : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\xnfn.dll -> Trojan.Agent.pk : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/chpsa.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/kcxhfwlo.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0070769.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0071762.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0072767.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP551\A0074771.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP552\A0076825.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076926.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP553\A0076956.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079651.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP558\A0079652.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).


::Report end

--------------------------------------------------------------------------

Incident Status Location

Adware:adware/eshopper Not disinfected c:\windows\system32\Eshop.xml
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Philippe Fader\Application Data\Registry Cleaner
Spyware:spyware/safesurf Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Philippe Fader\Desktop\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Philippe Fader\Desktop\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:16:19 AM, on 17/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zing Software\Port Monster\pm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .BMP: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.com/plug-in/NCO/WSAS.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--------------------------------------------------------------------------

Machine is more stable now. Symantec is blocking trojans as designed.

Discussion Starter · #5 ·
As after last suggestions.
------------------------------------------------------------------------

************************* Rustock.b-fix -- By ejvindh *************************
17/12/2006 12:07:05.84


No Rustock.b-rootkits found


******************************* End of Logfile ********************************
------------------------------------------------------------------------

SmitFraudFix v2.130

Scan done at 12:05:37.89, 17/12/2006
Run from C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Philippe Fader


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Philippe Fader\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PHILIP~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
-------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT
Sunday, December 17, 2006 2:38:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/12/2006
Kaspersky Anti-Virus database records: 251457


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 62687
Number of viruses found 6
Number of infected objects 13 / 0
Number of suspicious objects 0
Duration of the scan process 01:52:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01580000\45DD1E23.VBN Infected: Trojan-Downloader.Win32.CWS.ah skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140000.VBN Infected: Trojan-Proxy.Win32.Dlena.at skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140001.VBN Infected: Trojan-Downloader.Win32.CWS.ah skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140002\4D96E711.VBN Infected: Trojan-Downloader.Win32.Small.dam skipped

C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst1.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst10.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst11.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst12.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst13.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst14.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst15.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst2.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst3.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst4.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst5.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst6.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst7.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst8.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00092DAA\Plylst9.wpl Object is locked skipped

C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Philippe Fader\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Philippe Fader\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Philippe Fader\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Philippe Fader\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\ntuser.dat Object is locked skipped

C:\Documents and Settings\Philippe Fader\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0069NAV~.TMP Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SYSTEM32\scenicid.exe Infected: Trojan.Win32.StartPage.ame skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe/VVSN_SCNC0704Inst.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe/VVSN_SCNC0704Inst.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe/VVSN_SCNC0704Inst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe InstallCreator: infected - 3 skipped

C:\WINDOWS\SYSTEM32\scenicwu.exe UPX: infected - 3 skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:40:26 PM, on 17/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .BMP: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.com/plug-in/NCO/WSAS.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Discussion Starter · #7 ·
One last question: each time I log in I get an alert from Windows Security Center that tells me I have no firewall. I am using Symantec antivirus; how can I stop this alert?
Thanks for all your help.