possible boot sector trojan disables auto-protect [RESOLVED]
mlinva
post Jul 17 2007, 02:08 AM
Post #1


Member
Posts: 32
From: Virginia
OS: xp



Thank you for maintaining this forum.
Recently this computer was infected with trojan viruses. I reformatted and reinstalled Win XP. As the user installed his files from disk he became reinfected. I was able to remove many trojans using Ad-Aware and Symantec AntiVirus; Panda didn't detect anything. The auto-protect feature in Symantec keeps being disabled by a process that I can't see. I will bring up the Task Manager and watch the running processes with the list ordered by CPU usage; when I enable the auto-protect I watch and see if I can catch a process jump up in the usage. Every time I clean the system and then reboot, it returns or gets worse. This logfile is from after the trojans were deleted, but the process that is turning off the auto-protect is still running somewhere.

Thanks, Mary Lou

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:52 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F29D15-982C-456D-9D29-933BE29FF8C9}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3DDEAF2-D38C-47E0-AF48-44F4B1763032}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3963 bytes
MoNsTeReNeRgY22
post Jul 17 2007, 02:24 AM
Post #2


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello and Welcome to Geeks to Go.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.

MoNsTeReNeRgY22
post Jul 17 2007, 10:47 AM
Post #3


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello mlinva,

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)


I also see a lot of O17 entries in your HJT log. Please let me know if you recognise the domain as belonging to your ISP or company, or if the DNS servers belong to your ISP or company. So in your next reply please post the DSS log and whether or not you know anything about the O17's.
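One way to act on the O17 check the helper asks for above, added here as an example and not part of the original thread, of HijackThis or of DSS: a small Python audit that parses the O17 lines of an HJT log, groups the NameServer values by control set and interface, and flags any resolver that is not in the list you trust (the servers your ISP or company actually hands out). The infected sample lines are copied from the log posted in this thread; the trusted list, the all-zero interface GUID and the "clean desktop" sample line are assumptions made for the example.

```python
"""Audit HijackThis O17 (NameServer) lines against a list of DNS resolvers you trust."""
import re
from collections import defaultdict

# Matches both O17 shapes seen in the posted log:
#   HKLM\System\CCS\Services\Tcpip\..\{interface GUID}: NameServer = a,b
#   HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = a b
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\)?(?P<scope>\{[0-9A-Fa-f-]+\}|Parameters): NameServer = (?P<servers>.+?)\s*$"
)

# Constructed samples. INFECTED_LOG reproduces O17 lines from the log posted in this thread
# (plus one O4 line to show that other sections are ignored); CLEAN_LOG is a made-up desktop
# log using the two resolvers mentioned later in the thread, with a placeholder interface GUID.
INFECTED_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F29D15-982C-456D-9D29-933BE29FF8C9}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
"""
CLEAN_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 4.2.2.0,24.51.159.130
"""
# Assumption: these are the resolvers the ISP really assigns; replace with your own.
TRUSTED = {"4.2.2.0", "24.51.159.130"}


def parse_o17(log_text):
    """Return one dict per O17 line: control set, scope (interface GUID or global
    Parameters key) and the list of name servers, split on comma or whitespace."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # O4, O23 and every other HJT section is ignored here
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({"control_set": m.group("cs"),
                        "scope": m.group("scope"),
                        "servers": servers})
    return entries


def audit_nameservers(log_text, trusted):
    """Flag NameServer values not in `trusted` and report where they are set.

    `in_every_control_set` lists rogue servers present in each control set the log
    mentions: when CCS, CS1 and CS2 all carry them, Last Known Good Configuration
    has nothing older to fall back to."""
    entries = parse_o17(log_text)
    all_control_sets = {e["control_set"] for e in entries}
    untrusted = set()
    where = defaultdict(set)   # server -> control sets it appears in
    flagged = []
    for e in entries:
        bad = [s for s in e["servers"] if s not in trusted]
        if not bad:
            continue
        flagged.append(e)
        untrusted.update(bad)
        for s in bad:
            where[s].add(e["control_set"])
    return {
        "entries": len(entries),
        "untrusted": sorted(untrusted),
        "flagged": flagged,
        "control_sets": {s: sorted(cs) for s, cs in where.items()},
        "in_every_control_set": sorted(s for s, cs in where.items() if cs == all_control_sets),
    }


def report(log_text, trusted):
    """Human-readable summary of audit_nameservers()."""
    r = audit_nameservers(log_text, trusted)
    if not r["untrusted"]:
        return "%d O17 entries, all resolvers trusted" % r["entries"]
    lines = ["%d O17 entries, %d flagged" % (r["entries"], len(r["flagged"]))]
    for s in r["untrusted"]:
        lines.append("  untrusted resolver %s in %s" % (s, ", ".join(r["control_sets"][s])))
    if r["in_every_control_set"]:
        lines.append("  present in every control set: " + ", ".join(r["in_every_control_set"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INFECTED_LOG, TRUSTED))
    print(report(CLEAN_LOG, TRUSTED))
```

The trusted list is the only judgement call: it has to come from the ISP or the network administrator, not from the log itself, which is exactly why the helper asks the poster whether she recognises the servers. Running the audit on the posted log flags both 85.255.x addresses on every interface and in all three control sets, while the constructed desktop log with the ISP's own resolvers comes back clean.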
mlinva
post Jul 17 2007, 11:41 AM
Post #4


Member
Posts: 32
From: Virginia
OS: xp






Hi, thank you very much for your help. I am running HJT on my desktop to see if the 17s appear there or are unique to this machine. When I started cleaning this machine the Task Manager was disabled. I got that working by resetting the flag in the registry. It stayed working, but then the attack on Symantec started. Unless the 17s have to do with my wireless router, they are unique to this machine. Only one 17 appeared on my desktop and it is associated with 4.2.2.0,24.51.159.130. When I boot this machine, svchost requests access to the internet from ZoneAlarm about 3 times.

Mary Lou



Deckard's System Scanner v20070711.54
Run by Administrator on 2007-07-17 at 13:22:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-07-17 17:22:03 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:48 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F29D15-982C-456D-9D29-933BE29FF8C9}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3DDEAF2-D38C-47E0-AF48-44F4B1763032}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4031 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>


-- Files created between 2007-06-17 and 2007-07-17 -----------------------------

2007-07-17 04:03:41 0 d-------- C:\Program Files\Trend Micro
2007-07-16 22:18:41 0 d-------- C:\WINDOWS\system32\Panda Software
2007-07-16 19:23:29 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-14 16:12:48 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2007-07-14 03:37:38 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Google
2007-07-14 03:37:36 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY\Favorites
2007-07-14 03:30:02 0 --a------ C:\WINDOWS\system32\dllh8jkd1q8.exe
2007-07-14 03:24:39 0 d-------- C:\WINDOWS\pss
2007-07-13 18:52:36 0 d-------- C:\Program Files\Symantec
2007-07-13 18:52:07 0 d-------- C:\Program Files\Symantec AntiVirus
2007-07-13 18:52:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-13 18:52:07 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2007-07-07 05:08:40 0 --a------ C:\WINDOWS\system32\kernel32.exe
2007-07-03 09:45:03 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-03 09:44:44 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-07-03 09:44:17 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-03 09:43:44 0 d-------- C:\WINDOWS\Internet Logs
2007-07-03 09:38:18 0 d-------- C:\Program Files\Lavasoft
2007-07-03 09:38:17 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-07-03 09:37:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 09:23:08 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-07-03 03:35:03 0 d-------- C:\WINDOWS\system32\LogFiles
2007-07-03 00:43:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-07-03 00:42:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-07-03 00:41:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2007-07-03 00:41:50 0 d-------- C:\Program Files\Google
2007-07-03 00:04:51 0 d-------- C:\Program Files\Synaptics
2007-07-03 00:01:43 28672 --a------ C:\WINDOWS\system32\msiosd32.dll
2007-07-03 00:01:43 65536 --a------ C:\WINDOWS\system32\Msikbd.dll <Not Verified; Netropa Corp.; MSIKBD Dynamic Link Library>
2007-07-03 00:01:43 163840 --a------ C:\WINDOWS\DellMMKb.exe <Not Verified; Netropa Corp.; Netropa Hot Key>
2007-07-03 00:01:43 0 d-------- C:\Program Files\Netropa
2007-07-03 00:00:28 53248 --a------ C:\WINDOWS\system32\DellSys.dll <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation Lite>
2007-07-03 00:00:17 17153 --a------ C:\WINDOWS\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
2007-07-03 00:00:17 0 d-------- C:\Program Files\Dell
2007-07-02 22:48:57 0 d-------- C:\winxp-8180(166)
2007-07-02 22:46:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2007-07-02 22:44:43 0 d-------- C:\Program Files\ATI Technologies
2007-07-02 22:44:28 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-07-02 22:12:36 0 d-------- C:\WINDOWS\setup.pss
2007-07-02 22:11:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-07-02 22:10:39 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-07-02 22:10:39 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-07-02 22:10:39 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-07-02 22:10:39 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-07-02 22:10:39 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-07-02 22:10:39 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-07-02 22:10:39 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-07-02 22:10:39 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-07-02 22:10:38 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-07-02 22:10:38 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-07-02 22:10:38 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-07-02 22:10:38 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-07-02 22:10:38 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-07-02 22:10:22 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-07-02 22:10:16 0 d--h----- C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings
2007-07-02 22:10:16 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies
2007-07-02 22:10:16 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data
2007-07-02 22:10:16 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft
2007-07-02 22:10:15 262144 --ah----- C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT
2007-07-02 22:03:17 262144 --ah----- C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
2007-07-02 22:03:17 0 d--h----- C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings
2007-07-02 22:03:17 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies
2007-07-02 22:03:17 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data
2007-07-02 22:03:17 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Microsoft
2007-07-02 21:54:12 225280 ---h----- C:\Documents and Settings\Default User.WINDOWS\NTUSER.DAT
2007-07-02 21:54:12 0 d-------- C:\DELL
2007-07-02 21:50:50 0 d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2007-07-02 21:46:16 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-07-02 17:32:00 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\Templates
2007-07-02 17:32:00 0 dr------- C:\Documents and Settings\Default User.WINDOWS\Start Menu
2007-07-02 17:32:00 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\SendTo
2007-07-02 17:32:00 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\Recent
2007-07-02 17:32:00 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\PrintHood
2007-07-02 17:32:00 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\NetHood
2007-07-02 17:32:00 0 d-------- C:\Documents and Settings\Default User.WINDOWS\My Documents
2007-07-02 17:32:00 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\Local Settings
2007-07-02 17:32:00 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Favorites
2007-07-02 17:32:00 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Desktop
2007-07-02 17:32:00 0 d---s---- C:\Documents and Settings\Default User.WINDOWS\Cookies
2007-07-02 17:32:00 0 d--h----- C:\Documents and Settings\All Users.WINDOWS\Templates
2007-07-02 17:32:00 0 dr------- C:\Documents and Settings\All Users.WINDOWS\Start Menu
2007-07-02 17:32:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Favorites
2007-07-02 17:32:00 0 dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2007-07-02 17:32:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Desktop
2007-07-02 17:31:24 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\Application Data
2007-07-02 17:31:24 0 d---s---- C:\Documents and Settings\Default User.WINDOWS\Application Data\Microsoft
2007-07-02 17:31:23 0 dr-h----- C:\Documents and Settings\All Users.WINDOWS\Application Data
2007-07-02 17:31:23 0 d---s---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2007-07-02 17:18:03 0 d-------- C:\WINDOWS\Provisioning
2007-07-02 17:18:03 0 d-------- C:\WINDOWS\PeerNet
2007-07-02 17:18:03 0 d-------- C:\WINDOWS\ehome
2007-07-02 17:18:03 0 d-------- C:\WINDOWS\dell
2007-06-26 21:56:25 0 d-------- C:\Temp
2007-06-26 21:00:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Prism Deploy
2007-06-26 21:00:07 0 d-------- C:\Program Files\Microsoft Works
2007-06-26 20:53:13 0 d-------- C:\WINDOWS\Downloaded Installations
2007-06-26 20:49:10 0 d-------- C:\Program Files\MUSICMATCH
2007-06-26 20:46:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-06-26 20:43:57 0 d-------- C:\WINDOWS\Cache
2007-06-26 20:42:13 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-06-26 20:41:10 0 d-------- C:\Program Files\Common Files\New Boundary
2007-06-26 20:37:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-26 20:36:50 0 d--hs---- C:\WINDOWS\Installer
2007-06-26 20:36:43 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-26 20:36:23 0 d-------- C:\Program Files\SIFXINST
2007-06-26 20:36:23 0 d-------- C:\Program Files\Phoenix Technologies Ltd
2007-06-26 20:36:22 0 d-------- C:\Program Files\Common Files\Lanovation
2007-06-26 20:35:50 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-06-26 20:35:00 0 d-------- C:\CABS
2007-06-26 20:34:43 0 d-------- C:\Program Files\Gateway
2007-06-26 20:33:37 0 d-------- C:\WUTemp
2007-06-26 20:33:10 0 d--h----- C:\Documents and Settings\Owner\NetHood
2007-06-26 20:33:10 0 dr------- C:\Documents and Settings\Owner\My Documents
2007-06-26 20:33:10 0 d--h----- C:\Documents and Settings\Owner\Local Settings
2007-06-26 20:33:10 0 dr------- C:\Documents and Settings\Owner\Favorites
2007-06-26 20:33:10 0 d-------- C:\Documents and Settings\Owner\Desktop
2007-06-26 20:33:10 0 d---s---- C:\Documents and Settings\Owner\Cookies
2007-06-26 20:33:10 0 dr-h----- C:\Documents and Settings\Owner\Application Data
2007-06-26 20:33:10 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2007-06-26 20:33:09 0 d--h----- C:\Documents and Settings\Owner\Templates
2007-06-26 20:33:09 0 dr------- C:\Documents and Settings\Owner\Start Menu
2007-06-26 20:33:09 0 dr-h----- C:\Documents and Settings\Owner\SendTo
2007-06-26 20:33:09 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-06-26 20:33:09 0 d--h----- C:\Documents and Settings\Owner\PrintHood
2007-06-26 20:33:09 786432 --ah----- C:\Documents and Settings\Owner\NTUSER.DAT
2007-06-26 20:32:44 0 d--hs---- C:\System Volume Information
2007-06-26 20:32:42 0 d-------- C:\WINDOWS\Prefetch
2007-06-26 20:32:40 233472 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-06-26 20:32:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-06-26 20:32:40 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-06-26 20:32:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-06-26 20:32:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-06-26 20:32:39 233472 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-06-26 20:32:39 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-06-26 20:32:39 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-06-26 20:32:39 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-06-26 20:32:39 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-06-26 20:26:52 0 d-------- C:\WINDOWS\system32\xircom
2007-06-26 20:26:52 0 d-------- C:\Program Files\microsoft frontpage
2007-06-26 20:26:18 233472 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-06-26 20:24:49 0 d-------- C:\WINDOWS\RegisteredPackages
2007-06-26 20:22:57 0 -rahs---- C:\MSDOS.SYS
2007-06-26 20:22:57 0 -rahs---- C:\IO.SYS
2007-06-26 20:22:57 0 --a------ C:\CONFIG.SYS
2007-06-26 20:22:57 0 --a------ C:\AUTOEXEC.BAT
2007-06-26 20:20:54 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-06-26 20:20:33 0 dr------- C:\WINDOWS\Offline Web Pages
2007-06-26 20:20:33 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-06-26 20:19:37 0 d-------- C:\WINDOWS\system32\DirectX
2007-06-26 20:18:55 0 d---s---- C:\WINDOWS\Tasks
2007-06-26 20:18:53 0 d-------- C:\Program Files\Common Files\MSSoap
2007-06-26 20:18:47 0 d-------- C:\WINDOWS\system32\Macromed
2007-06-26 20:18:47 0 d-------- C:\WINDOWS\srchasst
2007-06-26 20:18:45 0 d-------- C:\Program Files\Movie Maker
2007-06-26 20:18:40 0 d-------- C:\WINDOWS\system32\Restore
2007-06-26 20:18:40 0 d-------- C:\WINDOWS\PCHealth
2007-06-26 20:17:52 0 d-------- C:\WINDOWS\Registration
2007-06-26 20:16:49 0 d--h----- C:\Program Files\WindowsUpdate
2007-06-26 20:16:48 0 d-------- C:\Program Files\Online Services
2007-06-26 20:16:38 0 d-------- C:\Program Files\Messenger
2007-06-26 20:16:33 0 d-------- C:\Program Files\MSN Gaming Zone
2007-06-26 20:15:43 0 d-------- C:\Program Files\Windows NT
2007-06-26 20:15:39 0 d-------- C:\WINDOWS\system32\MsDtc
2007-06-26 20:15:39 0 d-------- C:\WINDOWS\system32\Com
2007-06-26 15:08:33 0 d-------- C:\Program Files\Common Files\ODBC
2007-06-26 15:08:28 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-26 15:08:27 0 dr------- C:\Program Files
2007-06-26 15:07:57 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-06-26 15:07:57 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-06-26 15:07:57 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-06-26 15:07:57 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-06-26 15:07:57 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-06-26 15:07:57 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-06-26 15:07:57 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-06-26 15:07:57 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-06-26 15:07:57 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-06-26 15:07:57 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-06-26 15:07:57 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-06-26 15:07:57 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-06-26 15:07:57 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-06-26 15:07:57 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-06-26 15:07:57 0 dr------- C:\Documents and Settings\All Users\Documents
2007-06-26 15:07:57 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-06-26 15:07:38 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-06-26 15:07:38 0 d-------- C:\WINDOWS\system32\CatRoot
2007-06-26 15:07:33 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-06-26 15:07:33 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-06-26 15:07:32 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-06-26 15:07:32 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-06-26 15:07:06 0 d-------- C:\Documents and Settings
2007-06-26 15:02:39 0 d-------- C:\WINDOWS\OemDir
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\WinSxS
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\twain_32
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\usmt
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\oobe
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\npp
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\mui
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\inetsrv
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\IME
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\icsxml
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\ias
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\export
2007-06-26 15:02:35 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\3076
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\2052
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1054
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1042
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1041
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1037
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1033
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1031
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1028
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\system32\1025
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\security
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\Resources
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\mui
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\msapps
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\ime
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\Driver Cache
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\Debug
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\Connection Wizard
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\AppPatch
2007-06-26 15:02:35 0 d-------- C:\WINDOWS\addins
2007-06-26 15:02:34 0 d-------- C:\WINDOWS
2007-06-26 15:02:34 0 dr------- C:\WINDOWS\Web
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\wins
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\wbem
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\spool
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\ShellExt
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\Setup
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\ras
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\drivers
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\dhcp
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system32\config
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\system
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\repair
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\msagent
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\Media
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\java
2007-06-26 15:02:34 0 d--h----- C:\WINDOWS\inf
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\Help
2007-06-26 15:02:34 0 dr--s---- C:\WINDOWS\Fonts
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\Cursors
2007-06-26 15:02:34 0 d-------- C:\WINDOWS\Config


-- Find3M Report ---------------------------------------------------------------

2007-07-02 17:32:00 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kernelwind32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\kernelwind32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\



-- End of Deckard's System Scanner: finished at 2007-07-17 at 13:25:13 ---------

Deckard's System Scanner v20070711.54
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 383.4 MiB / 152.12 MiB
Pagefile Memory (total/avail): 922.08 MiB / 715.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1965.32 MiB

C: is Fixed (NTFS) - 18.62 GiB total, 15.16 GiB free.
D: is CDROM (CDFS)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.337.000 (Check Point, LTD.)
AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation) Disabled

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GOTHEM-
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\GOTHEM-
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=GOTHEM-
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{46AC899A-9ECB-43DC-85DE-272E0D116A1E}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver Utilities --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Panda NanoScan --> C:\WINDOWS\system32\Panda Software\NanoScan\nanounst.exe
Panda TotalScan --> C:\WINDOWS\system32\Panda Software\ActiveScan2\ascuninst.exe
Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-07-17 at 13:25:13 ---------



MoNsTeReNeRgY22
post Jul 17 2007, 09:33 PM
Post #5


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hey mlinva,

1) Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\pss
    C:\WINDOWS\system32\dllh8jkd1q8.exe
    C:\WINDOWS\\system32\kernelwind32.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum along with a fresh HJT Log. Reboot into Normal Mode.

Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

2) Backing Up Your Registry
Go to Start > Run
Type:
    regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
      Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Registry Modifications

Open Notepad, and copy the contents of the following box to a new file.

CODE
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]


Save it as fix.reg
Save as type: "All files"
Save it to your desktop.
It should look like this:
Go to your desktop and double-click "fix.reg" and merge the information with the registry.
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
(In case you are unsure how to create a reg file, take a look here with screenshots.)


3) Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

These instructions are basically for home users.

4) In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type:
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(That space between g and / is needed.)
mlinva
post Jul 18 2007, 12:53 AM
Post #6


Member
**
Posts: 32
From: Virginia
OS: xp



Hi,
I had already removed the kernelwind.exe so it wasn't found. Thank you again for your help. I am not sure what settings you wanted me to write down. Here is the OTM log and the new HijackThis log.

C:\WINDOWS\pss moved successfully.
C:\WINDOWS\system32\dllh8jkd1q8.exe moved successfully.
File/Folder C:\WINDOWS\\system32\kernelwind32.exe not found.

Created on 07/18/2007 02:21:49

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:09 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F29D15-982C-456D-9D29-933BE29FF8C9}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3DDEAF2-D38C-47E0-AF48-44F4B1763032}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\..\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3997 bytes
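The O17 entries in the log above show every TCP/IP interface key and the global Parameters key, in the current and both saved control sets, pointing at the same two external resolvers; that is what FixWareout clears in step 3 and what "Obtain DNS servers automatically" in step 4 prevents from coming back. As an added example, not part of this thread or of any of the tools it uses, here is a small Python checker that parses O17 lines and flags any resolver outside the private ranges a home LAN would normally use; the trusted ranges, the benign extra interface GUID, and the sample excerpt are assumptions constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# A HijackThis "O17" line records the NameServer value of one TCP/IP
# interface (GUID) or of the global Parameters key, in one control set
# (CCS = CurrentControlSet, CS1/CS2 = the saved ControlSet00N copies).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|(?P<params>Parameters))"
    r": NameServer = (?P<servers>.+)$"
)

# Assumption for this example: a home LAN normally resolves through its
# router, so anything outside RFC 1918 space is treated as suspicious.
TRUSTED_RESOLVERS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass
class O17Entry:
    control_set: str    # "CCS", "CS1", "CS2", ...
    scope: str          # interface GUID, or "Parameters" for the global key
    servers: list[str]  # resolver addresses exactly as written in the log


def parse_o17(line: str) -> O17Entry | None:
    """Parse one HijackThis line; return None for anything that is not O17."""
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    # HJT prints the registry value verbatim: interface keys separate
    # resolvers with a comma, the global key with a space, so split on both.
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return O17Entry(m.group("cs"), m.group("iface") or m.group("params"), servers)


def untrusted(server: str, trusted=TRUSTED_RESOLVERS) -> bool:
    """True when a resolver lies outside every trusted range (or is not an IP)."""
    try:
        addr = ip_address(server)
    except ValueError:
        return True  # a non-address in NameServer is itself worth reporting
    return not any(addr in net for net in trusted)


def audit_o17(log_text: str, trusted=TRUSTED_RESOLVERS) -> list[tuple[O17Entry, list[str]]]:
    """Every O17 entry naming at least one untrusted resolver, with those resolvers."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o17(line)
        if entry is None:
            continue
        bad = [s for s in entry.servers if untrusted(s, trusted)]
        if bad:
            findings.append((entry, bad))
    return findings


def hijacked_resolvers(log_text: str, trusted=TRUSTED_RESOLVERS) -> set[str]:
    """Distinct untrusted resolver addresses across the whole log."""
    return {s for _, bad in audit_o17(log_text, trusted) for s in bad}


# Constructed excerpt: O17 lines as they appear in the log above, one extra
# benign interface pointing at a router (assumed GUID), and an O4 line that
# the parser must ignore.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\VPTray.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{41F29D15-982C-456D-9D29-933BE29FF8C9}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\..\\{2579E223-A1AF-45A3-95F4-C8E514174746}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for entry, bad in audit_o17(SAMPLE_LOG):
        print(f"{entry.control_set:<4} {entry.scope:<40} untrusted resolver(s): {', '.join(bad)}")
    # The hijack is only gone when CCS, CS1 and CS2 are all clean, which is
    # why the fix has to clear both the interface keys and the Parameters key.
    print("distinct hijacked resolvers:", sorted(hijacked_resolvers(SAMPLE_LOG)))
```

Re-running the checker over the HijackThis log posted after FixWareout should return no findings at all, since the O17 lines disappear once the values are cleared.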
MoNsTeReNeRgY22
post Jul 18 2007, 01:11 AM
Post #7


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Don't worry about the settings.

Could you also please post the report.txt from FixWareout.
mlinva
post Jul 18 2007, 01:13 AM
Post #8


Member
**
Posts: 32
From: Virginia
OS: xp





The new logs after step 3


Username "Administrator" - 2007-07-18 3:04:09 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.46 85.255.112.154" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2579E223-A1AF-45A3-95F4-C8E514174746}
"nameserver"="85.255.115.46,85.255.112.154" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{41F29D15-982C-456D-9D29-933BE29FF8C9}
"nameserver"="85.255.115.46,85.255.112.154" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F3DDEAF2-D38C-47E0-AF48-44F4B1763032}
"nameserver"="85.255.115.46,85.255.112.154" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2579E223-A1AF-45A3-95F4-C8E514174746}
"DhcpNameServer"="85.255.115.46,85.255.112.154" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:20 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3123 bytes
MoNsTeReNeRgY22
post Jul 18 2007, 01:17 AM
Post #9


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hi,

Did you also complete step 4?
mlinva
post Jul 18 2007, 01:24 AM
Post #10


Member
**
Posts: 32
From: Virginia
OS: xp



Hi, I made it back. I am on a wireless network, so I used the repair wireless connection and Windows flushed the DNS for me. It did stop working and I had to shut down my firewall to get Windows to repair the connection. Does this satisfy step 4?

Mary Lou
MoNsTeReNeRgY22
post Jul 18 2007, 11:25 AM
Post #11


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello again,

Yes it does account for step 4.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, a fresh HJT log, and let me know how everything is running along with any more problems
mlinva
post Jul 18 2007, 06:01 PM
Post #12


Member
**
Posts: 32
From: Virginia
OS: xp



HI,

I ran the Panda scan and have the results. The things that have happened to the computer are that Ad-Aware cannot update current definitions and Symantec auto-protect will still not work. It is disabled; when I enable it, it is immediately disabled. Thanks for your ongoing help.

Mary Lou

Incident Status Location

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@anm.co[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@counter10.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cs.sexcounter[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@sextracker[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:28 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3247 bytes


MoNsTeReNeRgY22
post Jul 18 2007, 10:38 PM
Post #13


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello again,

Please double-click OTMoveIt.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click NO to the reboot, and just delete the OTmove it program from your desktop
--------------------------------------------------------------------------------------------------------------


Nice job, your log is clean!
How is it running?
Please use the following suggestion to help prevent reinfection.

First let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

Go to Start Menu then to Help and Support Click Undo changes to your computer with System Restore

When System Restore opens click Create A Restore Point then Next , Name it and press Create

Then go to Start Menu and to Run and type Cleanmgr

When Disk Cleanup opens, go to the More Options tab, then press Clean Up in the System Restore area, which removes all the restore points except the latest one which was just created.

I highly recommend downloading the following programs, to keep nasties off your computer to begin with.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
**Tutorial on installing & using this product can be found HERE**

Ad-Aware 2007 Free - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
**Tutorial on installing & using this product can be found HERE**

IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
**Tutorial on installing & using this product can be found HERE**

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

AntiVirus Program - An AntiVirus program is a must in today's digital world! I recommend Active Virus Shield, AVG, or Anti-Vir.
DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more.
**Tutorial on installing & using Active Virus Shield can be found HERE**

Firewall - A firewall is definitely a must-have to protect your computer from hackers. I recommend Comodo, Zone Alarm, or Outpost.
**Tutorial on Firewalls can be found HERE**

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

And finally a little How did I get infected in the first place?(by Tony Klein)

Good luck and safe surfing.
mlinva
post Jul 20 2007, 02:19 AM
Post #14


Member
**
Posts: 32
From: Virginia
OS: xp



Hi,

Thank you for your diligent assistance. When everything was finished, Ad-Aware couldn't update the virus signatures and Symantec could not enable auto-protect. I uninstalled Zone Alarm, Ad-Aware and the Symantec Virus program and reinstalled all 3. So far everything seems to be working perfectly. Thank you again.

now, eat your dinner and get some sleep!!

Mary Lou

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:06 AM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3723 bytes


Current HijackThis scan
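The log above is quoted as posted. As an added example (not from the thread and not Trend Micro's own code), here is a small Python triage that parses the O4 autostart and O23 service lines of a HijackThis v2 log, flags services whose owner is listed as "Unknown owner", and lists running processes that no visible O4/O23 entry would have started; the sample log inside it is constructed in the shape of the one above, and the core-process allowlist and the `.exe` extraction are assumptions.

```python
import re
import ntpath  # Windows path handling so the script also runs on Linux

# Constructed sample in the shape of a HijackThis v2 log (not the thread's full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
EXE_RE = re.compile(r'"?(.*?\.exe)', re.I)  # assumption: first .exe in the line is the target
# Assumption: core XP processes that are started by the kernel/session manager, not by Run keys.
CORE = {'smss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', 'svchost.exe', 'explorer.exe', 'spoolsv.exe'}

def _exe_basename(cmd):
    m = EXE_RE.match(cmd.strip())
    target = m.group(1) if m else cmd.strip().strip('"')
    return ntpath.basename(target).lower()

def parse_log(text):
    procs, autostarts, services, in_procs = [], [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs:                      # process list ends at the first blank line
            in_procs = bool(line)
            if line:
                procs.append(line)
            continue
        m = O4_RE.match(line) or O23_RE.match(line)
        if m:
            (autostarts if 'cmd' in m.groupdict() else services).append(m.groupdict())
    return procs, autostarts, services

def triage(text):
    procs, autostarts, services = parse_log(text)
    unknown_owner = [s['svc'] for s in services if s['owner'].lower() == 'unknown owner']
    anchored = {_exe_basename(a['cmd']) for a in autostarts} | {_exe_basename(s['path']) for s in services}
    unanchored = [p for p in procs if _exe_basename(p) not in anchored | CORE]
    return {'unknown_owner': unknown_owner, 'unanchored': unanchored}
```

Processes reported as unanchored are not necessarily malicious (they may be launched by the user, a scheduled task or another service); the point is that they deserve a second look because nothing in the visible autostart entries accounts for them.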
don77
post Jul 21 2007, 07:13 AM
Post #15
Malware Expert
Posts: 18,682
From: Boston Ma.
OS: XP Pro, ME, 98

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks mentioned on this page are the property of their respective owners.

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising