[fusiondesign]

Hi

My compuer has recently been infected with various malware (Winfixer, ishost...) I have done the following as instructed:

Removed old files with CCleaner
Cleaned with ATF Cleaner
Created a system restore point and deleted previous
Downloaded and run ad-aware SE (quarantined 7 infected files)
Downloaded and run AVG Anti-spyware (quarantined 1 file)

I also have Norton running.

My hard disk light flashes nearly all the time as if malware is running - the computer is running really slow.

HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:12:06, on 14/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIJACKTHISFOLDER\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\ttuxyiss.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {75484654-AF92-1881-D730-00A2B5984252} - C:\WINDOWS\system32\vboublf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt6.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [pjkwmsk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pjkwmsk.dll,lorzdae
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.portchest...minal/msrdp.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Is anything malicious running on my computer that shouldn't be???

Kind regards

Mat

[Advertisements]

Hi fusiondesign and Welcome to GeekstoGo!


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Restart back in Normal Mode and Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply along with smitfiles.txt

[Wizard]

Hi fusiondesign and Welcome to GeekstoGo!


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Restart back in Normal Mode and Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply along with smitfiles.txt

[fusiondesign]

Hi Cretemonster - many thanks for your reply.

SMITFILES.TXT BELOW----


smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: 18/10/2006
The current time is: 8:05:42.92

Running from
C:\smitrem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
ismini.exe
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 772 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN!




COMBOFIX.TXT BELOW ---

Matt - 06-10-18 8:14:14.09 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Matt\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-14 09:16 0 --a------ C:\WINDOWS\SYSTEM32\ttuxyiss.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 02:26 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-15 10:55 -------- d-------- C:\Program Files\Audio Mid Recorder
2006-10-15 09:49 -------- d-------- C:\Program Files\HIJACKTHISFOLDER
2006-10-14 19:50 -------- d-------- C:\Program Files\VSToolbar
2006-10-14 14:37 -------- d-------- C:\Program Files\Grisoft
2006-10-14 13:08 -------- d-------- C:\Documents and Settings\Matt\Application Data\Lavasoft
2006-10-14 13:07 -------- d-------- C:\Program Files\Lavasoft
2006-10-14 12:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-14 12:26 -------- d-------- C:\Program Files\Bullfrog
2006-10-14 12:20 -------- d-------- C:\Program Files\Bethesda Softworks
2006-09-14 17:08 5037072 --a------ C:\Program Files\spybotsd14.exe
2006-09-14 16:02 -------- d-------- C:\Program Files\CCleaner
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-07 06:15 -------- d-------- C:\Documents and Settings\Matt\Application Data\WholeSecurity
2006-09-06 08:51 692276 --a------ C:\WINDOWS\SYSTEM32\ddccb.dll.vir
2006-08-30 13:11 -------- d-------- C:\Program Files\Symantec
2006-08-25 16:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-22 15:34 43520 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-08-07 16:02 534208 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"pjkwmsk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\pjkwmsk.dll,lorzdae"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://us.i1.yimg.co...vies/tr_bg.gif"
"SubscribedURL"="http://us.i1.yimg.co...vies/tr_bg.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,a8,00,00,00,1d,01,00,00,58,02,00,00,58,02,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,14,03,00,00,1d,01,00,00,58,02,00,00,58,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,f1,01,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
e7,77,20,10,85,03

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.stickpage...es/dots_bg.gif"
"SubscribedURL"="http://www.stickpage...es/dots_bg.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,01,00,00,27,00,00,00,4c,00,00,00,f8,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,14,02,00,00,27,00,00,00,04,00,00,00,f8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,70,03,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
e7,77,08,70,1b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoSetFolders"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoControlPanel"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoMultiIE"=dword:00000000
"LWA"=dword:00000000
"LWB"=dword:00000000
"LWC"=dword:00000000
"LWD"=dword:00000000
"LWE"=dword:00000000
"LWF"=dword:00000000
"LWG"=dword:00000000
"LWH"=dword:00000000
"LWI"=dword:00000000
"LWJ"=dword:00000000
"LWK"=dword:00000000
"LWL"=dword:00000000
"LWM"=dword:00000000
"LWN"=dword:00000000
"LWO"=dword:00000000
"LWP"=dword:00000000
"LWQ"=dword:00000000
"LWR"=dword:00000000
"LWS"=dword:00000000
"LWT"=dword:00000000
"LWU"=dword:00000000
"LWV"=dword:00000000
"LWW"=dword:00000000
"LWX"=dword:00000000
"LWY"=dword:00000000
"LWZ"=dword:00000000
"NoDrives"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Matt.job

Completion time: 06-10-18 8:15:42.23
C:\ComboFix.txt ... 06-10-18 08:15


Kind regards

Mat

[Wizard]

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINDOWS\SYSTEM32\ttuxyiss.dll
  C:\WINDOWS\SYSTEM32\pjkwmsk.dll
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Select Delete on Reboot and Unregister .dll before Deleting
• then Click on the All Files button.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Once rebooted,Open Killbox again and Click Tools--> Delete Temp Files.

Use the drop down box in the middle of the killbox window and delete temp files for all user accounts Killbox list.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction on the F-Secure page for proper installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.

[fusiondesign]

Hi Cretemonster

Tried to do as asked but encountered a couple of problems:

When I ran killbox and pasted in text as requested the program only recognised ttuxyiss.dll. Did rest of instructions as asked.

When i startup my computer I get a prompt saying that pjkwmsk.dll is missing.

Ran F-Secure Online scanner.

First pass found 27 viruses. Automatic cleaning hanged after 23/27 viruses cleaned (Hanged on Tracking Cookie).

Reran again and said it found 16 viruses and 1 item of Malware. Cleaned all items. Log is below:

-----

Scanning Report
Thursday, October 19, 2006 11:50:57 - 12:49:00
Computer name: DOWNSTAIRS
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 17 malware found
Net-Worm.Win32.Nimda (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2E93000D.HTM (Submitted)
Packed.Win32.Klone.g (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0AE20278.DLL (Submitted)
Packed.Win32.Klone.k (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\6FC94F6F.DLL (Submitted)
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Trojan-Downloader.Win32.Agent.xa (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\44E87546.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\46971B6C.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\469A4568.EXE (Submitted)
Trojan-Downloader.Win32.IstBar.ma (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4155777D.EXE (Submitted)
Trojan-Downloader.Win32.Zlob.alf (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\2FF918CC.EXE (Submitted)
Trojan.Win32.Dialer.qs (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3C7E560B.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\5AF47C86.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\633D30D9.EXE (Submitted)
Trojan.Win32.Pakes (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\1DD54420.EXE (Submitted)
W32/Renos.gen3 (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000003.EXE (Submitted)
W32/Stration.OT@mm (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001028.EXE (Submitted)
not-virus:Hoax.Win32.Renos.ds (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\054F1A8B.DLL (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\5B393200.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28246
System: 4448
Not scanned: 5
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 16
Submitted: 16
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{ADFA4411-0297-4FA8-9ED3-BC26E7999FB9}.BIN
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-19
F-Secure Libra: 2.4.1, 2006-10-19
F-Secure Orion: 1.2.37, 2006-10-19
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 2006-10-18
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.


-----

Kind regards

Mat

[Wizard]

I can live with those results,everything is either in Quarantine or trapped in a restore point.


Restart in Safe Mode and Scan fresh with Combo Fix.


Restart Normal and Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format please and post it back here along with the new combo fix log.

[fusiondesign]

Hi CreteMonster

Did ComboFix log is below:

-----

Matt - 06-10-18 8:14:14.09 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Matt\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-14 09:16 0 --a------ C:\WINDOWS\SYSTEM32\ttuxyiss.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 02:26 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-15 10:55 -------- d-------- C:\Program Files\Audio Mid Recorder
2006-10-15 09:49 -------- d-------- C:\Program Files\HIJACKTHISFOLDER
2006-10-14 19:50 -------- d-------- C:\Program Files\VSToolbar
2006-10-14 14:37 -------- d-------- C:\Program Files\Grisoft
2006-10-14 13:08 -------- d-------- C:\Documents and Settings\Matt\Application Data\Lavasoft
2006-10-14 13:07 -------- d-------- C:\Program Files\Lavasoft
2006-10-14 12:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-14 12:26 -------- d-------- C:\Program Files\Bullfrog
2006-10-14 12:20 -------- d-------- C:\Program Files\Bethesda Softworks
2006-09-14 17:08 5037072 --a------ C:\Program Files\spybotsd14.exe
2006-09-14 16:02 -------- d-------- C:\Program Files\CCleaner
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-07 06:15 -------- d-------- C:\Documents and Settings\Matt\Application Data\WholeSecurity
2006-09-06 08:51 692276 --a------ C:\WINDOWS\SYSTEM32\ddccb.dll.vir
2006-08-30 13:11 -------- d-------- C:\Program Files\Symantec
2006-08-25 16:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-22 15:34 43520 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-08-07 16:02 534208 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"pjkwmsk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\pjkwmsk.dll,lorzdae"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://us.i1.yimg.co...vies/tr_bg.gif"
"SubscribedURL"="http://us.i1.yimg.co...vies/tr_bg.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,a8,00,00,00,1d,01,00,00,58,02,00,00,58,02,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,14,03,00,00,1d,01,00,00,58,02,00,00,58,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,f1,01,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
e7,77,20,10,85,03

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.stickpage...es/dots_bg.gif"
"SubscribedURL"="http://www.stickpage...es/dots_bg.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,01,00,00,27,00,00,00,4c,00,00,00,f8,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,14,02,00,00,27,00,00,00,04,00,00,00,f8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,70,03,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
e7,77,08,70,1b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoSetFolders"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoControlPanel"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoMultiIE"=dword:00000000
"LWA"=dword:00000000
"LWB"=dword:00000000
"LWC"=dword:00000000
"LWD"=dword:00000000
"LWE"=dword:00000000
"LWF"=dword:00000000
"LWG"=dword:00000000
"LWH"=dword:00000000
"LWI"=dword:00000000
"LWJ"=dword:00000000
"LWK"=dword:00000000
"LWL"=dword:00000000
"LWM"=dword:00000000
"LWN"=dword:00000000
"LWO"=dword:00000000
"LWP"=dword:00000000
"LWQ"=dword:00000000
"LWR"=dword:00000000
"LWS"=dword:00000000
"LWT"=dword:00000000
"LWU"=dword:00000000
"LWV"=dword:00000000
"LWW"=dword:00000000
"LWX"=dword:00000000
"LWY"=dword:00000000
"LWZ"=dword:00000000
"NoDrives"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Matt.job

Completion time: 06-10-18 8:15:42.23
C:\ComboFix.txt ... 06-10-18 08:15


-------

Ran Online BitDefender - Report below:

------

BitDefender Online Scanner



Scan report generated at: Fri, Oct 20, 2006 - 09:15:33





Scan path: A:\;C:\;D:\;







Statistics

Time
01:19:45

Files
509784

Folders
4451

Boot Sectors
3

Archives
3603

Packed Files
70970




Results

Identified Viruses
16

Infected Files
35

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
65




Engines Info

Virus Definitions
477691

Engine build
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)

Scan plugins
13

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\032D128B.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\032D128B.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\032D128B.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054F1A8B.dll=>(Quarantine-2)
Infected with: Trojan.FakeAlert.CX

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054F1A8B.dll=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054F1A8B.dll=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7B33A5.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7B33A5.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7B33A5.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AAC0A02.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AAC0A02.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AAC0A02.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AE20278.dll=>(Quarantine-2)
Infected with: Trojan.Spy.Agent.AB

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AE20278.dll=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AE20278.dll=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AEC006D.dll=>(Quarantine-2)
Infected with: Trojan.Agent.VX

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AEC006D.dll=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AEC006D.dll=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B4B3A78.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B4B3A78.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B4B3A78.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D4528EC.exe=>(Quarantine-2)
Infected with: Trojan.Dialer.Premium

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D4528EC.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D4528EC.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DD54420.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Agent.XXX

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DD54420.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DD54420.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D511B4F.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D511B4F.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D511B4F.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E254C1E.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E254C1E.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E254C1E.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E93000D.htm=>(Quarantine-2)=>(JAVASCRIPT 13)
Infected with: JS.Nimda.A

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E93000D.htm=>(Quarantine-2)=>(JAVASCRIPT 13)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E93000D.htm=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E93000D.htm
Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FF918CC.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Zlob.VU

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FF918CC.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FF918CC.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp=>(Quarantine-2)=>(NSIS o)=>lzma_solid_nsis0003
Infected with: Trojan.Starter.V

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp=>(Quarantine-2)=>(NSIS o)=>lzma_solid_nsis0003
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp=>(Quarantine-2)=>(NSIS o)=>lzma_solid_nsis0003
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp=>(Quarantine-2)=>(NSIS o)
Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35696F43.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35696F43.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35696F43.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39704A8C.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39704A8C.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39704A8C.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C7E560B.exe=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C7E560B.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C7E560B.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4155777D.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Istbar.MA

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4155777D.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4155777D.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44E87546.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Time2Pay

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44E87546.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44E87546.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46971B6C.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Time2Pay

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46971B6C.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46971B6C.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469A4568.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Time2Pay

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469A4568.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469A4568.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\489740AD.tmp=>(Quarantine-2)
Infected with: Trojan.Java.Classloader.D

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\489740AD.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\489740AD.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58462AE6.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58462AE6.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58462AE6.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\592A2DA3.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\592A2DA3.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\592A2DA3.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5AF47C86.exe=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5AF47C86.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5AF47C86.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B393200.dll=>(Quarantine-2)
Infected with: Trojan.FakeAlert.CX

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B393200.dll=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B393200.dll=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D71625E.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D71625E.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D71625E.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\605056E8.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\605056E8.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\605056E8.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\633D30D9.exe=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\633D30D9.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\633D30D9.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A564798.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A564798.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A564798.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79DA283C.tmp=>(Quarantine-2)
Infected with: Trojan.Java.Classloader.H

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79DA283C.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79DA283C.tmp=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FD03E87.tmp=>(Quarantine-2)
Infected with: Trojan.Dialer.ADI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FD03E87.tmp=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FD03E87.tmp=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000004.0XE
Infected with: Trojan.Zlob.EE

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000004.0XE
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000004.0XE
Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001002.0XE
Infected with: Trojan.Zlob.EJ

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001002.0XE
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001002.0XE
Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001015.0XE
Infected with: Generic.Zlob.E0D95258

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001015.0XE
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001015.0XE
Deleted

--------

After running BitDefender Norton brought up message that it had removed Trojan.Zlob and Downloader from computer - file automatically deleted.


Kind regards and thanks again for your continuing support.

Mat

Edited by fusiondesign, 20 October 2006 - 06:27 AM.

[Wizard]

Matt - 06-10-18 8:14:14.09 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Matt\Desktop"


I believe that is the old combo fix log?

[fusiondesign]

Hi - Sorry about that!

Log below:

-----

Administrator - 06-10-20 7:48:13.42 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Combofix"

((((((((((((((((((((((((((((((( Files Created from 2006-09-20 to 2006-10-20 ))))))))))))))))))))))))))))))))))


2006-10-19 09:38 93,184 --a------ C:\KillBox.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 02:26 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-15 10:55 -------- d-------- C:\Program Files\Audio Mid Recorder
2006-10-15 10:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-10-15 09:49 -------- d-------- C:\Program Files\HIJACKTHISFOLDER
2006-10-14 19:50 -------- d-------- C:\Program Files\VSToolbar
2006-10-14 14:37 -------- d-------- C:\Program Files\Grisoft
2006-10-14 13:07 -------- d-------- C:\Program Files\Lavasoft
2006-10-14 12:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-14 12:26 -------- d-------- C:\Program Files\Bullfrog
2006-10-14 12:20 -------- d-------- C:\Program Files\Bethesda Softworks
2006-09-14 17:08 5037072 --a------ C:\Program Files\spybotsd14.exe
2006-09-14 16:02 -------- d-------- C:\Program Files\CCleaner
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-06 08:51 692276 --a------ C:\WINDOWS\SYSTEM32\ddccb.dll.vir
2006-08-30 13:11 -------- d-------- C:\Program Files\Symantec
2006-08-25 16:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-22 15:34 43520 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-08-07 16:02 534208 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"pjkwmsk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\pjkwmsk.dll,lorzdae"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Matt.job

Completion time: 06-10-20 7:48:50.78
C:\ComboFix.txt ... 06-10-20 07:48
C:\ComboFix2.txt ... 06-10-18 08:15

-----

Kind regards

Mat

[Wizard]

Search for and delete if found

C:\WINDOWS\SYSTEM32\ddccb.dll.vir<--- File


Scan fresh with HijackThis and post that log please.

[fusiondesign]

Hi CreteMonster

Found file and deleted it. Emptied recycle bin. Didn't restart - not sure if I had to.

Ran HiJackThis - log below:

------

Logfile of HijackThis v1.99.1
Scan saved at 09:18:30, on 22/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HIJACKTHISFOLDER\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\ttuxyiss.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [pjkwmsk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pjkwmsk.dll,lorzdae
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.portchest...minal/msrdp.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/installer.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Kind regards

Mat

[Wizard]

Hows the Computer acting today?


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\ttuxyiss.dll (file missing)

O4 - HKLM\..\Run: [pjkwmsk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pjkwmsk.dll,lorzdae

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[fusiondesign]

Hi CreteMonster.

Definitely less activity from the hard disk. Computer seems faster.

Did Hijack bits as requested.

Did online scan. Results are below:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 22, 2006 9:45:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/10/2006
Kaspersky Anti-Virus database records: 233853
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 70019
Number of viruses found: 20
Number of infected objects: 59 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:07:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-10-22_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01863D91.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\032D128B.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054F1A8B.dll Infected: not-virus:Hoax.Win32.Renos.ds skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05B932F3.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7B33A5.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AAC0A02.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AE20278.dll Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AEC006D.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B4B3A78.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D4528EC.exe Infected: not-a-virus:[bleep]-Dialer.Win32.InstantAccess.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\105E0382.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17A3485F.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A5E615E.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DD54420.exe Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E6634EF.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F846A46.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D511B4F.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E254C1E.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E93000D.htm Infected: Net-Worm.Win32.Nimda skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FF918CC.exe Infected: Trojan-Downloader.Win32.Zlob.alf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp NSIS: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34DD0636.tmp CryptFF: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35696F43.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\377677AA Infected: Trojan-Downloader.Win32.Zlob.apx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\37874998 Infected: Trojan-Downloader.Win32.Zlob.apx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39704A8C.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C7E560B.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3EF1171F.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4155777D.exe Infected: Trojan-Downloader.Win32.IstBar.ma skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\444D305D.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44E87546.exe Infected: Trojan-Downloader.Win32.Agent.xa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46971B6C.exe Infected: Trojan-Downloader.Win32.Agent.xa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469A4568.exe Infected: Trojan-Downloader.Win32.Agent.xa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\482D54F6.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\489740AD.tmp Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58462AE6.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\592A2DA3.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5AF47C86.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B393200.dll Infected: not-virus:Hoax.Win32.Renos.ds skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D71625E.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\605056E8.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\633D30D9.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67DC2156 Infected: Trojan-Downloader.Win32.Zlob.adt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A564798.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6ADF6EC7.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F01123B.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F1666FF.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FC94F6F.dll Infected: Packed.Win32.Klone.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71C6292F.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79DA283C.tmp Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79DC43B6.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E62434D.tmp Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FD03E87.tmp Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Matt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\ntuser.dat Object is locked skipped
C:\Documents and Settings\Matt\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0252NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0920NAV~.TMP Object is locked skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0003256.0LL Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Kind regards

Mat

[Wizard]

See if you can locate and empty the Norton Quarantine folder.

Usually you can open Norton Antivirus and Click Reports and there you will see the Quarantine items.


Please Install these 2 to add to the Security of the PC

SpywareBlaster:
http://www.javacools.../downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm


Is the machine still acting OK?