Infected with something I know not what it is!



#1 SlickNtz (New Member, 7 posts)
I have a Trojan/Malware virus that is reloading after being removed with AVG 7.5 Virus scan, AVG Malware scan and Spybot.

I have tried searching through google and several different forums but I can't seem to locate the information I need to remove this bug.
The current problem consists of random timed routine breaks from Internet Explorer or the launch of a secondary browser with numerous different sites/ads.
I have manually removed both the files and reg links to the Iexplorer.dll /dbt, but they are respawned after a reboot. I am also not sure what this file is: hypdcz.dll. This dll file can't be located on a google search or in any of the virus databases I have searched.
Lastly, if you go into the task manager after closing all open IE windows you will still see IE present.

Any help with the removal would be greatly appreciated.


Here is a copy of my current HJT Log.


Logfile of HijackThis v1.99.1
Scan saved at 10:09:38 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nonya\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll suspected problem
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt known problem not sure of cure
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt same as above
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt same as above
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: hypdcz - C:\WINDOWS\SYSTEM32\hypdcz.dll possible problem???
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by SlickNtz, 19 March 2007 - 10:25 PM.


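A defender-side triage pass over HijackThis entries like the ones in the log above, as an added example written for this page (it is not HijackThis output and not a tool from the thread). The sample log is a constructed excerpt, and both allow-lists are assumptions kept deliberately short; a real one would be far longer.

```python
import re
from collections import defaultdict

# Constructed excerpt of a HijackThis 1.99.1 log. The lines mirror the entries
# the poster flagged above, plus a few benign ones for contrast.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
O20 - Winlogon Notify: hypdcz - C:\WINDOWS\SYSTEM32\hypdcz.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed, deliberately short allow-lists; a production one is far longer.
# SDHelper.dll is Spybot's IE guard and legitimately registers without a name.
KNOWN_NONAME_BHO = {"sdhelper.dll"}
# Winlogon Notify packages that ship with Windows XP SP2 (partial, assumed).
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def program_of(cmd):
    """First token of a Run command: a quoted path, or the bare first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (entry, reason) pairs for HJT lines worth a second look."""
    findings = []
    run_keys = defaultdict(set)  # value name -> autostart keys it appears under
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            # An unnamed BHO is normal only for a handful of known DLLs.
            if m["name"] == "(no name)" and basename(m["path"]) not in KNOWN_NONAME_BHO:
                findings.append((line, "unnamed BHO loading an unrecognised DLL"))
        elif m := RUN_RE.match(line):
            run_keys[m["value"]].add(f"{m['hive']}\\{m['key']}")
            prog = program_of(m["cmd"])
            # A Run value should launch a program; 'IExplorer.dll .dbt' names a DLL.
            if not prog.lower().endswith(".exe"):
                findings.append((line, f"Run value launches '{prog}', which is not an executable"))
        elif m := NOTIFY_RE.match(line):
            # Winlogon Notify DLLs are loaded by winlogon.exe, so the file is in
            # use for the whole session and cannot simply be deleted while logged on.
            if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append((line, "Winlogon Notify package not shipped with Windows XP"))
    # The same value name planted in several autostart keys is a common
    # persistence pattern; every copy has to go in the same cleaning pass.
    for value, keys in run_keys.items():
        if len(keys) > 1:
            findings.append((value, f"same autostart value replicated in {len(keys)} keys: {sorted(keys)}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {entry}")
```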

#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.

As I am still in training here, all my posts to you will be cleared by one of the expert staff here, so this may cause some minor delays in my replies. Now I will need a bit of time to research your log fully, so please bear with me. In the meantime, please create an Uninstall list for me:
  • Open HijackThis and click on the "Open the Misc Tools section" button.
  • Click on the "Open Uninstall Manager" button. Click the "Save List" button.
  • After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it, then the list should open in notepad.
  • Copy and paste that list here.
Also please bookmark this page so that you will get back to it easily.

Regards,
RatHat

#3 SlickNtz (Topic Starter, New Member, 7 posts)
Quick update. The AVG Control Center cannot be launched as of last night.

Here is the current HJT Log along with the uninstall log.

Logfile of HijackThis v1.99.1
Scan saved at 9:24:14 AM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nonya\Desktop\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: hypdcz - C:\WINDOWS\SYSTEM32\hypdcz.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Uninstall log

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Reader 7.0.8
Adobe Reader Japanese Fonts
Adobe Shockwave Player
Ai Booster
ASUS_Ai_Proactive_Screensaver (E)
AsusUpdate
AVG Anti-Spyware 7.5
AVG Free Edition
Battlefield 2142
Belkin 54g USB Network Adapter
CCleaner (remove only)
CleanUp!
CoffeeCup VisualSite Designer
Data Lifeguard Tools
DivX
DivX Converter
DivX Player
DivX Web Player
DVC5.1 Driver
Eusing Free Registry Cleaner
FileZilla (remove only)
Google Toolbar for Internet Explorer
HijackThis 1.99.1
ICOO Loader 2.5
Invision 2.0 Build 3515
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_04
LimeWire 4.12.6
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
mIRC
NVIDIA Drivers
NvMixer
OpenOffice.org 2.0
PC Probe II
RealPlayer
Realtek AC'97 Audio
Rhapsody Player Engine
Roll
Samsung DVC Media 5.1
Sony DVD Architect 3.0
Sony Media Manager 2.0
Sony Vegas 6.0
Spybot - Search & Destroy 1.4
Starcraft
TeamSpeak 2 RC2
The Cleaner
WD Diagnostics
Windows Resource Kit Tools - SubInAcl.exe
WinRAR archiver

Edited by SlickNtz, 21 March 2007 - 08:32 AM.


#4 RatHat (Ex Malware Expert, 7,829 posts)
Hey SlickNtz,

OK, a couple of questions first:

1. Is this a shared computer with other user accounts?
2. If so do you have administrative rights?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread, along with the ComboScan log you will run next.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Please download AVG Anti-Spyware so you have the latest version
  • Install AVG Anti-Spyware
  • Launch the program, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.

    You will need to update AVG Anti-Spyware to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit AVG Anti-Spyware, do not run the scan yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


2. Once in Safe Mode, Open AVG Anti-Spyware:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your computer
Now, please post the following logs in your next post:
  • vundofix.txt
  • AVG Anti-Spyware text report
Regards,
RatHat

#5 SlickNtz (Topic Starter, New Member, 7 posts)
1) The computer is not shared. I have multiple accounts set up for different operations of this PC. Each user loads different tools for that account.

2) Yes I have admin rights.


Vundo Log

VundoFix V6.3.17

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:00:33 PM 3/21/2007

Listing files found while scanning....

No infected files were found.


Combo Fix Log

"Nonya" - 07-03-21 20:05:32 Service Pack 2
ComboFix 07-03-19 - Running from: "C:\Documents and Settings\Nonya\Desktop"

/wow section not completed - STAGE #6D
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\windows\system32\explorer.exe


((((((((((((((((((((((((((((((( Files Created from 2007-02-21 to 2007-03-21 ))))))))))))))))))))))))))))))))))


2007-03-21 09:33 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-03-21 09:33 32,768 --a------ C:\WINDOWS\NOTEDAD.EXE
2007-03-21 09:07 <DIR> d-------- C:\Program Files\Windows Resource Kits
2007-03-20 23:48 697,975 --a------ C:\SDFix.exe
2007-03-20 22:13 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-20 15:15 <DIR> d-------- C:\Program Files\DeskAlerts
2007-03-19 13:32 <DIR> d-------- C:\Program Files\The Cleaner
2007-03-19 13:29 <DIR> d-------- C:\VundoFix Backups
2007-03-19 13:26 1,352 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-17 09:20 <DIR> d-------- C:\!KillBox
2007-03-17 01:54 32,768 --a------ C:\WINDOWS\system32\svchtoost.exe
2007-03-16 23:49 27,215 --a------ C:\WINDOWS\system32\vtsqo.exe
2007-03-16 23:49 19,654 --------- C:\WINDOWS\system32\hypdcz.dll
2007-03-16 23:44 8,535 --a------ C:\WINDOWS\system32\mljgdda.dll
2007-03-07 20:20 <DIR> d-------- C:\DOCUME~1\Nonya\APPLIC~1\teamspeak2
2007-02-24 20:30 <DIR> d-------- C:\Program Files\Common Files\EasyInfo


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-21 09:33 32768 --a------ C:\WINDOWS\system32\mp43.exe
2007-03-21 09:33 32768 --a------ C:\WINDOWS\notedad.exe
2007-03-21 09:07 -------- d-------- C:\Program Files\windows resource kits
2007-03-21 00:58 1352 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-20 23:48 697975 --a------ C:\SDFix.exe
2007-03-20 23:17 -------- d-------- C:\Program Files\the cleaner
2007-03-20 22:13 8704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-20 15:15 -------- d-------- C:\Program Files\deskalerts
2007-03-18 13:07 32768 --a------ C:\WINDOWS\system32\svchtoost.exe
2007-03-17 21:55 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-16 23:49 27215 --a------ C:\WINDOWS\system32\vtsqo.exe
2007-03-16 23:49 19654 --------- C:\WINDOWS\system32\hypdcz.dll
2007-03-16 23:44 8535 --a------ C:\WINDOWS\system32\mljgdda.dll
2007-03-16 23:40 -------- d-------- C:\Program Files\messenger
2007-03-16 15:05 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\openoffice.org2
2007-03-07 20:20 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\teamspeak2
2007-03-06 08:31 74 --a------ C:\DOCUME~1\Nonya\APPLIC~1\ftpfile.dat
2007-03-03 22:01 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\limewire
2007-02-24 20:11 -------- d--h----- C:\Program Files\installshield installation information
2007-02-18 12:20 278528 --a------ C:\WINDOWS\system32\livesnth.dll
2007-02-11 10:59 -------- d-------- C:\Program Files\sony setup
2007-02-11 10:59 -------- d-------- C:\Program Files\sony
2007-02-11 10:58 -------- d-------- C:\Program Files\vstplugins
2007-02-11 10:58 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\publish providers
2007-02-11 10:57 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\sony
2007-02-11 10:56 -------- d-------- C:\Program Files\microsoft sql server
2007-02-11 07:15 -------- d-------- C:\Program Files\google
2007-02-11 06:38 -------- d-------- C:\Program Files\samsung
2007-02-07 00:00 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\google


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Launch Ai Booster"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IESet"="IExplorer.dll .dbt"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"adirka"="C:\\WINDOWS\\system32\\adirka.exe"
"IESet"="IExplorer.dll .dbt"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hypdcz

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8890ea90-4df0-11db-b86c-806d6172696f}]
Shell\AutoRun\command F:\Autorun.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

cmd.exe [4016]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-21 20:06:48
C:\ComboFix2.txt ... 07-03-19 16:20


AVG Spyware Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:25:53 PM 3/21/2007

+ Scan result:



C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Adorigin : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected]et[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Valuead : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : No action taken.


::Report end

Current HJT Log


Logfile of HijackThis v1.99.1
Scan saved at 8:28:03 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Nonya\Desktop\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: hypdcz - C:\WINDOWS\SYSTEM32\hypdcz.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


On the AVG LOG it says no action taken. This is not correct. I saved the LOG before deleting all items. All items were deleted with no problems.

If there is anything else you need please let me know.

Edited by SlickNtz, 21 March 2007 - 07:34 PM.


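Two checks a responder would run over the ComboFix "Files Created" section in the post above, as an added example that is not part of the thread or of ComboFix: clustering files created within minutes of the known-bad hypdcz.dll (vtsqo.exe and mljgdda.dll appear in the same five-minute window), and spotting names that imitate Windows binaries (svchtoost.exe, NOTEDAD.EXE). The sample lines are a constructed excerpt; the legitimate-name list, the 15-minute window and the 0.85 similarity threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed excerpt of the "Files Created" section of a ComboFix log
# (format: date time size attributes path). Only this section's layout is parsed;
# the Find3M section uses a different column layout.
SAMPLE_COMBOFIX = r"""
2007-03-21 09:33 32,768 --a------ C:\WINDOWS\system32\mp43.exe
2007-03-21 09:33 32,768 --a------ C:\WINDOWS\NOTEDAD.EXE
2007-03-21 09:07 <DIR> d-------- C:\Program Files\Windows Resource Kits
2007-03-20 23:48 697,975 --a------ C:\SDFix.exe
2007-03-17 01:54 32,768 --a------ C:\WINDOWS\system32\svchtoost.exe
2007-03-16 23:49 27,215 --a------ C:\WINDOWS\system32\vtsqo.exe
2007-03-16 23:49 19,654 --------- C:\WINDOWS\system32\hypdcz.dll
2007-03-16 23:44 8,535 --a------ C:\WINDOWS\system32\mljgdda.dll
2007-03-07 20:20 <DIR> d-------- C:\DOCUME~1\Nonya\APPLIC~1\teamspeak2
"""

# Assumed short list of Windows binaries whose names malware commonly imitates.
LEGIT_SYSTEM_BINARIES = {"svchost.exe", "notepad.exe", "explorer.exe", "lsass.exe",
                         "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe", "csrss.exe"}

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
                     r"(?P<size>[\d,]+|<DIR>) (?P<attr>[-a-zA-Z]{9}) (?P<path>.+)$")


def parse_combofix_created(text):
    """Parse 'Files Created' lines into dicts with a real datetime and a lowercased name."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "attr": m["attr"],
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1].lower(),
        })
    return entries


def created_near(entries, seed_name, minutes=15):
    """Files created within +/- `minutes` of the seed file: likely the same drop."""
    seeds = [e for e in entries if e["name"] == seed_name.lower()]
    if not seeds:
        return []
    t0, window = seeds[0]["when"], timedelta(minutes=minutes)
    return sorted(e["name"] for e in entries
                  if not e["is_dir"] and e["name"] != seed_name.lower()
                  and abs(e["when"] - t0) <= window)


def lookalike_names(entries, legit, threshold=0.85):
    """(new file, legitimate name) pairs where the new name nearly matches a Windows binary."""
    hits = []
    for e in entries:
        if e["is_dir"] or e["name"] in legit:
            continue
        for real in legit:
            if SequenceMatcher(None, e["name"], real).ratio() >= threshold:
                hits.append((e["name"], real))
    return sorted(hits)


if __name__ == "__main__":
    ents = parse_combofix_created(SAMPLE_COMBOFIX)
    print("dropped alongside hypdcz.dll:", created_near(ents, "hypdcz.dll"))
    print("lookalike system names:", lookalike_names(ents, LEGIT_SYSTEM_BINARIES))
```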
#6 RatHat (Ex Malware Expert, 7,829 posts)
Hey SlickNtz,

Firstly please do not run any other fixes unless I ask you to. Now, did you run AVG Anti Spyware in safe mode?

Now, I need you to carry out the following, exactly as listed below. It would help if you would print out this page to make sure you can check off each step as you go through it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download the Killbox by Option^Explicit.

Note: I know you already have Killbox, but this is a new version that I need you to download.
  • Save it to your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The next steps that I am about to suggest involve modifying the registry. Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

Now please download the attached zip file (Fixreg.zip) and save it to your desktop.

Unzip the file Fixreg.reg to your desktop.
Double click the file Fixreg.reg
At the prompt, click Yes to allow it to merge with your registry, and OK to come out of the dialog.

THIS REGISTRY SCRIPT HAS BEEN WRITTEN SPECIFICALLY FOR THIS USER ONLY - DO NOT RUN THIS SCRIPT ON ANY OTHER COMPUTER

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, locate Killbox.exe
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\mp43.exe
    C:\WINDOWS\notedad.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\svchtoost.exe
    C:\WINDOWS\system32\vtsqo.exe
    C:\WINDOWS\system32\hypdcz.dll
    C:\WINDOWS\system32\mljgdda.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


When you have completed all this, please post me a fresh HijackThis log.


Regards,
RatHat

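Killbox's "Delete on Reboot" option, and the PendingFileRenameOperations prompt RatHat asks about, both come down to one registry value: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends (source, destination) pairs to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Session Manager replays them early at the next boot, before a running process can lock or re-spawn the files. The script below is an added illustration, not code from this thread or from Killbox. It builds and decodes that REG_MULTI_SZ value offline using the value's standard conventions (NT "\??\" path prefix, empty destination means delete, a leading "!" on the destination means replace-existing). The seven paths are the ones from RatHat's Killbox list; the pre-existing rename entry is constructed for the example and the merging helper is this script's own idea of how to preserve entries already queued rather than clobbering them.

```python
"""Build and inspect a PendingFileRenameOperations value (REG_MULTI_SZ).

Added example, not from the thread or from Killbox.  Nothing here touches a
live registry: it only produces and parses the bytes that would be stored.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

NT_PREFIX = "\\??\\"          # MoveFileEx stores Win32 paths in NT form: \??\C:\...


@dataclass(frozen=True)
class PendingOp:
    source: str                  # Win32 path the operation acts on
    destination: Optional[str]   # None means "delete at boot"
    replace_existing: bool = False


def _to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_multi_sz(strings: Sequence[str]) -> bytes:
    """REG_MULTI_SZ layout: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(raw: bytes) -> List[str]:
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):          # drop the list terminator
        text = text[:-1]
    parts = text.split("\0")
    if parts and parts[-1] == "":    # left over from the final per-string NUL
        parts.pop()
    return parts


def build_delete_on_reboot(paths: Sequence[str]) -> bytes:
    """Value equivalent to queueing each path for deletion, as Killbox's list does."""
    strings: List[str] = []
    for p in paths:
        strings.extend([_to_nt(p), ""])   # empty destination = delete
    return encode_multi_sz(strings)


def parse_pending_ops(raw: bytes) -> List[PendingOp]:
    """Decode the value into operations; an unpaired trailing source is ignored."""
    items = decode_multi_sz(raw)
    ops: List[PendingOp] = []
    for i in range(0, len(items) - len(items) % 2, 2):
        src, dst = items[i], items[i + 1]
        if dst == "":
            ops.append(PendingOp(_from_nt(src), None))
        else:
            replace = dst.startswith("!")   # "!" = MOVEFILE_REPLACE_EXISTING was used
            target = _from_nt(dst[1:] if replace else dst)
            ops.append(PendingOp(_from_nt(src), target, replace))
    return ops


def describe(ops: Sequence[PendingOp]) -> List[str]:
    """Audit lines: what this machine will do to its own files at next boot."""
    out = []
    for op in ops:
        if op.destination is None:
            out.append(f"DELETE  {op.source}")
        else:
            flag = " (replace existing)" if op.replace_existing else ""
            out.append(f"RENAME  {op.source} -> {op.destination}{flag}")
    return out


def merged_value(existing: bytes, new_paths: Sequence[str]) -> bytes:
    """Append delete entries without discarding operations already queued."""
    return encode_multi_sz(
        decode_multi_sz(existing) + decode_multi_sz(build_delete_on_reboot(new_paths))
    )


# The seven paths RatHat queued in Killbox.
KILLBOX_PATHS = [
    r"C:\WINDOWS\system32\mp43.exe",
    r"C:\WINDOWS\notedad.exe",
    r"C:\WINDOWS\system32\tmp.reg",
    r"C:\WINDOWS\system32\svchtoost.exe",
    r"C:\WINDOWS\system32\vtsqo.exe",
    r"C:\WINDOWS\system32\hypdcz.dll",
    r"C:\WINDOWS\system32\mljgdda.dll",
]

# Constructed sample (hypothetical paths): something else already queued a
# replace-existing rename, the situation behind the PendingFileRenameOperations prompt.
CONSTRUCTED_EXISTING = encode_multi_sz([
    r"\??\C:\WINDOWS\Temp\update.tmp",
    r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for line in describe(parse_pending_ops(merged_value(CONSTRUCTED_EXISTING, KILLBOX_PATHS))):
        print(line)
```

Reading the queued list before rebooting is the check worth doing when a tool warns that the value already exists: a pre-existing rename into system32 may be a legitimate installer finishing up, or it may be the very thing that keeps re-spawning the files you are deleting.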
#7 SlickNtz (New Member, Topic Starter, 7 posts)
I must have misread your previous directions, as I thought you requested a log from everything but HJT, which I did prior to any of the other stuff since it had been a few days since I originally posted. In any case, here is the log you requested.

Logfile of HijackThis v1.99.1
Scan saved at 1:35:26 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Nonya\Desktop\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\yaaayx.dll",setvm (Don't know what this file is; sound works fine)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#8 RatHat (Ex Malware Expert, Expert, 7,829 posts)
Hey SlickNtz,

Your log is looking better, but I still want to stay on the safe side. Please print out this post, and go through the following steps:


Please download AVG AntiRootKit Beta and save it to your desktop.
  • Double click avgarkt-beta-1.1.0.29.exe to install it on your computer.
  • Follow the wizard to install the program, then allow it to reboot your computer.
  • Open AVG Anti-Rootkit Beta.
  • Click Perform in-depth search.
  • Select all your drives.
  • Click Search for rootkits.
  • If a rootkit is found, make sure everything is selected, then click Remove selected items.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, run ComboFix. Please download a new version, as I am not sure which version you have.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now, let's run AVG Anti-Spyware again in Safe Mode.

1. You will need to update AVG Anti-Spyware to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit AVG Anti-Spyware, do not run the scan yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


2. Once in Safe Mode, Open AVG Anti-Spyware:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, please visit Microsoft Windows Updates and install the latest security updates for your operating system. This is going to be essential to get your machine back to normal again.


OK, when you have completed all these steps, please post the following logs in your next post:
  • ComboFix Log
  • AVG Anti-Spyware text report
  • Fresh HijackThis log



Regards,
RatHat

#9 SlickNtz (New Member, Topic Starter, 7 posts)
Logs as requested.

Combo Fix

"Nonya" - 07-03-25 20:43:07 Service Pack 2
ComboFix 07-03-19 - Running from: "C:\Documents and Settings\Nonya\Desktop"

/wow section not completed - STAGE #6D
((((((((((((((((((((((((((((((( Files Created from 2007-02-25 to 2007-03-25 ))))))))))))))))))))))))))))))))))


2007-03-24 09:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-03-21 09:07 <DIR> d-------- C:\Program Files\Windows Resource Kits
2007-03-20 23:48 697,975 --a------ C:\SDFix.exe
2007-03-20 22:13 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-20 15:15 <DIR> d-------- C:\Program Files\DeskAlerts
2007-03-19 13:32 <DIR> d-------- C:\Program Files\The Cleaner
2007-03-19 13:29 <DIR> d-------- C:\VundoFix Backups
2007-03-17 09:20 <DIR> d-------- C:\!KillBox
2007-03-07 20:20 <DIR> d-------- C:\DOCUME~1\Nonya\APPLIC~1\teamspeak2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-22 18:48 -------- d-------- C:\Program Files\java
2007-03-21 09:07 -------- d-------- C:\Program Files\windows resource kits
2007-03-20 23:48 697975 --a------ C:\SDFix.exe
2007-03-20 23:17 -------- d-------- C:\Program Files\the cleaner
2007-03-20 22:13 8704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-20 15:15 -------- d-------- C:\Program Files\deskalerts
2007-03-17 21:55 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-16 23:40 -------- d-------- C:\Program Files\messenger
2007-03-16 15:05 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\openoffice.org2
2007-03-07 20:20 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\teamspeak2
2007-03-06 08:31 74 --a------ C:\DOCUME~1\Nonya\APPLIC~1\ftpfile.dat
2007-03-03 22:01 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\limewire
2007-02-24 20:11 -------- d--h----- C:\Program Files\installshield installation information
2007-02-18 12:20 278528 --a------ C:\WINDOWS\system32\livesnth.dll
2007-02-11 10:59 -------- d-------- C:\Program Files\sony setup
2007-02-11 10:59 -------- d-------- C:\Program Files\sony
2007-02-11 10:58 -------- d-------- C:\Program Files\vstplugins
2007-02-11 10:58 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\publish providers
2007-02-11 10:57 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\sony
2007-02-11 10:56 -------- d-------- C:\Program Files\microsoft sql server
2007-02-11 07:15 -------- d-------- C:\Program Files\google
2007-02-11 06:38 -------- d-------- C:\Program Files\samsung
2007-02-07 00:00 -------- d-------- C:\DOCUME~1\Nonya\APPLIC~1\google


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Launch Ai Booster"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\yaaayx.dll\",setvm"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-25 20:45:01
C:\ComboFix2.txt ... 07-03-22 19:02
C:\ComboFix3.txt ... 07-03-21 20:06

AVG Anti-Spyware Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:22:29 PM 3/25/2007

+ Scan result:



C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Nonya\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : No action taken.


::Report end

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:26:46 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nonya\Desktop\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\yaaayx.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#10 RatHat (Ex Malware Expert, Expert, 7,829 posts)
Hey SlickNtz,

Well, your log is looking a lot better now, but that yaaayx.dll is still hanging in there, so let's see if we can get rid of it this time round:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\yaaayx.dll",setvm

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Once you have done this, Reboot your computer, and post me a new HijackThis log. Also let me know how your machine is running, and whether you are still experiencing the same problems as when you first posted here, or any other malware related problems that you can see.


Regards,
RatHat

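The two entries RatHat picks out above are the classic shape of this kind of infection in a HijackThis log: a BHO whose CLSID is still registered although its DLL has already been removed ("(file missing)"), and a Run key with a plausible-sounding name ("SoundService") that uses rundll32 to load a randomly named DLL sitting directly in C:\WINDOWS, where no legitimate autostart DLL lives. The script below is an added example, not part of this thread and not HijackThis's own logic; it applies those two reviewer heuristics (this script's assumptions, not a malware signature) to the O2 and O4 lines from the log posted in #9 and returns the lines a helper would tell the user to "Fix Checked".

```python
"""Triage heuristics for HijackThis O2 (BHO) and O4 (Run key) entries.

Added example, not from the thread and not HijackThis's own logic.  The
heuristics are assumptions of this script: they encode what a reviewer
looks for by eye, and a hit means "review this entry", nothing more.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 <dll>,<entrypoint>; the DLL may be quoted and may carry no directory.
RUNDLL_RE = re.compile(r'^"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"program files|progra~\d", re.IGNORECASE)   # long and 8.3 forms
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def check_bho(m: "re.Match") -> List[str]:
    reasons = []
    name, path = m["name"], m["path"]
    if path.endswith("(file missing)"):
        reasons.append("BHO CLSID still registered but its DLL is gone: orphaned registration")
    if name == "(no name)" and not PROGRAM_FILES_RE.search(path):
        reasons.append("unnamed BHO loading from a system directory rather than a vendor folder")
    return reasons


def check_run(m: "re.Match") -> List[str]:
    reasons = []
    r = RUNDLL_RE.match(m["cmd"])
    if r:
        # ntpath handles backslash paths regardless of the host OS.
        parent = ntpath.dirname(r["dll"]).lower().rstrip("\\")
        if WINDOWS_ROOT_RE.match(parent):
            reasons.append("rundll32 autostart loads a DLL from the Windows root; system DLLs live in system32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reasons = check_bho(m)
        else:
            m = O4_RE.match(line)
            reasons = check_run(m) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The exact log lines to tick in HijackThis before 'Fix Checked'."""
    return [f.line for f in findings]


# O2/O4 lines copied from the HijackThis log in post #9.
SAMPLE_HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48145cb0-177c-4091-9208-ed85f2f31225} - C:\WINDOWS\system32\hypdcz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\yaaayx.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f.line)
        for why in f.reasons:
            print("    ->", why)
```

Note what the heuristics deliberately do not flag: Spybot's SDHelper.dll is also "(no name)" but lives under Program Files, and NVIDIA's NvMCTray.dll is loaded by rundll32 without a directory, which resolves through the normal DLL search path rather than the Windows root.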
#11 SlickNtz (New Member, Topic Starter, 7 posts)
New HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 2:22:40 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nonya\Desktop\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

There doesn't seem to be any malware-related issues at this time, but all my applications are loading extremely slowly now. In some cases I have to start the program, then disable it with the Task Manager, and then restart the program a second time to get it to launch. Once the program launches all is well, but just getting it to open is the biggest ordeal right now.

#12 RatHat (Ex Malware Expert, Expert, 7,829 posts)
Hey SlickNtz,

Your log is clean of malware, so that part is good!

Now, let's see if we can get your machine to run a bit faster. You already have ATF Cleaner, so please run that and make sure that you check Select All under select files to delete, then click Empty Selected. Run this twice, maybe three times, until it frees 0 bytes.

After this, let's run a defrag on your machine:
  • Go to Start, then Programs, then Accessories
  • Scroll down to System Tools and click Disk Defragmenter
  • In the Defrag program, click (C:) to highlight it, then click the Defragment button.
  • Allow that drive to defragment, then repeat for each drive on your system
After this, Reboot, and let me know how your programs are responding.

Regards,
RatHat

#13 SlickNtz (New Member, Topic Starter, 7 posts)
Most applications are still loading slowly.

After this reboot I noticed several items that used to load are no longer loading on the initial launch of Windows.

Neither AVG Anti-Spyware nor AVG Anti-Virus is loading.

AI Booster, an overclocking program for my PC is no longer loading.

There are a couple of others as well, but they don't concern me that much.

I have gone into the AVG programs and tried to get them to come up on startup, but the control panel is no longer accessible for either program. I can run manual scans with them, but I cannot make any changes to the function of the program since the control panel is no longer available to me.

I believe I have read somewhere else on the board that another user had an issue with this and was able to correct the problem through the Windows services, but I have not figured out how to do this.

As far as the AI Booster program goes, it appears I will need to reinstall it, as the main EXE file was infected somewhere through this ordeal and has been deleted.

Last but not least, do you have any idea what my PC was infected with? It seems like it had a couple of things, SmitFraud as well as a Trojan loader, but I couldn't ever find out exactly what it was. Any info is greatly appreciated.

#14 RatHat (Ex Malware Expert, Expert, 7,829 posts)
Hey SlickNtz,

OK! Well done, your log is clean again! Now, as you no longer have any malware problems, could I please ask you to address the software problems in this forum, where experts in that field will be able to help you.

Before we go, though, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


First of all, let's reset and re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected, but that's good news.)

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason, and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. You can run all of these at the same time without any problem or conflicts, so get a couple of the following at least.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
  • ZoneLabs Zone Alarm Free Version personal firewall
  • Kerio will still work after the thirty day trial period.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


On to personal Anti Virus programs. One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are, however, a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, all the best, and stay safe!

Best regards,
RatHat