Cobalt Blue Asks for Help removing Virtumonde and Smitfraud - C, Please

Status
Not open for further replies.
C

Cobalt Blue

New member
Hi, Support,

Need your help Please. I have a personal machine that was hit with virtumonde. Spybot could not completely remove it and it now has also been hit with Smitfraud-C.

I initially posted for help and Windows IE was erroring out so I could not run Kaspersky Online Scanner to completion. System is running VERY slowly at best. I was able to load the non-IE version completed a session with a lot of bad things removed, see below report. The HJT log is in the next post as it is to large for one posting.

Any help would be greatly appreciated. I know my system was very much out of date and probably opened up for this attack. BR, ...Cobalt Blue :sick:

KAV report 1.txt 11/24/07 for Cobalt Blue
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\00211555.exe.bac_a09840//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\00211556.exe.bac_a09840//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\isamini.exe.bac_a09252//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\isamntr.exe.bac_a09252//CryptFF.b
deleted: Trojan program Trojan.Win32.Agent.qt File: C:\Documents and Settings\Administrator\Local Settings\Temp\mst10.tmp//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Dropper.Win32.Agent.chq File: C:\Documents and Settings\Administrator\Local Settings\Temp\silverstar.exe
deleted: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\07LFMAJX\jvmsecman[1].jar/vlocal.class
deleted: Trojan program Trojan-Downloader.Win32.Agent.emo File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\07LFMAJX\tsitra[1].exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CHER8LQV\mrofinu[1].zip/mrofinu.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Tiny.zh File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\good[1].php//Packman//#//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.Dialer.qn File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\image1[1].gif//PE_Patch.PECompact//PecBundle//PECompact
deleted: malware not-virus:Hoax.Win32.Renos.hx File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\image20[1].gif
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\startseitelsls[1].gif//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GH6JO9QR\17PHolmes[1].cmt//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ejm File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HL1JYEZE\image27[1].gif//UPX
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LMW6B1P4\hlpsrv[1].exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LMW6B1P4\hlpsrv[2].exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LMW6B1P4\image30[1].gif//PE_Patch.PECompact//PecBundle//PECompact
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\CPU-10~2.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\AIRNET\MORROW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\AIRNET\OPTIONS.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\AIRNET\RESTOCK.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\LITTONDS\BD963062.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\MOTOROLA\20VT_ENV.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\MOTOROLA\SBUSPID.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\SCI\BD963060.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Human Resources\96TRAIN.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\MEETINGS\AREA0796.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\BDOLAN\NUTD.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\DAVE\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\Henry Chun\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\JoAnne Rosandich\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\Kirk Davis\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\Tom Yenny\EMPPREP.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\TOM.G\96REVIEW.DOC
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Program Files\269850484.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: adware not-a-virus:AdWare.Win32.TTC.a File: C:\Program Files\TTC.dll
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ejm File: C:\Program Files\fafaxolq\vqfsbyby.dll
deleted: malware HackTool.Win32.Clearlog.c File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\728E025A.exe//CryptFF
deleted: adware not-a-virus:AdWare.Win32.PurityScan.fk File: C:\Program Files\Outerinfo\OiUninstaller.exe//data0002//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.ZenoSearch.ad File: C:\Program Files\Outerinfo\FF\components\FF.dll
deleted: Trojan program Trojan-Downloader.Win32.Small.gkh File: C:\RECYCLER\NPROTECT\00398320.DLL
deleted: Trojan program Trojan-Downloader.Win32.Small.buy File: C:\RECYCLER\NPROTECT\00399549.EXE//UPX
deleted: Trojan program Trojan.Win32.Pakes.akr File: C:\RECYCLER\NPROTECT\00399735.dll
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\WINNT\17PHolmes572.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\WINNT\mrofinu.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\apcjqxhf.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art File: C:\WINNT\system32\cbxxuuv.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art File: C:\WINNT\system32\ddcdcca.dll
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gl File: C:\WINNT\system32\doo.dll//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Tiny.id File: C:\WINNT\system32\iikgwfax.exe
deleted: Trojan program Trojan-Downloader.Win32.Small.gkh File: C:\WINNT\system32\ldcore.dll_tobedeleted_old
deleted: Trojan program Trojan.Win32.Obfuscated.kp File: C:\WINNT\system32\nwjrxfxm.exe
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\sdjwgsed.exe
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\spvobywk.exe
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\sxpndykx.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.app File: C:\WINNT\system32\tuvutsq.dll
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\tvcvqdop.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art File: C:\WINNT\system32\urqqrpn.dll
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\yjyfnocr.exe
deleted: adware not-a-virus:AdWare.Win32.TTC.a File: C:\WINNT\system32\e2\caws83122.exe//data0002
deleted: Trojan program Trojan-Downloader.Win32.Small.gks File: C:\WINNT\system32\x22\c124wvr.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\WINNT\Temp\win7C.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact



Logfile of Trend Micro HijackThis v2.0.2 to follow with next post(to long for one post)
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:18 PM, on 11/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Internet Security\isamntr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - C:\WINNT\system32\onwtj.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 14164 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have a bit of a mess here and I am not even sure how bad it is yet. You are probably right about the infections. You have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.

1) This junk will download more, you need to stay offline except when you are troubleshooting until you are clean.

2) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\Program Files\Norton SystemWorks\Norton AntiVirus\
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\
(uninstall one of those)

3) The Kaspersky scan we request is from the online scanner, please do not scan and post again until I request it and give you detailed instructions.

4) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Restart the computer and post the C:\rapport.txt and a new HJT log running one antivirus program.

Thanks
 
Dear PSKELLEY,

Thanks for your help. Below are my replies:
1) Stay off line - Yes I will.
2) Running 2 virus programs -
2 are loaded in memory at the moment. Norton has not been running since 2004, is part of "System Works" and I can not remove it. I loaned Kaspersky 30 day trial after I killed the other program that did not prevent the infection (name omitted). I can remove Kaspersky 7.0 if you wish, but then I have no protection. Please advise your wishes.

3) Online scanner - I could not get the online scanner to run as directed because Internet Explorer keeps crashing after it opens. So, I loaded the full Kaspersky and it removed a lot of bad things (40?). IE still crashes though...

4) Loaded and ran SmitfraudFix.exe - scan attached.

Thank you for your help to restore my system!!
Sincerely, Cobalt Blue :sick:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:35 PM, on 12/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Internet Security\isamntr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - C:\WINNT\system32\onwtj.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 14386 bytes

Next post for SmitfraudFix file. ;)
 
SmitFraudFix v2.257

Scan done at 17:23:00.45, Mon 12/03/2007
Run from C:\temp\Virus Nov 07\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\WISPTIS.EXE
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"

[HKEY_CLASSES_ROOT\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 192.168.0.1

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 63.240.76.198
DNS Server Search Order: 204.127.199.8

Description: Bluetooth PAN Driver
DNS Server Search Order: 192.168.0.1

Description: Ralink Technology Inc.
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

...Cobalt Blue :sick:
 
Thanks for returning your information and the feedback. You said:
2 are loaded in memory at the moment. Norton has not been running since 2004, is part of "System Works" and I can not remove it. I loaned Kaspersky 30 day trial after I killed the other program that did not prevent the infection (name omitted). I can remove Kaspersky 7.0 if you wish, but then I have no protection. Please advise your wishes.
Click to expand...
Did you read the information I posted from Symantec, Microsoft and others? I don't know what you are saying about System Works, does it do more than antivirus protection? If that is the case, why did you install Kapspersky to start with.
What we need to do is have one antivirus program, one firewall and at least one good spyware program that runs in real time. For starters you need to addess the issues of having two antivirus programs running at the same time.
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe G
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I can not make your decisions for you, but if you want my help, you need to decide how you are going to run one antivirus program and one firewall for starters. I should not even be looking at this after I posted instructions to uninstall one. Please decide what you are going to do and do it before you post another HJT log so I know as I troubleshoot, this problem does not exist.
___________________________________________________

http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Thanks
 
pskelley said:
Thanks for returning your information and the feedback. You said:
Did you read the information I posted from Symantec, Microsoft and others? I don't know what you are saying about System Works, does it do more than antivirus protection? If that is the case, why did you install Kapspersky to start with.

Yes, I read the articles and am trying to comply (and think I have). I bought and installed Norton System Works years ago which contains multiple Norton products (including Antivirus) all in one package. Since 2003 the Norton products that run are Norton Ghost, Norton Password Manager, Norton Cleanup, but have selected Norton Antivirus to be "OFF" for several years. Norton System Work's Main screen shows the last scan from Norton Antivirus to be in 2003. It is not "running" in the system and I have not had the problems your articles describe.

I turned it off before I installed the Antivirus from my network provider in 2003, but that did not prevent this problem. So, I uninstall that Antivirus (and it's gone) and installed the Kaspersky 7.0.

Norton Antivirus may be loaded in memory according to the printouts, but it is not running according to anything I see. The definition files are also dated 2003. Only Kaspersky 7.0 is "running" that I can tell.

Again, I cannot find a way to uninstall only the Norton Antivirus piece without taking out all the rest of Norton which I'm reluctant to do unless I have to. Even then, the uninstall SW function is also not working correctly.

Does this help explain my situation? I want and desparatly need your help. If you feel we have to, can you help me delete the Norton Antivirus if you believe it to be running?

Thanks for your help, Cobalt Blue.
Click to expand...
 
SmitFraudFix v2.257

Scan done at 0:08:05.62, Tue 12/04/2007
Run from C:\temp\Virus Nov 07\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"

[HKEY_CLASSES_ROOT\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Thanks for taking the time to assure me you are aware of the issues that can be caused when antivirus programs conflict. I will say here that Kaspersky is one of the very best but if it is only a trial and you need free antivirus protection, here are three that are available.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

It looks like Smitfraudfix remove the infection it is for, now I need the HJT log I requested so I can see what, if anything, is left.
Post the C:\rapport.txt and a new HJT log.
Click to expand...

Thanks
 
Thank you. Will get through to the end of the cleaning and either buy Kaspersky or use one of the free ones you referenced. Here is the latest HJT log. Thanks for everything. ...Cobalt Blue

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:16 PM, on 12/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13102 bytes
 
Thanks for returning you information and the feedback, we have a way to go yet.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks
 
Here we go!

VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 9:03:36 PM 12/5/2007

Listing files found while scanning....

C:\WINNT\system32\urqnkih.dll

Beginning removal...

Performing Repairs to the registry.
Done!
-----------------

Had trouble getting ComboFix to run to completion. Took 3 attempts but it finally got there without halting.

ComboFix 07-12-02.7 - Administrator 2007-12-06 17:48:19.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.86 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\t\
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\My Documents\PPPATC~1
C:\Documents and Settings\Administrator\My Documents\PPPATC~1\c?rss.exe
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1\s?stem32\
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1\tracert.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\tn3
C:\WINNT\system32\a13
C:\WINNT\system32\e2
C:\WINNT\system32\fibagbia
C:\WINNT\system32\fibagbia\bg1.gif
C:\WINNT\system32\fibagbia\bgtop.gif
C:\WINNT\system32\fibagbia\bottom1.gif
C:\WINNT\system32\fibagbia\essentials.gif
C:\WINNT\system32\fibagbia\fibagbia1.exe
C:\WINNT\system32\fibagbia\fibagbia2.exe
C:\WINNT\system32\fibagbia\fibagbia3.exe
C:\WINNT\system32\fibagbia\icon1.ico
C:\WINNT\system32\fibagbia\install1.gif
C:\WINNT\system32\fibagbia\left1.gif
C:\WINNT\system32\fibagbia\li.gif
C:\WINNT\system32\fibagbia\logo.gif
C:\WINNT\system32\fibagbia\main.htm
C:\WINNT\system32\fibagbia\mainframe.htm
C:\WINNT\system32\fibagbia\reinstall1.gif
C:\WINNT\system32\fibagbia\right1.gif
C:\WINNT\system32\fibagbia\s1.htm
C:\WINNT\system32\fibagbia\s2.htm
C:\WINNT\system32\fibagbia\s3.htm
C:\WINNT\system32\fibagbia\SMTop1.gif
C:\WINNT\system32\fibagbia\SMTop2.gif
C:\WINNT\system32\fibagbia\SMTop3.gif
C:\WINNT\system32\fibagbia\SMTop4.gif
C:\WINNT\system32\fibagbia\soft1_off.gif
C:\WINNT\system32\fibagbia\soft1_off_ext.gif
C:\WINNT\system32\fibagbia\soft1_on.gif
C:\WINNT\system32\fibagbia\soft1_on_ext.gif
C:\WINNT\system32\fibagbia\soft2_off.gif
C:\WINNT\system32\fibagbia\soft2_off_ext.gif
C:\WINNT\system32\fibagbia\soft2_on.gif
C:\WINNT\system32\fibagbia\soft2_on_ext.gif
C:\WINNT\system32\fibagbia\soft3_off.gif
C:\WINNT\system32\fibagbia\soft3_off_ext.gif
C:\WINNT\system32\fibagbia\soft3_on.gif
C:\WINNT\system32\fibagbia\soft3_on_ext.gif
C:\WINNT\system32\fibagbia\softbottom_off.gif
C:\WINNT\system32\fibagbia\softbottom_on.gif
C:\WINNT\system32\fibagbia\softleft_off.gif
C:\WINNT\system32\fibagbia\softleft_on.gif
C:\WINNT\system32\fibagbia\top1.gif
C:\WINNT\system32\fibagbia\top2.gif
C:\WINNT\system32\fibagbia\turnoff1.gif
C:\WINNT\system32\fibagbia\turnon1.gif
C:\WINNT\system32\i8
C:\WINNT\system32\i8\taldrvr11.exe
C:\WINNT\system32\ldinfo.ldr
C:\WINNT\system32\pac.txt
C:\WINNT\system32\wnsapiicom.exe
C:\WINNT\system32\x22
C:\WINNT\t\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE




((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 17:56 . 07-12-06 17:56 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3e0.dat
2007-12-05 21:03 . 07-12-05 21:03 <DIR> d-------- C:\VundoFix Backups
2007-12-04 11:24 . 07-12-05 20:23 644,956 ---h----- C:\WINNT\ShellIconCache
2007-12-03 17:23 . 07-12-04 00:08 3,962 --a------ C:\WINNT\system32\tmp.reg
2007-12-03 17:21 . 07-12-03 17:40 <DIR> d-------- C:\temp\Virus Nov 07
2007-12-03 15:14 . 07-12-03 15:14 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-01 19:39 . 07-12-01 19:39 <DIR> d-------- C:\WINNT\system32\Windows Media
2007-12-01 19:30 . 07-12-01 19:30 <DIR> d-------- C:\WINNT\msiinst.tmp
2007-12-01 19:30 . 07-12-01 19:31 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-12-01 19:09 . 07-12-01 19:09 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-12-01 18:20 . 07-12-01 18:20 957 --a------ C:\WINNT\setup.inf
2007-12-01 18:20 . 07-12-01 18:20 283 --a------ C:\WINNT\setup.rpt
2007-11-30 11:01 . 06-07-11 01:19 631,056 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
2007-11-30 10:53 . 06-11-02 11:31 1,011,774 --a------ C:\WINNT\system32\mfc42u.dll
2007-11-30 10:53 . 06-11-02 11:31 1,011,774 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
2007-11-30 10:46 . 05-01-12 13:40 239,888 --a------ C:\WINNT\system32\wow32.dll
2007-11-30 10:46 . 05-04-08 05:51 186,640 --a------ C:\WINNT\system32\WINLOGON.EXE
2007-11-30 10:46 . 05-01-12 13:39 167,184 --a------ C:\WINNT\system32\WINTRUST.DLL
2007-11-30 10:46 . 05-04-08 05:54 146,192 --a------ C:\WINNT\system32\WLDAP32.DLL
2007-11-30 10:46 . 05-04-08 05:54 146,192 -----c--- C:\WINNT\system32\dllcache\WLDAP32.DLL
2007-11-30 10:46 . 04-12-01 21:03 146,192 -----c--- C:\WINNT\system32\dllcache\wins.exe
2007-11-30 10:46 . 04-11-07 09:54 88,576 -----c--- C:\WINNT\system32\dllcache\write32.wpc
2007-11-30 10:46 . 05-04-08 05:54 57,104 --a------ C:\WINNT\system32\wlnotify.dll
2007-11-30 10:46 . 04-04-04 21:16 57,104 --a------ C:\WINNT\system32\w32tm.exe
2007-11-30 10:46 . 05-04-08 05:54 57,104 -----c--- C:\WINNT\system32\dllcache\wlnotify.dll
2007-11-30 10:45 . 05-04-08 05:54 399,120 --a------ C:\WINNT\system32\USERENV.DLL
2007-11-30 10:45 . 05-01-12 13:40 322,832 -----c--- C:\WINNT\system32\dllcache\untfs.dll
2007-11-30 10:45 . 05-04-08 05:54 48,400 --a------ C:\WINNT\system32\w32time.dll
2007-11-30 10:45 . 05-02-07 23:21 29,456 --a------ C:\WINNT\system32\VDMDBG.DLL
2007-11-30 10:44 . 05-04-08 04:34 973,072 --a------ C:\WINNT\system32\sfcfiles.dll
2007-11-30 10:44 . 04-11-09 00:24 770,710 -----c--- C:\WINNT\system32\dllcache\system.adm
2007-11-30 10:44 . 05-04-08 05:51 92,944 -----c--- C:\WINNT\system32\dllcache\services.exe
2007-11-30 10:44 . 05-07-14 06:24 74,384 -----c--- C:\WINNT\system32\dllcache\scsiport.sys
2007-11-30 10:44 . 04-12-02 07:07 63,280 -----c--- C:\WINNT\system32\dllcache\udfs.sys
2007-11-30 10:44 . 05-04-08 05:54 17,680 --a------ C:\WINNT\system32\seclogon.dll
2007-11-30 10:43 . 05-01-12 13:39 531,216 -----c--- C:\WINNT\system32\dllcache\rasdlg.dll
2007-11-30 10:43 . 05-01-12 13:39 261,904 --a------ C:\WINNT\system32\scesrv.dll
2007-11-30 10:43 . 05-04-08 05:54 200,464 -----c--- C:\WINNT\system32\dllcache\rasapi32.dll
2007-11-30 10:43 . 04-12-28 10:33 196,880 -----c--- C:\WINNT\system32\dllcache\osloader.exe
2007-11-30 10:43 . 05-04-08 05:54 117,520 --a------ C:\WINNT\system32\PSBASE.DLL
2007-11-30 10:43 . 05-01-12 13:39 114,448 --a------ C:\WINNT\system32\scecli.dll
2007-11-30 10:43 . 05-01-12 13:39 63,248 -----c--- C:\WINNT\system32\dllcache\rasscrpt.dll
2007-11-30 10:43 . 05-01-12 13:39 29,968 --a------ C:\WINNT\system32\profmap.dll
2007-11-30 10:43 . 05-01-12 13:39 29,968 -----c--- C:\WINNT\system32\dllcache\profmap.dll
2007-11-30 10:42 . 05-02-28 02:38 613,136 -----c--- C:\WINNT\system32\dllcache\nntp_nntpsvc.dll
2007-11-30 10:42 . 04-05-03 04:24 222,384 -----c--- C:\WINNT\system32\dllcache\nscm.exe
2007-11-30 10:42 . 05-03-01 22:54 143,872 -----c--- C:\WINNT\system32\dllcache\nsisapi.exe
2007-11-30 10:42 . 05-01-12 13:39 136,976 -----c--- C:\WINNT\system32\dllcache\nntp_nntpfs.dll
2007-11-30 10:42 . 05-02-22 06:25 69,392 --a------ C:\WINNT\system32\olecli32.dll
2007-11-30 10:42 . 05-03-01 04:32 31,808 -----c--- C:\WINNT\system32\dllcache\nspmon.exe
2007-11-30 10:42 . 04-05-03 03:24 16,784 -----c--- C:\WINNT\system32\dllcache\nsiislog.dll
2007-11-30 10:42 . 05-01-12 13:39 14,096 --a------ C:\WINNT\system32\ntvdmd.dll
2007-11-30 10:41 . 03-09-20 04:26 785,680 -----c--- C:\WINNT\system32\dllcache\netmon.exe
2007-11-30 10:41 . 05-01-12 13:39 549,136 --a------ C:\WINNT\system32\netcfgx.dll
2007-11-30 10:41 . 05-01-12 13:39 549,136 -----c--- C:\WINNT\system32\dllcache\netcfgx.dll
2007-11-30 10:41 . 05-04-08 05:54 366,864 --a------ C:\WINNT\system32\NETLOGON.DLL
2007-11-30 10:41 . 05-01-12 13:39 218,896 --a------ C:\WINNT\system32\mstask.dll
2007-11-30 10:41 . 04-09-07 09:59 122,128 --a------ C:\WINNT\system32\mstask.exe
2007-11-30 10:41 . 05-01-12 13:39 114,448 --a------ C:\WINNT\system32\newdev.dll
2007-11-30 10:41 . 02-08-11 12:27 44,032 -----c--- C:\WINNT\system32\dllcache\msxml3r.dll
2007-11-30 10:40 . 05-03-31 01:10 844,560 -----c--- C:\WINNT\system32\dllcache\msdxm.ocx
2007-11-30 10:40 . 05-01-12 13:39 438,544 -----c--- C:\WINNT\system32\dllcache\mqqm.dll
2007-11-30 10:40 . 05-01-12 13:39 400,656 -----c--- C:\WINNT\system32\dllcache\mqsnap.dll
2007-11-30 10:40 . 05-04-08 05:54 338,704 --a------ C:\WINNT\system32\MSGINA.DLL
2007-11-30 10:40 . 05-01-12 13:39 110,864 -----c--- C:\WINNT\system32\dllcache\mqutil.dll
2007-11-30 10:40 . 05-04-08 04:34 102,672 -----c--- C:\WINNT\system32\dllcache\mqrt.dll
2007-11-30 10:40 . 05-01-12 13:39 70,928 -----c--- C:\WINNT\system32\dllcache\mqsec.dll
2007-11-30 10:40 . 05-01-12 13:40 64,784 -----c--- C:\WINNT\system32\dllcache\msmq.cpl
2007-11-30 10:40 . 03-09-19 22:53 64,512 -----c--- C:\WINNT\system32\dllcache\msiexec.exe
2007-11-30 10:40 . 05-01-12 13:39 23,824 -----c--- C:\WINNT\system32\dllcache\mqupgrd.dll
2007-11-30 10:38 . 05-01-12 13:40 255,248 --a------ C:\WINNT\system32\h323.tsp
2007-11-30 10:38 . 05-01-12 13:39 247,056 -----c--- C:\WINNT\system32\dllcache\httpext.dll
2007-11-30 10:38 . 05-01-12 13:39 163,088 -----c--- C:\WINNT\system32\dllcache\h323msp.dll
2007-11-30 10:38 . 05-01-12 13:39 122,640 -----c--- C:\WINNT\system32\dllcache\iischema.dll
2007-11-30 10:38 . 04-08-11 16:42 67,344 -----c--- C:\WINNT\system32\dllcache\ipnat.sys
2007-11-30 10:38 . 05-02-22 02:42 57,104 -----c--- C:\WINNT\system32\dllcache\iisext.dll
2007-11-30 10:36 . 04-12-02 10:37 693,520 -----c--- C:\WINNT\system32\dllcache\clussvc.exe
2007-11-30 10:35 . 05-01-12 13:39 248,080 -----c--- C:\WINNT\system32\dllcache\adsiis.dll
2007-11-30 10:35 . 05-04-08 05:54 134,928 -----c--- C:\WINNT\system32\dllcache\adsldpc.dll
2007-11-30 10:35 . 05-04-08 05:54 134,928 --a------ C:\WINNT\system32\adsldpc.dll
2007-11-30 10:35 . 05-04-08 05:54 130,832 -----c--- C:\WINNT\system32\dllcache\adsldp.dll
2007-11-30 10:35 . 05-04-08 05:54 130,832 --a------ C:\WINNT\system32\adsldp.dll
2007-11-30 10:35 . 05-01-13 03:09 63,760 -----c--- C:\WINNT\system32\dllcache\adsmsext.dll
2007-11-30 10:35 . 05-01-13 03:09 63,760 --a------ C:\WINNT\system32\adsmsext.dll
2007-11-30 10:28 . 06-08-28 02:44 530,192 --a------ C:\WINNT\system32\comctl32.dll
2007-11-30 10:12 . 05-06-29 01:30 246,032 -----c--- C:\WINNT\system32\dllcache\icm32.dll
2007-11-30 10:09 . 07-04-23 00:22 939,280 --a------ C:\WINNT\system32\ntdsa.dll
2007-11-30 10:09 . 07-04-23 00:22 939,280 --a--c--- C:\WINNT\system32\dllcache\ntdsa.dll
2007-11-30 10:08 . 06-12-07 19:02 2,174,976 -----c--- C:\WINNT\system32\dllcache\wmvcore.dll
2007-11-30 10:05 . 07-03-06 05:17 381,200 --a------ C:\WINNT\system32\USER32.DLL
2007-11-30 10:05 . 07-03-06 05:17 381,200 --a--c--- C:\WINNT\system32\dllcache\USER32.DLL
2007-11-30 10:04 . 07-03-06 05:17 38,160 --a------ C:\WINNT\system32\mf3216.dll
2007-11-30 10:04 . 07-03-06 05:17 38,160 --a--c--- C:\WINNT\system32\dllcache\mf3216.dll
2007-11-30 09:58 . 05-08-16 02:35 100,112 --a------ C:\WINNT\system32\netman.dll
2007-11-30 09:58 . 05-08-16 02:35 100,112 -----c--- C:\WINNT\system32\dllcache\netman.dll
2007-11-30 09:51 . 07-03-05 09:52 1,735,808 --a--c--- C:\WINNT\system32\dllcache\NTKRPAMP.EXE
2007-11-30 09:51 . 07-03-05 09:51 1,714,496 --a--c--- C:\WINNT\system32\dllcache\NTKRNLMP.EXE
2007-11-30 09:51 . 04-12-02 07:07 89,328 -----c--- C:\WINNT\system32\dllcache\mup.sys
2007-11-28 13:11 . 05-04-21 08:16 38,912 -----c--- C:\WINNT\system32\dllcache\hhsetup.dll
2007-11-28 13:11 . 05-04-14 19:08 10,752 -----c--- C:\WINNT\system32\dllcache\hh.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 23:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-06 23:38 --------- d-----w C:\Program Files\Plaxo
2007-12-03 21:14 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 21:13 --------- d-----w C:\Program Files\Google
2007-11-24 17:06 --------- d-----w C:\Program Files\Webroot
2007-11-06 20:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-05 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2007-11-05 21:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FileOpen
2007-11-05 19:42 --------- d-----w C:\Program Files\CyberDefender
2007-11-05 18:59 --------- d-----w C:\Program Files\Trend Micro
2007-11-05 18:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdwareAlert
2007-11-05 18:33 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-15 14:28 --------- d-----w C:\Program Files\MSN Messenger
2007-09-30 21:56 1,664 ----a-w C:\Documents and Settings\Administrator\Application Data\ViewerApp.dat
2007-08-27 08:38 5,037,072 ----a-w C:\Documents and Settings\Denny Tower Shared Documents\spybotsd14.exe
2006-05-31 17:33 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-05-31 17:33 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-12-06 14:49 1,428,125 ----a-w C:\Documents and Settings\Denny Tower Shared Documents\VistaPrint Electronic Business Card.exe
2005-04-11 18:26 26,301 ----a-w C:\Program Files\Deploy.log
2005-01-17 07:07 271 ---h--w C:\Program Files\desktop.ini
2005-01-17 07:07 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@Thu 2007-12-06_ 3.21.53.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-06 08:58:54 4,092,960 --sha-w C:\WINNT\system32\drivers\fidbox.dat
+ 2007-12-06 23:53:52 4,092,960 --sha-w C:\WINNT\system32\drivers\fidbox.dat
- 2007-12-06 09:11:54 91,424 --sha-w C:\WINNT\system32\drivers\fidbox2.dat
+ 2007-12-06 23:57:23 104,480 --sha-w C:\WINNT\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07695667-6AAF-422F-B609-AD240BF4B536}]
C:\WINNT\system32\xxyvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
07-11-16 17:27 114688 --a------ C:\Program Files\Gtxxgoak\ocfkdnjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [99-12-07 06:00 C:\WINNT\system32\rundll32.exe]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [04-09-09 20:12 ]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [05-06-02 17:06 ]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" []
"CardScan AutoSync"="C:\Program Files\Corex\CardScan\System\csynccfg.exe" [03-12-01 01:44 ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 15:40 ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [06-11-16 12:42 ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [07-04-27 15:17 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="RUNDLL32.exe" [99-12-07 06:00 C:\WINNT\system32\rundll32.exe]
"nwiz"="nwiz.exe" [03-10-06 17:16 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [99-12-07 06:00 C:\WINNT\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-07-14 21:16 ]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtray.exe" [04-11-03 23:19 ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 18:59 ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05-05-01 13:50 ]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe" [02-11-22 13:49 ]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe" [03-09-19 22:23 ]
"NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe" [04-01-09 18:14 ]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [05-01-03 13:41 ]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [04-08-18 16:41 ]
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [04-04-19 09:19 ]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [06-07-14 14:36 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-12-03 15:12 ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [07-06-28 12:51 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [04-09-02 02:58 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
X10 Communications Link.lnk - C:\Program Files\X10 Home Control\X10BURST.EXE [2005-10-04 10:22:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56]
Bluetooth.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2005-05-31 13:29:16]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2004-08-10 20:25:22]
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2004-12-21 12:19:00]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-05-05 12:51:01]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-05-05 12:50:55]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-01-19 10:00:13]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9C0ADB68-353A-61DD-ED09-1D8003A61111}"= C:\WINNT\system32\kb1111p.dll [98-12-31 18:01 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnum32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvu]

continued in next post because of size limit.
 
Combofix continued...

R0 GBDevice;GBDevice;C:\WINNT\system32\drivers\GBDevice.sys
R0 GoBack2K;GoBack2K;C:\WINNT\system32\drivers\GoBack2K.sys
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R1 Asapi;Asapi;C:\WINNT\system32\drivers\Asapi.sys
R1 CorexCardScan;CardScan USB Scanner;C:\WINNT\system32\drivers\slcorex.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 GBFSHook;GBFSHook;C:\WINNT\system32\drivers\GBFSHook.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 PAR1284;PAR1284;\??\C:\WINNT\system32\Drivers\PAR1284.SYS
R2 PPNT;PPNT;\??\C:\WINNT\system32\Drivers\PPNT.SYS
R3 BT2KNDFL;Bluetooth LAN Access Server Driver - Filter;C:\WINNT\system32\DRIVERS\bt2kndfl.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINNT\system32\DRIVERS\klim5.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINNT\system32\Drivers\NPDRIVER.SYS
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 US30Kbd;US30Kbd;\??\C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Kbd2K.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINNT\system32\DRIVERS\rt2500usb.sys
S2 Nmpdrv_N;PogoProducts Nmpdrv_N USB Controller Service;C:\WINNT\system32\DRIVERS\Nmpdrv_N.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINNT\system32\DRIVERS\vnet58lx.sys
S3 InCDFat;Ahead InCDFat File System Driver;\??\C:\WINNT\system32\Drivers\InCDFat.sys
S3 SDdriver;SDdriver;\??\C:\WINNT\system32\Drivers\sddriver.sys
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINNT\system32\DRIVERS\netusb.sys
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 02:00:00 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer - Administrator.job"
- C:\PROGRA~1\NORTON~2\NORTON~3\Navw32.exeh/task:
"2007-12-06 08:00:00 C:\WINNT\Tasks\Quest Full Backup.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-12-06 06:00:00 C:\WINNT\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2007-11-25 15:18:02 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 17:57:13
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe?=C:\Program Files\Common Files?COMPUTERNAM

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 18:00:05 - machine was rebooted
.
--- E O F ---
-------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:29 PM, on 12/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 14347 bytes
 
Thanks for returning your information, read and follow the directions carefully.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Start > Control Panel > Add Remove programs and uninstall this if there: Gtxxgoak

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
(next two are resource waster related to Alexa toolbar, if you don't use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Gtxxgoak\ <<< delete that folder and contents

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log and some feedback.

Thanks
 
Thanks! Progress for sure but only partial success with these tasks this iteration. Feedback as follows:

Step 1.) make files visible (already were but repeated steps to confirm)

Step 2.) Download ATF - done

Step 3.) Remove Gtxxgoak - Unsuccessful as Add Remove Programs screed opens for a brief moment and closes.

Step 4.) Hijack and remove selected entries - done

Step 5.) Delete Gtxxgoak directory - Unsuccessful due to "Source file still in use" message as a result of step 3.

Step 6.) Run ATF - Done. Message was that "No files were removed"

Post HJT Log - to follow.

Thanks for your help! The system is much more deterministic now and not going off on it's own. Once booted it is running very slow, much slower than it was one or 2 iterations ago before some of the cleaning. Not sure why. Drive light used to be on all the time in the beginning and now is rarely on and just for an instant. Thanks again!! ...Cobalt Blue :sick:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:14 AM, on 12/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13664 bytes
 
Thanks for the feedback, I use ATF-Cleaner all of the time and on almost all repairs. Unless you just ran something like CleanManger or CCleaner or another tool, it is very unlikely ATF-Cleaner would find nothing to remove. If this is the case, you may want to look at the instructions again.

Your HJT log is clean:bigthumb: I would like to look at a alternate scan to your resident Kaspersky and you may need to turn it off to run the scan. Before you scan, please remove all tools from your computer we used (the exception is ATF-Cleaner, you may keep that small program if you wish) be sure to delete the C:\qoobox\quarantine\ folder and the C:\Vundofix Backups\ then follow these directions.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
 
System not running that well. Results:

1.) ATF-Cleaner - Yes, I had run the Norton cleaner earlier as we started. I was making space for the programs we were going to use. I reread the directions, I find nothing out of the ordinary.

2.) HJT clean - Great!! What about the other programs and contents of the Gtxxgoak that I could not delete before? Do we still need to get rid of those? I did delete the other programs and folders you suggested.

3.) Unable to run IE to get Kaspersky scanner to run at all as it crashes in about 4 seconds. So I tried using Windows Explorer and was successful loading the scanner and starting the scan with your paramaters. That crashed after about 5 hours with about 10% of "My Computer" scanned. Found 2 viruses in e-mail I think. Now, I can't get that to run either. Both IE and WE crash quickly.

What next? Thanks in advance !! ...Cobalt Blue
 
Sounds like you have Operating System problems that I will not be able to help with. Are you receiving any error messages when you have these problems? "crash" is such a generic work, means nothing to me. Could you mention how old this system is.

I am interested in how much RAM you have installed on this computer. Right click MyComputer, then click on Properties. RAM total will be in the bottom right.
Now Doubleclick MyComputer and right click Local Disk (C:)
then Properties. Tell me how much Free Space you have.

Another suggestion is a free diagnostic here: http://www.pcpitstop.com/pcpitstop/
Your questions will be answered here: http://pcpitstop.invisionzone.com/index.php?showforum=6
I would be glad to look at the Test Results if you post a link.

You might want to try a repair install of your Operating System.
http://www.google.com/search?hl=en&q=Windows+2000+repair+install&btnG=Search

Thanks
 
Thanks for the advice, first things first are answers to your questions about the system itself.

System is about 3 years old, 392M Ram, AMD 3Gig processor speed. 5.08Gig disk space now available on C:

I will take a look at the suggestions for diagnostics and OS repair that you posted. I will run those and will post results tomorrow if I can get them.

What about that Gtxxgoak ??

Thanks again, have a great weekend. ...Cobalt Blue :cleaning:
 
Sorry, forgot something. When Explorer "Crashes" there is no error message or indication other than the screen closes abruptly and the task is gone completely.

The system is operating at less than 1/3 speed from earlier. Takes about 10 minutes to boot instead of 3 as well. This was not the case before the last set of deletes, it was much faster, but not as fast as before the virus. Before with viruses the disk light was on all the time, now it is not.

Thanks again, I'm trying to figure out how to get the analysis tool loaded on my second system (running XP) so I can USB it over to my other system not able to run Explorer.

...Cobalt Blue :D:
 
Status
Not open for further replies.
Back
Top