
Cobalt Blue Asks for Help removing Virtumonde and Smitfraud-C, Please



Cobalt Blue
2007-11-25, 03:19
Hi, Support,

Need your help, please. I have a personal machine that was hit with Virtumonde. Spybot could not completely remove it, and it has now also been hit with Smitfraud-C.

I initially posted for help, and Windows IE was erroring out, so I could not run Kaspersky Online Scanner to completion. The system is running VERY slowly at best. I was able to load the non-IE version and completed a session with a lot of bad things removed; see the report below. The HJT log is in the next post, as it is too large for one posting.

Any help would be greatly appreciated. I know my system was very much out of date and probably opened up for this attack. BR, ...Cobalt Blue :sick:

KAV report 1.txt 11/24/07 for Cobalt Blue
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\00211555.exe.bac_a09840//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\00211556.exe.bac_a09840//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\isamini.exe.bac_a09252//CryptFF.b
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bpn File: C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\isamntr.exe.bac_a09252//CryptFF.b
deleted: Trojan program Trojan.Win32.Agent.qt File: C:\Documents and Settings\Administrator\Local Settings\Temp\mst10.tmp//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Dropper.Win32.Agent.chq File: C:\Documents and Settings\Administrator\Local Settings\Temp\silverstar.exe
deleted: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\07LFMAJX\jvmsecman[1].jar/vlocal.class
deleted: Trojan program Trojan-Downloader.Win32.Agent.emo File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\07LFMAJX\tsitra[1].exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CHER8LQV\mrofinu[1].zip/mrofinu.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Tiny.zh File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\good[1].php//Packman//#//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.Dialer.qn File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\image1[1].gif//PE_Patch.PECompact//PecBundle//PECompact
deleted: malware not-virus:Hoax.Win32.Renos.hx File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\image20[1].gif
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DNPFXUJ5\startseitelsls[1].gif//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GH6JO9QR\17PHolmes[1].cmt//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ejm File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HL1JYEZE\image27[1].gif//UPX
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LMW6B1P4\hlpsrv[1].exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LMW6B1P4\hlpsrv[2].exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LMW6B1P4\image30[1].gif//PE_Patch.PECompact//PecBundle//PECompact
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\CPU-10~2.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\AIRNET\MORROW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\AIRNET\OPTIONS.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\AIRNET\RESTOCK.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\LITTONDS\BD963062.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\MOTOROLA\20VT_ENV.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\MOTOROLA\SBUSPID.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Customers\SCI\BD963060.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\Human Resources\96TRAIN.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\MEETINGS\AREA0796.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\BDOLAN\NUTD.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\DAVE\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\Henry Chun\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\JoAnne Rosandich\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\Kirk Davis\96REVIEW.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\Tom Yenny\EMPPREP.DOC
disinfected: virus Virus.MSWord.Concept File: C:\Force Backups\My Documents 12 18 04\My Documents\STAFF\TOM.G\96REVIEW.DOC
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Program Files\269850484.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: adware not-a-virus:AdWare.Win32.TTC.a File: C:\Program Files\TTC.dll
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ejm File: C:\Program Files\fafaxolq\vqfsbyby.dll
deleted: malware HackTool.Win32.Clearlog.c File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\728E025A.exe//CryptFF
deleted: adware not-a-virus:AdWare.Win32.PurityScan.fk File: C:\Program Files\Outerinfo\OiUninstaller.exe//data0002//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.ZenoSearch.ad File: C:\Program Files\Outerinfo\FF\components\FF.dll
deleted: Trojan program Trojan-Downloader.Win32.Small.gkh File: C:\RECYCLER\NPROTECT\00398320.DLL
deleted: Trojan program Trojan-Downloader.Win32.Small.buy File: C:\RECYCLER\NPROTECT\00399549.EXE//UPX
deleted: Trojan program Trojan.Win32.Pakes.akr File: C:\RECYCLER\NPROTECT\00399735.dll
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\WINNT\17PHolmes572.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\WINNT\mrofinu.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\apcjqxhf.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art File: C:\WINNT\system32\cbxxuuv.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art File: C:\WINNT\system32\ddcdcca.dll
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gl File: C:\WINNT\system32\doo.dll//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan-Downloader.Win32.Tiny.id File: C:\WINNT\system32\iikgwfax.exe
deleted: Trojan program Trojan-Downloader.Win32.Small.gkh File: C:\WINNT\system32\ldcore.dll_tobedeleted_old
deleted: Trojan program Trojan.Win32.Obfuscated.kp File: C:\WINNT\system32\nwjrxfxm.exe
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\sdjwgsed.exe
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\spvobywk.exe
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\sxpndykx.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.app File: C:\WINNT\system32\tuvutsq.dll
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\tvcvqdop.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art File: C:\WINNT\system32\urqqrpn.dll
deleted: Trojan program Trojan.Win32.Agent.bck File: C:\WINNT\system32\yjyfnocr.exe
deleted: adware not-a-virus:AdWare.Win32.TTC.a File: C:\WINNT\system32\e2\caws83122.exe//data0002
deleted: Trojan program Trojan-Downloader.Win32.Small.gks File: C:\WINNT\system32\x22\c124wvr.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\WINNT\Temp\win7C.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact



Logfile of Trend Micro HijackThis v2.0.2 to follow in the next post (too long for one post)

Cobalt Blue
2007-11-25, 03:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:18 PM, on 11/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Internet Security\isamntr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - C:\WINNT\system32\onwtj.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 14164 bytes

pskelley
2007-12-02, 14:13
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have a bit of a mess here and I am not even sure how bad it is yet. You are probably right about the infections. You have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.

1) This junk will download more; you need to stay offline except when you are troubleshooting until you are clean.

2) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\Program Files\Norton SystemWorks\Norton AntiVirus\
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\
(uninstall one of those)

3) The Kaspersky scan we request is from the online scanner, please do not scan and post again until I request it and give you detailed instructions.

4) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Restart the computer and post the C:\rapport.txt and a new HJT log running one antivirus program.

Thanks
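
The triage that a helper performs by eye on a HijackThis log (orphaned "(file missing)" registrations, BHOs with no display name, Winlogon Notify entries with no DLL behind them, autostarts under Policies\Explorer\Run) can be written down as a small rule set. The script below is an added example, not a tool from this forum, from Safer Networking or from HijackThis; its sample lines are copied from the logs in this thread, the allowlist of well-known "(no name)" BHOs (Spybot's SDHelper.dll) is an assumption you should extend for your own environment, and the rules are heuristics that point a reviewer at lines worth checking, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example: flags the patterns a malware-removal helper looks for first.
Constructed sample input below is modelled on the logs posted in the thread.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of HJT lines taken from the thread's logs.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Internet Security\isamntr.exe
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - C:\WINNT\system32\onwtj.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Assumption: BHOs that legitimately register without a display name.
KNOWN_NONAME_OK = {"sdhelper.dll"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _path_of(body: str) -> str:
    """Return the trailing path field of an HJT line, without the marker."""
    tail = body.rsplit(" - ", 1)[-1]
    return tail.replace("(file missing)", "").strip().strip('"')


def triage_line(line: str):
    """Apply the per-section rules to one log line; None when nothing fires."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = "(file missing)" in body
    if sec == "O2":  # Browser Helper Objects
        name = _path_of(body).rsplit("\\", 1)[-1].lower()
        if missing:
            return Finding(sec, "orphaned BHO registration (file missing)", line)
        if "(no name)" in body and name not in KNOWN_NONAME_OK:
            return Finding(sec, "BHO without a display name outside the allowlist", line)
    elif sec == "O4":  # autostart entries
        if "Policies\\Explorer\\Run" in body:
            return Finding(sec, "autostart under Policies\\Explorer\\Run: rarely legitimate", line)
    elif sec == "O20":  # Winlogon Notify packages
        if not _path_of(body).lower().endswith(".dll"):
            return Finding(sec, "Winlogon Notify entry with no DLL path behind it", line)
    elif sec == "O22" and missing:  # SharedTaskScheduler
        return Finding(sec, "SharedTaskScheduler entry pointing at a missing file", line)
    return None


def triage(log: str) -> list:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


def summarize(findings: list) -> dict:
    """Count findings per HJT section, e.g. {'O2': 2, 'O4': 1}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
    print("summary:", summarize(triage(text)))
```

Run it with a saved HJT log as the argument, or with no argument to triage the constructed sample. Note what the rules deliberately do not do: they do not judge a file by how random its name looks, because a flagged line still needs a human to confirm the file on disk; the SDHelper.dll allowlist shows how to keep a known-good "(no name)" entry from generating noise.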

Cobalt Blue
2007-12-04, 02:05
Dear PSKELLEY,

Thanks for your help. Below are my replies:
1) Stay off line - Yes I will.
2) Running 2 virus programs -
2 are loaded in memory at the moment. Norton has not been running since 2004, is part of "System Works" and I cannot remove it. I loaded the Kaspersky 30-day trial after I killed the other program that did not prevent the infection (name omitted). I can remove Kaspersky 7.0 if you wish, but then I have no protection. Please advise your wishes.

3) Online scanner - I could not get the online scanner to run as directed because Internet Explorer keeps crashing after it opens. So, I loaded the full Kaspersky and it removed a lot of bad things (40?). IE still crashes though...

4) Loaded and ran SmitfraudFix.exe - scan attached.

Thank you for your help to restore my system!!
Sincerely, Cobalt Blue :sick:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:35 PM, on 12/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Internet Security\isamntr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - C:\WINNT\system32\onwtj.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 14386 bytes

Next post for SmitfraudFix file. ;)

Cobalt Blue
2007-12-04, 02:06
SmitFraudFix v2.257

Scan done at 17:23:00.45, Mon 12/03/2007
Run from C:\temp\Virus Nov 07\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\WISPTIS.EXE
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"

[HKEY_CLASSES_ROOT\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 192.168.0.1

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 63.240.76.198
DNS Server Search Order: 204.127.199.8

Description: Bluetooth PAN Driver
DNS Server Search Order: 192.168.0.1

Description: Ralink Technology Inc.
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

...Cobalt Blue :sick:

pskelley
2007-12-04, 02:34
Thanks for returning your information and the feedback. You said:

2 are loaded in memory at the moment. Norton has not been running since 2004, is part of "System Works" and I can not remove it. I loaded Kaspersky 30 day trial after I killed the other program that did not prevent the infection (name omitted). I can remove Kaspersky 7.0 if you wish, but then I have no protection. Please advise your wishes.

Did you read the information I posted from Symantec, Microsoft and others? I don't know what you are saying about System Works, does it do more than antivirus protection? If that is the case, why did you install Kaspersky to start with?
What we need to do is have one antivirus program, one firewall and at least one good spyware program that runs in real time. For starters you need to address the issue of having two antivirus programs running at the same time.
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I can not make your decisions for you, but if you want my help, you need to decide how you are going to run one antivirus program and one firewall for starters. I should not even be looking at this after I posted instructions to uninstall one. Please decide what you are going to do and do it before you post another HJT log so I know as I troubleshoot, this problem does not exist.
___________________________________________________

http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Thanks

Cobalt Blue
2007-12-04, 05:05
Quote (pskelley):
Thanks for returning your information and the feedback. You said:
Did you read the information I posted from Symantec, Microsoft and others? I don't know what you are saying about System Works, does it do more than antivirus protection? If that is the case, why did you install Kaspersky to start with?

Yes, I read the articles and am trying to comply (and think I have). I bought and installed Norton System Works years ago which contains multiple Norton products (including Antivirus) all in one package. Since 2003 the Norton products that run are Norton Ghost, Norton Password Manager, Norton Cleanup, but have selected Norton Antivirus to be "OFF" for several years. Norton System Work's Main screen shows the last scan from Norton Antivirus to be in 2003. It is not "running" in the system and I have not had the problems your articles describe.

I turned it off before I installed the Antivirus from my network provider in 2003, but that did not prevent this problem. So I uninstalled that Antivirus (and it's gone) and installed Kaspersky 7.0.

Norton Antivirus may be loaded in memory according to the printouts, but it is not running according to anything I see. The definition files are also dated 2003. Only Kaspersky 7.0 is "running" that I can tell.

Again, I cannot find a way to uninstall only the Norton Antivirus piece without taking out all the rest of Norton, which I'm reluctant to do unless I have to. Even then, the uninstall SW function is also not working correctly.

Does this help explain my situation? I want and desperately need your help. If you feel we have to, can you help me delete the Norton Antivirus if you believe it to be running?

Thanks for your help, Cobalt Blue.

Cobalt Blue
2007-12-04, 08:22
SmitFraudFix v2.257

Scan done at 0:08:05.62, Tue 12/04/2007
Run from C:\temp\Virus Nov 07\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"

[HKEY_CLASSES_ROOT\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}\InProcServer32]
@="C:\WINNT\system32\onwtj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3B2987C6-1193-42BF-8998-02F24EB524C5}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9BF0C91C-3DD4-43BF-A609-0A844FFAB5C0}: DhcpNameServer=63.240.76.198 204.127.199.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A48A1713-BE32-4F12-8FD9-27D2F6367984}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D67E5E42-5175-4752-8954-8015EA99A345}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DEC3C174-5F43-4C63-A378-57A424049B4C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-12-04, 14:05
Thanks for taking the time to assure me you are aware of the issues that can be caused when antivirus programs conflict. I will say here that Kaspersky is one of the very best but if it is only a trial and you need free antivirus protection, here are three that are available.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

It looks like SmitfraudFix removed the infection it is for. Now I need the HJT log I requested so I can see what, if anything, is left.

Post the C:\rapport.txt and a new HJT log.

Thanks
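The two things pskelley asks for in this post and in the 2007-12-04 02:34 post above, settle on one real-time antivirus and look at what the next HJT log still shows, can be checked mechanically. The script below is an added example, not code from this thread, from HijackThis or from SmitfraudFix. Its sample lines are copied from the HJT log posted earlier in the thread; the consonant-run test for random DLL names, the allowlist for Spybot's own nameless SDHelper BHO, and the two-entry table mapping service binaries to antivirus products are this example's own assumptions, not anything HijackThis provides.

```python
"""Triage a HijackThis log for the leftovers discussed in this thread.

Added example, not code from the thread, from HijackThis or from SmitfraudFix.
Assumptions: the consonant-run heuristic for random DLL names, the Spybot
allowlist, and the small table of real-time antivirus service binaries.
"""
import os
import re

# Constructed sample: lines copied verbatim from the HJT log posted above,
# with legitimate neighbours kept so the rules have to discriminate.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Internet Security\isamntr.exe
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O22 - SharedTaskScheduler: chitosan - {ceca6f2b-247b-4ece-9b7a-d0135c8036fc} - C:\WINNT\system32\onwtj.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

CONSONANT_RUN = re.compile(r'[b-df-hj-np-tv-z]{4,}', re.IGNORECASE)
ALLOWLIST = ('SPYBOT',)  # assumption: Spybot's nameless SDHelper BHO is benign
REALTIME_AV = {'avp.exe': 'Kaspersky', 'navapsvc.exe': 'Norton AntiVirus'}  # assumption


def target_path(line):
    """Last ' - ' separated field of an HJT line, minus the '(file missing)' tag."""
    tail = line.rsplit(' - ', 1)[-1]
    return tail.replace('(file missing)', '').strip()


def looks_random(path):
    """Vundo-style names (xxyvu, ocfkdnjh, onwtj) run four or more consonants
    together; vendor DLL names (AcroIEHelper, SDHelper) almost never do."""
    stem = os.path.basename(path.replace('\\', '/')).split('.')[0]
    return bool(CONSONANT_RUN.search(stem))


def triage(log_text):
    """Return (reason, line) pairs for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        section = line.split(' - ', 1)[0]
        if section in ('O2', 'O22'):            # BHOs and SharedTaskScheduler objects
            path = target_path(line)
            if any(tag in path.upper() for tag in ALLOWLIST):
                continue
            if '(file missing)' in line:
                findings.append(('COM object whose DLL is gone (stale or hidden)', line))
            elif '(no name)' in line and looks_random(path):
                findings.append(('nameless COM object with a random DLL name', line))
        elif section == 'O20':                  # Winlogon Notify packages
            path = target_path(line)
            if path.endswith('\\') or not path.lower().endswith('.dll'):
                findings.append(('Winlogon Notify package without a resolvable DLL', line))
        elif section == 'O4' and '\\Policies\\Explorer\\Run:' in line:
            findings.append(('policy-based autorun; rarely set legitimately', line))
    return findings


def realtime_av_products(log_text):
    """Distinct real-time antivirus products registered as services (O23 lines)."""
    found = set()
    for line in log_text.splitlines():
        if line.startswith('O23 - '):
            exe = os.path.basename(target_path(line).replace('\\', '/')).lower()
            if exe in REALTIME_AV:
                found.add(REALTIME_AV[exe])
    return found


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'[{reason}]\n    {line}')
    products = realtime_av_products(SAMPLE_LOG)
    if len(products) > 1:
        print('More than one real-time antivirus registered:', ', '.join(sorted(products)))
```

Run against the sample it flags the three "(file missing)" objects, the nameless BHO in the random-named Gtxxgoak folder, both Winlogon Notify entries that point at a bare C:\WINNT\ directory, and the Policies\Explorer\Run entry that labels an .exe as "user32.dll", while leaving Adobe's and Spybot's BHOs alone; it also reports that both Kaspersky and Norton AntiVirus are registered as services, which is the conflict pskelley asked to have resolved first. The "(file missing)" hits are the usual Virtumonde pattern where the DLL is hidden from the scanner or has already been deleted but its registration survives, so they still want removing with HJT after cleaning.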

Cobalt Blue
2007-12-05, 21:59
Thank you. Will get through to the end of the cleaning and either buy Kaspersky or use one of the free ones you referenced. Here is the latest HJT log. Thanks for everything. ...Cobalt Blue

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:16 PM, on 12/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13102 bytes
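
As an added example (editor's code, not from this thread, HijackThis, Spybot or any tool named here), a small Python triage script for HJT-format lines like the log above. It flags the Virtumonde/Vundo pattern a helper reads out of such a log: an O2 BHO listed as "(no name)" backed by a random-looking DLL, an O20 Winlogon Notify package whose "path" is a bare directory rather than a DLL, and the same short name (xxyvu above) appearing in both. The allowlist, the severity levels and the embedded sample (lines copied from the log above plus one benign O4 line) are the editor's assumptions; the script reads a saved log from stdin when one is piped in.

```python
"""Triage a HijackThis (HJT) log for Virtumonde/Vundo-style indicators.
Editor's example, not code from the thread or from any tool named in it."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Assumption: DLLs that HJT legitimately lists as "(no name)" BHOs.
# SDHelper.dll is Spybot-S&D's own helper and appears that way in the log.
NO_NAME_ALLOWLIST = {"sdhelper.dll"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(.*?): \[(.*)\] (.*)$")  # O4: "HKLM\..\Run: [name] command"


@dataclass
class Entry:
    section: str         # "O2", "O20", ...
    name: str            # display name; "(no name)" when HJT had none
    path: Optional[str]  # last " - " field (or the O4 command); None if unparsed
    missing: bool        # HJT appended "(file missing)"
    raw: str


@dataclass
class Finding:
    severity: str        # "high" | "medium" | "low"
    reason: str
    raw: str


def basename(path: str) -> str:
    return path.split("\\")[-1].lower()


def stem(path: str) -> str:
    return basename(path).rsplit(".", 1)[0]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for headers, blanks and free text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = "(file missing)" in body
    if section == "O4":
        r = RUN_RE.match(body)            # bracketed names may contain " - "
        name, path = (r.group(2), r.group(3)) if r else (body, None)
    else:
        parts = body.split(" - ")         # "Kind: name - {GUID} - path"
        name = parts[0].split(": ", 1)[-1]
        path = parts[-1].replace("(file missing)", "").strip() if len(parts) > 1 else None
    return Entry(section, name, path, missing, line.strip())


def triage(entries: List[Entry]) -> List[Finding]:
    notify_names = {e.name.lower() for e in entries if e.section == "O20"}
    bho_stems = {stem(e.path) for e in entries if e.section == "O2" and e.path}
    findings: List[Finding] = []
    for e in entries:
        flagged = False
        if (e.section == "O2" and e.path and e.name == "(no name)"
                and basename(e.path) not in NO_NAME_ALLOWLIST):
            # Pattern seen in the log above: the BHO DLL's name (xxyvu) is
            # also registered as a Winlogon Notify package.
            if stem(e.path) in notify_names:
                sev, why = "high", "unnamed BHO whose DLL name is also a Winlogon Notify package"
            else:
                sev, why = "medium", "unnamed BHO outside the allowlist"
            if e.missing:
                why += "; HJT could not open the file (registration still present)"
            findings.append(Finding(sev, why, e.raw))
            flagged = True
        elif e.section == "O20" and e.path and not basename(e.path).endswith(".dll"):
            # A notify package must name a DLL; a bare "C:\WINNT\" is not one.
            sev = "high" if e.name.lower() in bho_stems else "medium"
            findings.append(Finding(sev, "Winlogon Notify package with no resolvable DLL", e.raw))
            flagged = True
        if e.missing and not flagged:
            findings.append(Finding("low", "dangling reference to a file HJT could not find", e.raw))
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage([e for e in map(parse_entry, text.splitlines()) if e])


# Constructed sample: lines copied from the HJT log above, plus one benign
# O4 line to show that a bracketed name containing " - " parses intact.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINNT\system32\urqnkih.dll (file missing)
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
"""

if __name__ == "__main__":
    # A saved HJT log piped on stdin, otherwise the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage_log(text), key=lambda f: order[f.severity]):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.raw}")
```

Two caveats a practitioner should keep in mind. "(no name)" alone is not proof of anything, which is why the allowlist exists: Spybot's own SDHelper.dll is listed the same way in this very log. And "(file missing)" only means HJT could not open the file; further down this thread urqnkih.dll reads "(file missing)" in the HJT log yet VundoFix still found it in C:\WINNT\system32, so the entry has to be fixed either way rather than dismissed as a leftover.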

pskelley
2007-12-05, 22:26
Thanks for returning your information and the feedback; we have a way to go yet.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. VundoFix.txt will be in C:\

(wait until you finish to post reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the VundoFix.txt, the ComboFix log and a new HJT log.

Thanks

Cobalt Blue
2007-12-07, 03:02
Here we go!

VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 9:03:36 PM 12/5/2007

Listing files found while scanning....

C:\WINNT\system32\urqnkih.dll

Beginning removal...

Performing Repairs to the registry.
Done!
-----------------

Had trouble getting ComboFix to run to completion. Took 3 attempts but it finally got there without halting.

ComboFix 07-12-02.7 - Administrator 2007-12-06 17:48:19.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.86 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\t\
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\My Documents\PPPATC~1
C:\Documents and Settings\Administrator\My Documents\PPPATC~1\c?rss.exe
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1\s?stem32\
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1\tracert.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\tn3
C:\WINNT\system32\a13
C:\WINNT\system32\e2
C:\WINNT\system32\fibagbia
C:\WINNT\system32\fibagbia\bg1.gif
C:\WINNT\system32\fibagbia\bgtop.gif
C:\WINNT\system32\fibagbia\bottom1.gif
C:\WINNT\system32\fibagbia\essentials.gif
C:\WINNT\system32\fibagbia\fibagbia1.exe
C:\WINNT\system32\fibagbia\fibagbia2.exe
C:\WINNT\system32\fibagbia\fibagbia3.exe
C:\WINNT\system32\fibagbia\icon1.ico
C:\WINNT\system32\fibagbia\install1.gif
C:\WINNT\system32\fibagbia\left1.gif
C:\WINNT\system32\fibagbia\li.gif
C:\WINNT\system32\fibagbia\logo.gif
C:\WINNT\system32\fibagbia\main.htm
C:\WINNT\system32\fibagbia\mainframe.htm
C:\WINNT\system32\fibagbia\reinstall1.gif
C:\WINNT\system32\fibagbia\right1.gif
C:\WINNT\system32\fibagbia\s1.htm
C:\WINNT\system32\fibagbia\s2.htm
C:\WINNT\system32\fibagbia\s3.htm
C:\WINNT\system32\fibagbia\SMTop1.gif
C:\WINNT\system32\fibagbia\SMTop2.gif
C:\WINNT\system32\fibagbia\SMTop3.gif
C:\WINNT\system32\fibagbia\SMTop4.gif
C:\WINNT\system32\fibagbia\soft1_off.gif
C:\WINNT\system32\fibagbia\soft1_off_ext.gif
C:\WINNT\system32\fibagbia\soft1_on.gif
C:\WINNT\system32\fibagbia\soft1_on_ext.gif
C:\WINNT\system32\fibagbia\soft2_off.gif
C:\WINNT\system32\fibagbia\soft2_off_ext.gif
C:\WINNT\system32\fibagbia\soft2_on.gif
C:\WINNT\system32\fibagbia\soft2_on_ext.gif
C:\WINNT\system32\fibagbia\soft3_off.gif
C:\WINNT\system32\fibagbia\soft3_off_ext.gif
C:\WINNT\system32\fibagbia\soft3_on.gif
C:\WINNT\system32\fibagbia\soft3_on_ext.gif
C:\WINNT\system32\fibagbia\softbottom_off.gif
C:\WINNT\system32\fibagbia\softbottom_on.gif
C:\WINNT\system32\fibagbia\softleft_off.gif
C:\WINNT\system32\fibagbia\softleft_on.gif
C:\WINNT\system32\fibagbia\top1.gif
C:\WINNT\system32\fibagbia\top2.gif
C:\WINNT\system32\fibagbia\turnoff1.gif
C:\WINNT\system32\fibagbia\turnon1.gif
C:\WINNT\system32\i8
C:\WINNT\system32\i8\taldrvr11.exe
C:\WINNT\system32\ldinfo.ldr
C:\WINNT\system32\pac.txt
C:\WINNT\system32\wnsapiicom.exe
C:\WINNT\system32\x22
C:\WINNT\t\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE




((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 17:56 . 07-12-06 17:56 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3e0.dat
2007-12-05 21:03 . 07-12-05 21:03 <DIR> d-------- C:\VundoFix Backups
2007-12-04 11:24 . 07-12-05 20:23 644,956 ---h----- C:\WINNT\ShellIconCache
2007-12-03 17:23 . 07-12-04 00:08 3,962 --a------ C:\WINNT\system32\tmp.reg
2007-12-03 17:21 . 07-12-03 17:40 <DIR> d-------- C:\temp\Virus Nov 07
2007-12-03 15:14 . 07-12-03 15:14 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-01 19:39 . 07-12-01 19:39 <DIR> d-------- C:\WINNT\system32\Windows Media
2007-12-01 19:30 . 07-12-01 19:30 <DIR> d-------- C:\WINNT\msiinst.tmp
2007-12-01 19:30 . 07-12-01 19:31 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-12-01 19:09 . 07-12-01 19:09 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-12-01 18:20 . 07-12-01 18:20 957 --a------ C:\WINNT\setup.inf
2007-12-01 18:20 . 07-12-01 18:20 283 --a------ C:\WINNT\setup.rpt
2007-11-30 11:01 . 06-07-11 01:19 631,056 -----c--- C:\WINNT\system32\dllcache\oleaut32.dll
2007-11-30 10:53 . 06-11-02 11:31 1,011,774 --a------ C:\WINNT\system32\mfc42u.dll
2007-11-30 10:53 . 06-11-02 11:31 1,011,774 -----c--- C:\WINNT\system32\dllcache\mfc42u.dll
2007-11-30 10:46 . 05-01-12 13:40 239,888 --a------ C:\WINNT\system32\wow32.dll
2007-11-30 10:46 . 05-04-08 05:51 186,640 --a------ C:\WINNT\system32\WINLOGON.EXE
2007-11-30 10:46 . 05-01-12 13:39 167,184 --a------ C:\WINNT\system32\WINTRUST.DLL
2007-11-30 10:46 . 05-04-08 05:54 146,192 --a------ C:\WINNT\system32\WLDAP32.DLL
2007-11-30 10:46 . 05-04-08 05:54 146,192 -----c--- C:\WINNT\system32\dllcache\WLDAP32.DLL
2007-11-30 10:46 . 04-12-01 21:03 146,192 -----c--- C:\WINNT\system32\dllcache\wins.exe
2007-11-30 10:46 . 04-11-07 09:54 88,576 -----c--- C:\WINNT\system32\dllcache\write32.wpc
2007-11-30 10:46 . 05-04-08 05:54 57,104 --a------ C:\WINNT\system32\wlnotify.dll
2007-11-30 10:46 . 04-04-04 21:16 57,104 --a------ C:\WINNT\system32\w32tm.exe
2007-11-30 10:46 . 05-04-08 05:54 57,104 -----c--- C:\WINNT\system32\dllcache\wlnotify.dll
2007-11-30 10:45 . 05-04-08 05:54 399,120 --a------ C:\WINNT\system32\USERENV.DLL
2007-11-30 10:45 . 05-01-12 13:40 322,832 -----c--- C:\WINNT\system32\dllcache\untfs.dll
2007-11-30 10:45 . 05-04-08 05:54 48,400 --a------ C:\WINNT\system32\w32time.dll
2007-11-30 10:45 . 05-02-07 23:21 29,456 --a------ C:\WINNT\system32\VDMDBG.DLL
2007-11-30 10:44 . 05-04-08 04:34 973,072 --a------ C:\WINNT\system32\sfcfiles.dll
2007-11-30 10:44 . 04-11-09 00:24 770,710 -----c--- C:\WINNT\system32\dllcache\system.adm
2007-11-30 10:44 . 05-04-08 05:51 92,944 -----c--- C:\WINNT\system32\dllcache\services.exe
2007-11-30 10:44 . 05-07-14 06:24 74,384 -----c--- C:\WINNT\system32\dllcache\scsiport.sys
2007-11-30 10:44 . 04-12-02 07:07 63,280 -----c--- C:\WINNT\system32\dllcache\udfs.sys
2007-11-30 10:44 . 05-04-08 05:54 17,680 --a------ C:\WINNT\system32\seclogon.dll
2007-11-30 10:43 . 05-01-12 13:39 531,216 -----c--- C:\WINNT\system32\dllcache\rasdlg.dll
2007-11-30 10:43 . 05-01-12 13:39 261,904 --a------ C:\WINNT\system32\scesrv.dll
2007-11-30 10:43 . 05-04-08 05:54 200,464 -----c--- C:\WINNT\system32\dllcache\rasapi32.dll
2007-11-30 10:43 . 04-12-28 10:33 196,880 -----c--- C:\WINNT\system32\dllcache\osloader.exe
2007-11-30 10:43 . 05-04-08 05:54 117,520 --a------ C:\WINNT\system32\PSBASE.DLL
2007-11-30 10:43 . 05-01-12 13:39 114,448 --a------ C:\WINNT\system32\scecli.dll
2007-11-30 10:43 . 05-01-12 13:39 63,248 -----c--- C:\WINNT\system32\dllcache\rasscrpt.dll
2007-11-30 10:43 . 05-01-12 13:39 29,968 --a------ C:\WINNT\system32\profmap.dll
2007-11-30 10:43 . 05-01-12 13:39 29,968 -----c--- C:\WINNT\system32\dllcache\profmap.dll
2007-11-30 10:42 . 05-02-28 02:38 613,136 -----c--- C:\WINNT\system32\dllcache\nntp_nntpsvc.dll
2007-11-30 10:42 . 04-05-03 04:24 222,384 -----c--- C:\WINNT\system32\dllcache\nscm.exe
2007-11-30 10:42 . 05-03-01 22:54 143,872 -----c--- C:\WINNT\system32\dllcache\nsisapi.exe
2007-11-30 10:42 . 05-01-12 13:39 136,976 -----c--- C:\WINNT\system32\dllcache\nntp_nntpfs.dll
2007-11-30 10:42 . 05-02-22 06:25 69,392 --a------ C:\WINNT\system32\olecli32.dll
2007-11-30 10:42 . 05-03-01 04:32 31,808 -----c--- C:\WINNT\system32\dllcache\nspmon.exe
2007-11-30 10:42 . 04-05-03 03:24 16,784 -----c--- C:\WINNT\system32\dllcache\nsiislog.dll
2007-11-30 10:42 . 05-01-12 13:39 14,096 --a------ C:\WINNT\system32\ntvdmd.dll
2007-11-30 10:41 . 03-09-20 04:26 785,680 -----c--- C:\WINNT\system32\dllcache\netmon.exe
2007-11-30 10:41 . 05-01-12 13:39 549,136 --a------ C:\WINNT\system32\netcfgx.dll
2007-11-30 10:41 . 05-01-12 13:39 549,136 -----c--- C:\WINNT\system32\dllcache\netcfgx.dll
2007-11-30 10:41 . 05-04-08 05:54 366,864 --a------ C:\WINNT\system32\NETLOGON.DLL
2007-11-30 10:41 . 05-01-12 13:39 218,896 --a------ C:\WINNT\system32\mstask.dll
2007-11-30 10:41 . 04-09-07 09:59 122,128 --a------ C:\WINNT\system32\mstask.exe
2007-11-30 10:41 . 05-01-12 13:39 114,448 --a------ C:\WINNT\system32\newdev.dll
2007-11-30 10:41 . 02-08-11 12:27 44,032 -----c--- C:\WINNT\system32\dllcache\msxml3r.dll
2007-11-30 10:40 . 05-03-31 01:10 844,560 -----c--- C:\WINNT\system32\dllcache\msdxm.ocx
2007-11-30 10:40 . 05-01-12 13:39 438,544 -----c--- C:\WINNT\system32\dllcache\mqqm.dll
2007-11-30 10:40 . 05-01-12 13:39 400,656 -----c--- C:\WINNT\system32\dllcache\mqsnap.dll
2007-11-30 10:40 . 05-04-08 05:54 338,704 --a------ C:\WINNT\system32\MSGINA.DLL
2007-11-30 10:40 . 05-01-12 13:39 110,864 -----c--- C:\WINNT\system32\dllcache\mqutil.dll
2007-11-30 10:40 . 05-04-08 04:34 102,672 -----c--- C:\WINNT\system32\dllcache\mqrt.dll
2007-11-30 10:40 . 05-01-12 13:39 70,928 -----c--- C:\WINNT\system32\dllcache\mqsec.dll
2007-11-30 10:40 . 05-01-12 13:40 64,784 -----c--- C:\WINNT\system32\dllcache\msmq.cpl
2007-11-30 10:40 . 03-09-19 22:53 64,512 -----c--- C:\WINNT\system32\dllcache\msiexec.exe
2007-11-30 10:40 . 05-01-12 13:39 23,824 -----c--- C:\WINNT\system32\dllcache\mqupgrd.dll
2007-11-30 10:38 . 05-01-12 13:40 255,248 --a------ C:\WINNT\system32\h323.tsp
2007-11-30 10:38 . 05-01-12 13:39 247,056 -----c--- C:\WINNT\system32\dllcache\httpext.dll
2007-11-30 10:38 . 05-01-12 13:39 163,088 -----c--- C:\WINNT\system32\dllcache\h323msp.dll
2007-11-30 10:38 . 05-01-12 13:39 122,640 -----c--- C:\WINNT\system32\dllcache\iischema.dll
2007-11-30 10:38 . 04-08-11 16:42 67,344 -----c--- C:\WINNT\system32\dllcache\ipnat.sys
2007-11-30 10:38 . 05-02-22 02:42 57,104 -----c--- C:\WINNT\system32\dllcache\iisext.dll
2007-11-30 10:36 . 04-12-02 10:37 693,520 -----c--- C:\WINNT\system32\dllcache\clussvc.exe
2007-11-30 10:35 . 05-01-12 13:39 248,080 -----c--- C:\WINNT\system32\dllcache\adsiis.dll
2007-11-30 10:35 . 05-04-08 05:54 134,928 -----c--- C:\WINNT\system32\dllcache\adsldpc.dll
2007-11-30 10:35 . 05-04-08 05:54 134,928 --a------ C:\WINNT\system32\adsldpc.dll
2007-11-30 10:35 . 05-04-08 05:54 130,832 -----c--- C:\WINNT\system32\dllcache\adsldp.dll
2007-11-30 10:35 . 05-04-08 05:54 130,832 --a------ C:\WINNT\system32\adsldp.dll
2007-11-30 10:35 . 05-01-13 03:09 63,760 -----c--- C:\WINNT\system32\dllcache\adsmsext.dll
2007-11-30 10:35 . 05-01-13 03:09 63,760 --a------ C:\WINNT\system32\adsmsext.dll
2007-11-30 10:28 . 06-08-28 02:44 530,192 --a------ C:\WINNT\system32\comctl32.dll
2007-11-30 10:12 . 05-06-29 01:30 246,032 -----c--- C:\WINNT\system32\dllcache\icm32.dll
2007-11-30 10:09 . 07-04-23 00:22 939,280 --a------ C:\WINNT\system32\ntdsa.dll
2007-11-30 10:09 . 07-04-23 00:22 939,280 --a--c--- C:\WINNT\system32\dllcache\ntdsa.dll
2007-11-30 10:08 . 06-12-07 19:02 2,174,976 -----c--- C:\WINNT\system32\dllcache\wmvcore.dll
2007-11-30 10:05 . 07-03-06 05:17 381,200 --a------ C:\WINNT\system32\USER32.DLL
2007-11-30 10:05 . 07-03-06 05:17 381,200 --a--c--- C:\WINNT\system32\dllcache\USER32.DLL
2007-11-30 10:04 . 07-03-06 05:17 38,160 --a------ C:\WINNT\system32\mf3216.dll
2007-11-30 10:04 . 07-03-06 05:17 38,160 --a--c--- C:\WINNT\system32\dllcache\mf3216.dll
2007-11-30 09:58 . 05-08-16 02:35 100,112 --a------ C:\WINNT\system32\netman.dll
2007-11-30 09:58 . 05-08-16 02:35 100,112 -----c--- C:\WINNT\system32\dllcache\netman.dll
2007-11-30 09:51 . 07-03-05 09:52 1,735,808 --a--c--- C:\WINNT\system32\dllcache\NTKRPAMP.EXE
2007-11-30 09:51 . 07-03-05 09:51 1,714,496 --a--c--- C:\WINNT\system32\dllcache\NTKRNLMP.EXE
2007-11-30 09:51 . 04-12-02 07:07 89,328 -----c--- C:\WINNT\system32\dllcache\mup.sys
2007-11-28 13:11 . 05-04-21 08:16 38,912 -----c--- C:\WINNT\system32\dllcache\hhsetup.dll
2007-11-28 13:11 . 05-04-14 19:08 10,752 -----c--- C:\WINNT\system32\dllcache\hh.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 23:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-06 23:38 --------- d-----w C:\Program Files\Plaxo
2007-12-03 21:14 --------- d-----w C:\Program Files\Common Files\Real
2007-12-03 21:13 --------- d-----w C:\Program Files\Google
2007-11-24 17:06 --------- d-----w C:\Program Files\Webroot
2007-11-06 20:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-05 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2007-11-05 21:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FileOpen
2007-11-05 19:42 --------- d-----w C:\Program Files\CyberDefender
2007-11-05 18:59 --------- d-----w C:\Program Files\Trend Micro
2007-11-05 18:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdwareAlert
2007-11-05 18:33 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-15 14:28 --------- d-----w C:\Program Files\MSN Messenger
2007-09-30 21:56 1,664 ----a-w C:\Documents and Settings\Administrator\Application Data\ViewerApp.dat
2007-08-27 08:38 5,037,072 ----a-w C:\Documents and Settings\Denny Tower Shared Documents\spybotsd14.exe
2006-05-31 17:33 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-05-31 17:33 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-12-06 14:49 1,428,125 ----a-w C:\Documents and Settings\Denny Tower Shared Documents\VistaPrint Electronic Business Card.exe
2005-04-11 18:26 26,301 ----a-w C:\Program Files\Deploy.log
2005-01-17 07:07 271 ---h--w C:\Program Files\desktop.ini
2005-01-17 07:07 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@Thu 2007-12-06_ 3.21.53.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-06 08:58:54 4,092,960 --sha-w C:\WINNT\system32\drivers\fidbox.dat
+ 2007-12-06 23:53:52 4,092,960 --sha-w C:\WINNT\system32\drivers\fidbox.dat
- 2007-12-06 09:11:54 91,424 --sha-w C:\WINNT\system32\drivers\fidbox2.dat
+ 2007-12-06 23:57:23 104,480 --sha-w C:\WINNT\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07695667-6AAF-422F-B609-AD240BF4B536}]
C:\WINNT\system32\xxyvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
07-11-16 17:27 114688 --a------ C:\Program Files\Gtxxgoak\ocfkdnjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [99-12-07 06:00 C:\WINNT\system32\rundll32.exe]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [04-09-09 20:12 ]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [05-06-02 17:06 ]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" []
"CardScan AutoSync"="C:\Program Files\Corex\CardScan\System\csynccfg.exe" [03-12-01 01:44 ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 15:40 ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [06-11-16 12:42 ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [07-04-27 15:17 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="RUNDLL32.exe" [99-12-07 06:00 C:\WINNT\system32\rundll32.exe]
"nwiz"="nwiz.exe" [03-10-06 17:16 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [99-12-07 06:00 C:\WINNT\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-07-14 21:16 ]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtray.exe" [04-11-03 23:19 ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 18:59 ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05-05-01 13:50 ]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe" [02-11-22 13:49 ]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe" [03-09-19 22:23 ]
"NovaBackup 7 Tray Control"="C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe" [04-01-09 18:14 ]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [05-01-03 13:41 ]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [04-08-18 16:41 ]
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [04-04-19 09:19 ]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [06-07-14 14:36 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-12-03 15:12 ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [07-06-28 12:51 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [04-09-02 02:58 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
X10 Communications Link.lnk - C:\Program Files\X10 Home Control\X10BURST.EXE [2005-10-04 10:22:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56]
Bluetooth.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2005-05-31 13:29:16]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2004-08-10 20:25:22]
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2004-12-21 12:19:00]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-05-05 12:51:01]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-05-05 12:50:55]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-01-19 10:00:13]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9C0ADB68-353A-61DD-ED09-1D8003A61111}"= C:\WINNT\system32\kb1111p.dll [98-12-31 18:01 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnum32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvu]

continued in next post because of size limit.

Cobalt Blue
2007-12-07, 03:05
Combofix continued...

R0 GBDevice;GBDevice;C:\WINNT\system32\drivers\GBDevice.sys
R0 GoBack2K;GoBack2K;C:\WINNT\system32\drivers\GoBack2K.sys
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R1 Asapi;Asapi;C:\WINNT\system32\drivers\Asapi.sys
R1 CorexCardScan;CardScan USB Scanner;C:\WINNT\system32\drivers\slcorex.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 GBFSHook;GBFSHook;C:\WINNT\system32\drivers\GBFSHook.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 PAR1284;PAR1284;\??\C:\WINNT\system32\Drivers\PAR1284.SYS
R2 PPNT;PPNT;\??\C:\WINNT\system32\Drivers\PPNT.SYS
R3 BT2KNDFL;Bluetooth LAN Access Server Driver - Filter;C:\WINNT\system32\DRIVERS\bt2kndfl.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINNT\system32\DRIVERS\klim5.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINNT\system32\Drivers\NPDRIVER.SYS
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 US30Kbd;US30Kbd;\??\C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Kbd2K.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINNT\system32\DRIVERS\rt2500usb.sys
S2 Nmpdrv_N;PogoProducts Nmpdrv_N USB Controller Service;C:\WINNT\system32\DRIVERS\Nmpdrv_N.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINNT\system32\DRIVERS\vnet58lx.sys
S3 InCDFat;Ahead InCDFat File System Driver;\??\C:\WINNT\system32\Drivers\InCDFat.sys
S3 SDdriver;SDdriver;\??\C:\WINNT\system32\Drivers\sddriver.sys
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINNT\system32\DRIVERS\netusb.sys
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 02:00:00 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer - Administrator.job"
- C:\PROGRA~1\NORTON~2\NORTON~3\Navw32.exeh/task:
"2007-12-06 08:00:00 C:\WINNT\Tasks\Quest Full Backup.job"
- C:\WINNT\system32\NTBACKUP.EXE
"2007-12-06 06:00:00 C:\WINNT\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2007-11-25 15:18:02 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 17:57:13
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe?=C:\Program Files\Common Files?COMPUTERNAM

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 18:00:05 - machine was rebooted
.
--- E O F ---
-------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:29 PM, on 12/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 14347 bytes

pskelley
2007-12-07, 03:25
Thanks for returning your information. Read and follow the directions carefully.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Start > Control Panel > Add Remove programs and uninstall this if there: Gtxxgoak

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {07695667-6AAF-422F-B609-AD240BF4B536} - C:\WINNT\system32\xxyvu.dll (file missing)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Gtxxgoak\ocfkdnjh.dll
(the next two are resource wasters related to the Alexa toolbar; if you don't use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: winnum32 - C:\WINNT\
O20 - Winlogon Notify: xxyvu - C:\WINNT\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Gtxxgoak\ <<< delete that folder and contents

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log and some feedback.

Thanks

Cobalt Blue
2007-12-07, 11:34
Thanks! Progress for sure but only partial success with these tasks this iteration. Feedback as follows:

Step 1.) make files visible (already were but repeated steps to confirm)

Step 2.) Download ATF - done

Step 3.) Remove Gtxxgoak - Unsuccessful, as the Add/Remove Programs screen opens for a brief moment and closes.

Step 4.) Hijack and remove selected entries - done

Step 5.) Delete Gtxxgoak directory - Unsuccessful due to a "Source file still in use" message, as a result of step 3.

Step 6.) Run ATF - Done. Message was that "No files were removed"

Post HJT Log - to follow.

Thanks for your help! The system is much more deterministic now and not going off on its own. Once booted it is running very slowly, much slower than it was one or two iterations ago before some of the cleaning. Not sure why. The drive light used to be on all the time in the beginning and now is rarely on, and just for an instant. Thanks again!! ...Cobalt Blue :sick:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:14 AM, on 12/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Corex\CardScan\System\csynccfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\X10HOM~1\X10COM32.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBackup\NbkCtrl.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\Corex\CardScan\System\csynccfg.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: X10 Communications Link.lnk = C:\Program Files\X10 Home Control\X10BURST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.rr.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail2.roundrockisd.org/iNotes6W.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Everstrike Software\Universal Shield 3.1\US30Service.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13664 bytes

pskelley
2007-12-07, 16:11
Thanks for the feedback, I use ATF-Cleaner all of the time and on almost all repairs. Unless you just ran something like CleanManger or CCleaner or another tool, it is very unlikely ATF-Cleaner would find nothing to remove. If this is the case, you may want to look at the instructions again.

Your HJT log is clean :bigthumb: I would like to look at an alternate scan to your resident Kaspersky, and you may need to turn it off to run the scan. Before you scan, please remove all the tools we used from your computer (the exception is ATF-Cleaner; you may keep that small program if you wish). Be sure to delete the C:\qoobox\quarantine\ folder and the C:\Vundofix Backups\ folder, then follow these directions.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Cobalt Blue
2007-12-08, 09:57
System not running that well. Results:

1.) ATF-Cleaner - Yes, I had run the Norton cleaner earlier as we started. I was making space for the programs we were going to use. I reread the directions, I find nothing out of the ordinary.

2.) HJT clean - Great!! What about the other programs and contents of the Gtxxgoak that I could not delete before? Do we still need to get rid of those? I did delete the other programs and folders you suggested.

3.) Unable to run IE to get Kaspersky scanner to run at all as it crashes in about 4 seconds. So I tried using Windows Explorer and was successful loading the scanner and starting the scan with your parameters. That crashed after about 5 hours with about 10% of "My Computer" scanned. Found 2 viruses in e-mail I think. Now, I can't get that to run either. Both IE and WE crash quickly.

What next? Thanks in advance !! ...Cobalt Blue

pskelley
2007-12-08, 12:30
Sounds like you have Operating System problems that I will not be able to help with. Are you receiving any error messages when you have these problems? "Crash" is such a generic word, it means nothing to me. Could you mention how old this system is?

I am interested in how much RAM you have installed on this computer. Right click My Computer, then click on Properties. RAM total will be in the bottom right.
Now double-click My Computer and right click Local Disk (C:)
then Properties. Tell me how much Free Space you have.

Another suggestion is a free diagnostic here: http://www.pcpitstop.com/pcpitstop/
Your questions will be answered here: http://pcpitstop.invisionzone.com/index.php?showforum=6
I would be glad to look at the Test Results if you post a link.

You might want to try a repair install of your Operating System.
http://www.google.com/search?hl=en&q=Windows+2000+repair+install&btnG=Search

Thanks

Cobalt Blue
2007-12-08, 17:59
Thanks for the advice, first things first are answers to your questions about the system itself.

System is about 3 years old, 392M Ram, AMD 3Gig processor speed. 5.08Gig disk space now available on C:

I will take a look at the suggestions for diagnostics and OS repair that you posted. I will run those and will post results tomorrow if I can get them.

What about that Gtxxgoak ??

Thanks again, have a great weekend. ...Cobalt Blue :cleaning:

Cobalt Blue
2007-12-08, 18:09
Sorry, forgot something. When Explorer "Crashes" there is no error message or indication other than the screen closes abruptly and the task is gone completely.

The system is operating at less than 1/3 speed from earlier. Takes about 10 minutes to boot instead of 3 as well. This was not the case before the last set of deletes, it was much faster, but not as fast as before the virus. Before with viruses the disk light was on all the time, now it is not.

Thanks again, I'm trying to figure out how to get the analysis tool loaded on my second system (running XP) so I can USB it over to my other system not able to run Explorer.

...Cobalt Blue :D:

pskelley
2007-12-08, 18:17
What about that Gtxxgoak ??
Boot into Safe Mode and delete it there:
http://spyware-free.us/tutorials/safemode/

If that does not work, let me know. Let's hope the PCPitStop diagnostic report will show us something.

If I have not done so, I suggest you try updating to IE7 for the additional security and stability.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

http://ask-leo.com/how_much_memory_do_i_really_need_for_windows_xp.html
http://www.crucial.com/support/howmuch.aspx
My WindowsXP machine has 1.25 GB

Post #14 deleted nothing that should have affected your performance.

Thanks again, I'm trying to figure out how to get the analysis tool loaded on my second system (running XP) so I can USB it over to my other system not able to run Explorer.

That is not going to work, I am sure it has to be run on the system it is diagnosing.

Thanks

Cobalt Blue
2007-12-12, 02:42
Hi Pskelley.

Thanks for your last reply. I've tried to get the pcpitstop tools to run with no success. They asked me to load firefox to see if I could gain internet access, and I am using that now on the 'personal' system that I'm trying to fix. Great to have access again.

However, pcpitstop will not run. It also crashes after a second. They have not responded with any additional suggestions yet, still waiting. They put me in their virus forum as they think they might have more experience with this type of problem.

I do understand that nothing we deleted would cause the computer to run slow, just reporting a symptom that I can't explain at the moment.

I did try the Windows repair you supplied information on (thank you!) - no success. The repair diagnostic does not recognize the disk as having a successful install and wants to delete the partition and start over with a new install - NOT YET, thank you mam!!! :alien:

I will try to delete Gtxxgoak as you suggest later tonight.

Thanks a Ton! for all your help, be back later. ...Cobalt Blue out

pskelley
2007-12-21, 16:12
Some closing information for you in case it helps:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Cobalt Blue
2007-12-26, 18:11
Dear Pskelley,

Cobalt Blue is back and doing much better thanks to you.!! :bigthumb:

The other website you referred me to did not answer my request for help. I was able to delete something that was causing problems by using the start:programs:then individual uninstall commands for a few programs. Not sure what was causing the problems as I deleted several of the tasks like my UPS watchdog and some things I did not need. Then my IE started working again (version 6 as V7 needs higher than the W2000 I'm running) as did my control panel function.

I also defragged my drive that was in really bad shape. I also loaded all the windows updates for my system and will keep it updated from now on.

Your last post had recommendations on staying clean that I will now investigate for how to stay clean and safe online.

Now for my last question. You said you recommended 3 things to protect a system (virus scanner, firewall, etc). I don't believe I installed a firewall (or did I)? Would you please give me a list of your current recommendations of all 3 things? I'll go get one of each category on my system. (a.k.a. Kaspersky has expired, etc.)

Many thanks for all your help!!! :beerbeerb: I will make a "donation" for all the great help and support you and your team have given me. You saved my system from the scrap heap! It's not much but it's all I have...

Thanks a TON!! and BR, ...Cobalt Blue :cleaning:

pskelley
2007-12-26, 19:54
Thanks for the feedback, and I apologize for not noting you were running Win2000. I don't see that Operating System much.

If you need a free firewall, here are some to choose from, and I believe they all work on your system:
http://www.personalfirewall.comodo.com/
http://www.jetico.com/index.htm#/jpfirewall.htm
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Since the computer is running better, give that diagnostic at PCPitStop another try. I scan my Windows98SE computer on it, so I know it will work with your system.

Thanks...Phil

Cobalt Blue
2007-12-26, 23:24
Thanks, Pskelley,

I was able to run the PC PitStop tools. That is where I knew the disk was badly fragmented, etc. I fixed everything I could from the reports including the security issues from IE. I just ran it again and the results were the same asking for an upgraded disk and the rest of the results were average or better. I'll try to attach that report here for you to review. Not sure how to make a full text report so you can see expanded results of all the individual tests.

Thanks again, ...Cobalt Blue

Note! You have run this test anonymously. It will only be visible for the duration of your current browser session. To create an account so you can return to this report, click here.
Test Results Summary
Computer Name: DENNYTOWER
Date Tested: Wed Dec 26 15:19:06 CST 2007

This system performs well on our benchmarks, and should have plenty of power for most applications. You may be able to add a few system upgrades or tweak some Windows settings to improve performance. Regular system maintenance is also important to keep your system running in top condition.

This is your customized advice based on PC Pitstop's tests. Click on an item at left to find out what it means and what to do. Customized Tune-up Tips
• Clean up disk space (Drive C)
• Upgrade disk space (Drive C)
• Sub Optimal Internet Performance
• Defragment files (Drive C)
• Install more memory
• Adjust IE browser cache size
• Auto-filling Forms with IE May Present a Security Risk
• Saving Web Page Passwords with Firefox May Present a Security Risk
• Auto-filling Forms with Firefox May Present a Security Risk
• Setup a Free User Account
• Install Backup Software

Configuration Summary: Our analysis was based on the data collected from this computer. A summary of the data collected is shown below. Click on any of the subsystem names or flags in the table below to see more information, or use the test details to see all the data on one page. For a list of programs running on your computer, including spyware, see the Windows details page. The test history page has a summary of previous tests for this configuration. See how your system compares to others we've tested.

Subsystem   Status   Description
System               AMD Sempron 2500+, 1733 MHz
Memory               384MB RAM
Disk                 Drives C, D, E
Video                NVIDIA GeForce FX 5200
Internet             MSIE 6.0; .NET CLR 1.1.4322
Windows              Windows 2000 Pro SP4
Security



Attention: You are running as Administrator.
Thank you for testing at PC Pitstop. Important: Before leaving the PC Pitstop site, please shut down this instance of Internet Explorer that is running as Administrator.
Attention: You are running unprotected.
Thank you for testing at PC Pitstop. Important: Before leaving the PC Pitstop site, please shut down this instance of Internet Explorer that is running with Protected Mode disabled.



pskelley
2007-12-26, 23:36
There is too much information in the diagnostic report to copy/paste it all here; you can read the information and benefit from it. I will not be able to see it unless you register "free" so you can post a link to the "Test Results". Please do not copy/paste any information here except the link I requested. Every line in the report is a link to more information.

This is NOT your information, just an example so you can see what I need.
http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=VJRBSWRV9LVSKBRV

Thanks

Cobalt Blue
2007-12-27, 18:10
Hi Pskelley,

Hope you had a Merry Christmas or Happy Holiday (whichever applies)!!

Thanks again. My first scan using PC Pitstop was done earlier than the 12/23. My second scan was on the 23rd and I registered to save results from that point forward.

Here is the link to my results:
http://www.pcpitstop.com/techexpress.asp?id=ASQ3SW7XZ9VS3Z7G

I also used the browser tuner exam. My new FireFox crashes late in test 2 with a script error (array test I think but it only blinks up for an instant), my new IE passes through the full suite of tests.

Thanks again! ...Cobalt Blue

pskelley
2007-12-27, 19:06
I will comment briefly on the results. I am sure you have looked and are well aware there are major issues, especially with your Hard Disk.

Drive C has 2012MB of junk files, which is 3 percent of all the space available on the drive

Drive C:\ has only 5 percent of its space available.

About Fragmentation: You can improve your disk drive performance by defragmenting it on a regular basis.
http://support.microsoft.com/kb/314848

Install more memory >>> http://www.crucial.com/support/howmuch.aspx

Click all those links and learn from the information, the folks will answer questions here:
http://pcpitstop.invisionzone.com/index.php?showforum=6

I can tell you this, you have a major problem with Disk space that will unlikely be resolved by anything less than a bigger hard drive. You can try to remove some stuff, but it is unlikely you will be able to remove enough to make a difference and you must have space to download critical stuff from Windows.

You also have maintenance problems only you can solve.

I have 1.25 GB's of memory and consider that enough, you have the absolute minimum for basic computing. Don't even think about being able to run intense games, etc. It is not going to happen.

My suggestion would be to think about a new computer, with a huge hard drive and a load of RAM.

Good luck with your decisions.

Thanks...Phil

Cobalt Blue
2007-12-27, 21:04
Phil, Thanks again for your time and expertise.

I hear you loud and clear on the disk issues. That is what I'm working on now. I am puzzled by the report of "junk" files from PC Pitstop. I already deleted all my recycle bin and IE and Firefox cache files. I also had these cache sizes pretty large initially and early on made them much smaller, toward the minimum recommended limit.

I do think that previous installs did not clean up after themselves and I need a heavy duty cleaner to figure that out. The cleaning utility they sell on the site will not run on my system as the OS needs to be NT 5.1 or higher. Any suggestions on getting rid of these files?

I have a second physical disk (D & E) that is partitioned for my backups. I need a better strategy to do it. Would appreciate any suggestions of what SW to use and things to read.

My system is only used for business and not for gaming so I have CPU and graphics power to spare for my use.

Thanks again for your help. ...Cobalt Blue...

pskelley
2007-12-27, 21:55
I would not buy anything, here is a good free cleaner, but if you use it download the basic clean only, not all of the junk and eye candy.
http://www.ccleaner.com/
I would wait on it though until you are sure you have room for it. I would use ATF-Cleaner making sure you clean everything it will clean and CleanManager which should be part of Windows2000:
http://spyware-free.us/tutorials/cleanmgr/

You can run the diagnostic as often as you wish to see if you are making progress. As far as partitioning, that is not my forte; I can only suggest you google for the information you need.

http://www.google.com/search?hl=en&q=how+to+partition&btnG=Search

Hope that helps

Cobalt Blue
2007-12-31, 07:54
Dear Phil,

Thanks for everything!!! CCleaner worked great. I also loaded their beta defrag program and it worked great as well. I now have over 10% free drive space and things look fine.

I also bought a NAS device to use (e-Bay for ~$40) to off load a bunch of music, video, and pictures so that should help a lot as well. Should get to 30% free or more. :2thumb:

I also decided to get Kaspersky's full suite which was on sale at a terrific price at a retailer over Christmas.

Thanks again for everything!!! I could not have done it without you!!!

Sincerely, ...Denny