Hi,

I already noticed several threads concerning this malware, and it looks like I have a similar issue, with slightly different symptoms through.

Here is the current report by SpyBot:

--- Report generated: 2009-09-29 13:16 ---

Win32.TDSS.rtk: [SBI $CC549FA0] File (Fichier, nothing done)
C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys
Properties.size=0
Properties.md5=7C60161D5D4CB4B811614832AFEE1927

Win32.TDSS.rtk: [SBI $44B45F45] File (Fichier, nothing done)
C:\WINDOWS\system32\gasfkygkivvlyg.dll
Properties.size=0
Properties.md5=C84F4FDEAA90F5E992580AA8D4FF4EB3

Win32.TDSS.rtk: [SBI $44B45F45] File (Fichier, nothing done)
C:\WINDOWS\system32\gasfkykooaadnd.dll
Properties.size=0
Properties.md5=042DDC293DE706CF66F0C3A371223F16

Win32.TDSS.rtk: [SBI $44B45F45] File (Fichier, nothing done)
C:\WINDOWS\system32\gasfkyxuhtacpp.dll
Properties.size=0
Properties.md5=8966EB3F8A03C014426DEF4449312EA2

Win32.TDSS.rtk: [SBI $4277AD41] File (Fichier, nothing done)
C:\WINDOWS\temp\gasfkyexhmtwbvtg.tmp
Properties.size=0
Properties.md5=8966EB3F8A03C014426DEF4449312EA2

Win32.TDSS.rtk: [SBI $4430B36D] File (Fichier, nothing done)
C:\WINDOWS\system32\gasfkylhsdlqsx.dat
Properties.size=0
Properties.md5=72DB5CCBCEFC46083D972D2E53955419

Win32.TDSS.rtk: [SBI $4430B36D] File (Fichier, nothing done)
C:\WINDOWS\system32\gasfkywfloyxtq.dat
Properties.size=0
Properties.md5=B7B5182DD4032CA2A59F1F89CA83A0C7


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-05-06 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-09-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-22 Includes\HijackersC.sbi (*)
2009-09-22 Includes\Keyloggers.sbi (*)
2009-09-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-22 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-22 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-22 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-22 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-09-15 Includes\Trojans.sbi (*)
2009-09-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

I tried to remove those threats by booting my machine in safe mode, and then running spybot. Some specific removal commands have been added and launched at boot time in this case. Though, the report remains the same after this action.

Furthermore, none of the files reported is visible in the corresponding folders, even with the option to see hidden files.

Last but not least: the scans performed by Norton internet Security now abort. On C: it looks like only files scanned all have dummy names. On other disks none of the file is scanned. Other functions (protection of the ports, anti-spam, ... ) are still working.

I tried two more things thus, after I ran HijackThis as well (see report below):
- I ran SDFix.exe in safe mode tool
- I ran the windows tool MRT.exe
Both detected and removed a few more files.

I am currently running a scan with Kapersky 7.0 online. It is not complete yet, but already detected some infected files: some are in the AV quarantine, but one seems to correspond to the files detected by Spybot.

Notice also that the system restore is disabled on my machine for a while now ...

The current report by HijackThis is the following one:

Logfile of HijackThis v1.99.1
Scan saved at 16:37:30, on 29/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
U:\Program Files\Autres\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Wanadoo\TaskBarIcon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Toaster.exe
C:\PROGRA~1\Wanadoo\Inactivity.exe
C:\PROGRA~1\Wanadoo\PollingModule.exe
C:\PROGRA~1\Wanadoo\Watch.exe
C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\PollingModule.exe
C:\PROGRA~1\Wanadoo\Watch.exe
U:\Program Files\Autres\Firefox\firefox.exe
U:\Program Files\Security\Spybot\SpybotSD.exe
U:\Program Files\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Fichiers communs\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - U:\PROGRA~1\Security\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Afficher Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Fichiers communs\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] U:\Program Files\Security\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\GestMaj.exe GestionnaireInternet.exe
O4 - HKCU\..\Run: [FreeRAM XP] "U:\Program Files\Autres\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://U:\Program Files\Games\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://U:\Program Files\Games\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://U:\Program Files\Games\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://U:\Program Files\Games\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - U:\PROGRA~1\Security\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - U:\PROGRA~1\Security\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~2\Wanadoo Messager.exe
O9 - Extra 'Tools' menuitem: Messager Wanadoo - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\WANADO~2\Wanadoo Messager.exe
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.zebulon.fr/outils/antivirus/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.zebulon.fr/scan8/oscan8.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050354DC-1506-4331-BB1C-7EB44CFBB160}: NameServer = 80.10.246.1 81.253.149.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{050354DC-1506-4331-BB1C-7EB44CFBB160}: NameServer = 80.10.246.1 81.253.149.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Validation de mot de passe Symantec IS (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Assistant Retrospect (Retrospect Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe

Any help will be appreciated,

Thanks

Hello,

A few more inputs:

Kapersky online scan:
The scan completed detecting a couple of infected objects. Unfortunately I made a wrong manipulation hile saving the full report. I thus only rescanned the guilty parts of the computer, meaning critical parts and doc&settings (otherwise it is quite a long time!):

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 29, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 29, 2009 16:23:14
Records in database: 2934985
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Critical areas:
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
C:\Documents and Settings\Vincent\Menu Démarrer\Programmes\Démarrage
C:\Program Files
C:\WINDOWS

Scan statistics:
Objects scanned: 58436
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:38:56


File name / Threat / Threats count
globalroot\systemroot\system32\gasfkyxuhtacpp.dll/globalroot\systemroot\system32\gasfkyxuhtacpp.dll Infected: Packed.Win32.TDSS.z 2

Selected area has been scanned.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 29, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 29, 2009 16:23:14
Records in database: 2934985
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Folder:
C:\Documents and Settings

Scan statistics:
Objects scanned: 11319
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 00:10:05


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A8F675B.tmp Infected: Worm.Win32.Feebs.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0E4056A4.tmp Infected: Email-Worm.Win32.NetSky.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\262A16E1.exe Infected: P2P-Worm.Win32.Polip.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3F6C24E4.tmp Infected: Worm.Win32.Feebs.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57C60CEA.tmp Infected: Email-Worm.Win32.Mabutu.a 1

Selected area has been scanned.

--------

Besides this, my norton antivirus detected the backdoor.tidserv threats this morning. Several files were moved in quarantine. It then stated I had to reboot. Though I am not quite sure that Norton is really sane at the moment.

I also forgot to mention that I get a frequent message stating that /globalroot\systemroot\system32\gasfkyxuhtacpp.dll is not a valid image for windows, especially after a session is started.

Regards

Hello again,

As a new symptom, ccsvchost.exe is now running in an abnormal way, as soon as I start a session. It consumes arounf 40% of the CPU. It alos looks like Norton is performing lot of updates...

Alos, when spybot still detects the Win32.TDSS.rtk files, the resident is complaining at fix time, asking if modification should be done or not. In the log of the resident I get things like:

30/09/2009 11:38:23 Refusé(e) (based on user decision) value "SpybotDeletingD5295" (new data: "cmd.exe /c del "C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys_old"") ajouté(e) in System Startup user entry!
30/09/2009 11:38:24 Refusé(e) (based on user decision) value "SpybotDeletingB8189" (new data: "command.com /c del "C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys"") ajouté(e) in System Startup user entry!
30/09/2009 11:38:33 Refusé(e) (based on user decision) value "SpybotDeletingD3408" (new data: "cmd.exe /c del "C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys"") ajouté(e) in System Startup user entry!
30/09/2009 11:38:34 Refusé(e) (based on user decision) value "SpybotDeletingA4239" (new data: "command.com /c del "C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys_old"") ajouté(e) in System Startup global entry!
30/09/2009 11:38:43 Refusé(e) (based on user decision) value "SpybotDeletingC2468" (new data: "cmd.exe /c del "C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys_old"") ajouté(e) in System Startup global entry!
30/09/2009 11:38:44 Refusé(e) (based on user decision) value "SpybotDeletingA4292" (new data: "command.com /c del "C:\WINDOWS\system32\drivers\gasfkyjmugxoma.sys"") ajouté(e) in System Startup global entry!
...

For the time being it seems that best thing to do is to stop using this machine!

Regards

Hello BB25187,

Due to the volume of posts to your own topic, it would appear to volunteer analysts that you were already being assisted as they look for topics with no response. :eek:

Please start a new topic providing only the HJT log (version 2.0.2) as per forum FAQ, "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) and include a link back to this thread. :)

Best regards.

Hello tashi,

Thanks a lot for the reply and advice!
I do this asap!

Regards

New topic: http://forums.spybot.info/showthread.php?t=52268 :)