System32 Folder is Inaccessible; Can't Boot Normal Mode

Ok AVG Anti-Spy cleaned a nice amount of infections...

Can't you just ban the spammers ?

Here is a new scanner to run in safe mode, try if the computer runs in normal mode after this:

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run a scan with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log

:bigthumb:
 
Hei Mr_JAk3,

My PC still won't boot into Normal Mode. It crashes at the same point every time. :sad:

Logs to follow...

Any more ideas?

Thanks,
P
 
DrWeb.csv

00011824.exe;C:\RECYCLED\NPROTECT;Trojan.MulDrop.4521;Deleted.;
00011825.exe;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00011883.EXE;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00011885.exe;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00011887.EXE;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012066.exe;C:\RECYCLED\NPROTECT;Trojan.MulDrop.4521;Deleted.;
00012067.exe;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012072.exe;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012073.exe;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012074.EXE;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012075.exe;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012080.EXE;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012084.EXE;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012088.exe;C:\RECYCLED\NPROTECT;Win32.HLLW.Recod;Deleted.;
00012090.EXE;C:\RECYCLED\NPROTECT;Trojan.DownLoader.15764;Deleted.;
00012257.EXE;C:\RECYCLED\NPROTECT;Trojan.Fakealert;Deleted.;
00012259.exe;C:\RECYCLED\NPROTECT;Trojan.Killer;Deleted.;
00012267.dll;C:\RECYCLED\NPROTECT;Trojan.PWS.Snap;Deleted.;
00012286.chm\DLLGeneral.html;C:\RECYCLED\NPROTECT\00012286.chm;Modification of BAT.Wed.4730;;
00012286.chm;C:\RECYCLED\NPROTECT;Archive contains infected objects;Moved.;
aspi1438212.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
aspi1454312.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
aspi149112.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
svchost.com;C:\Documents and Settings\pbroenen\Local Settings\Temp;Trojan.DownLoader.15198;Deleted.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix\apps;Tool.Prockill;Moved.;
 
HijackThis.txt

Logfile of HijackThis v1.99.1
Scan saved at 9:37:20 PM, on 12/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [SDFix] C:\DOCUME~1\ADMINI~1\DESKTOP\SDFIX\SDFIX\RUNTHIS.BAT /second
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\Realdownload.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gtfc.com,gtservicing.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gtfc.com,gtservicing.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gtfc.com,gtservicing.com
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)
 
Puffy said:
Hei Mr_JAk3,

My PC still won't boot into Normal Mode. It crashes at the same point every time. :sad:
P
Click to expand...
Moi :D:

Ok that's bad news.

Let's see what we can find out....

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
ComboFix.txt

Administrator - Fri 12/22/2006 18:22:10.80 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-22 to 2006-12-22 ))))))))))))))))))))))))))))))))))


2006-12-21 18:23 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2006-12-19 21:09 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-19 21:09 <DIR> d-------- C:\Program Files\Grisoft
2006-12-18 18:26 <DIR> d-------- C:\FOUND.006
2006-12-17 08:57 <DIR> d-------- C:\HiJackThis
2006-12-16 22:45 <DIR> d-------- C:\fixwareout
2006-12-16 16:17 <DIR> d-------- C:\FOUND.005
2006-12-16 15:39 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-16 15:39 <DIR> d-------- C:\FOUND.004
2006-12-14 22:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\drv32dta
2006-12-14 22:20 38,912 --a------ C:\WINDOWS\SYSTEM32\aspi1470512.exe
2006-12-14 22:14 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll
2006-12-14 22:14 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll
2006-12-14 22:14 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll
2006-12-14 22:14 32,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys
2006-12-14 22:14 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll
2006-12-14 21:58 46,592 --a------ C:\WINDOWS\SYSTEM32\zlbw.dll
2006-12-14 21:55 393 --a------ C:\WINDOWS\SYSTEM32\z16.exe
2006-12-14 21:55 391 --a------ C:\WINDOWS\SYSTEM32\z14.exe
2006-12-14 21:54 5,120 --a------ C:\WINDOWSsystem32alg.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required



(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Synchronization Manager"="mobsync.exe /logon"
"HP OfficeJet Series 700"="\"C:\\Program Files\\Hewlett-Packard\\HP OfficeJet Series 700 NT\\bin\\ktchnsnk.exe\" -reg \"Software\\Hewlett-Packard\\OfficeJet Series 700\\Install\""
"ConMgr.exe"="\"C:\\Program Files\\EarthLink 5.0\\ConMgr.exe\""
"UpdateMgr.exe"="\"C:\\Program Files\\EarthLink 5.0\\updatemgr.exe\" /NOCM"
"RFX_auto_upgrade"=""
"IW Controlcenter"="C:\\PROGRA~1\\INSTAN~1\\INSTAN~1\\IWCTRL.EXE"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\hpoopm07.exe"
"Gene USB Monitor"="C:\\WINDOWS\\system32\\USBMonit.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TangoManager"="C:\\PROGRA~1\\FRONTI~1\\FRONTI~1\\app\\TANGOM~1.EXE"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SDFix"="C:\\DOCUME~1\\ADMINI~1\\DESKTOP\\SDFIX\\SDFIX\\RUNTHIS.BAT /second"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\DELL\\channel\\DESKTOP\\Index.htm"
"SubscribedURL"="C:\\DELL\\channel\\DESKTOP\\Index.htm"
"FriendlyName"=""
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,aa,01,00,00,9b,00,00,00,a6,00,00,00,3d,01,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,aa,01,00,00,9b,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,aa,01,00,00,9b,00,00,00,a6,00,00,00,3d,01,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="131A6951-7F78-11D0-A979-00C04FD705A2"
"SubscribedURL"="131A6951-7F78-11D0-A979-00C04FD705A2"
"FriendlyName"="Internet Explorer Channel Bar"
"Flags"=dword:00000003
"Position"=hex:2c,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,00,03,00,00,13,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,03,00,00,13,00,00,00,54,00,00,00,aa,01,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061219-212152-963
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20061219-212152-718
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
backup-20061219-212152-764
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
backup-20061219-212152-392
O4 - HKLM\..\Run: [rock] rock.exe
backup-20061219-212152-675
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
backup-20061219-212152-497
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\ADMINI~1\Desktop\SDFix\SDFix\RunThis.bat /second
backup-20061219-212152-801
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
backup-20061219-212152-757
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20061219-212152-436
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20061219-212152-128
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
backup-20061219-212152-678
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\baagf32.dll (file missing)
backup-20061219-212152-139
O21 - SSODL: LIJKE - {07CE0A0D-AD64-A0A7-9BB6-58AA4D7D07D8} - C:\WINDOWS\system32\jhuiq.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Maintenance-Defragment programs.job
C:\WINDOWS\tasks\Maintenance-Disk cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - pbroenen.job

Completion time: Fri 2006-12-22 18:22:45.51
C:\ComboFix.txt ... 06-12-22 18:22
 
rootkit

Mr_JAk3,

I Googled the above message regarding rootkit (in red) and found a message on GeeksToGo.com. The message said to download and run rustbfix.exe. I did this. The PC automatically rebooted a couple of times, did some magic, and came up in Normal Mode! :bigthumb:

Logs to follow...

Please advise whether there is more that I should do to cleanse my PC and to prepare it for networking safely.

Thanks!
P
 
pelog.txt

************************* Rustock.b-fix -- By ejvindh *************************
Fri 12/22/2006 18:40:44.64

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
 
avenger.txt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\umnlqicw

*******************

Script file located at: \??\C:\Documents and Settings\diuviftd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
 
report.txt

SDFix: Version 1.49
****************

Mon 12/18/2006 - 19:45:03.67

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:


File Path:



Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\aspi149112.exe
C:\WINDOWS\SYSTEM32\Z16.EXE
C:\WINDOWS\SYSTEM32\Z2524.EXE
C:\WINDOWS\SYSTEM32\Z14.EXE
C:\WINDOWS\SYSTEM32\MDMEX7.EXE
C:\WINDOWS\SYSTEM32\Z2333.EXE
C:\WINDOWS\SYSTEM32\Z16.EXE
C:\WINDOWS\SYSTEM32\Z2524.EXE
C:\WINDOWS\SYSTEM32\Z14.EXE
C:\WINDOWS\SYSTEM32\MDMEX7.EXE
C:\WINDOWS\SYSTEM32\Z2333.EXE
C:\WINDOWS\emdat.tm
C:\WINDOWS\emdat.tmp
C:\WINDOWS\system32\drivers\etc\hosts.tim
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\ws386.ini

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------


Files:
------

Backups Folder: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\ZZ.EXE
C:\IO.SYS
C:\LOGO.SYS
C:\redir.sys
C:\PAGEFILE.SYS
C:\WINDOWS\page files\maxmeg.sys
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL2141.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL1097.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL3732.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL2424.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL2834.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL3170.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL1211.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL0428.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL0341.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\~WRL3036.tmp
C:\Documents and Settings\pbroenen\Local Settings\Temp\$b17a2e8.tmp
C:\My Documents\~WRL1065.tmp
C:\My Documents\~WRL1939.tmp
C:\My Documents\~WRL2728.tmp
C:\My Documents\~WRL1539.tmp
C:\My Documents\~WRL0203.tmp
C:\My Documents\Resume\~WRL3695.tmp
C:\My Documents\I T P\~WRL3162.tmp
C:\My Documents\I T P\Ph.D\~WRL0379.tmp
C:\My Documents\I T P\Ph.D\~WRL2708.tmp
C:\My Documents\I T P\Ph.D\~WRL2998.tmp
C:\My Documents\I T P\Ph.D\~WRL1099.tmp
C:\My Documents\I T P\Ph.D\~WRL0628.tmp
C:\My Documents\I T P\Ph.D\~WRL4093.tmp
C:\My Documents\I T P\Ph.D\~WRL1517.tmp
C:\My Documents\I T P\Ph.D\~WRL1824.tmp
C:\My Documents\I T P\Ph.D\~WRL1056.tmp
C:\My Documents\I T P\Ph.D\~WRL2273.tmp
C:\My Documents\I T P\Ph.D\~WRL2519.tmp
C:\My Documents\I T P\Ph.D\~WRL3562.tmp
C:\My Documents\I T P\Ph.D\~WRL0937.tmp
C:\My Documents\I T P\Ph.D\~WRL0597.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2448.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2931.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3694.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1440.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1429.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0510.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0552.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0158.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3361.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3512.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1561.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL4002.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3970.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3018.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3568.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1381.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1000.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3360.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3976.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2865.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2845.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2686.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1899.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1230.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3235.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1791.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0600.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0661.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3024.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0362.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0993.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3594.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1937.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0115.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0615.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3398.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0721.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1586.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3435.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1331.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2050.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3335.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1794.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2654.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2687.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1653.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2812.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0027.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3943.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3772.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2517.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2128.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1407.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3497.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2730.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1307.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1455.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3502.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1018.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0147.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3126.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2012.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2287.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1577.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3336.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3560.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1198.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0928.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0761.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3214.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0965.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3587.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3358.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3663.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2651.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2274.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0535.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2500.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0858.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2024.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0750.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3574.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2650.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0599.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL2652.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3908.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0582.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3321.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0430.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3697.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL1068.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0198.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3189.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0697.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL0712.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL3192.tmp
C:\My Documents\I T P\Ph.D\965 - Doctoral Research and Process\~WRL4033.tmp
C:\My Documents\I T P\Ph.D\Dissertation\~WRL1267.tmp
C:\My Documents\I T P\Ph.D\Dissertation\~WRL1641.tmp
C:\My Documents\I T P\MA\M600 Intro to Transpersonal\~WRL0977.tmp
C:\My Documents\I T P\MA\M600 Intro to Transpersonal\~WRL2221.tmp
C:\My Documents\IntegriData\ETAK\~WRL1791.tmp

FINISHED!
 
hijackthis.txt

Logfile of HijackThis v1.99.1
Scan saved at 7:03:05 PM, on 12/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\WINDOWS\system32\USBMonit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSOffice\Office\Osa.exe
C:\Program Files\Greetings Workshop\Gwremind.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSOffice\Office\Findfast.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\HPOFXM07.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\Realdownload.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gtfc.com,gtservicing.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gtfc.com,gtservicing.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gtfc.com,gtservicing.com
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corp
 
Very well done :D: :D:

The rustbfix & sdfix were exactly what I would have recommended next.
But please follow my instructions....

Now please run ComboFix again and post it's log along with a fresh HijackThis log to here. (the last HjT log wasn't complete)

Then we'll clear the rest :bigthumb:
 
Last edited:
Thanks, Mr_JAk3,

Sorry for jumping ahead. And sorry for the truncated HJT log. Fresh logs to follow.

BTW, when logged in in Normal Mode, I now have a desktop background blurbing about Active Desktop Recovery. I suspect that this is not legitimate. I also have a dodgy looking icon in my system tray that says "Updates are ready for you computer. Click here to install these updates." I am not at all inclined to ;)

P
 
ComboFix.txt

Administrator - Sat 12/23/2006 21:18:59.60 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-23 to 2006-12-23 ))))))))))))))))))))))))))))))))))


2006-12-22 18:53 <DIR> d-------- C:\avenger
2006-12-22 18:40 <DIR> d-------- C:\Rustbfix
2006-12-21 18:23 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2006-12-19 21:09 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-19 21:09 <DIR> d-------- C:\Program Files\Grisoft
2006-12-18 18:26 <DIR> d-------- C:\FOUND.006
2006-12-17 08:57 <DIR> d-------- C:\HiJackThis
2006-12-16 22:45 <DIR> d-------- C:\fixwareout
2006-12-16 16:17 <DIR> d-------- C:\FOUND.005
2006-12-16 15:39 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-16 15:39 <DIR> d-------- C:\FOUND.004
2006-12-14 22:20 38,912 --a------ C:\WINDOWS\SYSTEM32\aspi1470512.exe
2006-12-14 22:14 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll
2006-12-14 22:14 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll
2006-12-14 22:14 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll
2006-12-14 22:14 32,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys
2006-12-14 22:14 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll
2006-12-14 21:58 46,592 --a------ C:\WINDOWS\SYSTEM32\zlbw.dll
2006-12-14 21:54 5,120 --a------ C:\WINDOWSsystem32alg.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Synchronization Manager"="mobsync.exe /logon"
"RFX_auto_upgrade"=""
"IW Controlcenter"="C:\\PROGRA~1\\INSTAN~1\\INSTAN~1\\IWCTRL.EXE"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\hpoopm07.exe"
"Gene USB Monitor"="C:\\WINDOWS\\system32\\USBMonit.exe"
"TangoManager"="C:\\PROGRA~1\\FRONTI~1\\FRONTI~1\\app\\TANGOM~1.EXE"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\DELL\\channel\\DESKTOP\\Index.htm"
"SubscribedURL"="C:\\DELL\\channel\\DESKTOP\\Index.htm"
"FriendlyName"=""
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,aa,01,00,00,9b,00,00,00,a6,00,00,00,3d,01,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,aa,01,00,00,9b,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,aa,01,00,00,9b,00,00,00,a6,00,00,00,3d,01,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="131A6951-7F78-11D0-A979-00C04FD705A2"
"SubscribedURL"="131A6951-7F78-11D0-A979-00C04FD705A2"
"FriendlyName"="Internet Explorer Channel Bar"
"Flags"=dword:00000003
"Position"=hex:2c,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,00,03,00,00,13,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,03,00,00,13,00,00,00,54,00,00,00,aa,01,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Maintenance-Defragment programs.job
C:\WINDOWS\tasks\Maintenance-Disk cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - pbroenen.job

Completion time: Sat 2006-12-23 21:19:49.48
C:\ComboFix2.txt ... 06-12-22 18:22
C:\ComboFix.txt ... 06-12-23 21:19
 
HijackThis.txt

Logfile of HijackThis v1.99.1
Scan saved at 9:23:01 PM, on 12/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\WINDOWS\system32\USBMonit.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSOffice\Office\Osa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TangoManager.exe
C:\Program Files\MSOffice\Office\Findfast.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\HPOFXM07.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)
 
Ok let's get you cleaned :D:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Update AVG Anti-Spyware.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

==================

Backup your registry:
  • Start
  • Run
  • Type the following to the box and hit Ok: regedit
  • A window opens, click on File
  • Choose Export form the menu
  • Change the save location to C:\
  • Give the filename, RegBackUp
  • Make sure that the filetype is set to Registryfiles (*.reg)
  • Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Click to expand...
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\SYSTEM32\aspi1470512.exe
C:\WINDOWS\SYSTEM32\zlbw.dll
C:\WINDOWSsystem32alg.exe
Click to expand...
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

:bigthumb:
 
HijackThis.txt

Logfile of HijackThis v1.99.1
Scan saved at 3:46:41 PM, on 12/24/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)
 
AVG Report-Scan

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:44:43 PM 12/24/2006

+ Scan result:



C:\RECYCLED\NPROTECT\00012323.sys -> Hijacker.Costrat.l : Cleaned with backup (quarantined).


::Report end
 
Merry Christmas

Merry Christmas, Mr_JAk3 :D:

I followed your instructions--no more, no less. (Please see logs above.) What's next...?
P
 
Merry Christmas to you too :D:

Ok it is looking good now.

Please post a one more HijackThis log so that I can verify that you're clean.
(The last HijackThis log was taken in safe mode so please post a log from normal mode)

:bigthumb:
 
You must log in or register to reply here.
Back
Top