Windows firewall disabled + updates not working etc

NickB

New member
I hope you can help on the following - I have tried to fix this but seem to be getting nowhere!

1 It began when my son clicked on what he thought was an image in MSN Messenger which was (I think) a pif file which executed and caused various problems. I no longer know what it was called, I'm afraid

2 It turned off the Windows firewall and it now says "Due to an unidentified problem, Windows cannot display Windows Firewall settings"

3 I have since put Zone Alarm on which appears to work

4 I did various virus checks etc with AVG which I have on the machine and removed what it identified. It appears to be virus free at present though it will occasionally report three instances of Java/ByteVerify and appear to fix them.

One of the things it definitely put on the machine was something called _mzu_stonedrv8.exe but I think I managed to get rid of this

At one point the machine would no longer reboot but I managed to get it working again

5 I also tried Prevx on the machine which says the machine is ok (which I don't think is the case!)

6 It will no longer run Windows Updates and will reboot the machine part way through the process

7 When I look at Zone Alarm it appears to be blocking incoming and outgoing things but has two 'Generic Host Process for Win32 Services' which appear in programs and appear to be very active - though not always. The machine can receive or send 20 - 40mb of stuff over and above what I am doing regardless of whether I disengage internet activity or not

8 I have scanned the machine in safe mode with spybot and it tells me congratulations it's ok!

9 When I boot the machine it will now often tell me that Windows has recovered from a serious error (it might be this but I don't think it is - "The following boot-start or system-start driver(s) failed to load: szkg")

Here is my hijackthis log

Thank you in anticipation

Logfile of HijackThis v1.99.1
Scan saved at 11:20:58, on 08/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/home_homeoffice/security_response/threatexplorer/threats.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.madasafish.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125130775828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144959150652
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14697C9-9005-4519-8ACD-44529AE8E480}: NameServer = 85.255.116.67 85.255.112.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Hi NickB and welcome to Safer Networking Forums :)

You got some infections there...

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
Thank you for your help so far which is much appreciated

Here are the various logs - I actually ran combofix.exe twice as I couldn't find the log first time; I hope that doesn't matter. The hijackthis report was run after the combofix


Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMCPL.EXE 1,323,008 2003-07-28

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...

COMBO FIX LOG

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3CE73184-07C9-2057-0912-02073102002c}
C:\Program Files\Common Files\{3CE73184-07CA-2057-0912-02073102002c}
C:\Program Files\Common Files\{ECE73184-07C9-2057-0912-02073102002c}
C:\Program Files\Common Files\{ECE73184-07CA-2057-0912-02073102002c}


Logfile of HijackThis v1.99.1
Scan saved at 11:52, on 06-12-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125130775828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144959150652
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Hi :)

That doesn't look like the complete ComboFix log. Please post the full ComboFix log here. You can find it at C:\Combofix.txt

:bigthumb:
 
This is the second one

Nick Blair - 06-12-09 11:42:13.31 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Nick Blair\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3CE73184-07C9-2057-0912-02073102002c}
C:\Program Files\Common Files\{3CE73184-07CA-2057-0912-02073102002c}
C:\Program Files\Common Files\{ECE73184-07C9-2057-0912-02073102002c}
C:\Program Files\Common Files\{ECE73184-07CA-2057-0912-02073102002c}


((((((((((((((((((((((((((((((( Files Created from 2006-11-09 to 2006-12-09 ))))))))))))))))))))))))))))))))))

AND THIS IS THE OTHER!

Nick Blair - 06-12-09 11:32:39.65 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Nick Blair\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3CE73184-07C9-2057-0912-02073102002c}
C:\Program Files\Common Files\{3CE73184-07CA-2057-0912-02073102002c}
C:\Program Files\Common Files\{ECE73184-07C9-2057-0912-02073102002c}
C:\Program Files\Common Files\{ECE73184-07CA-2057-0912-02073102002c}


((((((((((((((((((((((((((((((( Files Created from 2006-11-09 to 2006-12-09 ))))))))))))))))))))))))))))))))))
 
Hi again, we'll continue :)

Ok so those were the complete combofix logs...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Disable PrevX realtime protection
  • Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.
  • On the Management Console click the Protection Level drop-down menu. You will see three levels:
    • Maximum
    • Off
    • User Defined
  • Disable all protection by setting the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
  • Click the X on the upper right hand corner to exit the Management console.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

==================

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14697C9-9005-4519-8ACD-44529AE8E480}: NameServer = 85.255.116.67 85.255.112.90

Now let's check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\SYSTEM32\DMCPL.EXE

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
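The two kinds of HijackThis entry the helper singles out above (the O17 NameServer lines and the O2/O18/O23 lines whose target file is gone) can be picked out of a log mechanically before a human reads the rest. The script below is an added example written for this thread; it is not part of the thread, of HijackThis, or of any of the tools mentioned. The list of expected resolvers is an assumption (whatever the ISP or router hands out; 192.168.1.1 is used as a placeholder), and the sample log is constructed from lines quoted in this thread plus one made-up O17 line for contrast.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
forum thread or from HijackThis itself).

Given the text of a HijackThis log, pull out the entry types a helper looks
at first on a thread like this one:
  * O17 lines that set a NameServer, flagged when an address is not one of
    the resolvers the owner expects (the expected set is an assumption);
  * O2/O18/O23 lines whose target file is missing, which are leftovers worth
    cleaning up.
"""
import ipaddress
import re

# Assumption: the resolvers this machine is supposed to use (ISP or router).
# Anything else found in an O17 line is reported for a human to check.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
MISSING_RE = re.compile(r"^(?P<kind>O2|O18|O23) - .*\((?:no file|file missing)\)\s*$")


def parse_nameservers(field):
    """Split the NameServer field; the log shows both ',' and ' ' separated lists."""
    addrs = []
    for token in re.split(r"[,\s]+", field.strip()):
        if not token:
            continue
        try:
            addrs.append(str(ipaddress.ip_address(token)))
        except ValueError:
            # keep the raw token so an odd entry is still surfaced
            addrs.append(token)
    return addrs


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Return {'rogue_dns': [...], 'missing_file': [...]} for the given log text.

    rogue_dns entries carry the registry key and the unexpected resolver(s);
    missing_file entries are the raw lines pointing at files that no longer exist.
    """
    findings = {"rogue_dns": [], "missing_file": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in parse_nameservers(m.group("servers")) if s not in expected]
            if unexpected:
                findings["rogue_dns"].append({"key": m.group("key"), "servers": unexpected})
            continue
        if MISSING_RE.match(line):
            findings["missing_file"].append(line)
    return findings


# Constructed sample: lines copied from the log in this thread, plus one
# made-up O17 line ({CONSTRUCTED-0000}) that uses the expected resolver.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar3.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{69B043E1-2370-491E-A606-F0799D2AAA5B}: NameServer = 85.255.116.67,85.255.112.90
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{C14697C9-9005-4519-8ACD-44529AE8E480}: NameServer = 85.255.116.67 85.255.112.90
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-0000}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\\Program Files\\Prevx1\\PXAgent.exe" -f (file missing)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["rogue_dns"]:
        print("unexpected resolver(s) on", hit["key"], "->", ", ".join(hit["servers"]))
    for entry in result["missing_file"]:
        print("dangling entry:", entry)
```

Run against the sample it reports both O17 interfaces (each pointing at 85.255.116.67 and 85.255.112.90) and the three dangling O2/O18/O23 entries, while the made-up interface using the expected resolver stays quiet. Because the check compares against an allow-list rather than a block-list, it also catches a hijack that swaps in addresses nobody has seen before; the cost is that the expected set has to be filled in per network.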
 
Here are the various reports -

AVG -

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:45 06-12-11

+ Scan result:



C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\CuteFTP\advert.dll -> Adware.Aureate : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\CuteFTP\advert.dll -> Adware.Aureate : Cleaned with backup (quarantined).
C:\Documents and Settings\Alexander Blair.HAL\Application Data\Microsoft\Internet Explorer\Quick Launch\Block Checker.lnk -> Adware.BlockChecker : Cleaned with backup (quarantined).
HKU\S-1-5-21-1653462319-1279371858-1987657003-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Adverts\uninst.exe -> Adware.Lop : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\Cute\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\CuteFTP\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\Cute\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\CuteFTP\tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w\john-16\run\john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\john-16w\john-16\run\john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup (quarantined).
C:\Program Files\Cain\Abel.dll -> Not-A-Virus.PSWTool.Win32.Cain.284 : Cleaned with backup (quarantined).
C:\Program Files\Cain\Abel.exe -> Not-A-Virus.PSWTool.Win32.Cain.284 : Cleaned with backup (quarantined).
C:\Program Files\SnadBoy's Revelation v2\Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned with backup (quarantined).
C:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\vnc_x86_win32\vncviewer\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Blair\Desktop\apps\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@ad.adition[1].txt -> TrackingCookie.Adition : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned.
:mozilla.17:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.18:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.30:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.28:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@cqcounter[1].txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.73:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@www.hightrafficads[1].txt -> TrackingCookie.Hightrafficads : Cleaned.
:mozilla.50:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.69:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.52:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\CookiesXP\nick blair@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.71:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.72:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.64:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.35:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.82:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\Family\Cookies\family@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.


::Report end

********************************

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 07:50, on 06-12-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125130775828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144959150652
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

****************************

SDF


SDFix: Version 1.45
****************

06-12-11 - 0:41:43.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:


File Path:



Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

******************************

AND THAT'S IT!
 
Ok looking better :)

How is the computer running at the moment ?

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.
 
When I go on the internet it is still sending and receiving a load of stuff which makes me understand where we are going next I think :)

I would guess about 100kb per second are going in and out at the moment

Thanks for the assistance
 
Hi again - limited success with that tool. When it runs it returns the following, but when I do a full scan it picks up various entries when it scans the registry and picks up entries referring to lzx32 when it goes through ControlSet001 / ControlSet002 / ControlSet003 - but when it scans CurrentControlSet the machine reboots! Tried it twice, but same result.


GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-12 07:53:01
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey

SYSENTER ? F10FF1B3

Code F10FDC10 pIofCallDriver

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F12342A0] vsdatant.sys

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32\lzx32.sys (*** hidden *** ) [SYSTEM] lzx32 <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
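A defender-side way to read the two logs in this thread, as an added example that is not from the thread, GMER or AVG: it parses GMER's SSDT, Device and hidden Service lines, parses AVG's `path -> detection : action` lines, treats a colon after the drive letter as an NTFS alternate data stream (the `system32:lzx32.sys` entry above is the same driver the hidden-service line names), and correlates the two. The line formats and field names are assumptions taken from the posted logs, and the sample inputs are constructed excerpts of them.

```python
"""Summarise a GMER rootkit-scan log and spot NTFS alternate data streams in an AVG report.

Added example, not part of the original thread or of GMER/AVG. The parsing rules below are
assumptions derived from the log lines posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the GMER log posted above.
SAMPLE_GMER_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-12 07:53:01

---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F12342A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F12342A0] vsdatant.sys

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32\lzx32.sys (*** hidden *** ) [SYSTEM] lzx32 <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
"""

# Constructed sample: three lines in the shape of the AVG Anti-Spyware report posted above.
SAMPLE_AVG_REPORT = r"""C:\Program Files\Adverts\uninst.exe -> Adware.Lop : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.e : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Nick Blair\Application Data\Mozilla\Firefox\Profiles\phni5tcs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
"""

# Assumed line shapes: 'SSDT <module> <function>', 'Device <driver> <device> <IRP> [<addr>] <module>',
# 'Service <path> (*** hidden *** ) [<start type>] <name> ...', '<path> -> <detection> : <action>'.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)$")
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)"
                       r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
                        r"\[(?P<start>\w+)\]\s+(?P<name>\S+)")
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")


def module_name(path):
    """Reduce '\\SystemRoot\\System32\\vsdatant.sys' to 'vsdatant.sys' (lower-cased)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer_log(text):
    """Group SSDT hooks and IRP hooks by hooking module and list hidden services."""
    ssdt, irp, hidden = defaultdict(list), defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            ssdt[module_name(m["module"])].append(m["func"])
        elif m := DEVICE_RE.match(line):
            irp[module_name(m["module"])].append((m["device"], m["irp"]))
        elif m := SERVICE_RE.match(line):
            hidden.append({"path": m["path"], "name": m["name"], "start": m["start"],
                           "flagged": "ROOTKIT" in line})
    return {"ssdt": dict(ssdt), "irp": dict(irp), "hidden_services": hidden}


def split_ads(path):
    """Return (host, stream) when an AVG path names an NTFS alternate data stream, else None.

    AVG prefixes cookie hits with ':mozilla.N:' (an index into cookies.txt, not a stream),
    so that prefix is dropped before looking for a colon after the drive letter.
    """
    if path.startswith(":"):
        path = path.split(":", 2)[2]
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    if ":" not in body:
        return None
    host, stream = path.rsplit(":", 1)
    return host, stream


def parse_avg_report(text):
    """Parse 'path -> detection : action' lines and tag any alternate-data-stream paths."""
    entries = []
    for raw in text.splitlines():
        m = AVG_RE.match(raw.strip())
        if m:
            entries.append({"path": m["path"], "detection": m["detection"],
                            "action": m["action"], "ads": split_ads(m["path"])})
    return entries


def correlate(gmer, avg_entries):
    """Hidden services whose driver file name also appears in the AVG report (as file or stream)."""
    seen = {module_name(e["path"]) for e in avg_entries}
    seen |= {e["ads"][1].lower() for e in avg_entries if e["ads"]}
    return sorted({s["name"] for s in gmer["hidden_services"] if module_name(s["path"]) in seen})


if __name__ == "__main__":
    gmer = parse_gmer_log(SAMPLE_GMER_LOG)
    avg = parse_avg_report(SAMPLE_AVG_REPORT)
    for mod, funcs in gmer["ssdt"].items():
        print(f"SSDT hooks by {mod}: {len(funcs)}")
    for svc in gmer["hidden_services"]:
        print(f"hidden service {svc['name']} -> {svc['path']} (flagged={svc['flagged']})")
    for e in avg:
        if e["ads"]:
            print(f"ADS {e['ads'][1]} attached to {e['ads'][0]} ({e['detection']})")
    print("hidden services also seen by AVG:", correlate(gmer, avg))
```

Hooks from pxfsf.sys and vsdatant.sys are the Prevx and ZoneAlarm drivers already visible in the HijackThis logs, which is why only the hidden service is the actionable line; the SSDT summary shows which modules to check against known-good products before treating a hook as hostile.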
 
Hi again :)

You got a rootkit there...

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
 
First thing is I have been logged on for 6 minutes and 172kb has gone out and 89kb back in :) and after 10 mins it's hardly moved

LOGS -

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gcfcokrd

*******************

Script file located at: \??\C:\WINDOWS\system32\vmpuyqxe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver lzx32 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

+++++++++++++++++++++++++++++++++++++++++++

************************* Rustock.b-fix -- By ejvindh *************************
06-12-12 19:27:30.20


******************* Pre-run Status of system *******************

Rootkit driver lzx32 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


And a hijackthis for fun...

Logfile of HijackThis v1.99.1
Scan saved at 19:57, on 06-12-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1164356621\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.madasafish.com
O16 - DPF: ConferenceRoom Java Client - http://www.ropetalk.net:8000/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125130775828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144959150652
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14697C9-9005-4519-8ACD-44529AE8E480}: NameServer = 80.189.92.2 80.189.94.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thank you again - (a colleague at work suggested a format might have been better but it's been an interesting ride so far)
 
Sorry, that last comment might come across wrong, as if I don't appreciate what you have done - that's not what I meant.
 
Ahh don't worry :)

It is beginning to look better.

Please try to run GMER again, it should now work fine. Post the log to here.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
GMER log

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-14 01:28:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT pxfsf.sys ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + D4 804E2730 24 Bytes [ 79, 58, 5D, F7, 83, 58, 5D, ... ]
.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 6 Bytes [ D0, E0, 28, F1, BF, 58 ]
.text ntoskrnl.exe!_abnormal_termination + F7 804E2753 9 Bytes [ F7, C9, 58, 5D, F7, D3, 58, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 6C, 28, F1, E0, CE, 28, ... ]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2770 28 Bytes [ D0, 06, 29, F1, 05, 59, 5D, ... ]
.text ...

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F12982A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F12982A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\about.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\ADV.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\ADVD.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\ADVE.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\ADVH.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\BACK.BMP:Q30lsldxJoudresxAaaqpcawXc
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\BACK.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\BROWSE.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\BROWSED.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\BROWSEE.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\bundle\Netscape\Win95_NT\Launcher\Full\bitmap\Standard\BROWSEH.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.12 ----
 
KASPERSKY

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
06-12-14 08:14
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/12/2006
Kaspersky Anti-Virus database records: 250589
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 216195
Number of viruses found: 13
Number of infected objects: 74 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:55:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Adam Blair.HAL\My Documents\FinePrint files\AutoSave\2005-02-16-212125.fp Object is locked skipped
C:\Documents and Settings\Adam Blair.HAL\My Documents\FinePrint files\fp4.sta Object is locked skipped
C:\Documents and Settings\Adam Blair.HAL\Start Menu\Programs\FinePrint 2000\Explore FinePrint files.lnk Object is locked skipped
C:\Documents and Settings\Adam Blair.HAL\Start Menu\Programs\FinePrint 2000\FinePrint Dispatcher.lnk Object is locked skipped
C:\Documents and Settings\Adam Blair.HAL\Start Menu\Programs\FinePrint 2000\FinePrint Help.lnk Object is locked skipped
C:\Documents and Settings\Adam Blair.HAL\Start Menu\Programs\FinePrint 2000\FinePrint Readme.lnk Object is locked skipped
C:\Documents and Settings\Adam Blair.HAL\Start Menu\Programs\FinePrint 2000\Uninstall FinePrint.lnk Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\AutoSave\2006-03-20-185007.fp Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\AutoSave\2006-03-20-185107.fp Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\AutoSave\2006-03-20-185342.fp Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\AutoSave\2006-03-20-185407.fp Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\AutoSave\2006-04-02-135623.fp Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\fp4.ini Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\My Documents\FinePrint files\fp4.sta Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\Start Menu\Programs\FinePrint 2000\Explore FinePrint files.lnk Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\Start Menu\Programs\FinePrint 2000\FinePrint Dispatcher.lnk Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\Start Menu\Programs\FinePrint 2000\FinePrint Help.lnk Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\Start Menu\Programs\FinePrint 2000\FinePrint Readme.lnk Object is locked skipped
C:\Documents and Settings\Alexander Blair.HAL\Start Menu\Programs\FinePrint 2000\Uninstall FinePrint.lnk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\ef114da153b822ffda3eb0132247f174_792d0f93-8023-44a8-a122-aa8604db14b9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Lynne Blair\My Documents\FinePrint files\AutoSave\2005-01-03-163636.fp Object is locked skipped
C:\Documents and Settings\Lynne Blair\My Documents\FinePrint files\AutoSave\2005-01-03-163727.fp Object is locked skipped
C:\Documents and Settings\Lynne Blair\My Documents\FinePrint files\AutoSave\2005-01-03-164550.fp Object is locked skipped
C:\Documents and Settings\Lynne Blair\My Documents\FinePrint files\fp4.ini Object is locked skipped
C:\Documents and Settings\Lynne Blair\My Documents\FinePrint files\fp4.sta Object is locked skipped
C:\Documents and Settings\Lynne Blair\Start Menu\Programs\FinePrint 2000\Explore FinePrint files.lnk Object is locked skipped
C:\Documents and Settings\Lynne Blair\Start Menu\Programs\FinePrint 2000\FinePrint Dispatcher.lnk Object is locked skipped
C:\Documents and Settings\Lynne Blair\Start Menu\Programs\FinePrint 2000\FinePrint Help.lnk Object is locked skipped
C:\Documents and Settings\Lynne Blair\Start Menu\Programs\FinePrint 2000\FinePrint Readme.lnk Object is locked skipped
C:\Documents and Settings\Lynne Blair\Start Menu\Programs\FinePrint 2000\Uninstall FinePrint.lnk Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Nick Blair\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe/R_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe/Radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe ViseMan: infected - 4 skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe ViseMan: infected - 4 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\Cute\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\RevelationV2.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\CuteFTP\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\From work\Information\mydocs\njba drive\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\From work\Information\mydocs\njba drive\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\From work\Information\njbnick\NICK\My Docs\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\From work\Information\njbnick\NICK\My Docs\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\Cute\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\RevelationV2.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Applications\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\CuteFTP\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\From work\Information\mydocs\njba drive\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\From work\Information\mydocs\njba drive\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\From work\Information\njbnick\NICK\My Docs\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\From work\Information\njbnick\NICK\My Docs\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Remote Administrator\radmin20.exe/R_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Remote Administrator\radmin20.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Remote Administrator\radmin20.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Remote Administrator\radmin20.exe/Radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Remote Administrator\radmin20.exe ViseMan: infected - 4 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Fromwork2\stuff\Personal\Remote Administrator\radmin20.exe ViseMan: infected - 4 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\mIRC\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.582 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\antispam\BSM18.exe Infected: not-a-virus:NetTool.Win32.BSM.18 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\fromwork\mydocs\njba drive\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\fromwork\mydocs\njba drive\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\fromwork\njbnick\NICK\My Docs\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\fromwork\njbnick\NICK\My Docs\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\fromwork\mydocs\njba drive\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\fromwork\mydocs\njba drive\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\fromwork\njbnick\NICK\My Docs\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\fromwork\njbnick\NICK\My Docs\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\mirc\backup\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.56 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\mirc\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.571 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\work2\work\From work\Information\mydocs\njba drive\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\work2\work\From work\Information\mydocs\njba drive\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\work2\work\From work\Information\njbnick\NICK\My Docs\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\work2\work\From work\Information\njbnick\NICK\My Docs\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Desktop\plugins\ca_setup.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Documents and Settings\Nick Blair\Desktop\plugins\ca_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Documents and Settings\Nick Blair\Desktop\plugins\ca_setup.exe WiseSFX: infected - 2 skipped
 
C:\Documents and Settings\Nick Blair\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/09 Nov 2006 22:14 from tech_service@visa.com:Order ID : 37679041/TRS-20067720.exe Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\Documents and Settings\Nick Blair\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nick Blair\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick Blair\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick Blair\Local Settings\History\History.IE5\MSHist012006121420061215\index.dat Object is locked skipped
C:\Documents and Settings\Nick Blair\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick Blair\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nick Blair\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Prevx1\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx1\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx1\paws.cache Object is locked skipped
C:\Program Files\Prevx1\prevx.cache Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026186.dll Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026187.dll Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026188.dll Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026189.dll Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026190.dll Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026191.dll Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026192.exe Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026193.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026194.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026195.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026196.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026197.dll Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP38\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallQ308387$\autolfn.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308387$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308387$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308402$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308402$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\userenv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\syssetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\netsetup.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\upnp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\HAL.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT020ba.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT034a5.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed
 
Hi again :)

Kaspersky found some hoax email messages and a bunch of other "tools".

You have installed the following programs on purpose, right?

C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe/R_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\Cute\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\CuteFTP\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\antispam\BSM18.exe Infected: not-a-virus:NetTool.Win32.BSM.18 skipped
C:\Documents and Settings\Nick Blair\Desktop\plugins\ca_setup.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped

How are things running?
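
The reply above sorts the Kaspersky hits by hand: the "not-a-virus:" entries are riskware that is fine if it was installed deliberately, the "not-virus:" entries are joke programs, and the one remaining "Infected:" line is the real detection. As an added example (my own code, not anything posted in this thread and not a Kaspersky tool), here is that triage done mechanically over the report's line format. It separates riskware, jokes, real malware, "Object is locked" entries and the per-archive roll-up lines ("ZIP: infected - 3 skipped"), and maps each hit inside an archive or .pst back to the file on disk. It assumes the scanner uses "/" only to separate nested archive or mailbox members, which holds for every line in the report above; the sample lines are excerpted from that report.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the Kaspersky Online Scanner report
# posted above, chosen to cover every line shape that report uses.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe/R_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Nick Blair\Desktop\apps\Remote Administrator\radmin20.exe ViseMan: infected - 4 skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\From Work\Personal\Applications\Cute\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\fromwork\njbnick\NICK\My Docs\archive.pst/Personal Folders/Sent Items/08 Mar 1999 16:39 to 'BrianEliot@aol.com':Something of interest/small.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\fromwork\njbnick\NICK\My Docs\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Nick Blair\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/09 Nov 2006 22:14 from tech_service@visa.com:Order ID : 37679041/TRS-20067720.exe Infected: Trojan-Downloader.Win32.Small.dep skipped
C:\Documents and Settings\Nick Blair\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 1 skipped
C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP36\A0026193.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
"""

# The three line shapes the report uses. The container roll-up uses a lazy
# path so that "archive.pst Mail MS Mail: infected - 1" splits at the right spot.
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<fmt>[A-Za-z ]+): infected - (?P<count>\d+) (?P<action>\S+)$"
)


def parse_line(line):
    """Classify one report line; returns (kind, fields) or None for headers/blanks."""
    line = line.strip()
    if not line:
        return None
    m = LOCKED_RE.match(line)
    if m:
        return "locked", {"path": m["path"]}
    m = INFECTED_RE.match(line)
    if m:
        name = m["name"]
        if name.startswith("not-a-virus:"):
            kind = "tool"        # riskware: legitimate if installed on purpose
        elif name.startswith("not-virus:"):
            kind = "joke"        # joke/hoax programs
        else:
            kind = "malware"     # everything else is a real detection
        return kind, {"path": m["path"], "name": name, "action": m["action"]}
    m = CONTAINER_RE.match(line)
    if m:
        return "container", {"path": m["path"], "format": m["fmt"],
                             "count": int(m["count"]), "action": m["action"]}
    return None


def on_disk_file(path):
    """Map a nested member path back to the file on disk.

    Assumption: the scanner writes nested members as <file>/<member>/..., and
    Windows paths use backslashes, so the text before the first "/" is the
    file you would actually quarantine or clean.
    """
    return path.split("/", 1)[0]


def triage(report_text):
    """Bucket every report line; tools/jokes are grouped by detection name."""
    result = {"malware": [], "tools": defaultdict(set), "jokes": defaultdict(set),
              "locked": [], "containers": [], "unparsed": []}
    for raw in report_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            if raw.strip():
                result["unparsed"].append(raw.strip())
            continue
        kind, f = parsed
        if kind == "malware":
            result["malware"].append((on_disk_file(f["path"]), f["path"], f["name"]))
        elif kind == "tool":
            result["tools"][f["name"]].add(on_disk_file(f["path"]))
        elif kind == "joke":
            result["jokes"][f["name"]].add(on_disk_file(f["path"]))
        elif kind == "locked":
            result["locked"].append(f["path"])
        else:
            result["containers"].append((f["path"], f["format"], f["count"]))
    return result


def summarize(result):
    """Triage lines in the order a responder acts on them."""
    out = []
    for disk, full, name in result["malware"]:
        where = disk if full == disk else f"inside {disk} (clean the member, not the whole file)"
        out.append(f"MALWARE  {name}  {where}")
    for name, files in sorted(result["tools"].items()):
        out.append(f"TOOL     {name}  {len(files)} file(s): keep only if installed on purpose")
    for name, files in sorted(result["jokes"].items()):
        out.append(f"JOKE     {name}  {len(files)} file(s)")
    out.append(f"INFO     {len(result['containers'])} archive/mailbox roll-up line(s), "
               f"{len(result['locked'])} object(s) the scanner could not open, "
               f"{len(result['unparsed'])} unparsed line(s)")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_REPORT))))
```

Run against the full report, the only MALWARE line is the Trojan-Downloader inside outlook.pst, and the on-disk mapping makes the point the raw listing hides: the file to act on is a mailbox, so the fix is removing that message, not deleting the .pst. "Object is locked" lines are files the scanner could not open (registry hives, logs, index.dat), not detections.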
 
Remote Administrator I never got round to using but know what it is
Cute I know about
Revelation I used to use on site sometimes when people had forgotten their passwords
Cain and Abel I used for a tryout and believe is OK (unless you know different!)

Not sure about this one -

C:\Documents and Settings\Nick Blair\Desktop\OldFiles\Nick\cd2\Nickprofile\Nick Blair\Desktop\Desktop Folders\antispam\BSM18.exe Infected: not-a-virus:NetTool.Win32.BSM.18 skipped

Apart from that the machine is behaving - apart from the fact that the Windows Firewall is not enabled. Should I try and get it re-enabled? Is the following link OK as a fix - http://windowsxp.mvps.org/sharedaccess.htm ?

Am I safe to resume normal usage?
 