# [email protected]



## peterrcanavan (Oct 15, 2007)

Hi all,

I seem to have picked up a trojan that I can not remove.

I have downloaded and use spybot which removed 14 infections.

I have downloaded and run adaware which found no infections.

I have downloaded and run HijackThis which I will post a log for.

My web browser home page has been changed to about:blank and the website that I am taken to is http://asafetyprocedure.com/ and a popup appears explaining that I have the infection. Please assist and advise further action required.

Logfile of HijackThis v1.99.1
Scan saved at 8:09:17 PM, on 15/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Video Add-on\icmntr.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Peter Canavan\My Documents\My Documents\Antivirus\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6070909
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6070909
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {CFE15135-C591-4000-A55E-A50E5F9F82BC} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IE Custom Tools - {23ED2206-856D-461A-BBCF-1C2466AC5AE3} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks in advance
Peter


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

Download *SmitfraudFix (by S!Ri)* to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
http://siri.geekstogo.com/SmitfraudFix.exe

1. *Reboot your computer in "SAFE MODE" using the F8 method* so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See How to Boot in "SAFE MODE" tutorial if needed.
2. Double-click on SmitfraudFix.exe.
3. Select *2* and hit *Enter* to delete the infected files.
4. You will be prompted: *Do you want to clean the registry?* answer *Y* (yes) and hit *Enter* in order to remove the Desktop background and clean registry keys associated with the infection.
5. The tool will check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found): *Replace Infected file?* answer *Y* (yes) and hit *Enter* to restore a clean file.
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at *C:\rapport.txt*.
7. In your next reply, please include a fresh Hijackthis log and rapport log.

=======================================

Please perform a scan with *Panda ActiveScan* - ActiveScan does not remove adware/spyware but will autoclean for viruses & worms.
1. Click "*Scan Your PC*".
2. A new window will open. Click "*Check Now!*".
3. Fill in your registration and click "*Scan Now!*".
4. You may receive an alert on the address bar that "*This site might require the following ActiveX control...Click here to install...*". Click on that alert and then *Click Install ActiveX component*.
5. A new window will appear asking "*Do you want to install this software?*" Name: *asinst.cab*.
6. Select "*Install*" to download the ActiveX controls that allow ActiveScan to run.
7. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "*Allow*".
8. Select a device to scan: Click on "*Local Disks*" [allow it to Auto Clean].
9. When the scan completes, if anything malicious is detected, click the "*See Report*" button, then "*Save Report*" to your desktop.
10. Post back the results of your scan and any infected files that are found but not deleted.


----------



## peterrcanavan (Oct 15, 2007)

Hey Sjpritch25

Thank you so much for your assistance. It is very considerate and appreciated.

I did everything you asked and here are the reports.

Logfile of HijackThis v1.99.1
Scan saved at 4:29:02 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Peter Canavan\My Documents\My Documents\Antivirus\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6070909
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IE Custom Tools - {23ED2206-856D-461A-BBCF-1C2466AC5AE3} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

SmitFraudFix v2.240

Scan done at 16:24:30.60, Wed 17/10/2007
Run from C:\Documents and Settings\Peter Canavan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}"="designers"

[HKEY_CLASSES_ROOT\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}\InProcServer32]
@="C:\WINDOWS\system32\sttwrd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}\InProcServer32]
@="C:\WINDOWS\system32\sttwrd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\PETERC~1\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\AntiVirGear 3.8\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}"="designers"

[HKEY_CLASSES_ROOT\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}\InProcServer32]
@="C:\WINDOWS\system32\sttwrd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5}\InProcServer32]
@="C:\WINDOWS\system32\sttwrd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Peter Canavan\Cookies\peter [email protected][2].txt 
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Peter Canavan\Cookies\peter [email protected][1].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Peter Canavan\Cookies\peter [email protected][1].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Peter Canavan\Cookies\peter [email protected][2].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Peter Canavan\Cookies\peter [email protected][1].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Peter Canavan\Cookies\peter [email protected][2].txt 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Peter Canavan\Desktop\SmitfraudFix\Process.exe 
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Peter Canavan\Desktop\SmitfraudFix\Reboot.exe 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Peter Canavan\Desktop\SmitfraudFix\restart.exe 
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Peter Canavan\Desktop\SmitfraudFix.exe 
Adware:Adware/PC-Prot Not disinfected C:\Program Files\Video Add-on\icmntr.exe 
Adware:Adware/WinSecureDisc Not disinfected C:\Program Files\Video Add-on\icthis.exe 
Adware:Adware/WinSecureDisc Not disinfected C:\Program Files\Video Add-on\ictmdl.dll 
Adware:Adware/PC-Prot Not disinfected  C:\Program Files\Video Add-on\ictun.exe 
Adware:Adware/VideoAddon Not disinfected C:\Program Files\Video Add-on\icun.exe 
Adware:Adware/PC-Prot Not disinfected C:\Program Files\Video Add-on\isfmdl.dll 
Adware:Adware/PC-Prot Not disinfected C:\Program Files\Video Add-on\isfmntr.exe

Thanks again
Peter


----------



## sjpritch25 (Sep 8, 2005)

Download *Combofix* and save it to your desktop.

***Note: It is important that it is saved directly to your desktop***

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


----------



## peterrcanavan (Oct 15, 2007)

Combofix downloaded and run. Here are the txt files as requested.

ComboFix 07-10-17.8 - Peter Canavan 2007-10-17 21:04:59.1 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.408 [GMT 10:00]
Running from: C:\Documents and Settings\Peter Canavan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 21:04	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-17 16:40 d--------	C:\WINDOWS\system32\ActiveScan
2007-10-17 16:24	4,796	--a------	C:\WINDOWS\system32\tmp.reg
2007-10-17 16:20 d--------	C:\WINDOWS\pss
2007-10-15 19:38 d--------	C:\Program Files\Lavasoft
2007-10-15 18:52 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 07:17 d--------	C:\Program Files\WinSecureAv
2007-10-15 07:17	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-10-15 07:00 d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-15 06:56 d--------	C:\Program Files\Video Add-on
2007-10-12 07:33	584,192	---------	C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 10:23 d--------	C:\WINDOWS\Sun
2007-10-11 09:29	31,616	--a------	C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-11 09:29	31,616	--a------	C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-11 09:20 d--------	C:\Program Files\Telstra
2007-10-09 11:48 d--------	C:\MDT
2007-10-09 11:40 d--------	C:\Documents and Settings\Peter Canavan\Application Data\CyberLink
2007-10-09 11:40 d--------	C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-24 15:23	17,664	--a------	C:\WINDOWS\system32\drivers\sermouse.sys
2007-09-24 15:23	17,664	--a------	C:\WINDOWS\system32\dllcache\sermouse.sys
2007-09-21 21:21	17,920	--a------	C:\WINDOWS\system32\mdimon.dll
2007-09-21 21:20 d--------	C:\Program Files\Microsoft ActiveSync
2007-09-21 21:19 d--------	C:\WINDOWS\SHELLNEW
2007-09-21 21:19 d--------	C:\Program Files\Microsoft.NET
2007-09-17 20:07	128,896	---------	C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-17 20:07	23,040	---------	C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-17 20:07	16,896	---------	C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-17 20:06 d--------	C:\Program Files\MSXML 4.0
2007-09-17 19:31 d--------	C:\Program Files\Common Files\Adobe
2007-09-17 19:19 d--------	C:\Program Files\Symantec AntiVirus
2007-09-17 19:19 d--------	C:\Program Files\Symantec
2007-09-17 19:19 d--------	C:\Program Files\Common Files\Symantec Shared
2007-09-17 19:19 d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-17 19:19	110,952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-17 19:19	48,768	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-17 19:13 d--------	C:\Peters
2007-09-17 18:50 d--------	C:\Documents and Settings\Peter Canavan\Application Data\Dell
2007-09-17 18:49 d--------	C:\Documents and Settings\Peter Canavan\Application Data\Wave Systems Corp
2007-09-17 18:49 d--------	C:\Documents and Settings\Peter Canavan\Application Data\InstallShield
2007-09-17 18:49 d--h-----	C:\Documents and Settings\Peter Canavan\Application Data\GTek
2007-09-17 18:49 d--------	C:\Documents and Settings\Peter Canavan\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 07:25	---------	d-----w	C:\Program Files\Wave Systems Corp
2007-10-17 07:23	---------	d-----w	C:\Program Files\Google
2007-10-17 07:23	---------	d-----w	C:\Program Files\Digital Line Detect
2007-10-17 07:23	---------	d-----w	C:\Program Files\DellSupport
2007-10-17 07:19	---------	d-----w	C:\Program Files\Apoint
2007-09-21 06:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Gtek
2007-09-17 09:23	805	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-17 09:23	8,014	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-08 22:53	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-09-08 22:53	---------	d-----w	C:\Program Files\Roxio
2007-09-08 22:53	---------	d-----w	C:\Program Files\CyberLink
2007-09-08 22:53	---------	d-----w	C:\Program Files\Common Files\SureThing Shared
2007-09-08 22:53	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-09-08 22:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\InstallShield
2007-09-08 22:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Dell
2007-09-08 22:52	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-09-08 22:52	---------	d-----w	C:\Program Files\Common Files\Roxio Shared
2007-09-08 22:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Sonic
2007-09-08 22:48	---------	d-----w	C:\Program Files\Broadcom
2007-09-08 22:47	---------	d-----w	C:\Program Files\ATI Technologies
2007-09-08 22:46	---------	d-----w	C:\Program Files\DIFX
2007-09-08 22:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2007-09-08 22:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2007-09-08 22:40	---------	d-----w	C:\Program Files\NTRU Cryptosystems
2007-09-08 22:37	---------	d-----w	C:\Program Files\Dell
2007-09-08 22:36	---------	d-----w	C:\Program Files\SigmaTel
2007-09-08 22:36	---------	d-----w	C:\Program Files\NetWaiting
2007-09-08 22:36	---------	d-----w	C:\Program Files\Modem Diagnostic Tool
2007-09-08 22:36	---------	d-----w	C:\Program Files\CONEXANT
2007-09-08 22:33	---------	d-----w	C:\Program Files\Java
2007-09-08 22:32	---------	d-----w	C:\Program Files\Common Files\Java
2007-09-08 22:14	6,159	----a-w	C:\WINDOWS\system32\drivers\1028_Dell_LAT_D531.mrk
2007-08-22 13:12	96,256	------w	C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12	658,944	------w	C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12	615,424	------w	C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12	55,808	------w	C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12	532,480	------w	C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12	474,112	------w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12	449,024	------w	C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12	39,424	------w	C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12	357,888	------w	C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12	3,058,176	------w	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12	251,392	------w	C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12	205,312	------w	C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12	16,384	------w	C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12	151,040	------w	C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12	146,432	------w	C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12	1,494,528	------w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12	1,054,208	------w	C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12	1,022,976	------w	C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30	18,432	------w	C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15	683,520	------w	C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 09:19	92,504	----a-w	C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 09:19	92,504	----a-w	C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19	549,720	----a-w	C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19	549,720	----a-w	C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 09:19	53,080	----a-w	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19	53,080	----a-w	C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 09:19	43,352	----a-w	C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19	325,976	----a-w	C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19	325,976	----a-w	C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 09:19	203,096	----a-w	C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19	203,096	----a-w	C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 09:19	1,712,984	----a-w	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:19	1,712,984	----a-w	C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 09:18	33,624	----a-w	C:\WINDOWS\system32\wups.dll
2007-07-30 09:18	33,624	----a-w	C:\WINDOWS\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{23ED2206-856D-461A-BBCF-1C2466AC5AE3}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-15 06:57 68608]

[HKEY_CLASSES_ROOT\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{23ED2206-856D-461A-BBCF-1C2466AC5AE3}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-10-15 06:57 68608]

[HKEY_CLASSES_ROOT\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 20:39]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 15:03]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 05:10]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 01:26 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 16:23]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 17:32]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 13:53]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 11:12]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 16:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 11:00]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 19:23]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-21 16:13]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-24 09:03]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-30 09:33]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-06-07 06:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"BigPondWirelessBroadbandCM"="C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" [2007-06-26 17:08]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 17:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-09-09 08:36:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service
R2 BASFND;BASFND;\??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75}
R3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\system32\DRIVERS\cmusbnet.sys
R3 cmusbser;%CMUSBSER%;C:\WINDOWS\system32\DRIVERS\cmusbser.sys
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys
S3 SecureStorageService;SecureStorageService;"C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe"

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 21:06:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 21:06:49
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:08:13 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\Utility\Application\QMICM.exe
C:\Documents and Settings\Peter Canavan\My Documents\My Documents\Antivirus\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.bigpond.com/mybigpond/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6070909
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IE Custom Tools - {23ED2206-856D-461A-BBCF-1C2466AC5AE3} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thank you once again for your assistance.
Peter


----------



## sjpritch25 (Sep 8, 2005)

Please uninstall the following programs, via *Add/Remove Programs*:
Video Add-on
WinSecureAv

===================

Please download the attached file named CFScript.txt and Save it to your Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe.

In your next reply, please post a fresh ComboFix log and a fresh HijackThis log.

*Do not run on any other computer!!!! The attached file CFScript.txt is created for this specific computer. Running it on another system could cause it to crash or worse.*


----------



## peterrcanavan (Oct 15, 2007)

Hi,

Firstly, I removed the program Video Add-on through Add/Remove Programs. However, WinSecureAv did not appear in the program list.

I saved the txt file and ran it through ComboFix; the resultant ComboFix log and HijackThis log follow:

ComboFix 07-10-17.8 - Peter Canavan 2007-10-18 14:25:35.2 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.401 [GMT 10:00]
Running from: C:\Documents and Settings\Peter Canavan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Peter Canavan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\icmntr.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\ictmdl.dll
C:\Program Files\Video Add-on\ictun.exe
C:\Program Files\Video Add-on\icun.exe
C:\Program Files\Video Add-on\isfmdl.dll
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Video Add-on\isfun.exe
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\Program Files\WinSecureAv

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-17 21:33 d--------	C:\Program Files\Telstra
2007-10-17 21:04	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-17 16:40 d--------	C:\WINDOWS\system32\ActiveScan
2007-10-17 16:24	4,796	--a------	C:\WINDOWS\system32\tmp.reg
2007-10-17 16:20 d--------	C:\WINDOWS\pss
2007-10-15 19:38 d--------	C:\Program Files\Lavasoft
2007-10-15 18:52 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 07:17	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-10-15 07:00 d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-12 07:33	584,192	---------	C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 10:23 d--------	C:\WINDOWS\Sun
2007-10-11 09:29	31,616	--a------	C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-11 09:29	31,616	--a------	C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-09 11:48 d--------	C:\MDT
2007-10-09 11:40 d--------	C:\Documents and Settings\Peter Canavan\Application Data\CyberLink
2007-10-09 11:40 d--------	C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-24 15:23	17,664	--a------	C:\WINDOWS\system32\drivers\sermouse.sys
2007-09-24 15:23	17,664	--a------	C:\WINDOWS\system32\dllcache\sermouse.sys
2007-09-21 21:21	17,920	--a------	C:\WINDOWS\system32\mdimon.dll
2007-09-21 21:20 d--------	C:\Program Files\Microsoft ActiveSync
2007-09-21 21:19 d--------	C:\WINDOWS\SHELLNEW
2007-09-21 21:19 d--------	C:\Program Files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 04:28	---------	d-----w	C:\Program Files\Symantec AntiVirus
2007-10-18 04:16	---------	d-----w	C:\Documents and Settings\Peter Canavan\Application Data\Wave Systems Corp
2007-10-17 07:25	---------	d-----w	C:\Program Files\Wave Systems Corp
2007-10-17 07:23	---------	d-----w	C:\Program Files\Google
2007-10-17 07:23	---------	d-----w	C:\Program Files\Digital Line Detect
2007-10-17 07:23	---------	d-----w	C:\Program Files\DellSupport
2007-10-17 07:21	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-10-17 07:19	---------	d-----w	C:\Program Files\Apoint
2007-09-21 06:25	---------	d--h--w	C:\Documents and Settings\Peter Canavan\Application Data\GTek
2007-09-21 06:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Gtek
2007-09-17 10:06	---------	d-----w	C:\Program Files\MSXML 4.0
2007-09-17 09:31	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-09-17 09:23	805	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-17 09:23	8,014	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-17 09:23	110,952	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-17 09:23	---------	d-----w	C:\Program Files\Symantec
2007-09-17 09:19	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-17 08:50	---------	d-----w	C:\Documents and Settings\Peter Canavan\Application Data\Dell
2007-09-08 22:53	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-09-08 22:53	---------	d-----w	C:\Program Files\Roxio
2007-09-08 22:53	---------	d-----w	C:\Program Files\CyberLink
2007-09-08 22:53	---------	d-----w	C:\Program Files\Common Files\SureThing Shared
2007-09-08 22:53	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-09-08 22:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\InstallShield
2007-09-08 22:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Dell
2007-09-08 22:52	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-09-08 22:52	---------	d-----w	C:\Program Files\Common Files\Roxio Shared
2007-09-08 22:52	---------	d-----w	C:\Documents and Settings\Peter Canavan\Application Data\ATI
2007-09-08 22:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Sonic
2007-09-08 22:48	---------	d-----w	C:\Program Files\Broadcom
2007-09-08 22:47	---------	d-----w	C:\Program Files\ATI Technologies
2007-09-08 22:46	---------	d-----w	C:\Program Files\DIFX
2007-09-08 22:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2007-09-08 22:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2007-09-08 22:40	---------	d-----w	C:\Program Files\NTRU Cryptosystems
2007-09-08 22:37	---------	d-----w	C:\Program Files\Dell
2007-09-08 22:36	---------	d-----w	C:\Program Files\SigmaTel
2007-09-08 22:36	---------	d-----w	C:\Program Files\NetWaiting
2007-09-08 22:36	---------	d-----w	C:\Program Files\Modem Diagnostic Tool
2007-09-08 22:36	---------	d-----w	C:\Program Files\CONEXANT
2007-09-08 22:36	---------	d-----w	C:\Documents and Settings\Peter Canavan\Application Data\InstallShield
2007-09-08 22:33	---------	d-----w	C:\Program Files\Java
2007-09-08 22:32	---------	d-----w	C:\Program Files\Common Files\Java
2007-09-08 22:14	6,159	----a-w	C:\WINDOWS\system32\drivers\1028_Dell_LAT_D531.mrk
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_21.06.23.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-17 11:34:13	24,190	----a-r	C:\WINDOWS\Installer\{0EEE3193-5E0D-471B-BFB0-0C2034F17B3B}\controlPanelIcon_1.exe
- 2007-06-06 01:36:16	81,536	----a-w	C:\WINDOWS\system32\drivers\cmusbnet.sys
+ 2007-06-21 23:54:32	87,424	----a-w	C:\WINDOWS\system32\drivers\cmusbnet.sys
- 2007-06-06 01:36:16	87,040	----a-w	C:\WINDOWS\system32\drivers\cmusbser.sys
+ 2006-12-13 08:31:56	87,040	----a-w	C:\WINDOWS\system32\drivers\cmusbser.sys
- 2007-10-17 11:01:42	64,262	----a-w	C:\WINDOWS\system32\perfc009.dat
+ 2007-10-18 04:20:04	64,262	----a-w	C:\WINDOWS\system32\perfc009.dat
- 2007-10-17 11:01:42	405,878	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2007-10-18 04:20:04	405,878	----a-w	C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 20:39]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 15:03]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 05:10]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 01:26 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 16:23]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 17:32]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 13:53]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 11:12]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 16:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 11:00]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 19:23]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-21 16:13]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-24 09:03]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-30 09:33]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-06-07 06:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"BigPondWirelessBroadbandCM"="C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" [2007-09-18 14:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 17:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-09-09 08:36:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service
R2 BASFND;BASFND;\??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75}
R3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\system32\DRIVERS\cmusbnet.sys
R3 cmusbser;%CMUSBSER%;C:\WINDOWS\system32\DRIVERS\cmusbser.sys
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys
S3 SecureStorageService;SecureStorageService;"C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe"

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 14:28:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 14:30:33 - machine was rebooted 
C:\ComboFix2.txt ... 2007-10-17 21:06
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 2:33:09 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Peter Canavan\My Documents\My Documents\Antivirus\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.bigpond.com/mybigpond/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6070909
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Once again thank you for your assistance.
Peter


----------



## sjpritch25 (Sep 8, 2005)

Your log is clean!!!! :up:

How is everything running????


----------



## peterrcanavan (Oct 15, 2007)

Perfectly, you are a legend. If you happen to be in Sydney and ever need some math tutoring, let me know.

Thank you so very much.

Regards
Peter


----------



## sjpritch25 (Sep 8, 2005)

Lets finish up.

You can delete the following:
C:\SmitfraudFix
C:\QooBox
On your Desktop
SmitfraudFix.exe
ComboFix.exe

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system. *Please follow these steps to remove older version Java components and update.*

*Updating Java:*

Download the latest version of *Java Runtime Environment (JRE) 6u3*.
Scroll down to where it says "_Java Runtime Environment (JRE) 6 Update 3_".
Click the "*Download*" button to the right.
Check the box that says: "*Accept*_ License Agreement_".
The page will refresh.
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the *Remove* or *Change/Remove* button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on *jre-6u3-windowsi586-p.exe* to install the newest version.

Now that your system is clean you should *SET A NEW RESTORE POINT* *to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection*. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To *SET A NEW RESTORE POINT*:
1. Go to *Start* > *Programs* > *Accessories* > *System Tools* and click "*System Restore*".
2. Choose the radio button marked "*Create a Restore Point*" on the first screen then click "*Next*". Give the R.P. a name then click "*Create*". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to *Start* > *Run* and type: *Cleanmgr*
4. Click "*OK*".
5. Click the "*More Options*" Tab.
6. Click "*Clean Up*" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
*How to Create a Restore Point*.
*How to use Cleanmgr*.

======================================

Here is some useful information on keeping your computer clean:
Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
If you don't have a *Firewall* installed, please choose from the following:
*ZoneAlarm Free*
*Kerio Personal Firewall*

If you don't have an *Anti-Virus* installed, please download the following free program:
*AntiVir Personal Edition*

Here are two great Preventive programs:
SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
IESpyads adds a long list of bad sites to your Restricted sites in *Internet Explorer* and protects against drive by downloads.

Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with *Internet Explorer* and *Mozilla Firefox*. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
Red for *Warning*
Yellow for *Use Caution*
Green for *Safe*
Grey for *Unknown*

Here are the links to install SiteAdvisor in Internet Explorer and Firefox.

Anti-Spyware Programs I Recommend:
Lavasoft's Ad-Aware SE Personal
SuperAnti-Spyware

For Even More Information On Securing Your Computer read *Tony Klein's* So How Did I Get Infected In The First Place

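The reply above judges the posted HijackThis log by eye and then singles out the old JRE. The following is an added example, not code from the thread or from HijackThis, that does the same first-pass triage over a log in the 1.99 format: it flags an `about:blank` start page, O4 autoruns that start outside Program Files/Windows (with drop-folder paths such as Temp or the user profile rated highest), unknown Winsock LSP entries (collapsed to one finding per DLL, since one LSP appears once per protocol chain), non-empty AppInit_DLLs, services whose binary is missing, and any JRE older than a baseline. The sample lines are constructed for this example and are not the log posted above; the baseline 1.6.0_03 corresponds to the JRE 6u3 the reply recommends; the severity labels and the trusted-root/drop-folder heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.99-style log: pull out the entry types a helper checks first."""
import re
from typing import List, Optional, Tuple

# Constructed sample lines in HijackThis 1.99 format (not the log posted in the thread).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\User\Local Settings\Temp\sysupd.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\biolsp.dll
O20 - AppInit_DLLs: wxvault.dll
O23 - Service: Example Monitor (exmon) - Unknown owner - C:\Program Files\Example\exmon.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

BASELINE_JRE = (1, 6, 0, 3)  # JRE 6 Update 3, the version the reply recommends (assumption)
# Heuristics assumed for this example: locations an autorun normally lives in, and
# locations malware favours for dropped binaries.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
DROP_HINTS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, HijackThis entry code, message)


def fmt_jre(v: Tuple[int, ...]) -> str:
    """Render a version tuple the way Sun did, e.g. (1, 5, 0, 6) -> '1.5.0_06'."""
    return "%d.%d.%d_%02d" % tuple(v)


def exe_path(cmd: str) -> str:
    """Return the executable from an O4 command line, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ", 1)[0]


def oldest_jre(log_text: str) -> Optional[Tuple[int, ...]]:
    """Lowest JRE version referenced anywhere in the log (BHOs, Run keys, services)."""
    versions = [tuple(int(x) for x in m.groups()) for m in JRE_RE.finditer(log_text)]
    return min(versions) if versions else None


def triage(log_text: str, baseline: Tuple[int, ...] = BASELINE_JRE) -> List[Finding]:
    """Return the entries a helper would look at first, with a severity label."""
    findings: List[Finding] = []
    seen_lsp = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        code, low = line.split(" ", 1)[0], line.lower()

        if code in ("R0", "R1") and low.endswith("= about:blank"):
            findings.append(("medium", code, "start page reset to about:blank; typical residue of a "
                             "browser hijacker that was only partly removed"))
        elif code == "O4":
            m = O4_RE.match(line)
            if m:
                name, cmd = m.group("name"), m.group("cmd")
            elif " = " in line:  # Global Startup shortcut entries use 'name.lnk = path'
                name, cmd = line.split(": ", 1)[1].split(" = ", 1)
            else:
                continue
            path = exe_path(cmd)
            if "\\" not in path:
                findings.append(("low", code, "[%s] runs %s without a full path; confirm which "
                                 "directory it resolves from" % (name, path)))
            elif not path.lower().startswith(TRUSTED_ROOTS):
                sev = "high" if any(h in path.lower() for h in DROP_HINTS) else "review"
                findings.append((sev, code, "[%s] autoruns %s from outside Program Files/Windows"
                                 % (name, path)))
        elif code == "O10":
            dll = line.split(": ", 1)[1].lower()
            if dll not in seen_lsp:  # the same LSP is listed once per protocol chain entry
                seen_lsp.add(dll)
                findings.append(("review", code, "unknown Winsock LSP %s; identify the vendor before "
                                 "touching it, a botched LSP removal breaks TCP/IP" % dll))
        elif low.startswith("o20 - appinit_dlls:"):
            findings.append(("review", code, "AppInit_DLLs loads %s into every process that loads "
                             "user32.dll; verify each DLL" % line.split(":", 1)[1].strip()))
        elif code == "O23" and low.endswith("(file missing)"):
            findings.append(("low", code, "service binary is missing; stale entry left by an uninstall"))

    old = oldest_jre(log_text)
    if old is not None and old < baseline:
        findings.append(("medium", "JRE", "Java %s present, older than %s; update and remove old "
                         "versions, they are a common exploit path" % (fmt_jre(old), fmt_jre(baseline))))
    return findings


if __name__ == "__main__":
    for sev, code, msg in triage(SAMPLE_LOG):
        print("%-6s %-4s %s" % (sev, code, msg))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The output is a worklist, not a verdict: a Run entry under `C:\Dell` or a vendor LSP such as a biometrics driver will land on the list and is cleared by checking the file's publisher, which is exactly the judgment the helper in this thread applied before declaring the log clean.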

----------

