# Aggressive Malware Insistence



## comtrain9 (Nov 27, 2007)

While I was browsing, of all things, a site on Archaeology, suddenly my screen was taken over by a site that attempted to download some spyware removal stuff. I refused to download them, but they ran an immediate scan, anyway. I had to shut off my pc, but I was not fast enough. I thought I had removed this aggressive site, but it has continued to plague me every time I log on, eventually redirecting me from whatever site I have chosen to view. My home page has been displaced by this site and I am forced to manually choose my home page if I want to see news, etc. 

It keeps telling me my computer is infected, and I must download its software. I have Windows XP Service Pack 2 and Norton Security Suite 2007. Norton appears every time this rogue site does, and Norton tells me that it has just successfully blocked Downloader. I must have received that message from Norton at least 100 times by now. The problem started very early this morning, shortly after 2:00 A.M. Also, this site/these sites managed to hijack my Internet Explorer 6 icons and keep flashing them, as if I was getting a legitimate message from Microsoft or IE. 

It keeps telling me that such and such a malware has infected my pc, but I can't find the names they are describing through an internet search. I cannot get these things off my pc, either: Error Cleaner, Privacy Protector, and Spyware and Malware Protection. Those are the names of the things that also refuse to be removed. My Desktop screen has a huge red screen when I log on, with the medical hazard symbols; you know, the circled devilish looking horns...indicating I'm infected. 

The IE site that I'm automatically directed to, i.e., its address, is " http//ucleaner.com/main.php?wm(or w, maybe?)id=6010&mid=MjI6Mjo40Q==&l (or t, maybe?)did=2" In the middle of the address I just typed is either wmid (or wwid) and lndid (or tdid); probably the former, in each case.

And then I am redirected to yet another site, "http://scanner.adwareremover2007.com/4/advid=1216" 

And finally, they try to install "http://xpantivirusB.28.exe" which I also cannot find through a search. 

And they say I have these malwares, which I cannot find through search: "Worm.Win32.Womble.a" "Spyware.IEMonster.b" "Zlob.PornAdvertiser.Xplisit" 

My pc has been acting funny for a week or so, before this. Something may have been running in the background, slowing it down, and eventually forcing me to keep bringing back my Favorite Places.

Comtrain9 

Thanks. It's a race against time.


----------



## comtrain9 (Nov 27, 2007)

So, my friends, anybody figure this thing out, yet? I notice that some people have used HijackThis scans to present on the forum. But I don't know if I should do that or not. Would I disable my Norton Security Suite 2007 first, to permit the download?

Or is there a removal tool or web site I need to access? Thanks, again.

Comtrain9


----------



## comtrain9 (Nov 27, 2007)

bump


----------



## comtrain9 (Nov 27, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:06 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: BDEX System - {059947A2-838E-4773-9EE2-8AB8F53C2EDE} - C:\WINDOWS\dxpvqlmgtv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: The ensfolr - {7D1AD5EB-9902-4FF0-986F-CA498179A53B} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324752421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197528901640
O21 - SSODL: bklgvsf - {70CE3EAB-FACF-477A-B360-BAE834DACCF0} - C:\WINDOWS\bklgvsf.dll
O21 - SSODL: ampkfst - {2F97FBEF-4EEB-4A7E-94FB-8BD73FF4180F} - C:\WINDOWS\ampkfst.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5839 bytes


----------



## comtrain9 (Nov 27, 2007)

This is connected to the bump. I had to cut and paste. The edit word was faded out in HJ. Don't know why. Some of my command icons have dimmed.

Steve


----------



## Cookiegal (Aug 27, 2003)

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Double-click *smitfraudfix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*". A text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non-infected computer will remove your Desktop background.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookie Gal;

Please view my latest posting on the Malware site. I posted it a couple of hours ago, I think. It has new information not previously reported.

And I didn't notice your reply until a couple of minutes ago. I had written one of the administrators wondering why no one had gotten back to me. I apologize for not being more observant. 

But please read my new post and the latest Hijack This log. Thank You.

comtrain9


----------



## Cookiegal (Aug 27, 2003)

Please follow my instructions to run SmitFraudFix. If your anti-virus alerts you to something related to the process.exe file, do not block it.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

Here is my SmitFraudFix log, as you instructed. Did you get a chance to read my latest HJT log? After the Windows remote "fix," some of my problems have changed. I am the chief pc user. My log-in page seems to have the most problems. Anyway, I'm having trouble getting on-line, now.

Well, here is the SmitFraudFix log (as per your instructions, I only entered #1).

SmitFraudFix v2.274

Scan done at 19:04:13.03, Thu 01/10/2008
Run from C:\Documents and Settings\Stephen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Stephen\FAVORI~1

C:\DOCUME~1\Stephen\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Stephen\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Stephen\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Stephen\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Stephen\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Stephen\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.3
DNS Server Search Order: 65.24.7.6

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Steve (comtrain9)
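A small triage script for the two report formats posted in this thread (the HijackThis log above and the SmitFraudFix option #1 report), added here as an example; it is not part of either tool or of the original posts. It pulls out the same indicators a helper flags by eye: a browser start page pointing at an unknown host, BHO/Toolbar/SSODL objects loaded from the bare C:\WINDOWS folder rather than system32 or Program Files, an Active Desktop component served from a local file, and SmitFraudFix's "FOUND !" lines. The sample inputs are constructed from lines in this thread, and the trusted-host allowlist is a placeholder an analyst would fill in.

```python
"""Triage helpers for HijackThis logs and SmitFraudFix reports (added example, not the tools' own code)."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: BDEX System - {059947A2-838E-4773-9EE2-8AB8F53C2EDE} - C:\WINDOWS\dxpvqlmgtv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: The ensfolr - {7D1AD5EB-9902-4FF0-986F-CA498179A53B} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O21 - SSODL: bklgvsf - {70CE3EAB-FACF-477A-B360-BAE834DACCF0} - C:\WINDOWS\bklgvsf.dll
O21 - SSODL: ampkfst - {2F97FBEF-4EEB-4A7E-94FB-8BD73FF4180F} - C:\WINDOWS\ampkfst.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Constructed sample: a subset of the SmitFraudFix option #1 report posted in this thread.
SAMPLE_SMITFRAUD = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Stephen\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Stephen\Desktop\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"FriendlyName"="Privacy Protection"
"""

# HijackThis entries look like "O2 - BHO: name - {CLSID} - path"; R0/R1 are browser settings.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A file directly under C:\WINDOWS (not system32, not a subfolder).
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def loaded_from_windir_root(path):
    """True when a DLL sits in the bare C:\\WINDOWS folder, where no legitimate BHO/SSODL belongs."""
    return WINDIR_ROOT_RE.match(path.strip()) is not None


def triage_hijackthis(log_text, trusted_hosts=("windowsupdate.microsoft.com",)):
    """Return (entry_type, reason, line) for each suspicious HijackThis entry.

    trusted_hosts is a placeholder allowlist; the analyst substitutes the user's real home page.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        kind, body = m.groups()
        if kind in ("R0", "R1") and " = " in body:
            # R0/R1: start page and shell URLs; hijacks point them at pay-per-install sites.
            url = body.split(" = ", 1)[1].strip()
            host = (urlparse(url).hostname or "").lower()
            if host and host not in trusted_hosts:
                findings.append((kind, f"browser setting points at untrusted host {host}", line))
        elif kind in ("O2", "O3", "O21"):
            # O2 BHO, O3 toolbar, O21 ShellServiceObjectDelayLoad: each loads a DLL at IE/Explorer start.
            path = body.rsplit(" - ", 1)[-1]
            if loaded_from_windir_root(path):
                findings.append((kind, f"DLL loaded from bare %WINDIR%: {path.strip()}", line))
        elif kind == "O24" and "file:///" in body.lower():
            # O24 Active Desktop component: a local HTML file here is the fake "infected" wallpaper.
            findings.append((kind, "Active Desktop component served from a local file", line))
    return findings


def smitfraud_findings(report_text):
    """Return ("file", path) for each 'FOUND !' line and ("desktop_component", key) for local-file Sources."""
    found = []
    current_key = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.endswith("FOUND !"):
            found.append(("file", line[: -len("FOUND !")].strip()))
        elif line.startswith("[HKEY_"):
            current_key = line.strip("[]")
        elif line.startswith('"Source"=') and "file:///" in line.lower() and current_key:
            found.append(("desktop_component", current_key))
    return found


if __name__ == "__main__":
    for kind, reason, line in triage_hijackthis(SAMPLE_HJT):
        print(f"[{kind}] {reason}\n    {line}")
    for what, value in smitfraud_findings(SAMPLE_SMITFRAUD):
        print(f"[smitfraud:{what}] {value}")
```

The %WINDIR%-root heuristic is deliberately narrow: it catches the random-named DLLs seen in this log without touching entries under system32 or Program Files, which still need a manual look.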


----------



## Cookiegal (Aug 27, 2003)

What do you mean by the *Windows remote "fix"?*

You should print out these instructions or copy them to a Notepad file for reading while in Safe Mode because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup but before the Windows icon appears, tap the F8 key continually.
3) Instead of Windows loading as normal, a menu with options should appear.
4) Select the first option, to run Windows in Safe Mode, then press "Enter".
5) Choose your usual account.
6) Once in Safe Mode, double-click *smitfraudfix.exe*.
7) Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process. Please copy/paste the content of that report into your next reply *along with a new HijackThis log*. The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## comtrain9 (Nov 27, 2007)

By remote fix, I meant that overnight, while my computer was on, but not logged on to anyone or hooked up to the net, I received a message, ostensibly from Microsoft, indicating that my pc was infected and that Microsoft had remotely downloaded a software patch or some other fix that had corrected the problem. I noticed after that message, my MSN homepage was restored and I wasn't automatically redirected to the phony malware fighter sites, which was a relief...and I wasn't automatically redirected to those phony sites after I had been browsing the net for a while. 

However, after a while many of the problems resurfaced as I continued browsing. What do you make of all that, cookiegal?

comtrain9


----------



## Cookiegal (Aug 27, 2003)

Microsoft wouldn't do that unless they've been assisting you by remoting into your computer. Even then, they couldn't do it if you weren't on the Internet.


Please carry out my previous instructions.


----------



## comtrain9 (Nov 27, 2007)

Before I communicate the latest back to you....

Yes, you are correct. There is no way they could have done that unless I was somehow logged into the Internet. At the height of my problems, I would browse things like My Documents off-line. And then, all of a sudden, I found myself on line, with these rogue sites demanding that I download their stuff. How could they do that? The only way I was spared their abuse was to log off completely. I am pretty sure I was off line.

A few weeks ago, however, I checked Yahoo's option of remaining logged on to My Mail through Yahoo for a 2 week period. But when I got off line and went back on a couple of days later, I found that the My Mail 2 week option had been unchecked. So I simply figured that the option had malfunctioned. Unless, of course, false impressions are being created. In any event I have been logging out of My Mail in Yahoo from now on, anyway.

Can you think of any advanced systems that could possibly connect a pc to the Net at will, if a person is logged on to his or her own personal Desktop? I'm pretty sure that's what happened. I must be pretty important to someone, if they went to all that trouble...I only wish. What am I saying....!!!!???

Anyway, there are three of us who have User Accounts who use this pc, all family members. We each have our own pages, i.e. User Accounts. And all three have Administrator privileges. I am the main administrator, I guess. The PC is in my name.

I first put my account into Safe mode. Because of the rogue Desktop screen, I couldn't be sure that I was actually IN Safe Mode, even though I had hit F8 many, many times. So I logged off, went to another User Account (let's call it B) and decided to use the MSCONFIG option to use Safe Mode. I guess it worked, because the dialogue box said I was in...but no white screen. I ran the SmitFraudFix #2 option Fix and obtained ITS results, first. Then I went back to my own Account (let's call it A) and did the same thing. Before I returned to Normal Mode, I had a chance to see the white screen of Safe Mode not masked by the rogue screen. I HAVE NOT YET RUN ANYTHING FOR USER ACCOUNT C. Remember, according to the account information on the Changing Account screen, all of us have administrator privileges. However, I am the only one who uses this pc. But there is something else you should know....On the other side of my home, User B uses its own laptop, but THAT LAPTOP IS WIRELESS AND USES MY DESKTOP PC AS ITS PRIMARY "SOURCE." User B uses a password for laptop use.

Anyway, in the order I did things....first is the SmitFraudFix log for User B, then mine (User A), then the latest HijackThis log, also obtained from me (User A).

SmitFraudFix v2.274

Scan done at 23:17:07.06, Thu 01/10/2008
Run from C:\Documents and Settings\Judith\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\Judith\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Judith\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Judith\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Judith\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Judith\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Judith\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.3
DNS Server Search Order: 65.24.7.6

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Ok, next comes my (User A) SmitFraudFix log, labeled #1:

SmitFraudFix v2.274

Scan done at 19:04:13.03, Thu 01/10/2008
Run from C:\Documents and Settings\Stephen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Stephen\FAVORI~1

C:\DOCUME~1\Stephen\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Stephen\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Stephen\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Stephen\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Stephen\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Stephen\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.3
DNS Server Search Order: 65.24.7.6

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Now, here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:04 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: BDEX System - {059947A2-838E-4773-9EE2-8AB8F53C2EDE} - C:\WINDOWS\dxpvqlmgtv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: The ensfolr - {7D1AD5EB-9902-4FF0-986F-CA498179A53B} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-2978939541-2891522830-263759242-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Judith')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324752421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197528901640
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5597 bytes

If I need to use SmitFraud on User C, I will. The offending rogue webcleaner icons have disappeared from all three user account Desktops, but I thought I noticed a rogue warning on the Norton toolbar underneath the IE tool bar.

Steve


----------



## Cookiegal (Aug 27, 2003)

You're getting me confused. First you ran option 1 from Stephen's account and then when I told you to run option 2 you ran it from Judith's account. 

Please run *Option 1* of SmitfraudFix on all user accounts and post those logs only (not the HijackThis logs).


----------



## comtrain9 (Nov 27, 2007)

Sorry.

I also noticed that option #1 was run in Normal Mode...I thought I was in Safe Mode. Oh, well. Will follow instructions.

comtrain9


----------



## comtrain9 (Nov 27, 2007)

Ok, Cookiegal,

A.) For some reason, I am having difficulty restarting my pc in Safe Mode. Pressing the F8 button continuously isn't working for me. It's tricky anyway, finding the correct moment. 

So I have tried an alternative method. I tried to utilize the following on-line instructions for getting into Safe Mode from XP.

1) Start>Run>msconfig

2) Boot ini. tab

3)Check SAFEBOOT from Boot Option

4)Pressing Apply

5)Press OK

6)Select Restart

7)System will Reboot in Safe Mode

The problem is that isn't happening as I expected. My dialogue box that appears after I hit msconfig, offers a lot of various options. It's not just SAFEBOOT, but it is SAFEBOOT with all services available, or limited services. Secondly, after I hit the Apply button, the OK button disappears and is replaced by a Close button. So I hit that, have to restart my pc, and then go through the process again. When the msconfig dialogue box reappears the second time, the Apply button is faded out, but the OK button has reappeared; so I hit that one, restart my pc the second time, and receive a second message that my pc is in Diagnostic mode. Yet the Desktop background is still there. After this, I must again perform every action twice, to return to Normal Mode completely, when I finally decide to.

And then to complicate matters more, although I am being told by my pc that I am in Diagnostic mode, the Smitfraud program is telling me that it has run a Search and/or a Fix, in Normal mode. 

B.) I seemed to have no problems previously running Smitfraud for either Search or Fix. Now I get a message telling me that it is having trouble running a complete scan or fix, because it has disabled or devices associated with it have not been enabled. Something does run, but I obtain abbreviated Search or Fix reports.

C.) Since User B or C are not really utilizing the pc, when should I alter their accounts to eliminate their Administrator status?

comtrain9


----------



## comtrain9 (Nov 27, 2007)

One other thing,

I kept getting kicked off the net, until I received a message from IE that the following Add-On file was running in the background: File: dxpvqlmgtv.dll. The company name was not specified. The description was that it wasn't digitally signed.

So I simply disabled it. Should it be removed, and can it be, safely? 

comtrain9


----------



## Cookiegal (Aug 27, 2003)

Do not use the msconfig method to boot to safe mode or you risk getting stuck in an infinite boot loop.

Let's forget SmitfraudFix for now.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

 WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts. *
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

As per your instructions....I also notice while I was working with the Symantec Norton Security system, that my phishing protection was already turned off, seemingly had been for quite some time, and could not be re-activated until I downloaded a registry fix from Symantec; the Symantec fix file's name is " NCO_BHO.reg"

Anyway, here are my Combo. fix and Hijack This logs.

ComboFix 08-01-13.1 - Stephen 2008-01-12 19:23:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1611 [GMT -5:00]
Running from: C:\Documents and Settings\Stephen\Desktop\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\dxpvqlmgtv.dll
C:\WINDOWS\ensfolr.dll
C:\WINDOWS\foxflpd.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\_000008_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 19:22 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-10 19:04 . 2008-01-12 16:29	1,800	--a------	C:\WINDOWS\system32\tmp.reg
2008-01-10 19:03 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-01-10 19:03 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-01-10 19:03 . 2007-12-20 23:11	81,920	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-01-10 19:03 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-01-10 19:03 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-01-10 19:03 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-01-09 03:01 . 2008-01-09 03:01	118	--a------	C:\WINDOWS\system32\MRT.INI
2008-01-08 20:14 . 2008-01-08 20:14 d--------	C:\Program Files\Trend Micro
2007-12-13 12:20 . 2007-07-30 19:19	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-12-13 12:20 . 2007-07-30 19:19	30,072	--a------	C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 00:21	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-13 00:18	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 04:46	805	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 04:46	60,800	----a-w	C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 04:46	123,952	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 04:46	10,740	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 04:46	---------	d-----w	C:\Program Files\Symantec
2007-12-01 04:57	43,696	----a-w	C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57	317,616	----a-w	C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57	279,088	----a-w	C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57	10,545	----a-w	C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57	1,430	----a-w	C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57	1,421	----a-w	C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57	1,415	----a-w	C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-22 20:00	---------	d-----w	C:\Program Files\ACW
2007-11-16 00:12	---------	d-----w	C:\Program Files\Norton Internet Security
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-31 00:55	625,032	----a-w	C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55	242,056	----a-w	C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:35	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-23 23:33 185632]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 03:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 17:39 771704]
"nwiz"="nwiz.exe" [2005-10-11 04:49 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-01-17 20:43 84480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-11 04:49 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-11 04:49 7286784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 21:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]

*Newly Created Service* - COMHOST 
*Newly Created Service* - PROCEXP90 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Stephen.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 19:24:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 19:24:42
ComboFix-quarantined-files.txt 2008-01-13 00:24:41
.
2008-01-09 08:01:12	--- E O F ---

Now, HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:58 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324752421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197528901640
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5032 bytes

There you go!!! Comtrain/steve
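The ComboFix deletions and the HijackThis log above are what a helper reads by eye: random-looking file names dropped directly into C:\WINDOWS (dxpvqlmgtv.dll, foxflpd.exe, ensfolr.dll) sitting next to legitimate Symantec, NVIDIA and Messenger entries. The script below is an added example, not part of the thread and not code from HijackThis or ComboFix; it scores O2/O4/O23 lines with a few of the heuristics a helper applies when deciding which entries deserve a closer look. The sample log is constructed from lines in the HijackThis log above plus one invented Run entry for foxflpd.exe (the thread only shows that file as something ComboFix deleted), and the file name hjt_triage.py in the usage note is an assumption.

```python
"""Triage autostart entries from a HijackThis-style log.

Added example for this thread; it is not code from HijackThis, ComboFix or
either poster. Each check is a heuristic that nominates an entry for a
human look, not a verdict: a binary sitting directly in the Windows
directory (where ComboFix deleted dxpvqlmgtv.dll and foxflpd.exe), a Run
value with no full path, an O23 service with no recorded owner, and a file
name that looks machine-generated. Whether the file is signed or known
still has to be checked against the file itself.
"""
import re

WINDOWS_ROOT = r"c:\windows"   # %SystemRoot% on this machine; C:\WINNT on older installs
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)
BARE_RE = re.compile(r"\b([\w-]+\.(?:exe|dll))\b", re.IGNORECASE)
VOWELS = set("aeiouy")

# Constructed sample: lines copied from the HijackThis log in the thread plus
# one invented Run entry for foxflpd.exe, which the thread only shows as a
# file ComboFix deleted; that Run line is made up to exercise the checks.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [foxflpd] C:\WINDOWS\foxflpd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


def looks_random(stem: str, min_len: int = 7, max_run: int = 4) -> bool:
    """Weak signal: a long, all-letter stem with five or more consonants in a
    row (dxpvqlmgtv, foxflpd). Short abbreviations and names with digits
    (msmsgs, nvsvc32) are skipped on purpose; vendor abbreviations such as
    symlcsvc still trip it, which is why it is worth only one point."""
    s = stem.lower()
    if len(s) < min_len or not s.isalpha():
        return False
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest > max_run


def score_entry(line: str, windows_root: str = WINDOWS_ROOT) -> dict:
    """Score one 'Oxx - ...' line. A higher score means more worth a human look."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return {}
    code, body = m.groups()
    score, reasons = 0, []
    path = PATH_RE.search(body)
    if path:
        binary = path.group(1)
        folder, _, name = binary.rpartition("\\")
        if folder.lower() == windows_root.lower():
            score += 2
            reasons.append("binary directly in the Windows directory")
    else:
        # Run values such as 'SOUNDMAN.EXE' rely on the search path, which
        # includes the Windows directory; note it as a weak point.
        bare = BARE_RE.search(body.split("]", 1)[-1]) if code == "O4" else None
        if not bare:
            return {"code": code, "binary": None, "score": 0, "reasons": []}
        binary = name = bare.group(1)
        score += 1
        reasons.append("no full path; resolved through the search path")
    if looks_random(name.rsplit(".", 1)[0]):
        score += 1
        reasons.append("file name looks generated")
    if "- Unknown owner -" in body:
        score += 1
        reasons.append("service has no recorded owner")
    return {"code": code, "binary": binary, "score": score, "reasons": reasons}


def verdict(score: int) -> str:
    return "investigate" if score >= 3 else "review" if score > 0 else "ok"


def triage(log_text: str) -> list:
    """Score every O-line in a log and return the non-zero ones, highest first."""
    hits = [r for r in (score_entry(l) for l in log_text.splitlines()) if r and r["score"]]
    return sorted(hits, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{verdict(hit["score"]):12}{hit["code"]:5}{hit["binary"]}  ({"; ".join(hit["reasons"])})')
```

Saved as hjt_triage.py and run as is, it ranks the invented foxflpd.exe entry first (Windows directory plus generated-looking name), then the Symantec Core LC service (unknown owner plus an unlucky abbreviation) and SOUNDMAN.EXE (no full path); the Adobe, ccApp, Messenger and NVIDIA lines score zero. To use it on a real log, replace SAMPLE_LOG with the contents of the saved HijackThis text file; the scores only tell you where to look, and a legitimate vendor file can land in the review bucket.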


----------



## Cookiegal (Aug 27, 2003)

Now, please remove the version of SmitFraudFix that you have as it is likely damaged and get a new one.

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Double-click *smitfraudfix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*". A text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

Here is my latest exe log from smitfraud. I deleted everything else from the earlier version of smitfraud that I could find through the Search/Find procedure through Start:

SmitFraudFix v2.274

Scan done at 13:05:28.85, Mon 01/14/2008
Run from C:\Documents and Settings\Stephen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephen\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Stephen\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.3
DNS Server Search Order: 65.24.7.6

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C43FB481-D526-4EF8-A4A1-1AED30565721}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

There you go. Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Download and install *AVG Anti-Spyware v7.5*. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions. 

After download, double click on the file to launch the install process. 
Choose a language, click "*OK*" and then click "*Next*". 
Read the "_License Agreement_" and click "*I Agree*". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. _As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them._ 
Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "*Update*" button and click "*Start update*". 
Wait until you see the "_Update successful_" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.
*Reboot your computer in SAFE MODE* using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". _(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)_

*Scan with AVG Anti-Spyware as follows*:
Click on the "*Scanner*" button and choose the "*Settings*" tab.

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan?*", "*Possibly unwanted software*", and "*What to Scan?*" leave all the default settings. 
Under "*Reports*" select "*Do not automatically generate reports*". 
Click the "*Scan*" tab to return to scanning options. 
Click "*Complete System Scan*" to start. 
When the scan has finished, it should automatically be set to *Quarantine*--if not click on _Recommended Action_ and set it there. 
You will also be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_*IMPORTANT!* Do not save the report before you have clicked the *Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button._
Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
_Note: Close all open windows, programs, and *DO NOT USE the computer while AVG Anti-Spyware is scanning*. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection._

_AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period._

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

1.) What about the Norton Internet Security Suite 7 that I already have? Am I supposed to de-activate it, first, before I download and run AVG and Panda? I have heard that I shouldn't run different anti-malware programs simultaneously. But should I also deactivate it this time around?

2.) Will AVG and Panda interrupt or interfere with each other, as well as Norton? 

3.) Can you give me another method for entering the Safe Mode beside hitting this F8 button? Doesn't seem to work for me. Recall that when I ran Smitfraud the first time, it said it checked my pc in Normal Mode, even though my pc said it was in diagnostic mode.

4.) Why wasn't/hasn't Norton Security Suite worked properly to prevent the necessity of downloading other anti-malware programs? I got it because it was so highly rated by PC World, when they were still rating different hardware and software stuff by their "experts." In 2006 it came second after McAfee.

5.) What did the latest ComboFix scan and Smitfraud scans show?

6.) What is that big, bold in-red message warning me in Combofix that my computer doesn't have a recovery console?

Please forgive this buzzsaw of questions. I am NOT questioning your judgment or directions. You are the queen supreme, as far as this dude is concerned. I just want some feedback on these six issues. 

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

comtrain9 said:


> Cookiegal,
> 
> 1.) What about the Norton Internet Security Suite 7 that I already have? Am I supposed to de-activate it, first, before I download and run AVG and Panda? I have heard that I shouldn't run different anti-malware programs simultaneously. But should I also deactivate it this time around?


No, it should be fine. I don't want you disabling your anti-virus program as you will still be connected to the Internet for the on-line scan.



> 2.) Will AVG and Panda interrupt or interfere with each other, as well as Norton?


No.



> 3.) Can you give me another method for entering the Safe Mode beside hitting this F8 button? Doesn't seem to work for me. Recall that when I ran Smitfraud the first time, it said it checked my pc in Normal Mode, even though my pc said it was in diagnostic mode.


See next post but in the meantime please run the AVG-AS scan in normal mode.



> 4.) Why wasn't/hasn't Norton Security Suite worked properly to prevent the necessity of downloading other anti-malware programs? I got it because it was so highly rated by PC World, when they were still rating different hardware and software stuff by their "experts." In 2006 it came second after McAfee.


No one program is going to protect against every potential threat that is out there.



> 5.) What did the latest ComboFix scan and Smitfraud scans show?


They indicate a Smitfraud infection.



> 6.) What is that big, bold in-red message warning me in Combofix that my computer doesn't have a recovery console?


It's just a warning that the developer has put into this tool so we know the recovery console hasn't been installed. The recovery console may be needed if a system becomes unbootable for any reason.


----------



## Cookiegal (Aug 27, 2003)

Let's check your safeboot key to see if there's some reason it won't boot to safe mode:


Click Start>Run
Copy the lines in the box below, and paste it in the run box that opens:


> regedit /e c:\safeboot.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"



Click Ok
Double click the My Computer icon, then your C drive
In there, you will see a file called safeboot.txt. Double click to open it.
Copy and paste the text into a reply to your thread.
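The export requested above is read to see whether the SafeBoot\Minimal subkey, the list of drivers, driver groups and services the kernel is allowed to load in Safe Mode, is still intact: some infections delete it, and the symptom is exactly the failure to reach Safe Mode described earlier in the thread. The parser and check below are an added example, not part of the thread and not a tool from the helper. It reads the text that `regedit /e` produces, compares the Minimal entries against a baseline, and reports what is missing, mistyped or extra. The baseline is the XP SP2 Minimal list as it appears in the export posted later in the thread; that export is cut off after vgasave.sys, so entries beyond that point are not included. The sample exports are constructed here for the demonstration.

```python
"""Check a 'regedit /e' export of the SafeBoot key for Safe Mode damage.

Added example for this thread; not code from the helper or from any tool
mentioned in it. Safe Mode only starts if SafeBoot\Minimal (and Network)
still list the drivers, driver groups and services the kernel may load;
some infections delete the subkey so the machine cannot be cleaned from
Safe Mode. BASELINE_MINIMAL is the XP SP2 Minimal list as posted in the
thread; that export is cut off after vgasave.sys, so entries past that
point are not included and would be reported as 'extra', not 'missing'.
"""

SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Entry name -> expected default value (the entry's type), from the posted export.
BASELINE_MINIMAL = {
    "AppMgmt": "Service", "Base": "Driver Group", "Boot Bus Extender": "Driver Group",
    "Boot file system": "Driver Group", "CryptSvc": "Service", "DcomLaunch": "Service",
    "dmadmin": "Service", "dmboot.sys": "Driver", "dmio.sys": "Driver",
    "dmload.sys": "Driver", "dmserver": "Service", "EventLog": "Service",
    "File system": "Driver Group", "Filter": "Driver Group", "HelpSvc": "Service",
    "Netlogon": "Service", "PCI Configuration": "Driver Group", "PlugPlay": "Service",
    "PNP Filter": "Driver Group", "Primary disk": "Driver Group", "RpcSs": "Service",
    "SCSI Class": "Driver Group", "sermouse.sys": "Driver",
    "sr.sys": "FSFilter System Recovery", "SRService": "Service",
    "System Bus Extender": "Driver Group", "vga.sys": "Driver", "vgasave.sys": "Driver",
}


def parse_safeboot_export(text: str) -> dict:
    """Parse 'regedit /e' text into {'root': {value: data}, '<mode>': {entry: type}}.
    Real exports are UTF-16LE with a BOM; read the file with encoding='utf-16'."""
    tree = {"root": {}}
    current = None                      # (mode, entry) of the key being read
    prefix = SAFEBOOT_KEY.lower()
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() == prefix:
                current = ("root", None)
            elif key.lower().startswith(prefix + "\\"):
                mode, _, entry = key[len(prefix) + 1:].partition("\\")
                tree.setdefault(mode, {})
                current = (mode, entry or None)
            else:
                current = None          # some unrelated key: ignore it
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip('"'), data.strip('"')
            mode, entry = current
            if mode == "root" and entry is None:
                tree["root"][name] = data           # e.g. AlternateShell
            elif entry is not None and name == "@":
                tree[mode][entry] = data            # default value = entry type
    return tree


def check_safeboot(tree: dict, baseline: dict = BASELINE_MINIMAL) -> dict:
    """Compare the Minimal subkey against the baseline and the root values."""
    minimal = tree.get("Minimal")
    report = {
        "minimal_present": minimal is not None,
        "alternate_shell_ok": tree["root"].get("AlternateShell", "").lower() == "cmd.exe",
        "missing": [], "wrong_type": [], "extra": [],
    }
    if minimal is None:                 # whole subkey gone: Safe Mode cannot start
        report["missing"] = list(baseline)
        return report
    have = {name.lower(): (name, kind) for name, kind in minimal.items()}
    for name, expected in baseline.items():
        found = have.get(name.lower())
        if found is None:
            report["missing"].append(name)
        elif found[1] != expected:
            report["wrong_type"].append((name, found[1]))
    known = {name.lower() for name in baseline}
    report["extra"] = sorted(name for name in minimal if name.lower() not in known)
    return report


def render_export(entries: dict, alternate_shell="cmd.exe") -> str:
    """Write text in the same shape as 'regedit /e'; used to build the samples."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{SAFEBOOT_KEY}]"]
    if alternate_shell:
        lines.append(f'"AlternateShell"="{alternate_shell}"')
    lines += ["", f"[{SAFEBOOT_KEY}\\Minimal]"]
    for name, kind in entries.items():
        lines += ["", f"[{SAFEBOOT_KEY}\\Minimal\\{name}]", f'@="{kind}"']
    return "\n".join(lines) + "\n"


# Constructed samples: a healthy export (baseline plus the two AVG Anti-Spyware
# entries seen in the thread), one with three entries and AlternateShell gone,
# and one where the Minimal subkey has been deleted outright.
HEALTHY_EXPORT = render_export({**BASELINE_MINIMAL, "AVG Anti-Spyware Driver": "Driver",
                                "AVG Anti-Spyware Guard": "Service"})
DAMAGED_EXPORT = render_export({k: v for k, v in BASELINE_MINIMAL.items()
                                if k not in ("Base", "RpcSs", "vga.sys")}, alternate_shell=None)
NO_MINIMAL_EXPORT = f"Windows Registry Editor Version 5.00\n\n[{SAFEBOOT_KEY}]\n\"AlternateShell\"=\"cmd.exe\"\n"

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_EXPORT), ("damaged", DAMAGED_EXPORT),
                        ("no Minimal key", NO_MINIMAL_EXPORT)):
        print(label, check_safeboot(parse_safeboot_export(text)))
```

Third-party entries such as the AVG Anti-Spyware driver and guard are normal and come back under `extra`; a non-empty `missing` list, or `minimal_present` being false, is the finding that explains a machine that will not boot into Safe Mode. Because the baseline stops where the posted export stops, a complete export from a real XP SP2 machine will also list the later entries under `extra`; that is a limitation of the baseline, not a sign of tampering.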


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

I right-clicked on the AVG icon in the tray at the bottom, but there is nothing that says "Start with Windows," just the usual directions, "open, close, send," etc. So I cannot unclick it. 

I did get to the Status menu and deactivate both the Resident Shield and Automatic Update.

comtrain9


----------



## comtrain9 (Nov 27, 2007)

However, I did get the information about Safe Boot. Here it is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Is your keyboard USB or PS2?


----------



## comtrain9 (Nov 27, 2007)

It is a Logitech keyboard. My information says it has a PS/2. Officially, it is a Standard 101/102-key or Microsoft Natural PS/2 keyboard.

By the way, I have an optical mouse that is also Logitech, and I have this note to post to you about it from Notepad:

The currently installed driver for Logitech MouseWare or Logitech iTouch is not compatible with Microsoft Windows XP and will be disabled during the upgrade. You should uninstall the Logitech drivers and software before continuing with the upgrade.

For more information about this driver, visit the manufacturer's Web site at http://go.microsoft.com/fwlink/?linkid=383. Web addresses can change, so you might be unable to connect to this Web site.

For a list of software supported by this version of Microsoft Windows, see the Microsoft Windows XP Compatibility List at http://www.microsoft.com/isapi/redir.dll?prd=whistler&ar=help&sba=compatible.

comtrain9


----------



## Cookiegal (Aug 27, 2003)

The mouse shouldn't matter for booting to safe mode.

On your keyboard there should be an F-lock key, probably on the right side above the number keys. Is that enabled?

Are you tapping F8 before Windows starts to load?


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

Yes, I have an F-lock key. It was NOT enabled. What is the sequence I use now? And what did the text I emailed you seem to indicate?

But there is still the issue of what I mentioned earlier, that there didn't seem to be an option of unchecking "START with Windows."

I have downloaded both the exe program for AVG with its multicolored icon that has a white S on it, and another AVG icon that is only 181 kilobytes and is a little square, white and blue looking, desktop with tiny buttons. I first tried to run it, but it said it wasn't a valid Win32 application. Perhaps it was the literature that I was supposed to download in addition to the actual AVG program from the site.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Can you get into safe mode now? You have to start tapping the F8 key when you see the DOS-type black screen before Windows loads. Then you should get a screen with options to choose from. Choose Safe Mode.



> there didn't seem to be an option of unchecking "START with Windows."


I don't understand this. Can you please elaborate on what you're referring to? Where would this option be?


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

Your direction was in your response to one of my queries. Your response was dated 14-Jan-2008 at 06:54 PM

I copied it and now will paste it:

Download and install AVG Anti-Spyware v7.5. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions. 
After download, double click on the file to launch the install process. 
Choose a language, click "OK" and then click "Next". 
Read the "License Agreement" and click "I Agree". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install". 
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them. 
Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". 
Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet. 

It's in the middle. Can you see it? Secondly, before I try the Safe Mode again, how do I get out of it, safely? 

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

OK. I didn't know you were talking about AVG-AS. Let's forget that for now and run this one instead. Once you boot to safe mode using F8, just reboot the computer and it will start up normally.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply with a new hijackthis log.*

Click *Close* to exit the program.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

I ran a scan, which detected a few things. After rebooting, I got a Low Security box, ostensibly from Norton, asking if I wanted to update by reconnecting to the net. I did, but got no update, but I was not reconnected to the Net, nor did I receive any new stuff, I don't think. Then I decided to delete any cookies or temporary internet files.

Afterwards, I decided to perform a second SUPERAntiSpyware scan, which didn't find anything. I have included both logs.

Then I did a HijackThis. I still seem to have this Daemon at start-up. You'll notice it in the middle of HJT. There may be other issues. I don't know. But here are my logs:

First,

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/19/2008 at 02:59 PM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 00:39:10

Memory items scanned : 424
Memory threats detected : 0
Registry items scanned : 4384
Registry threats detected : 0
File items scanned : 42112
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Stephen\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\[email protected][2].txt
C:\Documents and Settings\Elise\Cookies\[email protected][1].txt
C:\Documents and Settings\Elise\Cookies\[email protected][2].txt
C:\Documents and Settings\Elise\Cookies\[email protected][2].txt
C:\Documents and Settings\Elise\Cookies\[email protected][1].txt
C:\Documents and Settings\Elise\Cookies\[email protected][1].txt
C:\Documents and Settings\Elise\Cookies\[email protected][1].txt
C:\Documents and Settings\Elise\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][2].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][2].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt
C:\Documents and Settings\Judith\Cookies\[email protected][2].txt
C:\Documents and Settings\Judith\Cookies\[email protected][1].txt

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\DXPVQLMGTV.DLL.VIR

Trojan.Unclassified/ENSFOLR
C:\QOOBOX\QUARANTINE\C\WINDOWS\ENSFOLR.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP2\A0000029.DLL

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP2\A0000028.DLL

Second Scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/19/2008 at 03:51 PM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 00:39:44

Memory items scanned : 412
Memory threats detected : 0
Registry items scanned : 4391
Registry threats detected : 0
File items scanned : 41297
File threats detected : 0

Now, HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:14 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common

Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer -

{3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program

Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common

Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324

752421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1

197528901640
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation -

C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program

There you go.

Comtrain9


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

Let me clarify the beginning of my last message. I received some sort of Security Warning update from Norton that something called SSUpdate was trying to connect with me, and the path was given. Anyway I instructed it to ignore all instances of it trying to connect.
That notification took place after rebooting and superantispyware ran its first scan.

comtrain9


----------



## Cookiegal (Aug 27, 2003)

> and the path was given


Please tell me what the path was. Also, repost your HijackThis log in a readable format. Under Format in Notepad, be sure "Word Wrap" is unchecked.
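The word-wrap point matters to anyone reading these logs, not just to the helper: HijackThis writes one entry per line, each beginning with a section tag (R1, O2, O4, O23 and so on), and a wrapped paste splits long entries into fragments with blank lines between them, as in the log posted above. As an added example (my code, not a tool from the thread), the Python below stitches a wrapped log back together and then does a first-pass triage of the O4 startup entries: it flags items launched as bare filenames (found through the PATH search order rather than at a fixed location) and items whose executable lives outside C:\WINDOWS and C:\Program Files. The sample log is constructed after the one posted above; the [updater] entry pointing at a Temp folder is a hypothetical illustration, not something found on this machine, and the trusted-directory list is an assumption.

```python
r"""Rebuild a word-wrapped HijackThis log and triage its O4 startup entries.

Added example, not a tool from the thread. WRAPPED_SAMPLE is constructed after the
posted log; the [updater] entry is hypothetical. TRUSTED_DIRS is an assumption about
where startup items on this XP box normally live.
"""
import re

# A real entry starts with one of HijackThis's section tags followed by " - ".
_ENTRY = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O(?:[1-9]|1[0-9]|2[0-4])) - ")
# Notepad only breaks inside a token when the token is wider than the window
# (long URLs); such a fragment is rejoined without a space.
_URL_TAIL = re.compile(r"https?://\S+$")
# O4 entries of the form "O4 - HKLM\..\Run: [Name] command". Startup-folder
# variants such as "O4 - Global Startup:" are left alone here.
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")  # assumption


def unwrap_log(text):
    """Join fragments back into single-line entries; the header block is kept as is."""
    out, in_entries = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if _ENTRY.match(line):
            in_entries = True
            out.append(line)
        elif in_entries:
            if line:  # blank lines inside the entry block are wrap artifacts
                sep = "" if _URL_TAIL.search(out[-1]) else " "
                out[-1] += sep + line
        else:
            out.append(line)
    return "\n".join(out)


def _executable(cmd):
    """The program a Run value launches: the quoted path, else the text up to the
    first .exe (an unquoted path may itself contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_o4(log_text):
    """Return [(name, executable, reason)] for O4 Run entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = _O4.match(line)
        if not m:
            continue
        exe = _executable(m.group("cmd"))
        if "\\" not in exe:
            reason = "bare filename: found through the PATH search order, not a fixed location"
        elif not exe.lower().startswith(TRUSTED_DIRS):
            reason = "runs from outside C:\\WINDOWS and C:\\Program Files"
        elif " " in exe and not m.group("cmd").strip().startswith('"'):
            reason = "unquoted path containing spaces"
        else:
            continue
        findings.append((m.group("name"), exe, reason))
    return findings


# Constructed after the posted log; the [updater] line is hypothetical.
WRAPPED_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local

Settings\Temp\svc.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324

752421
"""

if __name__ == "__main__":
    fixed = unwrap_log(WRAPPED_SAMPLE)
    print(fixed)
    for name, exe, reason in triage_o4(fixed):
        print(f"[{name}] {exe}: {reason}")
```

The rejoin rule is a heuristic: a wrap at a space is restored with a space, and a fragment that continues a URL is glued back without one. A flag from `triage_o4` is a prompt to look closer, not a verdict; the bare `SOUNDMAN.EXE` and `RUNDLL32.EXE` entries in the posted log are ordinary vendor items that happen to rely on the PATH search.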


----------



## comtrain9 (Nov 27, 2007)

I will try to find the path.

Here is HJT again. I unchecked Wordwrap.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:04 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324752421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197528901640
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5897 bytes

Comtrain9


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

I'm not sure of this path. But I think it was "C:\Documents and Settings\Stephen\UserData"

I decided to go there when I was off-line, and I found there were some files already in that section.

The files were 0IE5J5FB, IHJ20L9, stuff like that. The icons had their own names...things like "dmtstore[1].xml" and "oWindowsUpdate[1}.xml" and "sn[1].xml". All these things were described as XML.Document (s). I did not erase them. I'm not even sure that is the path. There was also a wmv video I deleted. Not sure how it got there.

I tried to open the files, but my screen froze for a while, and then I got a message from Windows saying that the files couldn't be accessed but would I like to send an error report? I finally opened them successfully, AFTER I got on line. Nothing much in them. My User Data section also has a DAT folder which I don't think I should be messing with. Again, I'm not sure of the path.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

It was likely SuperAntiSpyware but there can be malicious files with the same name.

Please do a search for this file and let me know all locations found. Be sure files are unhidden first:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search - All Files and Folders and under "More advanced search options". 
Make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

*SSUpdate.exe*


----------



## comtrain9 (Nov 27, 2007)

Ok, Cookiegal, this is what I found after following your instructions: I found three



| NAME | IN FOLDER | SIZE | TYPE | MODIFIED |
|---|---|---|---|---|
| SSUPDATE | C:\Documents and Settings\Stephen\Local Settings\Temp | 144KB | Application | 6/21/2007 2:07 PM |
| ssupdate | boards.cexx (boards.cexx.org) | none | none | none |
| SSUpdate | C:\Program Files\SuperAntiSpy... | 144KB | Application | 6/21/2007 |

Just those three. And when do I restore the original keys you asked me to change?

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

If you're referring to the unhiding of files, you can change it back anytime.


That file is indeed part of SAS.


How are things now?


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

I sent you the Superantispyware log and the latest HJT log. 

1.) That HJT log still lists some sort of Daemon at Start Up. It's in the middle of the log.

2.) What about the AVG and Panda antispyware that you wanted me to download and run? If you recall, there was some confusion about which version of AVG I had downloaded, because one of your directions couldn't be followed. For example, you told me to download AVG antispyware 7.5, but then you realized I was talking about AVG-AS or something, when I told you one of your directions was unavailable. 

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Are you referring to this entry?

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

It's part of your Nvidia graphics card. It doesn't need to be running at startup though. You can read about it here:

http://www.castlecops.com/s2547-NvCplDaemon.html

AVG-AS is AVG Anti-Spyware and there's no need to run it now since I had you run SuperAntiSpyware instead. SAS didn't find anything of concern.

I don't think you ever did run the Panda scan so please do this now.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

Here are the results of my Panda scan:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][2].txt 
Spyware:Cookie/PointRoll  Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][2].txt 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][1].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elise\Cookies\[email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stephen\Cookies\[email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stephen\Cookies\[email protected][1].txt 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Stephen\Desktop\ComboFix.exe[nircmd.com] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Stephen\Desktop\ComboFix.exe[nircmd.cfexe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stephen\Desktop\SmitfraudFix\Process.exe 
Virus:Trj/Rebooter.J  Disinfected C:\Documents and Settings\Stephen\Desktop\SmitfraudFix\Reboot.exe 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Stephen\Desktop\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe 

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

That's fine.

Are there any problems remaining?


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

1.) The only problem remaining seems to be that my account is very slow on-line, but the other two accounts (all have administrator rights) seem to be operating at normal speed. I'm supposed to have a pretty powerful computer, so I don't quite understand why all three accounts aren't working like lightning. I have a capacity of at least 233 gigabytes and only about 20 or so are occupied by various pre-loaded programs or hardware that came with this pc, or anything downloaded since then. The malware seemed to be most severe on my account, but I wouldn't swear to that. I have defragmented from time to time, although my pc tells me that I don't need to defragment this small volume.

It seems my pc started slowing down when I began to have problems. Now that I've downloaded all these anti malware programs, and "de-toxed" my pc, my particular account seems to be running at snail's pace. How can that be, and not "be" on the other accounts on-line?


2.) Please tell me what to do about all the free anti-malware I have. Should I buy them once the trial period ends? What do I do for myself in terms of anti-malware to reduce the possibility of a re-infection? 

3.) My Norton 2007 Security Suite is also good for about another year or so. And I have paid for that. But considering how it failed to prevent the infection, I have mixed feelings about it now. It kept telling me that it had blocked Downloader every time I logged on the net, but I was still infected.

4.) Is there any point in signing up with Major Geeks? 

So, I need some final advice from you, before I thank you and this site with a donation.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Please do this from your account.

Why are you asking about signing up to MajorGeeks? Do you mean registering there for assistance?

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group click *SELECT ALL*
In the *Additional Scans* section please select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## Cookiegal (Aug 27, 2003)

You need to upload it as an attachment, as was specified in the instructions. This is necessary. If there is overlapping, that will interfere with any fix that may need to be created.


----------



## Cookiegal (Aug 27, 2003)

See post no. 63. Please go back and delete all those posts and upload the log as an attachment, which is what the instructions said to do.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

I believe I have now deleted all of the lettered posts. Forgive me, but I'm not sure just how to attach the WinPFind3U text log to a post like this. I don't yet have Outlook Express installed and up and running. I do have Yahoo. But is there an Attach button or some set of directions?

Up till now I have been Copying and Pasting smaller logs to you and Techguy. As I said, this one is gigantic, and that's why I delivered it piecemeal. 

So I need a set of directions or website to tell me how to Attach this huge cluster. I think that's what you're asking me to do, right? In spite of its size. Thank you for being so patient.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Below the reply dialogue box, click on "manage attachments" then "browse" to locate the file on your computer. Highlight the file and click "open" and then click on "upload". Finally, submit your reply.


----------



## comtrain9 (Nov 27, 2007)

Ok, Cookiegal;

I'm going to try to do this the right way this time. Here is the WinPFind3u.exe log text. Let me know if I need to add or modify anything else in my next post to you.

Attaching.....


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

I don't know if I did it correctly the first time around. So I did it again.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

I don't see anything there.

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the Kaspersky scan*


----------



## comtrain9 (Nov 27, 2007)

Ok, Cookiegal,


I am now posting both the Kaspersky and the HijackThis logs. I'm going to try to attach these first. Didn't work. I will try again.

Comtrain9


----------



## comtrain9 (Nov 27, 2007)

Cookiegal, I tried to attach both, but Kaspersky didn't attach. I will try again. Comtrain9

Nope, I will have to copy and paste it. It is HTML. I don't think HTML is included in the attachments allowed. Here it is...


KASPERSKY ONLINE SCANNER REPORT 
Saturday, January 26, 2008 11:48:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/01/2008
Kaspersky Anti-Virus database records: 533802


Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true 

Scan Target My Computer 
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\ 

Scan Statistics 
Total number of scanned objects 47991 
Number of viruses found 3 
Number of infected objects 19 
Number of suspicious objects 0 
Duration of the scan process 00:22:24 

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\039D0ABF.wmf Infected: Exploit.Win32.IMG-WMF.v skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\72EA2C50.TMP Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8DAE807E.TMP Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped 

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\Stephen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped 

C:\Documents and Settings\Stephen\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\Stephen\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\Documents and Settings\Stephen\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\Documents and Settings\Stephen\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped 

C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\Stephen\Local Settings\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\Stephen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\Stephen\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\Stephen\ntuser.dat.LOG Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped 

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped 

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped 

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped 

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped 

C:\QooBox\Quarantine\C\WINDOWS\foxflpd.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.acy skipped 

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP11\A0000323.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP16\change.log Object is locked skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP2\A0000030.exe Infected: not-a-virus:AdWare.Win32.Vapsup.acy skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000105.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000105.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000105.exe RarSFX: infected - 2 skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000107.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000107.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000107.exe RarSFX: infected - 2 skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000109.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000109.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000109.exe RarSFX: infected - 2 skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000120.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000136.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP3\A0000152.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\EventCache\{7D2FE39C-A8AD-4763-A104-1456984E40D4}.bin Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped 

C:\WINDOWS\Sti_Trace.log Object is locked skipped 

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped 

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\default Object is locked skipped 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SAM Object is locked skipped 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped 

C:\WINDOWS\system32\config\software Object is locked skipped 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\system Object is locked skipped 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped 

C:\WINDOWS\system32\h323log.txt Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped 

C:\WINDOWS\wiadebug.log Object is locked skipped 

C:\WINDOWS\wiaservc.log Object is locked skipped 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped 

Scan process completed. 

Comtrain9
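The reasoning behind reading a report like the one above as clean (and behind the earlier "That's fine" on the Panda results) is that every hit is either a locked file the scanner could not open, a detection already sitting in a quarantine folder or a System Restore point, or a riskware helper bundled inside SmitfraudFix/ComboFix. The following Python triage is an added example, not something from the thread or from Kaspersky; it assumes the report's plain-text line shape shown above, and its sample lines are constructed to mirror the posted ones, with the final entry a made-up placeholder so the "live" bucket is exercised.

```python
"""Triage of Kaspersky Online Scanner report lines (added example).

Buckets:
  locked         - scanner could not open the file; no verdict, ignore
  contained      - hit inside an AV quarantine, QooBox or a System Restore point
  tool_component - riskware that is a bundled part of SmitfraudFix / ComboFix
  live           - anything else: the only bucket that still needs action
"""
import re

# Entry shape in the posted report: <path> <status> <last action>
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<status>Object is locked|Infected: \S+|RarSFX: infected - \d+) "
    r"(?P<action>\S+)\s*$"
)

# Lower-cased path fragments meaning the object is already contained.
CONTAINED_MARKERS = (
    "\\quarantine\\",                          # Norton AntiVirus quarantine
    "\\qoobox\\",                              # ComboFix quarantine folder
    "\\system volume information\\_restore",   # System Restore points
)

# Cleanup tools whose helper binaries (Reboot.exe, NirCmd, Process.exe)
# scanners routinely flag as RiskTool / potentially unwanted.
CLEANUP_TOOLS = ("smitfraudfix", "combofix")

# Constructed sample mirroring lines from the posted report; the last
# Infected entry is a made-up placeholder, not a real detection.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\039D0ABF.wmf Infected: Exploit.Win32.IMG-WMF.v skipped
C:\Documents and Settings\Stephen\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephen\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\foxflpd.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.acy skipped
C:\System Volume Information\_restore{0ED67DC1-6AD9-42BC-9762-8B8E8AD6409D}\RP2\A0000030.exe Infected: not-a-virus:AdWare.Win32.Vapsup.acy skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\placeholder_live_hit.exe Infected: Trojan.Win32.Placeholder.a skipped
Scan process completed.
"""


def parse_line(line):
    """Return (path, status, action) for a report entry, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("path"), m.group("status"), m.group("action")


def classify(path, status):
    """Map one report entry to a triage bucket name."""
    p = path.lower()
    if status == "Object is locked":
        return "locked"
    if any(marker in p for marker in CONTAINED_MARKERS):
        return "contained"
    if any(tool in p for tool in CLEANUP_TOOLS):
        return "tool_component"
    return "live"


def triage(report_text):
    """Group entries by bucket: {bucket: [(path, status), ...]}."""
    buckets = {"locked": [], "contained": [], "tool_component": [], "live": []}
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue            # headers, statistics, blank lines
        path, status, _action = parsed
        buckets[classify(path, status)].append((path, status))
    return buckets


def summary(report_text):
    """Per-bucket counts; a non-zero 'live' count is what needs attention."""
    return {name: len(entries) for name, entries in triage(report_text).items()}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, entries in result.items():
        print(f"{name}: {len(entries)}")
    for path, status in result["live"]:
        print("needs action:", path, status)
```

Contained hits are cleared by emptying the quarantine and flushing old restore points rather than by treating them as an active infection, which is why the helper's approach in the thread moves on to cleanup rather than further removal.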


----------



## Cookiegal (Aug 27, 2003)

Pasting the HijackThis log for easier viewing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:28 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185324752421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197528901640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6162 bytes
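The O4 (Run keys) and O23 (services) lines above are the entries a helper reads first when judging a HijackThis log: where does each persistent binary live, is it referenced by a bare filename, and does the service have a recorded publisher. The following Python script, added here as an example and not part of HijackThis or the forum's own tools, applies those checks to a constructed log fragment modelled on the format above. The sample entries `SysUpdate` and `Helper Service (hlpsvc)` are invented to show the suspicious case; the trusted-root and suspect-folder lists are assumptions for a Windows XP layout, not rules from the thread.

```python
"""Triage helper for HijackThis O4 (Run keys) and O23 (services) lines.

Added example, not HijackThis or any forum tool. It applies a few
defender heuristics to a constructed log fragment: where the binary
lives, whether it is referenced by a bare filename, and whether the
service publisher is unknown.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the log format shown in the thread. The SysUpdate
# and Helper Service entries are invented to exercise the suspicious path.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SysUpdate] C:\Documents and Settings\user\Local Settings\Temp\sysupd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\Temp\hlp.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl)", re.IGNORECASE)

# Assumed normal install locations on Windows XP (lower-cased prefixes).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")
# Assumed folders where a persistent startup binary deserves a hard look.
SUSPECT_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")


@dataclass
class Finding:
    kind: str            # "O4" or "O23"
    name: str
    path: Optional[str]
    verdict: str         # "ok", "review" or "suspicious"
    reason: str


def extract_path(cmd: str) -> Optional[str]:
    """Return the first drive-letter path ending in exe/dll/cpl, or None for a bare name."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def judge_path(path: Optional[str]) -> Tuple[str, str]:
    """Map a binary location to a verdict and a one-line reason."""
    if path is None:
        return "review", "bare filename, resolved through the search path at logon"
    low = path.lower()
    if any(marker in low for marker in SUSPECT_MARKERS):
        return "suspicious", "persistence binary lives in a temp or user-profile folder"
    if low.startswith(TRUSTED_ROOTS):
        return "ok", "normal install location"
    return "review", "unusual location"


def triage(log_text: str) -> List[Finding]:
    """Parse O4 and O23 lines and attach a verdict to each."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            verdict, reason = judge_path(path)
            findings.append(Finding("O4", m.group("name"), path, verdict, reason))
            continue
        m = O23_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            verdict, reason = judge_path(path)
            # "Unknown owner" proves nothing by itself (the thread's log lists a
            # legitimate Symantec service that way), but it removes one reason
            # to trust the entry, so it is never passed through as plain "ok".
            if m.group("owner") == "Unknown owner" and verdict == "ok":
                verdict, reason = "review", "no publisher recorded for the service"
            findings.append(Finding("O23", m.group("name"), path, verdict, reason))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per verdict."""
    counts = {"ok": 0, "review": 0, "suspicious": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:10} {f.kind:3} {f.name:28} {f.path or '-'}  ({f.reason})")
    print(summarize(results))
```

The point of the "review" bucket is the one Cookiegal makes when she calls this log fine: a bare `SOUNDMAN.EXE` or an "Unknown owner" service is not evidence of infection, it is just an entry the heuristics cannot clear on their own, so a human checks the vendor and the file before touching it.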


----------



## Cookiegal (Aug 27, 2003)

The Kaspersky and HijackThis logs are fine.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

I have now run the ATF Cleaner. It emptied about 143 megabytes of stuff. Perhaps the slowness has to do with a security program that might be running in the background. The SuperAntiSpyware logo comes up when I first log on. It does seem that my pc is processing SOMETHING while it searches for internet sites after I log on. 

In any event I have noticed that some sites "don't like" to be accessed and try to download adware or spyware: government agencies, certain online journal sites that are affiliated with global trouble spots, like Haaretz magazine, or the Jerusalem Post, or sites that seem to be associated with Hollywood issues or celebrities, or metaphysical or mystical issues. Almost anything that has to do with security concerns of one kind or another. Can a site legally add damaging pc programs that target internet surfers who try to access their site? Is that legal? Who do they think they are, masters of the universe? I'm not even talking about pornography here. 
Why do they offer sites on the web, if they are simply going to use them to infect pcs? Excuse me while I catch my breath. Maybe I'm not on the right track, here.

Anyway, I noticed in the Kaspersky that there were infected files. But you're telling me that everything is ok. How can that be? What does "locked" mean? Do I need to "unlock" them somehow, and then delete them, or has ATF taken care of that for me? Also, when you say you saw nothing after I ran WinPFind, do you mean you saw nothing harmful? 

Finally, is there anything else I need to run? I didn't receive any new instructions from you to perform a new HJT scan or anything else.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

The items locked are usually system files or certain types of files that are locked and this is normal and of no concern.

Some files showing as infected are either:

1) In Norton's and ComboFix's quarantine folder so neutralized.

2) Belong to tools we've used so are falsely being flagged.

3) Are in system restore so not a threat unless you do a restore to an earlier date. We will be flushing the restore points out when we're finished so that will eliminate any infections there.

Go to *Start* - *Run* - type in *msconfig* - click OK and click on the Startup tab. Uncheck everything there except your anti-virus (ccApp) and then reboot and let me know if there's any improvement.


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

I hope I didn't offend you with my last post. I guess anyone these days can feel vulnerable when they surf. You are the expert and the one and only cookiegal. Sorry I vented. Do I need to do anything else, download or upload or run anything else, before we can say problem solved and I make my contribution? 

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

No, I was not offended. I know how frustrating it can be when malware causes problems. 

Did you try my suggestion in my previous post?


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegirl,

I ran the msconfig, and I get the System Configuration Utility, which initially reported that the General setting showed it was in Diagnostic Mode. I checked the Normal Mode instead and went to the Startup section, unchecked everything except ccApp and then hit Apply. The Ok button disappeared and became Close, which I hit and I got a message saying that some of the changes required a reboot. I then rebooted, and when I logged on, I got a new box telling me that my computer was once again in a Diagnostic Mode and would I like to change it into Regular Mode. I hit ok, got the big System Configuration Utility box again.

Everything was as it had been. The Diagnostic box was checked again, and the Startup window had all the things rechecked that you had told me to uncheck. So I went through it all again...same thing. The third try I decided not to hit the Apply button, just the OK button and again rebooted for the third time, but it made no difference. I even tried the process on the other Accounts. No change.

Even though I get the message that a restart is necessary for the changes to take place, when I do restart, the original Diagnostic settings and items in the Startup tab are restored.


Comtrain9


----------



## comtrain9 (Nov 27, 2007)

My pc is also assaulted quite frequently by "casalmedia" and "tribalfusion." What's the deal on them?

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

Diagnostic mode is what you want. It merely means you've disabled some startup items. When you get that screen again don't tell it you want to start up in normal mode.

Please try again.

casalmedia and tribalfusion are cookies.

You need to clear out all of your cookies.

*Clean your Cache and Cookies in IE:* 
Close all instances of Outlook Express and Internet Explorer 
Go to Control Panel > Internet Options > General tab 
Click the "Delete Cookies" button 
Next to it, Click the "Delete Files" button 
When prompted, place a check in: "Delete all offline content", click OK

and then reset them as follows:

In IE click on Tools - Internet Options - privacy tab and select "advanced". Set First Party cookies to "prompt" and Third Party cookies to either "block" or "prompt" and check "always allow session cookies". Basically, you should refuse all cookies except those from sites you trust or need to log in to.

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "sites" and remove it from the list of blocked cookies there or change its designation to "always allow".


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

I am following your advice about cookies. It seems that when a dialogue box opens up, however, even for this site, and I check allow for the cookie, I have to convince it a few times that I'm serious about allowing the cookie. What I did was check prompt for both 1st and 3rd parties and also Allow all Session cookies. I'm wondering if the pc can detect whether a cookie is good for it or not, without my having to set up a roadblock for every site I choose to visit.

As for the System Configuration Utility, I find that trying to only keep ccApp checked within the Diagnostic Mode is impossible. Every time I hit Diagnostic Mode, everything either gets checked or unchecked in the Startup tab. If I check only ccApp and return to the General tab, I find that it has reverted to a third option, the Selective Startup selection. Eventually, I have found the only way to have ccApp remaining solely checked is to be in the Selective Startup selection option in the General Tab. When I am in that Selective mode, other little boxes are automatically checked: Process SYSTEM.INI file, WIN.INI file, Load System Services, and Use Original BOOT.INI. 

It does seem that my pc does not like starting up in Diagnostic Mode, whether I want it to or not. And it seems to limit my options depending on my choice of what method of startup I choose.

FYI, my upgraded Norton 07 Security Suite said it found and fixed a Trojan Horse in a registry item whose address ended with the ComboFix name. This happened a few hours ago.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

For the cookies, if you just click "allow" then you will have to do that every time. The instructions say to click "always allow or block" and doing that you will only have to do it once.

Selective startup is what we want. That means some items are not checked to run at startup. So if you just leave ccApp and remain in selective startup, does your account run any faster?


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

Yes, I think so. I am still puzzled, however, why my pc is so selective about which options in Startup will go with which General Settings, and which Settings it seems to prefer, if that is the correct word. Maybe you can address that, or perhaps I should consult a different forum.

I guess I have done just about everything at this point, and I guess I can congratulate you on Fixing my pc. Way to go, and contribution will be on its way shortly! 

What about all the anti-malware stuff I have downloaded so far? Should I just leave it for the time being? Upgrade it? Do the demo versions upgrade, anyway?

If you tell me to keep it and run it, do I disable Norton, first?

And what about AVG? I'm not sure I even downloaded the version you suggested. 

I have other questions, but probably for the General Security forum just below the Malware one.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

I don't really understand what you're saying about the startup. You should be able to disable anything via msconfig. The only problem is, some functions may not work.

Please list the programs I had you install and I'll tell you whether you should keep them or not.


----------



## comtrain9 (Nov 27, 2007)

Cookiegal,

These are things I have downloaded so far:



Smitfraud.exe, but then deleted as it was corrupted

ComboFix

Smitfraudfix by S!ri

AVG Anti-Spyware v 7.5

SuperAntiSpyware

WinPFind 3U.exe

ATF Cleaner by Atribune

I also ran, but didn't download, Panda Active Scan and Kaspersky Online Scanner.

I receive a message from System Configuration if I am in some mode, any mode, other than Normal Mode and that I can change the mode. If I make any changes at all, I am told that I have to restart my pc for the changes to take effect. When I do, I often see the Configuration screen again, telling me that I am in a mode other than the Normal one. It seems that rather than make the changes during the Restart, the pc might revert to the original configuration I was hoping to change by restarting. 

As a simple non-computer example: Did you see the Bill Murray movie, Groundhog Day? He wakes up the next day, and must relive the same day all over again. If you equate his going to bed after all the changes the other characters have gone through that day with him, and compare that with restarting my pc, the pc "wakes up" and acts as if it actually erased the changes it was telling me would take effect through the startup process. 

I guess what I am saying is that the Restart seems to have erased or undone the changes I made, rather than embed them into the pc operation. I finally checked the box in the System Configuration Utility dialogue box, to not be notified of this, anymore. 

In any event it seems that it takes some time to access web sites in my account, but not in the accounts of the other two users. We all have administrator privileges. Other than that, things seem to be going ok. 

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

I was under the impression that you said everything was fine with your account when disabling everything but your anti-virus in msconfig? 

Also, normal mode means that you have everything checked to startup. The minute you have one thing unchecked, then it's called "selective startup" because you are in effect selecting the things you want to start up from the list. You will always get the configuration utility message if you're starting up in anything other than normal mode unless you check the box to tell it not to alert you anymore. That will only be good for as long as you don't make any other changes though.

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Also, delete Smitfraudfix by S!ri and WinPFind3U (the folder).

Keep only one of either of the following, as they both do the same thing:
AVG Anti-Spyware v 7.5
SuperAntiSpyware

You can keep ATF Cleaner by Atribune if you wish.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal,

For some reason my pc in my own administrator's account appears to be working better now, without delays. The only delay occurs when I am in full desktop screen and I hit my golden-starred Favorites icon in the upper bar to reduce the size of the desktop to allow my Favorites column to appear on the left side of the screen. It is a very extensive list. Maybe that is the reason. 

You have been wonderful. Now watch as I eventually do something I shouldn't have and manage to get myself re-infected. They say this year's flu shot doesn't cover all the strains, either.

Is there any forum on the TechGuy site that talks about future computer trends or technology?

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

That's great. :up:

Now you just have to practice safe surfing. 

There is no forum for future trends as I don't think there would be enough demand for an actual forum but there may be some threads discussing that topic that you may be able to find by searching.

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.


----------



## comtrain9 (Nov 27, 2007)

Dear Cookiegal; I have been away for a little while.

I will do as you say. The security post you recommended was last updated in 2006. It lists some anti-malware programs I remember from a couple of years ago. Do I still need them in addition to everything else? 

And I remember an episode I had about a year ago, when I downloaded a bunch of recommended security patches by Microsoft. I couldn't even start my computer properly. I finally had to take it in for technical repairs, and I was told that the patches created an unfixable conflict with my Norton Security Suite 2006 and some essential files were damaged or erased. The result was that I had to get an entirely new hard drive. It was under warranty fortunately, but I'm always wondering if I get patches from Microsoft, whether they will once again destroy my computer, because they conflict with something already present.

I do get updates from MS dealing with system performance. Sometimes they are downloaded automatically. Once, I got a message from them saying that they were downloaded and my pc had to be restarted. This once happened overnight. Interesting. I was pretty sure I wasn't even logged on. I think we had a similar discussion about that mystery in an earlier post.

I've made a contribution through my account.

Comtrain9


----------



## Cookiegal (Aug 27, 2003)

You don't need to get all the programs mentioned in that link.

From time to time there can be some problems with MS updates but they are usually addressed very quickly and resolved. You need to get at the very least the critical ones as they patch security vulnerabilities.

Thanks for the donation. It's very much appreciated.


----------

