# Solved: Trojan cn911.exe



## thedivingdog (Mar 28, 2007)

Dear peeps

I picked up a trojan last week; I think from someone else's USB memory stick.

It resulted in a dos dialog box opening up just after windows loaded with the message:

16 bit MS-DOS Subsystem 
C:\DOCUME~1\JACKIE~1\LOCALS~1\Temp\Cn911.exe
The NTVDM CPU has encountered an illegal instruction.
XX:YYYX XX:YYXY XX: YY YY YY YY YY Chose 'Close to terminate the application or Ignore.

None of the anti-virus software I used detected any threat (including Norton, Windows Defender, Ad-Aware, Spybot).

I was also unable to restore my computer to a previous restore point.

I then found some information on cn911.exe and cn912.exe files on the Elder Geek forum....
http://www.theeldergeek.com/forum/in...howtopic=23573
which had links to several anti-virus packages including Sysclean.

Sysclean found the trojan but it was unable to do anything with it (move, delete or clean). Finally I ran Sysclean in SAFE MODE and the infected file was deleted (so I'm now missing ODBCJET.EXE).

My computer now seems fine (although it is slower).....I no longer have the dos box with cn911.exe just after windows loads and everything else seems to be OK?! But I don't REALLY know what I'm doing so........

Does anyone know what else I can do to check that I am now completely clean. Mosaic1 from a previous thread recommended I look for autorun.inf and autorun.* files.

I have 6 of these but have no idea what I'm looking for! They are as follows:

autorun.inf c:\drivers\drivers
autorun.exe c:\works\msworks
autorun.inf c:\documents and settings\divingdog\local settings\temp\NAV (norton?)
autorun.inf c:\documents and settings\divingdog\local settings\temp\NIS10.2.0.30
autorun.ico c:\drivers\drivers\8081\AUDIO\CMEDIA\w2kXP
autorun.inf c:\drivers\drivers\8081\AUDIO\CMEDIA\w2kXP

Any advice would be much appreciated.

Many thanks

thedivingdog


----------



## Glaswegian (Dec 5, 2004)

Hi

Please follow these instructions - this tool will produce 2 logs that will allow me to take a closer look at your system.

Download *Deckard's System Scanner (DSS)* to your *Desktop* . Note: You must be logged onto an account with administrator privileges.
*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - minimised > *extra.txt* and maximised > *main.txt*.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* back in this thread *(do not attach it). *
Please *attach* *extra.txt* to your post.

To attach a file to a new post, simply

Click the[*Manage Attachments*] button under *Additional Options > Attach Files* on the post composition page, and
*copy and paste* the following into the "*Upload File from your Computer*" box: *C:\Deckard\System Scanner\extra.txt*​
 Click *Upload.*


----------



## thedivingdog (Mar 28, 2007)

Dear Glaswegian

A big thank you for your help.

Copied main.txt and extra attached:

Deckard's System Scanner v20070328.36
Run by Jackie Hill on 2007-03-29 at 09:40:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
13: 2007-03-29 08:40:39 UTC - RP521 - Deckard's System Scanner Restore Point
12: 2007-03-28 12:58:45 UTC - RP520 - Software Distribution Service 2.0
11: 2007-03-28 12:26:43 UTC - RP519 - Installed iTunes
10: 2007-03-28 09:32:08 UTC - RP518 - Software Distribution Service 2.0
9: 2007-03-27 15:54:21 UTC - RP517 - Restore Operation

-- First Restore Point -- 
1: 2007-03-27 10:35:03 UTC - RP509 - Restore Operation

Performed disk cleanup.

-- HijackThis (run as Jackie Hill.exe) -----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:43:52, on 29/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Jackie Hill\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Jackie Hill.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qmul.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - @	8ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - *?	A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - Ð?	BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ODBCJET] C:\WINDOWS\system32\ODBCJET.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174993211829
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/546...img/operations/symbizpr/xcontrol/SymDlBrg.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0E235C-067C-4BB1-A256-20A7E8825D5A}: NameServer = 192.168.1.245
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

-- File Associations -----------------------------------------------------------

.scr - STATISTICAScrollsheet - shell\open\command - C:\STAT\sta_fil.exe %1 /t

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys
R1 SRTSPX - c:\windows\system32\drivers\srtspx.sys
R1 vobcom - c:\windows\system32\drivers\vobcom.sys
R1 vobiw - c:\windows\system32\drivers\vobiw.sys
R2 MTC0003_STDSB (Scroll Bar Driver) - c:\windows\system32\stdsb.sys
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys
R2 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys
R2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - c:\windows\system32\drivers\nwlnkipx.sys
R2 NwlnkNb (NWLink NetBIOS) - c:\windows\system32\drivers\nwlnknb.sys
R2 NwlnkSpx (NWLink SPX/SPXII Protocol) - c:\windows\system32\drivers\nwlnkspx.sys
R2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys
R3 Bridge (MAC Bridge) - c:\windows\system32\drivers\bridge.sys
R3 cdrdrv - c:\windows\system32\drivers\cdrdrv.sys
R3 cmuda (C-Media WDM Audio Interface) - c:\windows\system32\drivers\cmuda.sys
R3 FETNDISB (VIA Rhine Family Fast Ethernet Adapter Driver Service) - c:\windows\system32\drivers\fetnd5b.sys
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys
R3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys
R3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys
R3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\slntamr.sys
R3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys
R3 SRTSP - c:\windows\system32\drivers\srtsp.sys
R3 w70n51 (Intel(R) PRO/Wireless 7100 Adapter Driver) - c:\windows\system32\drivers\w70n51.sys

S3 alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys
S3 alcaudsl (SpeedTouch ADSL Modem ATM Transport) - c:\windows\system32\drivers\alcaudsl.sys
S3 BridgeMP (MAC Bridge Miniport) - c:\windows\system32\drivers\bridge.sys
S3 gv3 (Intel GV3 Processor Driver) - c:\windows\system32\drivers\gv3.sys
S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys
S3 NtMtlFax - c:\windows\system32\drivers\ntmtlfax.sys
S3 NTSIM - c:\windows\system32\ntsim.sys
S3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys
S3 RecAgent - c:\windows\system32\drivers\recagent.sys
S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys
S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NALNTSERVICE (Novell Application Launcher) - c:\windows\system32\nalntsrv.exe
R2 SLService (SmartLinkService) - slserv.exe

S2 MySql - c:\mysql\bin\mysqld (file missing)
S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe

-- Scheduled Tasks -------------------------------------------------------------

2007-03-29 09:28:24 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-03-28 13:22:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-02-26 21:23:46 634 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Jackie Hill.job<NORTON~1.JOB>

-- Files created between 2007-02-28 and 2007-03-29 -----------------------------

2007-03-28 13:21:59 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-03-27 14:35:34 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-27 13:19:11 0 d-------- C:\Documents and Settings\Jackie Hill\DoctorWeb<DOCTOR~1>
2007-03-26 13:07:51 0 d-------- C:\Documents and Settings\Jackie Hill\.housecall6.6<HOUSEC~1.6>
2007-03-23 18:59:19 0 d-------- C:\Sysclean
2007-03-23 15:56:28 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-03-21 21:50:11 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\Lavasoft
2007-03-21 21:48:18 0 d-------- C:\Program Files\Lavasoft
2007-03-21 21:47:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>

-- Find3M Report ---------------------------------------------------------------

2007-03-29 09:43:37 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-28 13:29:57 0 d-------- C:\Program Files\iTunes
2007-03-28 13:29:45 0 d-------- C:\Program Files\iPod
2007-03-28 13:25:30 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-16 19:51:38 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\EndNote
2007-02-25 15:48:18 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\Yahoo!
2007-02-25 15:47:44 0 d-------- C:\Program Files\Yahoo!
2007-02-22 13:14:42 0 d-------- C:\Program Files\Norton Internet Security<NORTON~2>
2007-02-22 13:14:19 0 d-------- C:\Program Files\Symantec
2007-02-22 13:14:18 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-02-22 13:04:53 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-02-22 12:59:10 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\Symantec
2007-02-06 14:47:22 0 d-------- C:\Program Files\EPSON
2007-02-02 10:33:16 0 d-------- C:\Program Files\Google
2007-01-10 03:47:38 242320 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-01-10 03:47:38 624784 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"InstantTray"="C:\\Program Files\\Pinnacle\\Shared Files\\InstantCDDVD\\PCLETray.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"STDSB"="C:\\WINDOWS\\System32\\STDSB.exe"
"WL"="C:\\WINDOWS\\System32\\WL.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NDPS"="C:\\WINDOWS\\system32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"EPSON Stylus C46 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P23 \"EPSON Stylus C46 Series\" /O6 \"USB001\" /M \"Stylus C46\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"ODBCJET"="C:\\WINDOWS\\system32\\ODBCJET.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96e19760-1b18-11db-8d71-000423874841}]
Shell\Auto\command	E:\Cn911.exe
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3320d51-30c2-11da-8c58-000423874841}]
Shell\AutoRun\command	E:\GizmoSecure\Windows\GizmoSecure30.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

-- End of Deckard's System Scanner: finished at 2007-03-29 at 09:44:18 ---------

Many thanks

thedivingdog


----------



## Glaswegian (Dec 5, 2004)

Hi again

My name is Iain and I will be helping you clean your system.

You may wish to *Subscribe* to this thread *(Thread Tools > Subscribe to this thread)* so that you are notified when you receive a reply.

*Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.*

*Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your log is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.*

*If there is anything you don't understand, please ask BEFORE proceeding with the fixes.*

*Please ensure that you follow the instructions in the order I have them listed.*

*Show Hidden Files*
Go to *My Computer > Tools > Folder Options > View* tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the *Hide protected operating system files* option.

*Downloads*
Please download *Cleanup!* or use this *Alternate Link* if the main link does not work and install it. You will use this later. 
**NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups.* If you have any files in any *TEMP* directory and you need to keep them, then please *MOVE THEM NOW!*

Download *AVG Anti Spyware*

Use the link at the bottom of the page under *"AVG Anti-Spyware Free for Windows"*











Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On the top of the main screen click *Shield*
Click the word *active* to change it to *inactive*
On the top of the main screen click *Update*.
Then click on *Start Update.* The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"


When you have finished updating, *EXIT AVG Anti Spyware.*

Download *DAFT* and save it to your Desktop.

Double-click the *daft.exe* icon. Read the disclaimer and click OK.
 Click on the *Scan* button.
Place a checkmark next to the following entries:

*.scr*

Click the *Fix* button.
Re-scan and save a logfile. By default, it will save as *daft.txt*.

Post the contents of that file with your next post.

*Disable Windows Defender*
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and *uncheck* Turn on real-time protection (recommended).
After you uncheck this, click on the *Save* button and close Windows Defender.

*Reboot*
Reboot your system in *Safe Mode*.

Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but *before* the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight *Safe Mode* and press *Enter*.

*HijackThis Entries*
Open Hijack This and click on *Scan.* Check the following entries *(if they still exist) (make sure you do not miss any)*

* O2 - BHO: (no name) - @ 8ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - *? A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - Ð? BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O4 - HKLM\..\Run: [ODBCJET] C:\WINDOWS\system32\ODBCJET.exe*

_*Please remember to close all other windows, including browsers then click** Fix checked.*_

*File Deletions*
Delete the following File indicated in *RED* *if it still exists.*

C:\WINDOWS\system32\*ODBCJET.exe*

*Run CleanUp!*
**NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups.* If you have any files in any *TEMP* directory and you need to keep them, then please *MOVE THEM NOW!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click *Options*
Move the slider button down to *Custom CleanUp!*
Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the Temporary Files tab and *uncheck* the box for Scan drives for file matching if its checked.

Click *OK,* Press the *CleanUp!* button to start the program and *DO NOT REBOOT* when prompted.
*Note:* *CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.*

*Run AVG Anti Spyware*
Run *AVG* with it's updated definitions (...it's important that *all windows must be closed*) 
 Click *Scanner*
 Click on the *Scan* tab
 Click *Complete System Scan* to begin scanning.
 When the scan is complete click *Recommended Action* and change it to *Quarantine*
 Then click *Apply all actions*
Once finished, click the *Save report* button, then click *Save Report As* and save it to your desktop.

*NOTE: AVG scan may require an hour.*

*Reboot*
Reboot your system in Normal Mode.

*Online Scan*
Perform an online scan with Internet Explorer with *Panda ActiveScan*

 Click on







located at the bottom of the page.
 A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
 Enter your e-mail address, country, and state & click *"Free Online Scan"*  *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting









 If it finds any malware, it will offer you a report.
 Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
 Click on







then click







* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

*Deckard's System Scanner  Run Again*

*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, a text files will open - maximised > *main.txt*.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* back in this thread *(do not attach it). *

*Logs required*
*daft.txt
AVG Log
Panda Log
Main.txt*

Please also let me know how your system is performing now and if you have any specific problems.


----------



## thedivingdog (Mar 28, 2007)

Hi Iain
Huge thannks.....I'm just about to get going with your instructions so will hopefully come back to you when I'm done.
thedivingdog
or Jackie to my friends!


----------



## thedivingdog (Mar 28, 2007)

Hi Iain

All finished! Phew!

I've copied in the Hijack log file but have ATTACHED the other three. If you need me to copy the logs into the post let me know.

You'll see from the Logs that there are a couple of things found....?

No apparent problems.......my computer still seems a bit slow but nothing drastic. (I do still have a ccApp dialog box when I log off from windows but I think this is something to do with Norton Anti-virus so may not be relevant?!).

I also have an icon on my desktop for Thumbs.db which I think was installed sometime today during all the scans and stuff?

Again, many thanks for your time and help......computer numpties like me would be lost without the generosity of others.

Jackie

Logfile of HijackThis v1.99.1
Scan saved at 15:41:41, on 30/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\NALNTSRV.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Jackie Hill\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\JACKIE~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qmul.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174993211829
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/546...img/operations/symbizpr/xcontrol/SymDlBrg.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0E235C-067C-4BB1-A256-20A7E8825D5A}: NameServer = 192.168.1.245
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld (file missing)
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\system32\NALNTSRV.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

-- Files created between 2007-02-28 and 2007-03-30 -----------------------------

2007-03-30 14:10:51 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-30 14:10:48 0 d-------- C:\WINDOWS\LastGood
2007-03-30 11:11:09 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-29 15:04:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-03-28 13:21:59 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-03-27 14:35:34 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-27 13:19:11 0 d-------- C:\Documents and Settings\Jackie Hill\DoctorWeb<DOCTOR~1>
2007-03-26 13:07:51 0 d-------- C:\Documents and Settings\Jackie Hill\.housecall6.6<HOUSEC~1.6>
2007-03-23 18:59:19 0 d-------- C:\Sysclean
2007-03-23 15:56:28 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-03-21 21:50:11 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\Lavasoft
2007-03-21 21:48:18 0 d-------- C:\Program Files\Lavasoft
2007-03-21 21:47:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>

-- Find3M Report ---------------------------------------------------------------

2007-03-30 15:05:12 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-30 15:03:56 0 d-------- C:\Program Files\Norton Internet Security<NORTON~2>
2007-03-30 15:01:38 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-30 15:01:08 0 d-------- C:\Program Files\iTunes
2007-03-30 14:58:19 0 d-------- C:\Program Files\Google
2007-03-30 14:56:03 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-30 10:57:00 0 d-------- C:\Program Files\Front Page Express<FRONTP~1>
2007-03-29 16:12:14 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\EndNote
2007-03-29 14:58:31 1196 --a------ C:\Documents and Settings\Jackie Hill\Application Data\AdobeDLM.log
2007-03-29 14:58:30 6 --a------ C:\Documents and Settings\Jackie Hill\Application Data\dm.ini
2007-03-29 14:57:12 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-29 13:31:05 0 d---s---- C:\Documents and Settings\Jackie Hill\Application Data\Microsoft<MICROS~1>
2007-03-28 13:29:45 0 d-------- C:\Program Files\iPod
2007-02-25 15:48:18 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\Yahoo!
2007-02-25 15:47:44 0 d-------- C:\Program Files\Yahoo!
2007-02-22 13:14:19 0 d-------- C:\Program Files\Symantec
2007-02-22 13:14:18 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-02-22 13:04:53 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-02-22 12:59:10 0 d-------- C:\Documents and Settings\Jackie Hill\Application Data\Symantec
2007-02-06 14:47:22 0 d-------- C:\Program Files\EPSON
2007-01-10 03:47:38 242320 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-01-10 03:47:38 624784 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"InstantTray"="C:\\Program Files\\Pinnacle\\Shared Files\\InstantCDDVD\\PCLETray.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"STDSB"="C:\\WINDOWS\\System32\\STDSB.exe"
"WL"="C:\\WINDOWS\\System32\\WL.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NDPS"="C:\\WINDOWS\\system32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"EPSON Stylus C46 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P23 \"EPSON Stylus C46 Series\" /O6 \"USB001\" /M \"Stylus C46\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96e19760-1b18-11db-8d71-000423874841}]
Shell\Auto\command	E:\Cn911.exe
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3320d51-30c2-11da-8c58-000423874841}]
Shell\AutoRun\command	E:\GizmoSecure\Windows\GizmoSecure30.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

-- End of Deckard's System Scanner: finished at 2007-03-30 at 15:42:14 ---------


----------



## Glaswegian (Dec 5, 2004)

Hi again Jackie

That is part of Norton (ccApp). Its not something Ive ever used, but perhaps check your settings etc? You may need to raise that in one of the other Forums once were finished here.

The other file will be from DSS  you can delete it when were finished.

Looks good so far though. Lets run one more online scan, just to be sure.

Establish an internet connection & perform an online scan with *Internet Explorer* at *Kaspersky WebScanner*

Next Click on *Kaspersky Online Scanner* 









A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky, Click *Yes.*

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on *NEXT*
Now click on *Scan Settings*
In the scan settings make that the following are selected:
*Scan using the following Anti-Virus database:*

*Extended*
*Scan Options:*

*Scan Archives*
*Scan Mail Bases*
Click *OK*

Now under select a target to scan: Select *My Computer*

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the *Save as Text* button:

Save the file to your desktop.
Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

** Turn off the real time scanner of any existing antivirus program while performing the online scan*

*Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.*

Please post back with the *Kaspersky Log* and a fresh *HijackThis Log*. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced *only* while in *Normal Mode.*


----------



## thedivingdog (Mar 28, 2007)

Hi Iain

Thanks for your last post. I only managed to pick it up this morning as I've been working away from home for that last few days.

Anyway!....I've just run the kaspersky programme but have loads of locked files in the report. I had turned off the autoprotection on my Norton but think I need to disable AVG spyware as well. Will do this and rerun....probably tomorrow evening..so will get back to you soon after.

Many thanks

Jackie


----------



## Glaswegian (Dec 5, 2004)

Jackie

Kaspersky will show locked files - you won't be able to do anything to change that. Just post the log - I've a small routine that will exclude any locked files and leave me with only the ones that matter.


----------



## thedivingdog (Mar 28, 2007)

Hi Iain

Kaspersky log below.

Many thanks

Jackie

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 03, 2007 3:20:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/04/2007
Kaspersky Anti-Virus database records: 290425
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66102
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:07:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03232007-145655.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-04-03_Log.ALUSchedulerSvc.LiveUpdate	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\66824896.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\EFD001F8.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\History\History.IE5\MSHist012007040320070404\index.dat	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\Temp\~DFF29C.tmp	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\Temp\~DFF6EC.tmp	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Jackie Hill\NTUSER.DAT.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log	Object is locked	skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{14314BD7-3D90-4EC8-A5EE-49F4129BFADE}\RP522\change.log	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\itircl.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\win32k.sys	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\dao360.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\expsrv.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msexch40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msexcl40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msjet40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msjetol1.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msjetoledb40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msjint40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msjter40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msjtes40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msltus40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\mspbde40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msrd2x40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msrd3x40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msrepl40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\mstext40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\mswdat10.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\mswstr10.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\msxbde40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB829558$\vbajet32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx	Object is locked	skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CA69CCEC-E7EA-4DC9-9677-DA8E42BD692D}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2	Object is locked	skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## Glaswegian (Dec 5, 2004)

Hi again Jackie

All clean from Kaspersky and your other logs are clean as well. Any more problems? If not well just tidy up and Ill let you go, along with my recommendations for staying safe and secure.

You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them.

*Reset Hidden/System Files*
To reset your hidden and system files:

Click *Start.*
Open *My Computer.*
Select the *Tools menu* and click *Folder Options.*
Select the *View* tab.
_Deselect_ the *Show hidden files and folders* option.
_Select_ the *Hide file extensions for known types* option.
_Select_ the *Hide protected operating system files* option.
Click *Yes* to confirm.
Click *OK.*

*System Restore*
*To turn off System Restore* click Start > Right Click My Computer > Properties. Click the System Restore tab and *Check "Turn off System Restore"* or *"Turn off System Restore on all drives"* Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

*To turn on System Restore* by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. *Uncheck "Turn off System Restore"* or *"Turn off System Restore on all drives."* Click Apply, and then OK.

This will create a new Restore Point.

Now that you are clean, to help protect your computer in the future I recommend that you get the following *free* programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

*
Ad-aware*
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.

*IE-SPYAD*
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.

*
SnoopFree*
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is *only* for XP systems.
*

MVPS Hosts File*
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. *Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.*

*
Alternate Browsers*
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

*
Firewalls*
A good firewall will monitor incoming *and* outgoing traffic. *NOTE:* Microsoft's Firewall *does not* monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm
*

Anti Virus Software*
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
*

Other Protection*
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.

Keep *clean* and *safe* and enjoy your computing!

*You can mark this thread resolved using Thread Tools at the top of the page.*


----------



## thedivingdog (Mar 28, 2007)

Hi Iain

Finally I've done the last bits you suggested.

My computer seems to be behaving itself thank goodness. And the person who gave me the trojan found it on his USB stick so won't be passing it on to anyone else!

Many thanks for the software recommendations for keeping my computer safe....I've downloaded them. And I'm going to be a bit more wary about who sticks what in my computer in future!!!

THANK YOU SO MUCH for all your help......I really would have been stuffed without your knowledge, expertise and generosity. Wish I could return the favour but unless you need to know something about lobsters (I'm a marine biologist) there's not much I can help you with!!!

Jackie


----------



## Glaswegian (Dec 5, 2004)

My pleasure Jackie.:up: 

Remember to mark this thread as resolved.

Mmmm....lobster......


----------

