controll panel

Unknown

my computer has picked up a virus or worm i have lost the controll panel
i can get it if i boot in safe mode but when i try to change any thing i get
a message that there is restriction by adminastrator. i ran adaware and spy
bot but it is still there did the on line scans the log are posted below
also the hjt log
thanks

---

KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 12, 2007 5:23:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/12/2007
Kaspersky Anti-Virus database records: 481021

---

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 82995
Number of viruses found: 12
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 01:34:36
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Start Menu\Programs\Startup\setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\E704E55E.TMP Object is locked skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\startup.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012007120320071210\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012007121220071213\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ron\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ron\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ron\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ron\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ron\Start Menu\Programs\Startup\setings.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\L0000010.FCS Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Compaq Connections\5577497\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0394NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0809NAV~.TMP Object is locked skipped
C:\SDFix\backups(2)\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\SDFix\backups(2)\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\SDFix\backups(2)\backups.zip/backups/WinAvXX.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\SDFix\backups(2)\backups.zip ZIP: infected - 3 skipped
C:\SDFix\backups(3)\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\SDFix\backups(3)\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\SDFix\backups(3)\backups.zip/backups/WinAvXX.exe Infected: Trojan.Win32.Qhost.uu skipped
C:\SDFix\backups(3)\backups.zip ZIP: infected - 3 skipped
C:\SDFix\backups_old1\HOSTS Infected: Trojan.Win32.Qhost.my skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000313.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000314.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000327.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000328.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000335.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000345.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000346.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000347.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000373.exe Infected: Trojan.Win32.Qhost.xx skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000374.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000375.exe Infected: Trojan-Proxy.Win32.Wopla.ap skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000376.exe Infected: Trojan-Spy.Win32.BZub.bun skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000377.exe Infected: Trojan-Proxy.Win32.Wopla.ap skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000378.exe Infected: Trojan-Spy.Win32.KeyLogger.rp skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000379.exe Infected: Trojan-Downloader.Win32.Agent.dyn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0000439.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0000440.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0000441.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0000453.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\drabste.exe Infected: Email-Worm.Win32.Zhelatin.ml skipped
C:\WINDOWS\ModemLog_PCI Data Fax SoftModem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\Download\89b70ceab9c1882c80e33e4e8d6798ba\BIT28.tmp Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1E2F9088-D4FC-47F6-B7BE-50FE8BDA8A4F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msanton.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\WINDOWS\system32\timoty.exe Infected: not-virus:Hoax.Win32.Renos.vj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\xlavra3.exe Infected: Trojan-Downloader.Win32.Wixud.b skipped
D:\I386\Apps\APP16119\src\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\Apps\APP16119\src\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\Apps\APP16119\src\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\Apps\APP16119\src\CompaqPresario_Spring06.exe WiseSFXDropper: infected - 2 skipped
D:\I386\Apps\APP16119\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\Apps\APP16119\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\Apps\APP16119\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\Apps\APP16119\src\HPPavillion_Spring06.exe WiseSFXDropper: infected - 2 skipped
Scan process completed.


Incident Status Location
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setings.exe
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\setings.exe
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Start Menu\Programs\Startup\setings.exe
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\startup.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\restart.exe
Hacktool:HackTool/KillProcWin.A Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0C.dat[simple_killw.exe]
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\setings.exe
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\ron\Start Menu\Programs\Startup\setings.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/VirusAlarma Not disinfected C:\SDFix\backups(2)\backups.zip[backups/autorun.exe]
Adware:Adware/VirusAlarma Not disinfected C:\SDFix\backups(2)\backups.zip[backups/printer.exe]
Adware:Adware/VirusAlarma Not disinfected C:\SDFix\backups(2)\backups.zip[backups/WinAvXX.exe]
Adware:Adware/VirusAlarma Not disinfected C:\SDFix\backups(3)\backups.zip[backups/autorun.exe]
Adware:Adware/VirusAlarma Not disinfected C:\SDFix\backups(3)\backups.zip[backups/printer.exe]
Adware:Adware/VirusAlarma Not disinfected C:\SDFix\backups(3)\backups.zip[backups/WinAvXX.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups_old1\HOSTS
Adware:Adware/VirusAlarma Not disinfected C:\WINDOWS\system32\msanton.exe
Adware:Adware/VirusAlarma Not disinfected C:\WINDOWS\system32\timoty.exe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:28 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\msanton.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: control.lnk = C:\WINDOWS\control.ini
O4 - Startup: setings.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: startup.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{025056E4-ED8C-4D97-BE08-178D48F8D486}: NameServer = 64.179.43.190 69.95.31.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{025056E4-ED8C-4D97-BE08-178D48F8D486}: NameServer = 64.179.43.190 69.95.31.250
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7490 bytes

Veka

Hello fellowesman. I'll check your logs and answer ASAP. Please wait.

Veka

Print out these instructions or save them into a text file.


Step 1

Please download

Killbox


Step 2

Remove old Java

• Close any programs you have running - especially web browser.
• Go to Start > Control Panel,double-click on Add/Remove Programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.

Step 3

Start HijackThis and click Do system scan only.[SIZE=-1]

When the scan is complete, check the following entries

[/SIZE]F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: control.lnk = C:\WINDOWS\control.ini
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

Close web browser and all other open programs/windows.

After that, click Fix Checked.


Step 4

Remove harmful files with Killbox

• Run KillBox
• Select the option "Delete on Reboot"
• Click All Files (important, it should flash in green)
• Copy the red text below by highlighting it and pressing Ctrl+C:
  
  C:\WINDOWS\system32\msanton.exe
  C:\WINDOWS\system32\timoty.exe
  C:\WINDOWS\system32\timoty.exe
  C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
  C:\WINDOWS\drabste.exe
  C:\WINDOWS\xlavra3.exe
  

• Return to Killbox, go to the File menu
• Choose "Paste from Clipboard".
• Click the red-and-white Delete File button.
• Click Yes at the Delete on Reboot prompt.
• Click OK at the Pending Operations prompt if you get one.
• If the computer does not reboot by itself, do it manually.

Step 5

Post a fresh HijackThis log.

fellowesman

VEKARPPE
i can not change anything in control panel. when i click on add or remove programs i get a message "this operation has been cancelled due to restrictions in effect on this computer. please contact your system administator"

thanks

Veka

Oh, sorry. My mistake. Can you do other steps ( 1 and 3-5 ) ?

fellowesman

vekarppe
did the steps outlined and rebooted and ran a hjt and log posted below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:00 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\timoty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: control.lnk = C:\WINDOWS\control.ini
O4 - Startup: setings.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: startup.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7277 bytes

Veka

Thank you. I will give further instructions soon.

Veka

Ok. Let's continue...

Please download ComboFix to your Desktop.

• Double click on Combofix.exe & follow the prompts.
• When the scan has finished, it shall produce a log for you. Post that log in your next reply.

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

fellowesman

vekarppe
did the scan and the log is below

fellowesman

opps
theres the log

ComboFix 07-12-16.4 - Compaq_Owner 2007-12-17 5:24:16.2 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.
2007-12-17 05:20 . 2007-12-17 05:20 <DIR> d

---

C:\WINDOWS\LastGood
2007-12-12 16:55 . 2007-02-28 04:10 2,180,352

---

C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-12-12 16:55 . 2007-02-28 04:08 2,136,064

---

C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-12 16:55 . 2007-02-28 03:38 2,057,600

---

C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-12-12 16:55 . 2007-02-28 03:38 2,015,744

---

C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-09 17:09 . 2007-12-09 17:09 <DIR> d

---

C:\Program Files\Trend Micro
2007-12-09 13:39 . 2007-12-09 13:39 <DIR> d

---

C:\WINDOWS\system32\Kaspersky Lab
2007-12-09 13:39 . 2007-12-09 13:39 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-09 07:57 . 2007-12-12 18:22 <DIR> d

---

C:\WINDOWS\system32\ActiveScan
2007-12-09 07:57 . 2007-12-12 17:25 30,590 --a

---

C:\WINDOWS\system32\pavas.ico
2007-12-09 07:57 . 2007-12-12 17:25 2,550 --a

---

C:\WINDOWS\system32\Uninstall.ico
2007-12-09 07:57 . 2007-12-12 17:25 1,406 --a

---

C:\WINDOWS\system32\Help.ico
2007-12-08 22:33 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\ron\WINDOWS
2007-12-08 22:33 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\ron\Application Data\Symantec
2007-12-08 22:33 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\ron\Application Data\Intuit
2007-12-08 20:51 . 2007-12-08 20:51 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\SUPERAntiSpyware.com
2007-12-08 20:25 . 2007-12-08 20:25 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\Lavasoft
2007-12-08 19:58 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\WINDOWS
2007-12-08 19:58 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\Symantec
2007-12-08 19:58 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\Intuit
2007-12-08 19:50 . 2004-08-04 07:00 221,184 --a

---

C:\WINDOWS\system32\wmpns.dll
2007-12-08 19:50 . 2007-11-22 05:02 6,144 --a

---

C:\WINDOWS\system32\timoty.exe
2007-12-08 19:50 . 2007-11-22 05:02 6,144 --a

---

C:\WINDOWS\system32\msanton.exe
2007-12-08 19:48 . 2007-12-08 19:49 1,866 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_EL426AA-ABA SR1710NX NA610_YC_0Pres_QMXF603_E61NAheRED1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.13_T051115_WXH2_L409_M223_J100_7AMD_8Sempron_91.99_#060310_N10EC8139_Z14F12F20_G10025954.MRK
2007-12-08 19:47 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\WINDOWS
2007-12-08 19:47 . 2007-12-08 19:50 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2007-12-08 19:47 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Intuit
2007-12-08 19:46 . 2005-12-13 05:54 <DIR> d

---

C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-12-08 16:04 . 2007-12-08 16:04 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\Lavasoft
2007-12-07 23:00 . 2007-12-07 23:01 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-06 22:10 . 2007-12-06 22:10 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 22:09 . 2007-12-06 22:09 <DIR> d

---

C:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 21:22 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\WINDOWS
2007-12-06 21:22 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\Symantec
2007-12-06 21:22 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\Intuit
2007-12-01 06:22 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.001\WINDOWS
2007-12-01 06:22 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.001\Application Data\Symantec
2007-12-01 06:22 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.001\Application Data\Intuit
2007-11-30 19:43 . 2007-11-30 19:43 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\MSNInstaller
2007-11-30 18:21 . 2007-11-30 18:21 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.000\Application Data\Lavasoft
2007-11-30 05:13 . 2007-11-30 19:38 <DIR> d

---

C:\cmdcons(3)
2007-11-30 04:33 . 2007-11-27 00:06 283 --ah

---

C:\boot.ini.SAB
2007-11-29 18:35 . 2007-12-08 20:52 <DIR> d

---

C:\Program Files\SUPERAntiSpyware
2007-11-29 18:35 . 2007-11-29 18:35 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-11-27 18:07 . 2007-11-27 18:07 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\MSNInstaller(2)
2007-11-27 00:26 . 2007-11-27 00:26 <DIR> d

---

C:\Documents and Settings\Administrator.HOME\Application Data\Lavasoft
2007-11-27 00:05 . 2007-11-30 19:44 <DIR> d

---

C:\cmdcons(2)
2007-11-26 04:15 . 2007-11-26 04:15 <DIR> d

---

C:\Documents and Settings\Administrator\WINDOWS
2007-11-26 04:15 . 2007-11-26 04:15 <DIR> d

---

C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-26 04:15 . 2007-11-26 04:15 <DIR> d

---

C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-25 18:24 . 2007-11-25 18:25 <DIR> d

---

C:\WINDOWS\ERUNT
2007-11-25 16:49 . 2007-11-25 16:50 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2007-11-25 15:12 . 2007-11-25 15:12 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-11-25 15:11 . 2007-11-25 15:11 <DIR> d

---

C:\Program Files\Lavasoft
2007-11-17 09:47 . 2007-11-17 09:47 <DIR> d

---

C:\Program Files\Windows Sidebar
2007-11-17 09:47 . 2007-11-17 09:55 <DIR> d

---

C:\Program Files\Norton AntiVirus
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"froody"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 05:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-09 07:49]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-03-04 11:40]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2005-03-29 19:03]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 09:11]
"version"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 05:02]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
setings.exe [2007-11-22 05:02:43]
C:\Documents and Settings\ron\Start Menu\Programs\Startup\
setings.exe [2007-11-22 05:02:43]
C:\Documents and Settings\Administrator.HOME.001\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
setings.exe [2007-11-22 05:02:43]
C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Compaq Organize.lnk - C:\Program Files\Hewlett-Packard\Compaq Organize\bin\displayAgent.exe [2005-12-13 05:59:23]
control.lnk - C:\WINDOWS\control.ini [2005-06-25 00:32:00]
setings.exe [2007-11-22 05:02:43]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-13 06:00:06]
startup.exe [2007-11-22 05:02:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 00:49:16 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
"2007-12-17 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
"2005-12-13 11:17:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 05:27:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-17 5:28:26
C:\ComboFix2.txt ... 2007-12-17 05:01
.
2007-12-17 09:22:26 --- E O F ---

Veka

Hello, how's it going?


Step 1

Please open notepad and copy & paste the text in the code box below into it:

File:: 
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setings.exe 
C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\setings.exe 
C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Start Menu\Programs\Startup\setings.exe 
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\setings.exe 
C:\Documents and Settings\ron\Start Menu\Programs\Startup\setings.exe 
C:\WINDOWS\system32\msanton.exe 
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe 
C:\WINDOWS\drabste.exe 
C:\WINDOWS\xlavra3.exe 
C:\WINDOWS\system32\timoty.exe 
 
Registry:: 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"froody"=- 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"version"=-

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Step 2

After rebooting, start HijackThis.

Click Do system scan only.[SIZE=-1]

When the scan is complete, check the following entries

[/SIZE] F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - Startup: control.lnk = C:\WINDOWS\control.ini
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

Close web browser and all other open programs/windows.

Click Fix Checked.


Step 3

Post Combofix log (Combofix.txt) and a HijackThis log. Thank you.

fellowesman

vekarppe
heres the logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:24 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\NPC\npcLUStb.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 4820 bytes




ComboFix 07-12-16.4 - Compaq_Owner 2007-12-17 15:52:20.3 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\ron\Start Menu\Programs\Startup\setings.exe
C:\WINDOWS\drabste.exe
C:\WINDOWS\system32\msanton.exe
C:\WINDOWS\system32\timoty.exe
C:\WINDOWS\xlavra3.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\setings.exe
C:\Documents and Settings\ron\Start Menu\Programs\Startup\setings.exe
C:\WINDOWS\system32\msanton.exe
C:\WINDOWS\system32\timoty.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.
2007-12-17 06:31 . 2007-12-17 06:45 <DIR> d

---

C:\WINDOWS\LastGood
2007-12-17 06:30 . 2007-12-17 09:04 123,952 --a

---

C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-17 06:30 . 2007-12-17 09:04 60,800 --a

---

C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-17 06:30 . 2007-12-17 09:04 10,740 --a

---

C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-17 06:30 . 2007-12-17 09:04 805 --a

---

C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-12 16:55 . 2007-02-28 04:10 2,180,352

---

C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-12-12 16:55 . 2007-02-28 04:08 2,136,064

---

C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-12 16:55 . 2007-02-28 03:38 2,057,600

---

C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-12-12 16:55 . 2007-02-28 03:38 2,015,744

---

C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-09 17:09 . 2007-12-09 17:09 <DIR> d

---

C:\Program Files\Trend Micro
2007-12-09 07:57 . 2007-12-12 17:25 2,550 --a

---

C:\WINDOWS\system32\Uninstall.ico
2007-12-09 07:57 . 2007-12-12 17:25 1,406 --a

---

C:\WINDOWS\system32\Help.ico
2007-12-08 22:33 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\ron\WINDOWS
2007-12-08 22:33 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\ron\Application Data\Symantec
2007-12-08 22:33 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\ron\Application Data\Intuit
2007-12-08 20:51 . 2007-12-08 20:51 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\SUPERAntiSpyware.com
2007-12-08 20:25 . 2007-12-08 20:25 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\Lavasoft
2007-12-08 19:58 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\WINDOWS
2007-12-08 19:58 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\Symantec
2007-12-08 19:58 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Application Data\Intuit
2007-12-08 19:50 . 2004-08-04 07:00 221,184 --a

---

C:\WINDOWS\system32\wmpns.dll
2007-12-08 19:48 . 2007-12-08 19:49 1,866 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_EL426AA-ABA SR1710NX NA610_YC_0Pres_QMXF603_E61NAheRED1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.13_T051115_WXH2_L409_M223_J100_7AMD_8Sempron_91.99_#060310_N10EC8139_Z14F12F20_G10025954.MRK
2007-12-08 19:47 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\WINDOWS
2007-12-08 19:47 . 2007-12-08 19:50 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2007-12-08 19:47 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Intuit
2007-12-08 19:46 . 2005-12-13 05:54 <DIR> d

---

C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-12-08 16:04 . 2007-12-08 16:04 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\Lavasoft
2007-12-07 23:00 . 2007-12-07 23:01 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-06 22:10 . 2007-12-06 22:10 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 22:09 . 2007-12-06 22:09 <DIR> d

---

C:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 21:22 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\WINDOWS
2007-12-06 21:22 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\Symantec
2007-12-06 21:22 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\Intuit
2007-12-01 06:22 . 2005-12-13 05:54 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.001\WINDOWS
2007-12-01 06:22 . 2005-12-13 06:15 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.001\Application Data\Symantec
2007-12-01 06:22 . 2005-12-13 05:55 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.001\Application Data\Intuit
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a

---

C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a

---

C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a

---

C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a

---

C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a

---

C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a

---

C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a

---

C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a

---

C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a

---

C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 19:43 . 2007-11-30 19:43 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\MSNInstaller
2007-11-30 18:21 . 2007-11-30 18:21 <DIR> d

---

C:\Documents and Settings\Administrator.HOME.000\Application Data\Lavasoft
2007-11-30 05:13 . 2007-11-30 19:38 <DIR> d

---

C:\cmdcons(3)
2007-11-30 04:33 . 2007-11-27 00:06 283 --ah

---

C:\boot.ini.SAB
2007-11-29 18:35 . 2007-12-08 20:52 <DIR> d

---

C:\Program Files\SUPERAntiSpyware
2007-11-29 18:35 . 2007-11-29 18:35 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2007-11-27 18:07 . 2007-11-27 18:07 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\MSNInstaller(2)
2007-11-27 00:26 . 2007-11-27 00:26 <DIR> d

---

C:\Documents and Settings\Administrator.HOME\Application Data\Lavasoft
2007-11-27 00:05 . 2007-11-30 19:44 <DIR> d

---

C:\cmdcons(2)
2007-11-26 04:15 . 2007-11-26 04:15 <DIR> d

---

C:\Documents and Settings\Administrator\WINDOWS
2007-11-26 04:15 . 2007-11-26 04:15 <DIR> d

---

C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-26 04:15 . 2007-11-26 04:15 <DIR> d

---

C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-25 18:24 . 2007-11-25 18:25 <DIR> d

---

C:\WINDOWS\ERUNT
2007-11-25 16:49 . 2007-11-25 16:50 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2007-11-25 15:12 . 2007-11-25 15:12 <DIR> d

---

C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-11-25 15:11 . 2007-11-25 15:11 <DIR> d

---

C:\Program Files\Lavasoft
2007-11-17 09:47 . 2007-11-17 09:47 <DIR> d

---

C:\Program Files\Windows Sidebar
2007-11-17 09:47 . 2007-12-17 06:34 <DIR> d

---

C:\Program Files\Norton AntiVirus
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-17 06:34 116088 --a

---

C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"froody"="C:\WINDOWS\system32\timoty.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-09 07:49]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 09:11]
"version"="C:\WINDOWS\system32\timoty.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 00:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
C:\Documents and Settings\Administrator.HOME.001\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
C:\Documents and Settings\Administrator.YOUR-27E1513D96\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
C:\Documents and Settings\Administrator.YOUR-27E1513D96.000\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-12-13 05:12:52]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-13 06:00:06]
startup.exe [2007-11-22 05:02:43]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1006968c-a5ef-11dc-b231-806d6172696f}]
\Shell\AutoRun\command - E:\CDStart.Exe
\Shell\Install\Command - E:\Stub.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
*Newly Created Service* - AUTOMATIC_LIVEUPDATE_SCHEDULER
*Newly Created Service* - CCEVTMGR
*Newly Created Service* - CCSETMGR
*Newly Created Service* - EECTRL
*Newly Created Service* - ERASERUTILDRVI3
*Newly Created Service* - LIVEUPDATE
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - SPBBCDRV
*Newly Created Service* - SRTSP
*Newly Created Service* - SRTSPX
*Newly Created Service* - SYMANTEC_CORE_LC
*Newly Created Service* - SYMIDSCO
.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 00:49:16 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
"2007-12-17 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 15:56:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-17 15:57:52
C:\ComboFix2.txt ... 2007-12-17 05:28
C:\ComboFix3.txt ... 2007-12-17 05:01
.
2007-12-17 11:19:45 --- E O F ---

fellowesman

vekarppe
could not find lines 1,3and 5
hopes this helps

Veka

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.


Step 1

Donwload to your desktop

CCleaner
AVG Anti-Spyware


Step 2

Please run HijackThis and click Do system scan only.

W[SIZE=-1]hen the scan is complete, check the following entries:
[/SIZE]
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe

Click Fix Checked.


Step 3

Install and run CCleaner.

NOTE: If you don't want the Yahoo toolbar, be sure to uncheck that option when installing the software or update.

• Launch CCleaner and under Options > Advanced > uncheck "Only delete files in Windows Temp folder older than 48 hours".
• A pop up box will appear advising this process will permanently delete files from your system.
• To protect logon cookies that you wish to retain, under Options > Cookies. Select and using the arrow move those cookies to the "Cookies to keep" column.
• Then select the items you wish to clean up.
  • In the Windows Tab:
    • Clean all entries in the "Internet Explorer" section.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.
  • In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)

• Click the "Run Cleaner" button and it will scan and clean your system.
• Click exit.
• Shutdown/restart the computer.

Jahewi's CCleaner guide.

http://www.jahewi.nl/ccleaner/quick/quick.html


Step 4

Configure and update AVG Anti-Spyware

• Install and start AVG Anti-Spyware
• Click the Update icon
• Click Start update
• Wait until updates are downloaded
• Click the Scanner icon
• Open the Settings tab
  • Make sure that under "How to act?" read Quarantine (If not, click the text and choose Quarantine)
  • Under "How to scan?" all checkboxes should be ticked
  • Under "Reports" unselect Automatically generate report after every scan and Only if threats were found.
  • Under "What to scan?" select Scan every file

• Click the Shield icon
• Under the "Resident shield is" click active to make it inactive
• Close AVG Anti-Spyware (do not scan yet)

Step 5

Reboot into Safe Mode

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
• Instead of Windows loading as normal, a menu with options should appear
• Select the first option, to run Windows in Safe Mode, then press Enter
• Choose your usual account.

Step 6

Run AVG Anti-Spyware

• Close all open windows / programs / folders
• Start AVG Anti-Spyware
• Click the Scanner icon
• Click Complete System Scan
• Let the program scan the machine
  (do NOT use your computer while sanning)
• When the scan has finished, follow the instructions below
  • Make sure that under "Set all elements to" read Quarantine (If not, click the text and choose Quarantine)
  • Click Apply all actions
  • Click Save Report
  • Click Save reports as
  • Save report to your Desktop

Step 7

Reboot your computer into normal mode.

Please post AVG Anti-Spyware report and HijackThis log.

fellowesman

vekarppe
sorry about the delay AVG taking long time to up date on dial-up
will post later today

fellowesman

ok
here is the scan logs

---

AVG Anti-Spyware - Scan Report

---

+ Created at: 6:20:55 PM 12/19/2007
+ Scan result:

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP12\A0003026.exe -> Not-A-Virus.Hoax.Win32.Renos.vj : No action taken.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP12\A0003027.exe -> Not-A-Virus.Hoax.Win32.Renos.vj : No action taken.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP12\A0003028.exe -> Not-A-Virus.Hoax.Win32.Renos.vj : No action taken.

::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:07 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 4449 bytes

Veka

Hello. Your log is clean.

But what about your antivirus & firewall? It seems that Norton isn't working properly. Please re-install your Norton Internet Security Suite, if you have an installation CD, or remove it and download and install one antivirus and one firewall.


Here is the guide how to fully remove Norton 2004 and newer

http://www.bleepingcomputer.com/forums/topic42247.html


See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


What ever your decision will be, please post a new HijackThis log after the operation.

fellowesman

ok done here is the latest log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:54 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE4DA159-B6DA-499F-91AA-5D04767ED62C}: NameServer = 64.179.43.190 69.95.31.250
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 4666 bytes

Veka

fellowesman, I do not see antivirus or firewall running in your system. It's very important that your computer has an antivirus and a firewall software running. This alone can save you a lot of trouble with malware in the future.

Donwload one antivirus

Avira AntiVir
avast! 4 Home Edition
AVG Virus Scan

Donwload one firewall

Kerio
Zone Alarm Free

Install and reboot.

fellowesman

i am reinstalling zone alarm but AVG is up and running as is norton
every thing looks good will post new log when done

Veka

Ok. Good.

fellowesman

here is the latest log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:39 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE4DA159-B6DA-499F-91AA-5D04767ED62C}: NameServer = 64.179.43.190 69.95.31.250
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5577 bytes