I Need help removing Trojan Horse Generic9.AAUM

I need help. I’m running Win XP and can’t remove this trojan (Trojan Horse Generic9.AAUM) detected by AVG.

Located in: C:\WINDOWS\system32\cd.dll

Nothing allows me to remove or delete this file; access is always denied.
I had SP1 and updated to SP2, but that did not fix it.
I tried different anti-viruses, safe mode, and regedit, but none work! I found a post on this site of someone with the same exact problem and it was fixed here. However, I’m not sure if it’s safe to follow the exact procedure on my machine.
Here is the link. Your help would be greatly appreciated!!

http://forum.avast.com/index.php?topic=32044.msg267591#msg267591

Did you try to follow Polonus’s advice here? http://forum.avast.com/index.php?topic=32044.msg267609#msg267609

Did you try to scan in Safe Mode to know if you can grant access to that file?
I also suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use AVG Anti-Spyware, SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

This will probably need an Avenger kill, but I will need to know the driver name.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  1. Close all other windows before proceeding.
  2. Double-click on dss.exe and follow the prompts.
  3. When it has finished, dss will open two Notepads, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Aha… essexboy/polonus… the same one as mine. Hope you guys get it in one shot.

About the Autorun… I’ve almost given up on it. I guess I’ll just let it remain. I’ll try to figure it out by myself later.

Shouldn’t take as long; we had plenty of practice.

Essexboy… slight problem: I ran DSS but only get main.txt and no extra.txt.

Post the main; that should give me enough data.

Hi Oscar2,

Let essexboy get the bite out of the malware and leave the file association restoration for the last bit.

polonus

Sorry for the wait… guess what, I managed to get rid of “cd.dll”. I just updated to Internet Explorer 7 and it is gone; no threat or file found in the path anymore. However, every time I close IE7 a blank page appears and I get an error, so I think something might still be hiding around. Another thing: I installed a program called STOPZilla and it detects two registry threats on startup, but it’s a trial version and won’t fix anything. What should I do? Also, the post won’t fit, so I’ll split it up. Thanks for your help.

Deckard’s System Scanner v20071014.68
Run by Owner on 2007-12-29 17:29:57
Computer is in Normal Mode.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 448 MiB (512 MiB recommended).

– HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:04 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp?sep=common
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero DSL\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NetZeroDSL] “C:\Program Files\NetZero DSL\ConnectionCenter.exe”
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe
O4 - HKLM..\Run: [VTTimer] VTTimer.exe
O4 - HKLM..\Run: [UpdateManager] “C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1282162c8043f64cc001/netzip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe


End of file - 9527 bytes

– Files created between 2007-11-29 and 2007-12-29 -----------------------------

2007-12-29 16:33:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 15:28:38 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-12-29 14:19:11 1158 --a------ C:\WINDOWS\mozver.dat
2007-12-29 13:51:40 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-29 12:56:31 0 d-------- C:\WINDOWS\network diagnostic
2007-12-28 17:49:42 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-28 14:34:15 0 d-------- C:\Program Files\MSXML 4.0
2007-12-27 20:34:14 0 d-------- C:\Program Files\STOPzilla!
2007-12-27 20:34:13 0 d-------- C:\Program Files\Common Files\iS3
2007-12-27 20:34:11 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-27 19:55:56 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-12-27 19:53:05 0 d-------- C:\WINDOWS\Prefetch
2007-12-27 19:19:29 0 d-------- C:\WINDOWS\peernet
2007-12-27 19:19:26 0 d-------- C:\WINDOWS\provisioning
2007-12-27 19:15:22 0 d-------- C:\WINDOWS\ServicePackFiles
2007-12-27 19:03:54 0 d-------- C:\WINDOWS\EHome
2007-12-27 17:39:12 0 d-------- C:\Program Files\Trend Micro
2007-12-27 17:19:06 0 d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2007-12-27 17:18:43 0 d-------- C:\Program Files\BillP Studios
2007-12-26 18:56:10 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-12-26 17:40:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

– Find3M Report ---------------------------------------------------------------

2007-12-29 16:30:49 0 d-------- C:\Program Files\Common Files
2007-12-29 16:26:28 0 d-------- C:\Program Files\Easy Internet signup
2007-12-29 16:06:56 0 d-------- C:\Program Files\Java
2007-12-29 14:19:20 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-29 13:57:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-28 20:15:10 0 d-------- C:\Program Files\Messenger
2007-12-28 18:43:56 0 d-------- C:\Program Files\Symantec
2007-12-28 18:40:52 0 d-------- C:\Program Files\NetZero DSL
2007-12-28 18:37:32 0 d-------- C:\Program Files\Multimedia Card Reader
2007-12-28 18:32:06 0 d-------- C:\Program Files\iTunes
2007-12-28 18:27:22 0 d-------- C:\Program Files\Google
2007-12-28 17:59:07 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-12-27 19:19:29 0 d-------- C:\Program Files\Movie Maker
2007-12-27 19:14:36 0 d-------- C:\Program Files\Windows NT
2007-12-26 17:01:26 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-23 20:03:56 0 d-------- C:\Program Files\Compaq Instant Support
2007-11-04 16:37:56 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-10-05 10:11:08 225280 -ra------ C:\WINDOWS\system32\SZBase5.dll <Not Verified; iS3, Inc.; STOPzilla>

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{4224FF33-C2EB-4039-B8C8-6EED565B9D96}]
03/06/2007 10:27 AM 225240 --a------ C:\Program Files\NetZero DSL\PopupBlocker.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{8E613EAF-E16E-415C-BD39-F71D6A3B5518}”= C:\Program Files\NetZero DSL\Toolbar.dll [09/13/2007 01:34 PM 264688]

[-HKEY_CLASSES_ROOT\CLSID{8E613EAF-E16E-415C-BD39-F71D6A3B5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [09/25/2007 01:11 AM]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [05/07/1998 04:04 PM]
“HPHUPD05”=“c:\Program Files\HP{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe” [08/21/2003 03:23 AM]
“HPHmon05”=“C:\WINDOWS\System32\hphmon05.exe” [08/21/2003 03:15 AM]
“Sunkist2k”=“C:\Program Files\Multimedia Card Reader\shwicon2k.exe” [10/29/2003 10:17 AM]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [01/16/2004 11:16 AM]
“HPDJ Taskbar Utility”=“C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe” [03/12/2003 04:23 AM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [05/19/2004 07:35 PM]
“NetZeroDSL”=“C:\Program Files\NetZero DSL\ConnectionCenter.exe” [09/17/2007 03:48 PM]
“ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [01/22/2007 10:19 PM]
“C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe”=“C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe”
“VTTimer”=“VTTimer.exe” [10/22/2004 11:53 AM C:\WINDOWS\system32\VTTimer.exe]
“UpdateManager”=“C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” [08/19/2003 08:01 AM]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [09/11/2007 05:48 PM]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [11/03/2003 04:50 PM]
“KBD”=“C:\HP\KBD\KBD.EXE” [02/11/2003 07:02 PM]
“AlcxMonitor”=“ALCXMNTR.EXE” [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
“AGRSMMSG”=“AGRSMMSG.exe” [06/29/2004 09:06 AM C:\WINDOWS\AGRSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [09/06/2007 11:19 AM]
“RecordNow!”=“”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/03/2004 11:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
“DJSNetCN”=C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“NoColorChoice”=0 (0x0)
“NoSizeChoice”=0 (0x0)
“NoDispScrSavPage”=0 (0x0)
“NoDispCPL”=0 (0x0)
“NoVisualStyleChoice”=0 (0x0)
“NoDispSettingsPage”=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoActiveDesktop”=0 (0x0)
“NoSaveSettings”=0 (0x0)
“NoThemesTab”=0 (0x0)
“ForceActiveDesktopOn”=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=“Volume shadow copy”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

– End of Deckard’s System Scanner: finished at 2007-12-29 17:31:00 ------------

You can try to fix these entries in HijackThis:

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero DSL\SearchEnh1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM..\Run: [C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe

The latter is a remnant of the original trojan, so fire up HJT, flag the mentioned entries and give an enter.

polonus

Apart from what Pol says there is not a lot apparent. However, to be on the safe side I would like a ComboFix run to see what else is hiding.

Also, is D drive your CD-ROM? I am curious about this D:\Info.exe.

Download ComboFix from Here or Here to your Desktop.

  1. Double-click combofix.exe and follow the prompts.
  2. When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
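The two posts above apply a few triage rules by eye: a Run entry that launches from the user's Temp folder is a leftover of the trojan, a BHO registered with "(no file)" is an orphan, a URLSearchHook deserves a look, and a MountPoints2 AutoRun command on a drive (the D:\Info.exe line) is worth asking about. The following Python script is an added example, not code from the thread or from HijackThis, DSS or ComboFix; it encodes those same rules and runs them over a handful of log lines copied from the logs posted in this thread (a constructed, partial sample, not a full log). The rule names and the Finding structure are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few HijackThis / DSS / ComboFix lines taken from the
# logs posted in this thread. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero DSL\SearchEnh1.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
"""

# A backslash-delimited "Temp" directory, with or without the 8.3 LOCALS~1 prefix.
TEMP_DIR = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)
# Drive letter at the end of a MountPoints2 key, e.g. "...\mountpoints2\D]".
MOUNTPOINT_KEY = re.compile(r"mountpoints2\\(\w+)\]", re.IGNORECASE)


@dataclass
class Finding:
    category: str   # short machine-readable rule name (this example's own)
    reason: str     # human-readable explanation for the analyst
    line: str       # the log line that triggered the rule


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's by-eye triage rules to HijackThis/DSS/ComboFix-style lines."""
    findings: List[Finding] = []
    pending_drive: Optional[str] = None  # set when a MountPoints2 key header is seen

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()

        # Rule 1: an O4 autostart entry whose command lives in a Temp directory.
        if line.startswith("O4 ") and TEMP_DIR.search(line):
            findings.append(Finding(
                "temp_autostart",
                "autostart entry runs from a temp directory; typical malware remnant",
                line))
        # Rule 2: a BHO whose registered DLL no longer exists on disk.
        elif line.startswith("O2 ") and line.endswith("(no file)"):
            findings.append(Finding(
                "orphan_bho",
                "orphaned BHO registration (no file on disk); safe to remove",
                line))
        # Rule 3: a URLSearchHook can redirect address-bar searches; verify its publisher.
        elif line.startswith("R3 "):
            findings.append(Finding(
                "urlsearchhook",
                "URLSearchHook installed; confirm it belongs to known software",
                line))
        # Rule 4: a MountPoints2 key header followed by an AutoRun\command value.
        elif lower.startswith("[hkey_current_user") and "mountpoints2" in lower:
            m = MOUNTPOINT_KEY.search(line)
            pending_drive = m.group(1) if m else None
        elif pending_drive and "autorun\\command" in lower:
            findings.append(Finding(
                "drive_autorun",
                f"AutoRun command cached for drive {pending_drive}:; "
                "check what media it came from and whether the executable is expected",
                line))
            pending_drive = None

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Run as a script it prints the four flagged lines from the sample; `triage()` can equally be fed the text of a full HijackThis log. The rules are deliberately narrow: entries that match are candidates for review, and the thread's advice still applies, which is to quarantine rather than delete and to post the full log for a second pair of eyes.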

Ok. Here is the ComboFix and HijackThis log. Sorry for taking so long; I did not have access to this computer, it’s my brother’s and I’m fixing it for him.

ComboFix 08-01-09.2 - Owner 2008-01-08 17:20:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.93 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

  • Created a new restore point
    .

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cd.dll
C:\WINDOWS\system32\drivers\cvkqeqwp.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_QUOQXXTV
-------\quoqxxtv

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 17:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 17:18 . C:\WINDOWS\LastGood.Tmp
2007-12-29 16:33 . 2007-12-29 16:33 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-29 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 14:20 . 2007-12-29 14:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 14:20 . 2007-12-29 14:20 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 14:19 . 2007-12-29 14:19 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-29 13:51 . 2007-12-29 13:56 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-29 13:16 . 2007-12-29 13:16 d-------- C:\Deckard
2007-12-29 13:13 . 2007-12-29 13:13 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 13:02 . 2007-10-10 15:55 6,065,664 -----c— C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-29 13:02 . 2007-06-30 19:31 2,455,488 -----c— C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-29 13:02 . 2007-06-30 19:36 991,232 -----c— C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-29 13:02 . 2007-10-10 15:55 459,264 -----c— C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-29 13:02 . 2007-10-10 15:55 383,488 -----c— C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-29 13:02 . 2007-10-10 15:55 267,776 -----c— C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-29 13:02 . 2007-10-10 15:55 63,488 -----c— C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-29 13:02 . 2007-10-10 15:55 52,224 -----c— C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-29 13:02 . 2007-10-10 02:59 13,824 -----c— C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-29 12:56 . 2007-08-13 18:54 33,792 --a–c— C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-28 17:49 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-28 17:30 . 2007-12-28 17:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-28 17:30 . 2007-12-28 17:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-28 14:34 . 2007-12-28 14:34 d-------- C:\Program Files\MSXML 4.0
2007-12-28 14:14 . 2007-07-09 05:09 584,192 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-27 20:37 . 2007-12-27 20:37 1,024 --a------ C:\WINDOWS\system32\drivers\A56410C6-E68F-4D5B-ACAA-852DBC59EE3A.cxv
2007-12-27 20:34 . 2007-12-29 18:06 d-------- C:\Program Files\STOPzilla!
2007-12-27 20:34 . 2007-12-27 20:34 d-------- C:\Program Files\Common Files\iS3
2007-12-27 20:34 . 2007-12-29 17:54 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-27 19:19 . 2007-12-27 19:19 d-------- C:\WINDOWS\provisioning
2007-12-27 19:19 . 2007-12-27 19:19 d-------- C:\WINDOWS\peernet
2007-12-27 19:15 . 2007-12-27 19:15 d-------- C:\WINDOWS\ServicePackFiles
2007-12-27 19:03 . 2007-12-27 19:03 d-------- C:\WINDOWS\EHome
2007-12-27 17:39 . 2007-12-27 17:39 d-------- C:\Program Files\Trend Micro
2007-12-27 17:19 . 2007-12-27 17:19 d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2007-12-27 17:18 . 2007-12-27 17:18 d-------- C:\Program Files\BillP Studios
2007-12-26 17:40 . 2007-12-29 16:32 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 17:23 . 2007-12-26 17:25 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 17:23 . 2007-12-26 17:25 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 01:06 --------- d-----w C:\Program Files\Common Files\Real
2007-12-30 02:02 --------- d-----w C:\Program Files\interMute
2007-12-30 02:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2007-12-30 01:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\NetZero DSL
2007-12-30 00:26 --------- d-----w C:\Program Files\Easy Internet signup
2007-12-30 00:06 --------- d-----w C:\Program Files\Java
2007-12-29 21:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 02:43 --------- d-----w C:\Program Files\Symantec
2007-12-29 02:40 --------- d-----w C:\Program Files\NetZero DSL
2007-12-29 02:37 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-12-29 02:32 --------- d-----w C:\Program Files\iTunes
2007-12-29 02:27 --------- d-----w C:\Program Files\Google
2007-12-29 01:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2007-12-29 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-27 01:25 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-27 01:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-24 04:03 --------- d-----w C:\Program Files\Compaq Instant Support
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{4224FF33-C2EB-4039-B8C8-6EED565B9D96}]
2007-03-06 10:27 225240 --a------ C:\Program Files\NetZero DSL\PopupBlocker.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{F5735C15-1FB2-41FE-BA12-242757E69DDE}
{8E613EAF-E16E-415C-BD39-F71D6A3B5518}
{C4069E3A-68F1-403E-B40E-20066696354B}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}

[HKEY_CLASSES_ROOT\clsid{8e613eaf-e16e-415c-bd39-f71d6a3b5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{8E613EAF-E16E-415C-BD39-F71D6A3B5518}”= C:\Program Files\NetZero DSL\Toolbar.dll [2007-09-13 13:34 264688]

[HKEY_CLASSES_ROOT\clsid{8e613eaf-e16e-415c-bd39-f71d6a3b5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-09-06 11:19 68856]
“RecordNow!”=“”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [1998-05-07 16:04 52736]
“HPHUPD05”=“c:\Program Files\HP{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe” [2003-08-21 03:23 49152]
“HPHmon05”=“C:\WINDOWS\System32\hphmon05.exe” [2003-08-21 03:15 483328]
“Sunkist2k”=“C:\Program Files\Multimedia Card Reader\shwicon2k.exe” [2003-10-29 10:17 135168]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2004-01-16 11:16 229376]
“HPDJ Taskbar Utility”=“C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe” [2003-03-12 04:23 172032]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2004-05-19 19:35 98304]
“NetZeroDSL”=“C:\Program Files\NetZero DSL\ConnectionCenter.exe” [2007-09-17 15:48 1095152]
“ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2007-01-22 22:19 52840]
“VTTimer”=“VTTimer.exe” [2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe]
“UpdateManager”=“C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” [2003-08-19 08:01 110592]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [2003-11-03 16:50 221184]
“KBD”=“C:\HP\KBD\KBD.EXE” [2003-02-11 19:02 61440]
“AlcxMonitor”=“ALCXMNTR.EXE” [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
“AGRSMMSG”=“AGRSMMSG.exe” [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
“DJSNetCN”=“C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe” [2005-09-29 21:34 54928]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 12:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 04:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the ‘Scheduled Tasks’ folder
“2007-12-29 04:09:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job”

  • C:\PROGRA~1\NORTON~1\Navw32.exe
    “2007-09-20 02:59:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Owner.job”
  • C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 17:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-08 17:32:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 01:32:07
.
2007-12-30 15:28:53 — E O F —

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:42 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp?sep=common
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NetZeroDSL] “C:\Program Files\NetZero DSL\ConnectionCenter.exe”
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [VTTimer] VTTimer.exe
O4 - HKLM..\Run: [UpdateManager] “C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1282162c8043f64cc001/netzip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


End of file - 8649 bytes

Essexboy, about "D:\Info.exe " I think it’s a safe file.

(Also, is the D drive your CD-ROM? I am curious about this D:\Info.exe)

The D: drive is a recovery partition on this computer that was factory installed by HP. This is a Compaq Presario.
I opened D: and there are only 2 files, named "recovery" and "user", and no hidden files. Thanks.

In that case

Now the best part of the day ----- Your log now appears clean :thumbsup:

Time for some housekeeping
[*] Click START then RUN
[*] Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

[*] http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

[*] When shown the disclaimer, Select “2”

The above procedure will:
[*] Delete the following:
[*] ComboFix and its associated files and folders.
[*] VundoFix backups, if present
[*] The C:\Deckard folder, if present
[*] The C:\_OtMoveIt folder, if present

[*] Reset the clock settings.
[*] Hide file extensions, if required.
[*] Hide System/Hidden files, if required.
[*] Set a new, clean Restore Point.

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The system will do some calculation and then display a dialogue box with TABS
  5. Select the More Options Tab.
  6. At the bottom will be a System Restore box with a CLEANUP button; click this
  7. Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
[*] SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*] Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Keep safe :wave:
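The two restore-point procedures above are GUI steps. As an added example (not code from Essexboy's post or from any of the tools named in this thread), the following Windows PowerShell script does the same job from a console and adds the check a helper would want: it creates the "Clean" restore point from step 4 through the SystemRestore WMI class, then lists every restore point so that, after the Disk Cleanup step, you can confirm only the clean one is left. It assumes Windows PowerShell is installed on the XP machine (it is not there by default), that the console runs as Administrator, and that System Restore is enabled.

```powershell
# Added example, not from the forum post or from ComboFix/HijackThis.
# Assumes: Windows PowerShell installed, run as Administrator, System Restore on.

$desc = "Clean"   # the restore-point name suggested in step 4 of the post

# On XP the SystemRestore WMI class lives in the root\default namespace.
$sr = [wmiclass] "\\.\root\default:SystemRestore"

# CreateRestorePoint(Description, RestorePointType, EventType)
# 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE (values from srrestoreptapi.h)
$result = $sr.CreateRestorePoint($desc, 12, 100)
if ($result.ReturnValue -ne 0) {
    Write-Warning ("CreateRestorePoint failed, return code " + $result.ReturnValue)
}

# Enumerate the restore points that exist right now, oldest first.
$points = Get-WmiObject -Namespace "root\default" -Class SystemRestore |
          Sort-Object SequenceNumber

"Seq   Created                Description"
foreach ($p in $points) {
    # CreationTime is a DMTF timestamp string; convert it to a readable date.
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
    "{0,-5} {1,-22} {2}" -f $p.SequenceNumber, $when, $p.Description
}

# After running Disk Cleanup > More Options > System Restore > Clean up,
# run the listing part again: the only row left should be the "Clean" point
# created above. Any older rows still belong to the pre-cleanup, infected state
# and should not be used for a restore.
```

Run it once before the Disk Cleanup step (it creates the point and shows the old ones alongside it) and once after; the second run is the verification that the infected restore points are really gone.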