
Trojan Dropper and Trojan Dialler - help needed

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2006/09/07.

  1. 2006/09/07
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Right, I have tried everything I can think of but I think this is a case for you guys and gals here. It needs finesse where I have none!
    I am currently trying to get a computer back to its pre-spyware state and have so far used Adaware SE, Spybot 1.4 and Norton AntiVirus to try and help get rid of the gremlins. I believe there are currently at least 2 more programs that I can't easily get rid of.

    Any help would be greatly appreciated

    Hijack this log posting updated in post #2
     
    Last edited: 2006/09/07
  2. 2006/09/07
    quirkymac

    updated HJT scan

    Sorry my first post included software that had just been installed...new scan log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:48:34 AM, on 9/8/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\WINDOWS\htpatch.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\WgaTray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {77B060C3-646C-48E8-D0EA-7A663AA79750} - (no file)
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1036_pack_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151738444280
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: windgj32 - C:\WINDOWS\SYSTEM32\windgj32.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     


  4. 2006/09/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Ok, looks like there are one or two nasties, let's try and rid them.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    Once that scan has finished:

    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank


    O2 - BHO: (no name) - {77B060C3-646C-48E8-D0EA-7A663AA79750} - (no file)


    O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe



    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binarie...36_pack_XP.cab

    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab

    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab


    O20 - Winlogon Notify: windgj32 - C:\WINDOWS\SYSTEM32\windgj32.dll


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\SYSTEM32\windgj32.dll<<<--this file
    snlogsvc.exe<<<--this file


    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
  5. 2006/09/07
    quirkymac

    <SNIP>>>

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\SYSTEM32\windgj32.dll<<<--this file
    snlogsvc.exe<<<--this file


    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
    <<<SNIP>
    Thanks for the reply....I have done all the steps as you listed them but have had two problems.

    1. In safe mode I was unable to delete windgj32.dll, Windows would not allow it.
    2. I can find smlogsvc.exe (also in the win32 folder) but NOT snlogsvc.exe as you listed.

    I have saved the log from Panda and have run HJT and used it to 'fix' the problems you noted.

    What next....the trojans keep on marching!!
     
  6. 2006/09/08
    quirkymac

    Logfile of HijackThis v1.99.1
    Scan saved at 5:27:05 PM, on 9/8/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\htpatch.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151738444280
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: windgj32 - C:\WINDOWS\SYSTEM32\windgj32.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  7. 2006/09/08
    TeMerc

    We'll try an alternate method.
    That's ok. It's most likely already gone.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot ", and then select "All files ".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    windgj32.dll

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard ".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Do not reboot yet but rather Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O20 - Winlogon Notify: windgj32 - C:\WINDOWS\SYSTEM32\windgj32.dll

    Reboot your system and run HJT again, if the file is gone, no need to repost a new log.

    Please get me the Panda file so I can have a look at it, thanks.
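The order in the post above matters: queue the file for deletion, remove the O20 registration, then reboot. The DLL could not be deleted in Safe Mode because winlogon.exe loads its Notify packages in Safe Mode too and keeps the file open. The Python below is an added example (not code from this thread or from Killbox) showing the standard Windows mechanism behind "Delete on Reboot": `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` appends the path to the `PendingFileRenameOperations` value, which the Session Manager (smss.exe) applies early in the next boot, before winlogon.exe starts. Whether Killbox calls exactly that API is an assumption the thread does not confirm. The encoder and decoder run on any platform; the two Windows-only actions are guarded.

```python
"""Why 'Delete on Reboot' beats a DLL that winlogon.exe holds open.

Added example, not code from the thread or from Killbox. MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT queues the path in the REG_MULTI_SZ value
PendingFileRenameOperations; smss.exe applies it at the next boot before
winlogon.exe (and its Notify DLLs) start. Whether Killbox uses this exact
API is an assumption. Windows-only calls are guarded.
"""
import sys

# Lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
PFRO_VALUE = "PendingFileRenameOperations"
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

def nt_path(win_path):
    """Win32 path -> the \\??\\ object-manager form stored in the value."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path

def build_pending_ops(existing, deletes=(), renames=()):
    """Append to the (source, destination) pairs the value holds.
    An empty destination means delete; a leading '!' means replace target."""
    ops = list(existing)
    if len(ops) % 2:
        raise ValueError("value is malformed: strings must come in pairs")
    for path in deletes:
        ops += [nt_path(path), ""]
    for src, dst in renames:
        ops += [nt_path(src), "!" + nt_path(dst)]
    return ops

def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: UTF-16-LE, NUL after each string, extra NUL at end.
    The empty 'delete' destinations put NUL NUL mid-list, which is why readers
    that treat an empty string as end-of-list (Python's winreg does) stop early."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")

def decode_multi_sz(raw):
    """Inverse of encode_multi_sz, keeping empty strings in place."""
    s = raw.decode("utf-16-le")
    if not s.endswith("\0\0"):
        raise ValueError("missing list terminator")
    s = s[:-2]
    return s.split("\0") if s else []

def pending_deletes(raw):
    """Paths queued for deletion in a raw PendingFileRenameOperations value."""
    ops = decode_multi_sz(raw)
    return [ops[i] for i in range(0, len(ops) - 1, 2) if ops[i + 1] == ""]

def schedule_delete_on_reboot(path):
    """Queue `path` for deletion at next boot (needs administrator rights)."""
    if sys.platform != "win32":
        raise OSError("Windows only")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())

def remove_winlogon_notify(name):
    """Delete the O20 registration so winlogon stops loading the DLL
    (the registry side of fixing an O20 line); do this before the reboot."""
    if sys.platform != "win32":
        raise OSError("Windows only")
    import winreg
    winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY + "\\" + name)

if __name__ == "__main__":
    # Same order as the thread: queue the file, drop the O20 key, then reboot.
    target = r"C:\WINDOWS\SYSTEM32\windgj32.dll"
    print(build_pending_ops([], deletes=[target]))
    if sys.platform == "win32":
        schedule_delete_on_reboot(target)
        remove_winlogon_notify("windgj32")
```

Because the value is a list of pairs with empty strings inside it, inspect it with `pending_deletes` on the raw bytes rather than with a generic MULTI_SZ reader; and since it is processed before any user-mode component loads, it is also a place worth checking for a rename that malware has queued against a legitimate file.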
     
  8. 2006/09/08
    quirkymac

    Panda report

    Incident Status Location

    Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\windgj32.dll
    Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf
    Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
    Dialer:dialer generic Not disinfected c:\program files\dialers
    Adware:adware/ist.istbar Not disinfected c:\program files\gmsoft
    Adware:adware/sidesearch Not disinfected c:\program files\Lycos
    Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\sobin mourn\Application Data\Registry Cleaner
    Adware:adware/topmoxie Not disinfected Windows Registry
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/webhancer Not disinfected Windows Registry
    Adware:adware/cws Not disinfected Windows Registry
    Adware:adware/ncase Not disinfected Windows Registry
    Spyware:spyware/apropos Not disinfected Windows Registry
    Dialer:dialer.b Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1}
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\sobin mourn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1c7103f9-474d11aa.zip[Dummy.class]
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\sobin mourn\Cookies\sobin mourn@ads.addynamix[1].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\sobin mourn\Cookies\sobin mourn@adultfriendfinder[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\sobin mourn\Desktop\tony\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@888[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/Gorillanation Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@ads.gorillanation[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@atwola[2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@ccbill[2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@cgi-bin[2].txt
    Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@desktop.kazaa[1].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@gostats[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@go[2].txt
    Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@kount[2].txt
    Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@pop.mircx[1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@rn11[1].txt
    Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@smni[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@toplist[1].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@webpower[1].txt
    Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\SPYBOLI7\channels_02[1].gif
    Hacktool:HackTool/ExitWin.A Not disinfected C:\Documents and Settings\Tony\Start Menu\Programs\Startup\Reboot.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
    Virus:Trojan Horse Disinfected C:\WINDOWS\Downloaded Program Files\mm19.INF
    Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
     
  9. 2006/09/08
    quirkymac

    Both files now have gone...
    C:\WINDOWS\SYSTEM32\windgj32.dll<<<--this file
    snlogsvc.exe<<<--this file

    Thanks so far!
     
  10. 2006/09/08
    TeMerc

    Excellent news!!

    Let's address the rest of the items found in the Panda log.

    For the items relating to anything in temp folders and the Java cache:

    Download Atribunes ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the Empty Selected button.
    We'll empty the Recycle Bin later, once we know you're all cleaned up and nothing needs to be restored.

    Let's go back to Killbox and insert the following files for deletion. Follow the same instructions as previously posted please:
    c:\windows\downloaded program files\cc.inf
    c:\windows\inf\alchem.inf
    c:\program files\dialers
    c:\program files\gmsoft
    C:\WINDOWS\system32\Tools\Restart.exe


    Reboot the system go back to Panda for another scan and then give me a new HJT logfile please.

    Also let me know if you're having any other problems with the system at this point.
     
  11. 2006/09/08
    quirkymac

    Thanks for that.
    I should have told you earlier but the computer I am asking your help with belongs to MD (Mother Dearest!) and I am currently visiting her in New Zealand. I am due to leave in about 2 hours, and because of this and my desire to try and leave her with a functional computer, I went ahead and allowed ewido to quarantine any nasties it found during a safe mode boot late last night (a shotgun approach!).
    I have got up early (it's now 6am here) and have seen that you have posted again. I have tried pasting those files into killbox, however none were found (and therefore added to the kill list).
    I am just waiting for Panda to load then will run it and HJT and post the results as soon as it is done.

    Symptoms currently include
    -incredibly poor performance for what the machine *should* be able to manage. (I have a feeling this may be attributed to all the anti spy/mal/virus software that is currently installed from this process).
    -Start up times that should live in the dark ages
    -random closure of internet explorer windows (not sure if I am imagining this!)

    I don't really like norton anti virus but MD's partner went out and bought (and installed) system works in an attempt to rid her computer of the demons.
    Once we get to a point of no more nasties I would appreciate some advice on what to leave on it to protect her.

    Sorry if my shotgun approach has interfered with your hard work...fingers crossed it hasn't done too much damage.
    Tony.
     
  12. 2006/09/08
    quirkymac

    The good news is that I have not had a single Trojan.Dropper or Dialler.Trojan advice box pop up from Norton over the past 10 or so reboots.
    That has to be good!:p
     
  13. 2006/09/08
    TeMerc

    Nothing we installed or DLed will use any resources unless actually running.

    For start up time you may want to trim some of the unnecessary components from starting. Here is an excellent site for that:
    AnswersThatWork
    Just go to the appropriate letter and search for the process/exe; they will give good, detailed info regarding it. We use it quite often.

    But with the time frame you have, this may not be possible.

    For the IE closing randomly, I'd need to get more info about it. When does it close, does it close when certain applications are opened, does it crash with errors and the like.

    And letting Ewido quarantine what was found was of no major consequence in so far as the work I did here.

    If your mom is even the slightest bit experienced, we can guide her through any further steps and answer questions. We're all very well accustomed to dealing with users whose experience with the PC is not very deep. Instructions are given in clear, concise text. And it's never an annoyance to come back and ask even the smallest thing. Our motto is better safe than sorry.

    Good luck with your remaining time there and I hope the PC didn't eat into your visit too much.

    Oh and if she needs a different language to better understand, I'm certain there is at least one site I can send her to where she can feel more comfortable.
     
  14. 2006/09/08
    quirkymac

    Thanks, I am very impressed by the professionalism shown!

    here is the HJT log (panda to follow)

    Logfile of HijackThis v1.99.1
    Scan saved at 6:45:21 AM, on 9/9/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\htpatch.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\WgaTray.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151738444280
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
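    Reading a log like the one above is the core of this whole thread, so here is an added example (not from the thread or from the HijackThis project) of the first-pass triage a helper does by hand: parse each `Rn`/`On` line, pull out the file path it names, and apply a few conservative heuristics. Orphaned entries (`(no file)`, `(file missing)`) are safe to fix; autostarts from user-writable folders, bare filenames resolved via the search path, autostarts from a subfolder of system32, every `O16` ActiveX download host, `O17` nameservers that are not the ISP's, and `O23` services with no recorded publisher are marked "review", meaning look the entry up (for instance on the AnswersThatWork site mentioned earlier) before touching it. The sample log is constructed: most lines copy the shape of entries in this thread's log, but the `[Restart]` and `[updater]` autostarts and the `hlpsvc` service are invented to exercise the rules, and the "Running processes" block is deliberately not parsed. Note that this would also flag the legitimate IME entries in the real log (they live under a system32 subfolder), which is exactly why "review" is a prompt and not a verdict.

```python
"""Triage a HijackThis 1.99-style log (added example, not from the thread).
Findings are things to look at first, not a verdict on what is malware."""
import re
from dataclasses import dataclass

# Constructed sample. The [Restart]/[updater] autostarts and hlpsvc service are
# made up to exercise the heuristics; the rest mirror the shape of a real log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Restart] C:\WINDOWS\system32\Tools\Restart.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\sobin mourn\Local Settings\Temp\svc.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D09243F-9541-41A3-A9D8-92E32DC3CBF1}: NameServer = 203.109.252.42 203.109.252.43
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\hlpsvc.exe
"""

SECTION_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|cab|sys))', re.IGNORECASE)
BARE_EXE_RE = re.compile(r"^[\w.~-]+\.exe\b", re.IGNORECASE)
SYS32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\", re.IGNORECASE)
SYS32_ROOT_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Folders a limited user can write to; nothing legitimate needs to autostart from them.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\",
                 "\\temporary internet files\\", "\\recycler\\")


@dataclass
class Finding:
    section: str
    severity: str  # "fix": orphan, safe to remove; "review": look it up before acting
    reason: str
    line: str


def _judge(sec, body, path, expected_dns):
    """Return (severity, reason) for one entry, or None if nothing stands out."""
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        return "fix", "orphaned entry, its target file is gone"
    if path and any(m in path.lower() for m in USER_WRITABLE):
        return "review", "points into a user-writable folder"
    if sec == "O4":
        target = body.split("]", 1)[-1].strip()
        if path is None and BARE_EXE_RE.match(target):
            return "review", "bare filename, located via the search path at logon"
        if path and SYS32_SUBDIR_RE.search(path):
            return "review", "autostart from a subfolder of system32"
    elif sec == "O16":
        m = HOST_RE.search(body)
        return "review", "ActiveX control fetched from " + (m.group(1) if m else "?")
    elif sec == "O17":
        servers = set(IP_RE.findall(body))
        if expected_dns is None:
            return "review", "confirm these nameservers belong to the ISP"
        if not servers <= expected_dns:
            return "review", "nameserver outside the expected set"
    elif sec == "O20":
        if path and not SYS32_ROOT_RE.search(path):
            return "review", "Winlogon notify DLL outside system32"
    elif sec == "O23" and "unknown owner" in low:
        return "review", "service with no publisher recorded"
    return None


def triage(log_text, expected_dns=None):
    """Parse the log and return Findings in log order (process list is skipped)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header lines, 'Running processes' block, blanks
        sec, body = m.groups()
        pm = PATH_RE.search(body)
        verdict = _judge(sec, body, pm.group(1) if pm else None, expected_dns)
        if verdict:
            findings.append(Finding(sec, verdict[0], verdict[1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns={"203.109.252.42", "203.109.252.43"}):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

    Pass the ISP's nameservers as `expected_dns` (the two 203.109.252.x addresses in the log above are the ones to confirm with ihug); with no expected set the `O17` line is always listed for checking, since a swapped nameserver is how a dialler or search hijacker survives everything else being cleaned.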
     
  15. 2006/09/08
    quirkymac

    Panda log

    Incident Status Location

    Adware:adware/clickalchemy Not disinfected c:\windows\alchem.ini
    Dialer:dialer generic Not disinfected c:\program files\dialers
    Adware:adware/sidesearch Not disinfected c:\program files\Lycos
    Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\sobin mourn\Application Data\Registry Cleaner
    Adware:adware/topmoxie Not disinfected Windows Registry
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/ncase Not disinfected Windows Registry
    Adware:adware/comet Not disinfected Windows Registry
    Spyware:spyware/apropos Not disinfected Windows Registry
    Adware:Adware/IPInsight Not disinfected C:\!KillBox\alchem.inf
    Adware:Adware/IPInsight Not disinfected C:\!KillBox\alchem.inf ( 3)
    Adware:Adware/IPInsight Not disinfected C:\!KillBox\alchem.inf( 7)
    Potentially unwanted tool:Application/Restart Not disinfected C:\!KillBox\Restart.exe
    Potentially unwanted tool:Application/Restart Not disinfected C:\!KillBox\Restart.exe( 4)
    Potentially unwanted tool:Application/Restart Not disinfected C:\!KillBox\Restart.exe( 6)
    Potentially unwanted tool:Application/Restart Not disinfected C:\!KillBox\Restart.exe( 8)
    Adware:Adware/SuperSpider Not disinfected C:\!KillBox\windgj32.dll
    Adware:Adware/SuperSpider Not disinfected C:\!KillBox\windgj32.dll( 1)
    Adware:Adware/SuperSpider Not disinfected C:\!KillBox\windgj32.dll( 2)
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\sobin mourn\Desktop\tony\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@888[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/Gorillanation Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@ads.gorillanation[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@atwola[2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@ccbill[2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@cgi-bin[2].txt
    Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@desktop.kazaa[1].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@gostats[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@go[2].txt
    Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@kount[2].txt
    Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@pop.mircx[1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@rn11[1].txt
    Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@smni[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@toplist[1].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@webpower[1].txt
    Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\SPYBOLI7\channels_02[1].gif
    Hacktool:HackTool/ExitWin.A Not disinfected C:\Documents and Settings\Tony\Start Menu\Programs\Startup\Reboot.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
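    Most of the lines in a report like this one are noise, and the useful skill is sorting them by where the hit lives rather than by what it is called. The added example below (not from the thread or from Panda) does that sort: it parses each `<kind>:<name> <status> <location>` line and buckets it as a backup copy (Killbox keeps a copy of every file it deletes in `C:\!KillBox`, which is why `alchem.inf`, `Restart.exe` and `windgj32.dll` still show up there), a tracking cookie, a cached page, a helper tool's own binary (SmitfraudFix's `Process.exe`), a registry leftover, an autostart, or a live file on disk. Only the last three need a hand on the keyboard, which is the same conclusion reached in the reply that follows. The sample report is constructed from a subset of the lines above.

```python
"""Sort a Panda ActiveScan report into what still needs action (added example,
not from the thread). The location of a hit, not its name, decides the bucket."""
import re
from dataclasses import dataclass

# Constructed sample, a subset of the report posted in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/clickalchemy Not disinfected c:\windows\alchem.ini
Dialer:dialer generic Not disinfected c:\program files\dialers
Adware:adware/topmoxie Not disinfected Windows Registry
Adware:Adware/IPInsight Not disinfected C:\!KillBox\alchem.inf
Potentially unwanted tool:Application/Restart Not disinfected C:\!KillBox\Restart.exe( 4)
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\sobin mourn\Desktop\tony\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Tony\Cookies\sobin@smni[2].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\SPYBOLI7\channels_02[1].gif
Hacktool:HackTool/ExitWin.A Not disinfected C:\Documents and Settings\Tony\Start Menu\Programs\Startup\Reboot.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
"""

# '<kind>:<name> <status> <location>'; the name may contain spaces, so it is lazy.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected|Deleted)\s+(?P<location>.+)$")

# Helper tools whose own binaries scanners flag (SmitfraudFix's Process.exe here).
HELPER_TOOLS = ("smitfraudfix",)
# Killbox parks a backup of every file it deletes under this folder.
KILLBOX_BACKUP = "c:\\!killbox\\"
# Buckets that still need manual work, in the order to deal with them.
ACTION_ORDER = ("autostart", "live", "registry")


@dataclass
class Incident:
    kind: str
    name: str
    status: str
    location: str
    bucket: str


def classify(location):
    """Map a report location to a bucket; order matters (tool before cache etc.)."""
    loc = location.lower()
    if loc == "windows registry":
        return "registry"
    if loc.startswith(KILLBOX_BACKUP):
        return "quarantine"
    if any(t in loc for t in HELPER_TOOLS):
        return "tool"
    if "\\startup\\" in loc or "\\start menu\\" in loc:
        return "autostart"
    if "\\cookies\\" in loc:
        return "cookie"
    if "\\temporary internet files\\" in loc or "\\temp\\" in loc:
        return "cache"
    return "live"


def parse_report(text):
    incidents = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # header and blank lines do not match
            d = m.groupdict()
            incidents.append(Incident(d["kind"], d["name"], d["status"],
                                      d["location"], classify(d["location"])))
    return incidents


def action_items(text):
    """Hits that are not already disinfected and sit somewhere that matters."""
    todo = [i for i in parse_report(text)
            if i.status == "Not disinfected" and i.bucket in ACTION_ORDER]
    return sorted(todo, key=lambda i: ACTION_ORDER.index(i.bucket))


if __name__ == "__main__":
    for inc in parse_report(SAMPLE_REPORT):
        print(f"{inc.bucket:10} {inc.kind}:{inc.name} -> {inc.location}")
    print("\nneeds action:")
    for inc in action_items(SAMPLE_REPORT):
        print(f"  [{inc.bucket}] {inc.location}")
```

    The "registry" bucket is deliberately last: those entries are leftovers that the on-disk cleanup tools did not touch, and they are worth a pass with Spybot after the files and autostarts are gone. "Quarantine" hits disappear on their own once `C:\!KillBox` is emptied, and the "tool" hits go away when the helper utilities are removed at the end.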
     
  16. 2006/09/08
    TeMerc

    One thing of Vital Importance: I notice your OS/IE is not properly updated. Please go to the Windows Update page and load up all 'Critical Updates', as this will ensure your IE is as protected as is possible. Follow this link:
    Windows Update Page

    Without those patches, Mom will be calling you before you return home!!

    The only two concerns are these, and they are not nasty either.
    c:\program files\dialers <<<<---this folder
    c:\windows\alchem.ini <<<--this file

    Try and delete them manually.

    Beyond that, everything else is looking good.

    Note on resources: Depending on your RAM, Norton may not be the best app to run, it can be resource intensive. I know it's been bought and paid for, but just a suggestion.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  17. 2006/09/17
    quirkymac

    Thanks again for all your help. I wasn't able to complete all of your instructions prior to the departure and have now travelled all through New Zealand and have arrived at my home in Sydney. I will ensure that MD (mother dearest) completes the required steps and we will have a go at taking off some of the unnecessary software. It turns out that Nortons was purchased for that computer so that IS a shame and she feels bad at even considering taking it off. I will encourage her to and will see if the program can be transferred to a more deserving computer.
    I am going to have a look at what might be lurking on my computer. I would hope that it is not much as I am fairly careful but I was shocked by what she had picked up.
    Downloading HJT now and ready to load up a panda scan...

    Tony.
     
  18. 2006/09/17
    quirkymac

    Regarding the windows updates....it turns out she was sold a computer without a real windows license. As she has Windows XP pro on it at present Microsoft are offering a very expensive COA and online upgrade to a licensed version but for a very high price. She only needs XP home but I think we will have to do a full reinstall for that.
     
