
Solved: browser closes unexpectedly (Firefox and Avant)

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2007/10/05.

  1. 2007/10/05
    mva5493 (Well-Known Member, Thread Starter)

    [Resolved] browser closes unexpectedly (Firefox and Avant)

    Hello, I am back with yet another computer. This time it is my daughter's computer. She is having some problems with her main browser, Avant, as well as the one she uses when Avant gives her problems, Firefox.
    The system is an IBM NetVista with a 1.8 GHz Intel Pentium 4 processor running Win XP SP2, upgraded from Win2K. It is connected to the university network over a 10 Mbps LAN connection. It uses Windows Firewall as well as Symantec AntiVirus and Clean Access Agent (university requirements). The browsers used are Avant and Firefox. Avant is the primary browser. The problem is that Avant is freezing unexpectedly. It starts normally but will freeze after opening. Firefox will just close. Not sure if the problem is virus or spyware related, but I ran HJT and DSS just to be sure. Here are the log files.

    Deckard's System Scanner v20070905.67
    Run by Administrator on 2007-10-05 15:03:41
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 5 Restore Point(s) --
    91: 2007-10-05 18:32:19 UTC - RP231 - Deckard's System Scanner Restore Point
    90: 2007-10-05 03:55:51 UTC - RP230 - System Checkpoint
    89: 2007-10-04 00:36:14 UTC - RP229 - System Checkpoint
    88: 2007-10-02 22:36:19 UTC - RP228 - System Checkpoint
    87: 2007-10-01 20:36:10 UTC - RP227 - System Checkpoint


    -- First Restore Point --
    1: 2007-07-08 07:16:56 UTC - RP141 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 255 MiB (512 MiB recommended).


    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:04:44 PM, on 10/5/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\USB Disk Win98 Driver\Res.EXE
    C:\WINNT\vsnpstd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/portal/
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {086F3ADF-92EA-4415-877E-C7DD7DD64F14} - C:\WINNT\system32\efcbccd.dll (file missing)
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: (no name) - {376B7A71-EE2B-4024-B743-540DF86D22B3} - C:\WINNT\system32\ddcya.dll (file missing)
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\xkbqnyog.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINNT\system32\TwcToolbarBho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINNT\system32\TwcToolbarIe7.dll
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
    O4 - HKLM\..\Run: [Microsoft] hzeu.exe
    O4 - HKLM\..\Run: [DllRunning] C:\WINNT\system32\njkyaugn.dll,setvm
    O4 - HKLM\..\Run: [Windows Firewall Updater] fwupdat.exe
    O4 - HKLM\..\Run: [Windows Secure Update] SecUpd.exe
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINNT\vsnpstd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\RunServices: [Microsoft] hzeu.exe
    O4 - HKLM\..\RunServices: [Windows Firewall Updater] fwupdat.exe
    O4 - HKLM\..\RunServices: [Windows Secure Update] SecUpd.exe
    O4 - HKCU\..\Run: [Microsoft] hzeu.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Microsoft] hzeu.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Microsoft] hzeu.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft] hzeu.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft] hzeu.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
    O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-8.0.8.30/chess2/chess2-en_US.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-8.0.3.20/domino/domino-en_US.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-8.0.3.20/greenback/greenback-en_US.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-8.0.8.30/harvest/harvest-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-8.0.3.36/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-8.0.9.33/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-8.0.6.49/mahjong2/mahjong2-en_US.cab
    O16 - DPF: Makeover Madness by pogo - http://game1.pogo.com/applet-8.0.4.41/shoes/shoes-en_US.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-8.0.9.41/flinger/flinger-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.8.30/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-8.0.3.20/hotstreak/hotstreak-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.6.49/squelchies/squelchies-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-8.0.3.36/peaks/peaks-en_US.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171590453703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156426823156
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webapps.eku.edu/stunav/webinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx
    O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing)
    O20 - Winlogon Notify: efcbccd - efcbccd.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: service - Unknown owner - C:\WINNT\service.exe (file missing)
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 13776 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 SbcpHid - c:\winnt\system32\drivers\sbcphid.sys
    R2 mdmxsdk - c:\winnt\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
    R3 Pcouffin (Low level access layer for CD devices) - c:\winnt\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

    S3 CA561 (ICatch (VI) PC Camera) - c:\winnt\system32\drivers\spca561.sys (file missing)
    S3 EGATHDRV (IBM Access Support) - c:\winnt\downloaded program files\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
    S3 EraserUtilDrv10710 - c:\program files\common files\symantec shared\eengine\eraserutildrv10710.sys (file missing)
    S3 ichaud (Service for AC'97 Driver (WDM)) - c:\winnt\system32\drivers\ichaud.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    S3 InCDFat (Ahead InCDFat File System Driver) - c:\winnt\system32\drivers\incdfat.sys <Not Verified; Nero AG; Ahead InCDFat File System Driver>
    S3 rdriv - c:\winnt\system32\rdriv.sys (file missing)
    S3 samhid - c:\winnt\system32\drivers\samhid.sys
    S3 snpstd2 (CAM 30) - c:\winnt\system32\drivers\snpstd2.sys <Not Verified; ; PC Camera driver>
    S3 SYMIDSCO - c:\winnt\system32\drivers\symidsco.sys (file missing)
    S3 Winacusb - c:\winnt\system32\drivers\winacusb.sys <Not Verified; U.S. Robotics; Host AT Modem>
    S4 Parallel (Parallel class driver) - c:\winnt\system32\drivers\parallel.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 DLLHOST32 (Windows Host Services) - "c:\winnt\system\dllhost.exe" (file missing)
    S2 service - "c:\winnt\service.exe" (file missing)
    S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ROOT\PARALLELCLASS\0000
    Manufacturer:
    Name:
    PNP Device ID: ROOT\PARALLELCLASS\0000
    Service: Parallel


    -- Files created between 2007-09-05 and 2007-10-05 -----------------------------

    2007-10-05 14:26:45 0 d-------- C:\Program Files\Trend Micro
    2007-10-05 13:45:19 0 d--hs---- C:\found.000
    2007-09-30 19:45:35 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2007-09-30 19:45:35 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45:09 0 d-------- C:\Program Files\SiteAdvisor
    2007-09-30 19:45:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-09-30 19:45:00 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2007-09-30 19:44:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor


    -- Find3M Report ---------------------------------------------------------------

    2007-10-05 11:14:16 1632 --a------ C:\WINNT\system32\d3d8caps.dat
    2007-09-22 00:13:12 0 d-------- C:\Program Files\Avant Browser
    2007-09-21 22:19:37 0 d-------- C:\Program Files\Windows NT
    2007-09-20 11:18:59 0 d-------- C:\Program Files\Yahoo!
    2007-09-20 11:17:39 0 d--h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
    2007-09-03 16:30:38 0 d-------- C:\Program Files\Project64 1.6
    2007-08-27 10:28:24 0 d-------- C:\Program Files\MacGAMUT 2003
    2007-08-27 10:28:22 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-26 09:13:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
    2007-08-25 09:46:29 0 d-a------ C:\Program Files\NetZero
    2007-08-24 23:42:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
    2007-08-17 21:52:20 0 d-------- C:\Program Files\Java
    2007-08-17 08:34:35 0 d-------- C:\Program Files\Trillian
    2007-08-14 22:56:53 0 d-------- C:\Program Files\Cisco Systems
    2007-08-14 22:48:27 0 d-------- C:\Program Files\Symantec AntiVirus


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086F3ADF-92EA-4415-877E-C7DD7DD64F14}]
    C:\WINNT\system32\efcbccd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376B7A71-EE2B-4024-B743-540DF86D22B3}]
    C:\WINNT\system32\ddcya.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DA39570-5FD2-4f18-94B4-20730CB3F727}]
    C:\WINNT\system32\xkbqnyog.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [08/04/04 08:00 AM C:\WINNT\system32\mobsync.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/07 04:00 AM]
    "NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 01:50 PM]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [01/27/05 01:17 PM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/07/06 01:02 PM]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/03 08:42 PM]
    "USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.EXE" [09/14/05 09:44 PM]
    "Microsoft"="hzeu.exe" []
    "DllRunning"="C:\WINNT\system32\njkyaugn.dll" []
    "Windows Firewall Updater"="fwupdat.exe" []
    "Windows Secure Update"="SecUpd.exe" []
    "SNPSTD2"="C:\WINNT\vsnpstd2.exe" [06/10/04 12:54 PM]
    "NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [04/02/03 04:40 PM]
    "nwiz"="nwiz.exe" [04/02/03 04:40 PM C:\WINNT\system32\nwiz.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/19/07 08:30 PM]
    "KernelFaultCheck"="C:\WINNT\system32\dumprep 0 -k" []
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [03/30/07 11:42 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft"="hzeu.exe" []
    "NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [03/22/06 02:55 PM]
    "ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/04/04 08:00 AM]
    "DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [03/16/07 07:51 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "Microsoft"=hzeu.exe
    "Windows Firewall Updater"=fwupdat.exe
    "Windows Secure Update"=SecUpd.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    "tscuninstall"=%systemroot%\system32\tscupgrd.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Microsoft"=hzeu.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/05 11:05:26 PM]
    Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [9/6/07 11:13:06 PM]
    U.S. Robotics Internet Call Notification.lnk - C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe [6/2/06 2:54:18 PM]
    Winter Fun Wallpaper Changer.lnk - C:\WINNT\Installer\{038A524F-58DB-438A-8391-8F7F0CA14B9E}\Icon038A524F.exe [2/14/07 7:08:17 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{086F3ADF-92EA-4415-877E-C7DD7DD64F14}"= C:\WINNT\system32\efcbccd.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya]
    C:\WINNT\system32\ddcya.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbccd]
    efcbccd.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c83c9d7-8d2b-11db-9b5b-00096bb8c868}]
    AutoRun\command- E:\setupSNK.exe




    -- End of Deckard's System Scanner: finished at 2007-10-05 15:05:31 ------------
     
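A worked triage of the log above, added here as an editor's example (it is not part of mva5493's post and not a HijackThis or DSS feature): a small Python script that parses HJT-style lines and flags the patterns a malware-removal helper keys on in this log. Those are BHO (O2) and Winlogon Notify (O20) DLLs that are registered but missing from disk, the same DLL name appearing in both places, Run values that are bare filenames resolved through the search path (hzeu.exe, fwupdat.exe, SecUpd.exe), a Run value pointing at a DLL with no rundll32 host, anything under RunServices (a Windows 9x key that NT-family Windows does not process), per-user Run values pushed into the service-account hives, an ActiveX download (O16) from a raw IP address, and a service (O23) with an unknown owner whose binary is missing. The sample log is constructed from lines in the post; the BARE_OK allowlist, the rule names and the Finding type are my assumptions, not HijackThis conventions.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread."""
import re
import ipaddress
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the first HJT log in the thread, plus
# benign neighbours (Symantec, Java, pogo) so every rule has a negative case.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/portal/
O2 - BHO: (no name) - {086F3ADF-92EA-4415-877E-C7DD7DD64F14} - C:\WINNT\system32\efcbccd.dll (file missing)
O2 - BHO: (no name) - {376B7A71-EE2B-4024-B743-540DF86D22B3} - C:\WINNT\system32\ddcya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Microsoft] hzeu.exe
O4 - HKLM\..\Run: [DllRunning] C:\WINNT\system32\njkyaugn.dll,setvm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Windows Secure Update] SecUpd.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] hzeu.exe (User 'SYSTEM')
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-8.0.8.30/chess2/chess2-en_US.cab
O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing)
O20 - Winlogon Notify: efcbccd - efcbccd.dll (file missing)
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Path-less Run values that are normal on XP (assumption for this example, not an
# authoritative list). Any other bare name is resolved via the search path and
# is worth a look; the Vundo/worm entries here are all of that shape.
BARE_OK = {"mobsync.exe", "nwiz.exe", "ctfmon.exe", "rundll32.exe"}
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")


@dataclass(frozen=True)
class Finding:
    section: str
    rule: str
    line: str


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first word."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_dlls: set[str] = set()
    notify_dlls: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        missing = "(file missing)" in body
        if sec == "O2":  # Browser Helper Object: last " - " field is the DLL path
            bho_dlls.add(basename(body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")))
            if missing:
                findings.append(Finding(sec, "bho-file-missing", line))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:  # Global Startup .lnk lines have a different shape
                continue
            exe = first_token(o4.group("cmd"))
            if "\\" not in exe and basename(exe) not in BARE_OK:
                findings.append(Finding(sec, "run-bare-filename", line))
            if re.search(r"\.dll,", exe, re.I):  # DLL,export with no rundll32 in front
                findings.append(Finding(sec, "run-dll-without-host", line))
            if o4.group("key").lower().startswith("runservices"):
                findings.append(Finding(sec, "runservices-on-nt", line))
            if any(sid in o4.group("hive") for sid in SERVICE_SIDS):
                findings.append(Finding(sec, "run-under-service-account", line))
        elif sec == "O16":  # Downloaded Program Files: flag CABs fetched from an IP literal
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            try:
                ipaddress.ip_address(host)
                findings.append(Finding(sec, "dpf-from-ip-literal", line))
            except ValueError:
                pass
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            notify_dlls.add(basename(body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")))
            if missing:
                findings.append(Finding(sec, "winlogon-notify-file-missing", line))
        elif sec == "O23" and "Unknown owner" in body and missing:
            findings.append(Finding(sec, "service-unknown-owner-missing", line))
    # A BHO that is also a Winlogon Notify handler is the Vundo layout seen in this log.
    for dll in sorted(bho_dlls & notify_dlls):
        findings.append(Finding("O2+O20", "bho-also-winlogon-notify", dll))
    return findings


def rule_counts(log_text: str) -> dict[str, int]:
    return dict(Counter(f.rule for f in triage(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:6} {f.rule:30} {f.line}")
```

Run as a script it prints one line per hit; feed it a full HJT log and the noise (pogo CABs, Symantec services, vendor Run keys) falls out while the bare-name Run values, the missing BHO/Notify DLLs and the orphaned services remain.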
  2. 2007/10/05
    noahdfear (Inactive)

    Download VundoFix by Atribune, saving it to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Then, download ComboFix by sUBs from here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log, C:\Vundofix.txt and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2007/10/06
    mva5493 (Well-Known Member, Thread Starter)

    Dave,
    Good morning. I just logged on; I wasn't here last night or I would have responded then. My daughter would like to know what infections you see and what files are infected. She may respond herself, but for now she leaves that to me, lol.

    Also, I am curious: Symantec is updated regularly on her computer, she scans overnight when the computer is not in use, and she has the firewall active all the time (I tell her about virus and spyware protection and that it doesn't work very well if she doesn't update, plus she has been here with me when I am fixing a machine, so she can see some of the problems no protection can cause). Her computer at school is connected 24/7 also, so of course mom told her she really has to be careful.
     
    Last edited: 2007/10/06
  5. 2007/10/06
    TinyTuba822 (Inactive)

    Here's the VundoFix log.

    VundoFix V6.5.9

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 10:18:01 AM 10/6/07

    Listing files found while scanning....

    C:\WINNT\system32\aycdd.bak1
    C:\WINNT\system32\aycdd.bak2
    C:\WINNT\system32\aycdd.ini
    C:\WINNT\system32\aycdd.ini2
    C:\WINNT\system32\aycdd.tmp
    C:\WINNT\system32\ddcya.dll
    C:\WINNT\system32\efcbccd.dll
    C:\WINNT\system32\xkbqnyog.dll

    Beginning removal...

    Attempting to delete C:\WINNT\system32\aycdd.bak1
    C:\WINNT\system32\aycdd.bak1 Has been deleted!

    Attempting to delete C:\WINNT\system32\aycdd.bak2
    C:\WINNT\system32\aycdd.bak2 Has been deleted!

    Attempting to delete C:\WINNT\system32\aycdd.ini
    C:\WINNT\system32\aycdd.ini Has been deleted!

    Attempting to delete C:\WINNT\system32\aycdd.ini2
    C:\WINNT\system32\aycdd.ini2 Has been deleted!

    Attempting to delete C:\WINNT\system32\aycdd.tmp
    C:\WINNT\system32\aycdd.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.9

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 10:24:14 AM 10/6/07

    Listing files found while scanning....

    C:\WINNT\system32\ddcya.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!
     
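An added example, mine rather than TinyTuba822's or anything VundoFix itself does: the log above can be read mechanically, and two things are worth pulling out of it. First, the scanner listed eight files but reported only five "Has been deleted!"; the three DLLs (ddcya.dll, efcbccd.dll, xkbqnyog.dll) are never confirmed removed, the second run lists ddcya.dll again, and its BHO entry is still present in the HJT log posted next. Second, the Vundo naming habit visible here pairs a DLL with sidecar files whose base name is the DLL's name reversed (ddcya.dll with aycdd.ini, .ini2, .bak1, .bak2, .tmp), so any directory listing can be checked for that mirror pattern. The script parses the first run as quoted in the post (constructed inline from it), reports the unremoved files, the mirrored clusters, and every listed Java version older than the newest. The function names and the report layout are my own assumptions.

```python
"""Read a VundoFix log: what was found, what was really removed, mirrored names, old JREs."""
import re
from collections import defaultdict

# Constructed sample: the first VundoFix run quoted in the post above.
SAMPLE_VUNDOFIX_LOG = r"""
VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:18:01 AM 10/6/07

Listing files found while scanning....

C:\WINNT\system32\aycdd.bak1
C:\WINNT\system32\aycdd.bak2
C:\WINNT\system32\aycdd.ini
C:\WINNT\system32\aycdd.ini2
C:\WINNT\system32\aycdd.tmp
C:\WINNT\system32\ddcya.dll
C:\WINNT\system32\efcbccd.dll
C:\WINNT\system32\xkbqnyog.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\aycdd.bak1
C:\WINNT\system32\aycdd.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\aycdd.bak2
C:\WINNT\system32\aycdd.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\aycdd.ini
C:\WINNT\system32\aycdd.ini Has been deleted!

Attempting to delete C:\WINNT\system32\aycdd.ini2
C:\WINNT\system32\aycdd.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\aycdd.tmp
C:\WINNT\system32\aycdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!
"""

JAVA_RE = re.compile(r"^Java version is (\d+(?:\.\d+)+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) Has been deleted!$")


def parse_vundofix(text: str) -> dict:
    """Return the JRE versions seen, files listed by the scan, and files confirmed deleted."""
    java, found, deleted = [], [], []
    in_listing = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := JAVA_RE.match(line):
            java.append(m.group(1))
        elif line.startswith("Listing files found"):
            in_listing = True
        elif line.startswith("Beginning removal"):
            in_listing = False
        elif m := DELETED_RE.match(line):
            deleted.append(m.group("path"))
        elif in_listing and PATH_RE.match(line):
            found.append(line)
    return {"java": java, "found": found, "deleted": deleted}


def not_removed(report: dict) -> list[str]:
    """Files the scanner listed but never reported deleted: re-check these after reboot."""
    done = set(report["deleted"])
    return [p for p in report["found"] if p not in done]


def stem(path: str) -> str:
    """Lower-cased base name without extension: C:\\...\\aycdd.bak1 -> aycdd."""
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def mirrored_clusters(paths) -> dict[str, list[str]]:
    """Group files whose base names are each other's reverse (ddcya <-> aycdd)."""
    by_stem: dict[str, list[str]] = defaultdict(list)
    for p in paths:
        by_stem[stem(p)].append(p)
    clusters: dict[str, list[str]] = {}
    for s in by_stem:
        rev = s[::-1]
        if rev != s and rev in by_stem:
            clusters[min(s, rev)] = sorted(by_stem[s] + by_stem[rev])
    return clusters


def outdated_java(versions: list[str]) -> list[str]:
    """Every listed JRE older than the newest; side-by-side installs are never upgraded away."""
    if not versions:
        return []
    as_tuple = {v: tuple(int(x) for x in v.split(".")) for v in versions}
    newest = max(as_tuple.values())
    return [v for v in versions if as_tuple[v] < newest]


if __name__ == "__main__":
    report = parse_vundofix(SAMPLE_VUNDOFIX_LOG)
    print("not confirmed removed:", not_removed(report))
    print("mirrored clusters:", mirrored_clusters(report["found"]))
    print("outdated JREs:", outdated_java(report["java"]))
```

The point of the mirror check is that it works on a plain `dir` of system32 too, before any scanner has run: a .dll whose reversed name shows up with .ini or .bak extensions is the shape this infection leaves behind.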
  6. 2007/10/06
    TinyTuba822 (Inactive)

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:11, on 2007-10-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\USB Disk Win98 Driver\Res.EXE
    C:\WINNT\vsnpstd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/portal/
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: (no name) - {376B7A71-EE2B-4024-B743-540DF86D22B3} - C:\WINNT\system32\ddcya.dll (file missing)
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINNT\system32\TwcToolbarBho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINNT\system32\TwcToolbarIe7.dll
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
    O4 - HKLM\..\Run: [Windows Firewall Updater] fwupdat.exe
    O4 - HKLM\..\Run: [Windows Secure Update] SecUpd.exe
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINNT\vsnpstd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKLM\..\RunServices: [Microsoft] hzeu.exe
    O4 - HKLM\..\RunServices: [Windows Firewall Updater] fwupdat.exe
    O4 - HKLM\..\RunServices: [Windows Secure Update] SecUpd.exe
    O4 - HKCU\..\Run: [Microsoft] hzeu.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKUS\S-1-5-19\..\Run: [Microsoft] hzeu.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Microsoft] hzeu.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft] hzeu.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft] hzeu.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
    O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-8.0.8.30/chess2/chess2-en_US.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-8.0.3.20/domino/domino-en_US.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-8.0.3.20/greenback/greenback-en_US.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-8.0.8.30/harvest/harvest-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-8.0.3.36/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-8.0.9.33/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-8.0.6.49/mahjong2/mahjong2-en_US.cab
    O16 - DPF: Makeover Madness by pogo - http://game1.pogo.com/applet-8.0.4.41/shoes/shoes-en_US.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-8.0.9.41/flinger/flinger-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.8.30/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-8.0.3.20/hotstreak/hotstreak-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.6.49/squelchies/squelchies-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-8.0.3.36/peaks/peaks-en_US.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171590453703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156426823156
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webapps.eku.edu/stunav/webinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx
    O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing)
    O20 - Winlogon Notify: efcbccd - efcbccd.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: service - Unknown owner - C:\WINNT\service.exe (file missing)
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12741 bytes


    ComboFix is not completing the scan. Incomplete logfile.
     
  7. 2007/10/06
    noahdfear

    What exactly does ComboFix do? Does it stop in any particular place?
     
  8. 2007/10/06
    TinyTuba822

    It tells me that it may take up to 10 mins to scan, but within a minute it disappears after that. It stops at the beginning of the scan.
     
  9. 2007/10/06
    noahdfear

    Please delete the copy of ComboFix.exe you have, and the C:\ComboFix folder if it exists. Then re-download it and try again. If it does the same thing, try downloading it from here or here
     
  10. 2007/10/07
    TinyTuba822

    It worked much better this time. I just clicked one of the other links you provided. Here's the log file.

    ComboFix 07-10-06.5 - Administrator 2007-10-06 23:05:40.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -4:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\a.bat
    C:\WINNT\system32\a.txt
    C:\WINNT\system32\msn.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_RDRIV
    -------\rdriv


    ((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
    .

    2007-10-06 10:42 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-10-06 10:18 <DIR> d-------- C:\VundoFix Backups
    2007-10-05 14:29 <DIR> d-------- C:\Deckard
    2007-10-05 14:26 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-05 13:45 <DIR> d--hs---- C:\found.000
    2007-09-30 19:45 <DIR> d-------- C:\Program Files\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2007-09-30 19:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-22 00:13 --------- d-------- C:\Program Files\Avant Browser
    2007-09-20 20:30 --------- d-------- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
    2007-09-20 11:18 --------- d-------- C:\Program Files\Yahoo!
    2007-09-20 11:17 --------- d--h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
    2007-09-20 11:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
    2007-09-03 16:30 --------- d-------- C:\Program Files\Project64 1.6
    2007-08-27 10:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-27 10:28 --------- d-------- C:\Program Files\MacGAMUT 2003
    2007-08-26 09:13 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
    2007-08-25 09:46 --------- d-a------ C:\Program Files\NetZero
    2007-08-24 23:42 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
    2007-08-17 08:34 --------- d-------- C:\Program Files\Trillian
    2007-08-14 22:56 --------- d-------- C:\Program Files\Cisco Systems
    2007-08-14 22:48 --------- d-------- C:\Program Files\Symantec AntiVirus
    2006-02-09 18:54 271 ---hs---- C:\Program Files\desktop.ini
    2006-02-09 18:54 21952 --ah----- C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376B7A71-EE2B-4024-B743-540DF86D22B3}]
    C:\WINNT\system32\ddcya.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [2004-08-04 08:00 C:\WINNT\system32\mobsync.exe]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "NeroFilterCheck "= "C:\WINNT\system32\NeroCheck.exe" [2001-07-09 13:50]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2005-01-27 13:17]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
    "USB Storage Toolbox "= "C:\Program Files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 21:44]
    "Windows Firewall Updater "= "fwupdat.exe" []
    "Windows Secure Update "= "SecUpd.exe" []
    "SNPSTD2 "= "C:\WINNT\vsnpstd2.exe" [2004-06-10 12:54]
    "NvCplDaemon "= "C:\WINNT\system32\NvCpl.dll" [2003-04-02 16:40]
    "nwiz "= "nwiz.exe" [2003-04-02 16:40 C:\WINNT\system32\nwiz.exe]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-19 20:30]
    "SiteAdvisor "= "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 11:42]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft "= "hzeu.exe" []
    "NetZero_uoltray "= "C:\Program Files\NetZero\exec.exe" [2006-03-22 14:55]
    "ctfmon.exe "= "C:\WINNT\system32\ctfmon.exe" [2004-08-04 08:00]
    "DW4 "= "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "untd_recovery "= "C:\Program Files\NetZero\qsacc\x1exec.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "Microsoft "=hzeu.exe
    "Windows Firewall Updater "=fwupdat.exe
    "Windows Secure Update "=SecUpd.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    "tscuninstall "=%systemroot%\system32\tscupgrd.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Microsoft "=hzeu.exe

    C:\Documents and Settings\User\Start Menu\Programs\Startup\
    Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1996-03-20 01:00:00]
    Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1996-03-20 01:00:00]
    Microsoft Office Shortcut Bar.lnk - C:\MSOffice\Office\MSOFFICE.EXE [1996-03-20 01:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-09-06 23:13:06]
    U.S. Robotics Internet Call Notification.lnk - C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe [2006-06-02 14:54:18]
    Winter Fun Wallpaper Changer.lnk - C:\WINNT\Installer\{038A524F-58DB-438A-8391-8F7F0CA14B9E}\Icon038A524F.exe [2007-02-14 19:08:17]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya]
    C:\WINNT\system32\ddcya.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbccd]
    efcbccd.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "

    R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;C:\WINNT\system32\DRIVERS\wind502u.sys
    S2 DLLHOST32;Windows Host Services; "C:\WINNT\system\dllhost.exe "
    S3 ADM8511;ADM8511 USB To Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM8511.SYS
    S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys
    S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
    S3 InCDFat;Ahead InCDFat File System Driver;\??\C:\WINNT\system32\Drivers\InCDFat.sys
    S3 samhid;samhid;C:\WINNT\system32\drivers\samhid.sys
    S3 snpstd2;CAM 30;C:\WINNT\system32\DRIVERS\snpstd2.sys
    S3 Winacusb;Winacusb;C:\WINNT\system32\DRIVERS\winacusb.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c83c9d7-8d2b-11db-9b5b-00096bb8c868}]
    AutoRun\command- E:\setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-07 08:00:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-07 8:04:39 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-07 08:04
    .
    --- E O F ---


    Thanks for your help!
     
  11. 2007/10/07
    noahdfear

    Scan again with HijackThis and place a check next to the following entries, then click Fix Checked.

    O4 - HKUS\S-1-5-19\..\Run: [Microsoft] hzeu.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Microsoft] hzeu.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft] hzeu.exe (User 'SYSTEM')



    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINNT\System32\fwupdat.exe
    C:\WINNT\System32\SecUpd.exe
    C:\WINNT\System32\hzeu.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376B7A71-EE2B-4024-B743-540DF86D22B3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Windows Firewall Updater"=-
     "Windows Secure Update"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Microsoft"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
     "Microsoft"=-
     "Windows Firewall Updater"=-
     "Windows Secure Update"=-
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
     "Microsoft"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcya] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbccd] 
    
    Driver::
    DLLHOST32
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
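    As an added example (not part of this thread, HijackThis or ComboFix), the Python below applies to a few lines copied from the log above the triage checks the advice in this post rests on: autostart entries that launch a bare executable with no path, BHO and Winlogon Notify entries whose file is missing, unknown-owner services with no binary, and one executable registered at several logon points. The names `triage`, `Finding` and `first_token` are the example's own, and the severity labels are its own convention, not HijackThis output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, with a few clean entries left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {376B7A71-EE2B-4024-B743-540DF86D22B3} - C:\WINNT\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Windows Firewall Updater] fwupdat.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft] hzeu.exe
O4 - HKCU\..\Run: [Microsoft] hzeu.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft] hzeu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-19\..\Run: [Microsoft] hzeu.exe (User 'LOCAL SERVICE')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O20 - Winlogon Notify: efcbccd - efcbccd.dll (file missing)
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section the line came from (O2, O4, O20, O23)
    entry: str     # entry name, BHO name, notify package or service name
    target: str    # executable or DLL the entry points at
    severity: str  # "high" = act on it, "review" = needs a human decision
    reason: str


O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_RE = re.compile(r" \(User '[^']*'\)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$")
# An entry name that borrows Microsoft's or Windows' name while launching an
# unqualified executable is a classic impersonation pattern.
VENDORISH = re.compile(r"\b(microsoft|windows)\b", re.I)


def first_token(cmd):
    """Return the program an O4 command line launches, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Apply the helper's eyeball checks to HijackThis lines and return Findings."""
    findings = []
    where_registered = defaultdict(set)  # bare executable -> autostart keys naming it
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            prog = first_token(USER_RE.sub("", m["cmd"]))
            if "\\" not in prog and "%" not in prog:
                where_registered[prog.lower()].add(m["key"])
                vendorish = bool(VENDORISH.search(m["name"]))
                findings.append(Finding(
                    "O4", m["name"], prog, "high" if vendorish else "review",
                    "bare executable name, resolved through the search path at logon"
                    + ("; entry name imitates a Windows component" if vendorish else "")))
        elif m := O2_RE.match(line):
            if "(file missing)" in m["target"] or "(no file)" in m["target"]:
                findings.append(Finding(
                    "O2", m["name"], m["target"], "review",
                    "BHO is registered but its DLL is not on disk: orphan, or hidden from the scanner"))
        elif m := O20_RE.match(line):
            if "(file missing)" in m["target"]:
                findings.append(Finding(
                    "O20", m["name"], m["target"], "high",
                    "Winlogon Notify package loads into winlogon.exe at logon and its DLL is not visible"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" and "(file missing)" in m["target"]:
                findings.append(Finding(
                    "O23", m["name"], m["target"], "high",
                    "service with no publisher whose binary cannot be found"))
    # The same unqualified executable registered at several logon points (HKLM,
    # HKCU and the per-profile HKUS keys) is redundant persistence, which
    # legitimate software almost never sets up.
    for prog, keys in where_registered.items():
        if len(keys) >= 3:
            findings.append(Finding(
                "O4", prog, prog, "high",
                f"registered under {len(keys)} different autostart keys"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.entry!r} -> {f.target}: {f.reason}")
```

The nwiz entry is deliberately left at "review": it is a bare filename too, but it is the NVIDIA helper the log shows in system32, which is why the heuristic only flags and a person still decides.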
     
  12. 2007/10/07
    TinyTuba822

    Here's the newer ComboFix log.

    ComboFix 07-10-06.5 - Administrator 2007-10-07 11:25:18.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT -4:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINNT\System32\fwupdat.exe
    C:\WINNT\System32\hzeu.exe
    C:\WINNT\System32\SecUpd.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
    .

    2007-10-06 10:42 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-10-06 10:18 <DIR> d-------- C:\VundoFix Backups
    2007-10-05 14:29 <DIR> d-------- C:\Deckard
    2007-10-05 14:26 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-05 13:45 <DIR> d--hs---- C:\found.000
    2007-09-30 19:45 <DIR> d-------- C:\Program Files\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-09-30 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2007-09-30 19:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-07 08:13 --------- d-------- C:\Program Files\Avant Browser
    2007-09-20 20:30 --------- d-------- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
    2007-09-20 11:18 --------- d-------- C:\Program Files\Yahoo!
    2007-09-20 11:17 --------- d--h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
    2007-09-20 11:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
    2007-09-03 16:30 --------- d-------- C:\Program Files\Project64 1.6
    2007-08-27 10:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-27 10:28 --------- d-------- C:\Program Files\MacGAMUT 2003
    2007-08-26 09:13 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
    2007-08-25 09:46 --------- d-a------ C:\Program Files\NetZero
    2007-08-24 23:42 --------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
    2007-08-17 08:34 --------- d-------- C:\Program Files\Trillian
    2007-08-14 22:56 --------- d-------- C:\Program Files\Cisco Systems
    2007-08-14 22:48 --------- d-------- C:\Program Files\Symantec AntiVirus
    2007-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
    2006-02-09 18:54 271 ---hs---- C:\Program Files\desktop.ini
    2006-02-09 18:54 21952 --ah----- C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [2004-08-04 08:00 C:\WINNT\system32\mobsync.exe]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "NeroFilterCheck "= "C:\WINNT\system32\NeroCheck.exe" [2001-07-09 13:50]
    "InCD "= "C:\Program Files\Ahead\InCD\InCD.exe" [2005-01-27 13:17]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
    "USB Storage Toolbox "= "C:\Program Files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 21:44]
    "SNPSTD2 "= "C:\WINNT\vsnpstd2.exe" [2004-06-10 12:54]
    "NvCplDaemon "= "C:\WINNT\system32\NvCpl.dll" [2003-04-02 16:40]
    "nwiz "= "nwiz.exe" [2003-04-02 16:40 C:\WINNT\system32\nwiz.exe]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-19 20:30]
    "SiteAdvisor "= "C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 11:42]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetZero_uoltray "= "C:\Program Files\NetZero\exec.exe" [2006-03-22 14:55]
    "ctfmon.exe "= "C:\WINNT\system32\ctfmon.exe" [2004-08-04 08:00]
    "DW4 "= "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "untd_recovery "= "C:\Program Files\NetZero\qsacc\x1exec.exe "

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    "tscuninstall "=%systemroot%\system32\tscupgrd.exe

    C:\Documents and Settings\User\Start Menu\Programs\Startup\
    Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1996-03-20 01:00:00]
    Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1996-03-20 01:00:00]
    Microsoft Office Shortcut Bar.lnk - C:\MSOffice\Office\MSOFFICE.EXE [1996-03-20 01:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-09-06 23:13:06]
    U.S. Robotics Internet Call Notification.lnk - C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe [2006-06-02 14:54:18]
    Winter Fun Wallpaper Changer.lnk - C:\WINNT\Installer\{038A524F-58DB-438A-8391-8F7F0CA14B9E}\Icon038A524F.exe [2007-02-14 19:08:17]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "

    R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;C:\WINNT\system32\DRIVERS\wind502u.sys
    S2 DLLHOST32;Windows Host Services; "C:\WINNT\system\dllhost.exe "
    S3 ADM8511;ADM8511 USB To Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM8511.SYS
    S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys
    S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
    S3 InCDFat;Ahead InCDFat File System Driver;\??\C:\WINNT\system32\Drivers\InCDFat.sys
    S3 samhid;samhid;C:\WINNT\system32\drivers\samhid.sys
    S3 snpstd2;CAM 30;C:\WINNT\system32\DRIVERS\snpstd2.sys
    S3 Winacusb;Winacusb;C:\WINNT\system32\DRIVERS\winacusb.sys


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c83c9d7-8d2b-11db-9b5b-00096bb8c868}]
    AutoRun\command- E:\setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-07 11:30:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-10-07 11:32:42
    C:\ComboFix-quarantined-files.txt ... 2007-10-07 11:32
    C:\ComboFix2.txt ... 2007-10-07 08:04
    .
    --- E O F ---

    And the newer HJT log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:35:59 AM, on 10/7/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\USB Disk Win98 Driver\Res.EXE
    C:\WINNT\vsnpstd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\Program Files\NetZero\exec.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\NetZero\qsacc\x1exec.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Avant Browser\avant.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/portal/
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINNT\system32\TwcToolbarBho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINNT\system32\TwcToolbarIe7.dll
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINNT\vsnpstd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
    O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-8.0.8.30/chess2/chess2-en_US.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-8.0.3.20/domino/domino-en_US.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-8.0.3.20/greenback/greenback-en_US.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-8.0.8.30/harvest/harvest-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-8.0.3.36/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-8.0.9.33/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-8.0.6.49/mahjong2/mahjong2-en_US.cab
    O16 - DPF: Makeover Madness by pogo - http://game1.pogo.com/applet-8.0.4.41/shoes/shoes-en_US.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-8.0.9.41/flinger/flinger-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.8.30/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-8.0.3.20/hotstreak/hotstreak-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/v/8.1.0.23/applet/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.6.49/squelchies/squelchies-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-8.0.3.36/peaks/peaks-en_US.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171590453703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156426823156
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webapps.eku.edu/stunav/webinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: service - Unknown owner - C:\WINNT\service.exe (file missing)
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12211 bytes
     
  13. 2007/10/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the bolded command below.

    sc delete DLLHOST32

    Click Start>Run and paste the command in, then hit Enter.

    Now do the same with the next command.

    sc delete service

    Please run a new HijackThis scan and post the log.
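To show why those two O23 entries stood out, here is an added triage script (mine, not part of noahdfear's post and not a HijackThis feature) that reads the O23 service lines of an HJT log and flags the ones a human should look at: a service whose binary is marked "(file missing)", and a service that launches a file carrying the name of a core Windows binary (dllhost.exe, svchost.exe, lsass.exe, ...) from anywhere other than System32. Both DLLHOST32 and "service" in the log above trip those checks; the key name printed is the one in parentheses, which is the name `sc` works with. The set of System32-only binary names and the C:\WINNT / C:\WINDOWS folder layout are my assumptions; the sample lines are copied from the log posted above.

```python
"""Flag suspicious O23 (service) entries in a HijackThis log."""
import re
from dataclasses import dataclass, field

# One O23 line as HijackThis prints it:
#   O23 - Service: <display name> [(<key name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# HJT appends the registry key name in parentheses when it differs from the display name.
KEY_RE = re.compile(r"^(?P<display>.+) \((?P<key>[^()]+)\)$")

# Assumption: Windows is installed in C:\WINNT (as on this machine) or C:\WINDOWS.
SYSTEM32_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
# Assumption: a file with one of these names is only legitimate when launched from System32.
SYSTEM32_ONLY = {"dllhost.exe", "svchost.exe", "lsass.exe",
                 "services.exe", "winlogon.exe", "smss.exe"}


@dataclass
class ServiceEntry:
    key: str            # name used by `sc query` / `sc delete`
    display: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = key = m.group("display")
    km = KEY_RE.match(display)
    if km:
        display, key = km.group("display"), km.group("key")
    return ServiceEntry(key, display, m.group("owner"), m.group("path"),
                        bool(m.group("missing")))


def assess(entry):
    """Attach a reason string for each check the entry fails."""
    lowered = entry.path.lower()
    exe = lowered.rsplit("\\", 1)[-1]
    if entry.file_missing:
        entry.reasons.append("binary missing: orphaned registration, "
                             "or file already removed by a cleanup tool")
    if exe in SYSTEM32_ONLY and not lowered.startswith(SYSTEM32_DIRS):
        entry.reasons.append(f"{exe} launched from outside System32: "
                             "Windows binary name in the wrong folder")
    return entry


def triage(log_lines):
    """Return the O23 entries that failed at least one check, in log order."""
    flagged = []
    for line in log_lines:
        entry = parse_o23(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the HijackThis log above, plus one non-O23 line.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: service - Unknown owner - C:\WINNT\service.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.key}: {'; '.join(e.reasons)}")
```

The output is a worklist, not a delete list: "iPod Service" is flagged too, and that one is just a leftover from an uninstalled program. The value of the check is that DLLHOST32 fails two tests at once (missing file plus a core Windows file name registered from C:\WINNT\system instead of System32), which is what separates it from an ordinary orphaned entry.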
     
  14. 2007/10/07
    TinyTuba822

    TinyTuba822 Inactive

    Joined:
    2007/10/05
    Messages:
    102
    Likes Received:
    0
    HJT Logfile

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:33:18 PM, on 10/7/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SiteAdvisor\6172\SAService.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\USB Disk Win98 Driver\Res.EXE
    C:\WINNT\vsnpstd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    C:\Program Files\NetZero\exec.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\NetZero\qsacc\x1exec.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Avant Browser\avant.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/portal/
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINNT\system32\TwcToolbarBho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINNT\system32\TwcToolbarIe7.dll
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINNT\vsnpstd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
    O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
    O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-8.0.8.30/chess2/chess2-en_US.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-8.0.3.20/domino/domino-en_US.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-8.0.3.20/greenback/greenback-en_US.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-8.0.8.30/harvest/harvest-en_US.cab
    O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-8.0.3.36/mhpoker/mhpoker-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-8.0.9.33/lottso/lottso-en_US.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-8.0.6.49/mahjong2/mahjong2-en_US.cab
    O16 - DPF: Makeover Madness by pogo - http://game1.pogo.com/applet-8.0.4.41/shoes/shoes-en_US.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-8.0.9.41/flinger/flinger-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.8.30/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-8.0.3.20/hotstreak/hotstreak-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/v/8.1.0.23/applet/spider/spider-en_US.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.6.49/squelchies/squelchies-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-8.0.3.36/peaks/peaks-en_US.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171590453703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156426823156
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webapps.eku.edu/stunav/webinst.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by125fd.bay125.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 11991 bytes
     
  15. 2007/10/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well done! Fix the following entry with HijackThis.

    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)


    Your logs appear clean now. Let's run an online scan to see if there's anything else lurking around. Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log.
     
  16. 2007/10/07
    TinyTuba822

    TinyTuba822 Inactive

    Joined:
    2007/10/05
    Messages:
    102
    Likes Received:
    0
    Kaspersky Logfile.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, October 07, 2007 5:59:55 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 7/10/2007
    Kaspersky Anti-Virus database records: 428850
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 86675
    Number of viruses found: 10
    Number of infected objects: 61
    Number of suspicious objects: 0
    Duration of the scan process: 02:30:45

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\c.bac_a04068 Infected: Backdoor.IRC.Sliv.d skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\f.bac_a02300 Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mgsb.exe.bac_a02572/file1 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mgsb.exe.bac_a02572 Inno: infected - 1 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\mgsb.exe.bac_a02572 CryptFF.b: infected - 1 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\MGSBAR.DLL.bac_a02572 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\MGSBAR.DLL.bac_a04068 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/a Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/b Infected: Net-Worm.Win32.Randon.ar skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/c Infected: Backdoor.IRC.Sliv.d skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/cl Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/d Infected: Net-Worm.Win32.Randon.ar skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/f Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/g Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/kasber.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/norton.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/o1o2o3o4 Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/of.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/ps2m.exe Infected: not-a-virus:pSWTool.Win32.PassView.162 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/scans Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/securaq.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068/test Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068 CAB: infected - 15 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\smsbm.exe.bac_a04068 CryptFF.b: infected - 15 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\symtea.exe.bac_a02300 Infected: Backdoor.Win32.Rbot.btd skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/a Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/b Infected: Net-Worm.Win32.Randon.ar skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/c Infected: Backdoor.IRC.Sliv.d skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/cl Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/d Infected: Net-Worm.Win32.Randon.ar skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/f Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/g Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/kasber.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/norton.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/o1o2o3o4 Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/of.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/ps2m.exe Infected: not-a-virus:pSWTool.Win32.PassView.162 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/scans Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/securaq.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/test Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068 CAB: infected - 15 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068 CryptFF.b: infected - 15 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/a Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/b Infected: Net-Worm.Win32.Randon.ar skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/c Infected: Backdoor.IRC.Sliv.d skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/cl Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/d Infected: Net-Worm.Win32.Randon.ar skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/f Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/g Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/kasber.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/norton.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/o1o2o3o4 Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/of.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/ps2m.exe Infected: not-a-virus:pSWTool.Win32.PassView.162 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/scans Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/securaq.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068/test Infected: Backdoor.IRC.Zapchast skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068 CAB: infected - 15 skipped
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zwkorc.exe.bac_a04068 CryptFF.b: infected - 15 skipped
    C:\Documents and Settings\Administrator\Application Data\CiscoCAA\event.log Object is locked skipped
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_468.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_9cc.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6A91.tmp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE836.tmp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8XOFORK3\af[2].gif Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-10-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\NetZero\BootExceptions.log Object is locked skipped
    C:\Program Files\NetZero\ExecExceptions.log Object is locked skipped
    C:\Program Files\NetZero\IspDblog.txt Object is locked skipped
    C:\Program Files\NetZero\MainExceptions.log Object is locked skipped
    C:\Program Files\NetZero\qsacc\dblog.txt Object is locked skipped
    C:\Program Files\NetZero\qsacc\MainExceptions.log Object is locked skipped
    C:\Program Files\NetZero\qsacc\sdi.db Object is locked skipped
    C:\Program Files\NetZero\qsacc\sdi.lg Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0462NAV~.TMP Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0468NAV~.TMP Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\AIM\Console\AIM - bmichelle6412.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\AIM\Console\AIM - luigifan688.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\AIM\Console\AIM - silverbritt822.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\AIM\Console\AIM - ssbmfreak822.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\AIM\Console\AIM - TinyTuba822.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\ICQ\Console\ICQ - 478545754.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\MSN\Console\MSN - brittanyma06@hotmail.com.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\MSN\Console\MSN - TinyTuba822@hotmail.com.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\MSN\Query\mva5493@hotmail.com.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\YAHOO\Console\YAHOO - hyper_idiot64.log Object is locked skipped
    C:\Program Files\Trillian\users\default\logs\YAHOO\Console\YAHOO - TinyTuba822.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{CDAF4C89-795E-410A-9CA6-7F079741A227}\RP217\A0026350.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
    C:\System Volume Information\_restore{CDAF4C89-795E-410A-9CA6-7F079741A227}\RP217\A0026351.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
    C:\System Volume Information\_restore{CDAF4C89-795E-410A-9CA6-7F079741A227}\RP234\change.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\Sti_Trace.log Object is locked skipped
    C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\Internet.evt Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\system.LOG Object is locked skipped
    C:\WINNT\system32\h323log.txt Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINNT\wiadebug.log Object is locked skipped
    C:\WINNT\wiaservc.log Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Also, mom told you I scan with Symantec daily. I was until a couple of months ago. When I updated Symantec, it stopped its scheduled scans.
     
  17. 2007/10/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great. All of the remaining infections are in the C:\Documents and Settings\Administrator\.housecall6.6\Quarantine folder, and a couple in old System Restore points. Delete the contents of that quarantine folder.

    Delete all of the following tools we have used, and the files/folders they created, if they exist.

    combofix.exe
    dss.exe
    vundofix.exe
    C:\Deckard
    C:\ComboFix
    C:\QOOBOX
    C:\VundoFix Backups
    C:\WINNT\NirCmd.exe
    all combofix and vundofix logs
    Open the HijackThis backups folder and delete everything.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click Next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point', then click Next. Give the restore point a name and click Next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
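The "looks great" verdict above rests on reading the scan log by location: hits inside the HouseCall quarantine store and inside old restore points are already contained, while a hit anywhere else would still need action. The following triage script is an added example, not code from this thread or from any of the tools used in it; it parses a few of the log lines posted above plus one constructed "live" hit (made-up path and detection name) and buckets them the way the reply does.

```python
import re

# Constructed sample: four lines copied from the thread's scan log plus one
# constructed "live" hit (that path and detection name are made up).
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068/a Infected: Backdoor.IRC.Zapchast skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ymvtt.exe.bac_a04068 CAB: infected - 15 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{CDAF4C89-795E-410A-9CA6-7F079741A227}\RP217\A0026350.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\WINNT\system32\constructed_sample.exe Infected: Constructed.Sample.Detection skipped
Scan process completed.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")
LOCKED_SUFFIX = " Object is locked skipped"
# Already-contained locations: AV quarantine stores plus the backup folders
# the removal tools used in this thread create (assumed layout).
CONTAINED_MARKERS = ("\\quarantine\\", "\\qoobox\\", "\\vundofix backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"

def classify_path(path):
    """Bucket a hit by location: restore_point, quarantine or live."""
    low = path.lower()
    if RESTORE_MARKER in low:
        return "restore_point"
    if any(marker in low for marker in CONTAINED_MARKERS):
        return "quarantine"
    return "live"

def parse_line(line):
    """Return (path, status, detail) for one log line, or None."""
    line = line.strip()
    if line.endswith(LOCKED_SUFFIX):
        return line[:-len(LOCKED_SUFFIX)], "locked", None
    m = INFECTED_RE.match(line)
    if m:
        return m["path"], "infected", m["name"]
    m = CONTAINER_RE.match(line)
    if m:  # archive summary; its members were already listed one per line
        return m["path"], "container", f"{m['kind']}:{m['count']}"
    return None

def triage(log_text):
    """Group infected hits by location; count locked files separately."""
    result = {"live": [], "quarantine": [], "restore_point": [], "locked": 0}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        path, status, detail = parsed
        if status == "locked":
            result["locked"] += 1
        elif status == "infected":  # container summaries are not double-counted
            result[classify_path(path)].append((path, detail))
    return result

def needs_action(result):
    """True when any hit sits outside quarantine and old restore points."""
    return bool(result["live"])
```

`triage(SAMPLE_LOG)` puts the Zapchast hit under quarantine, the MyWebSearch DLL under restore_point and only the constructed hit under live, so `needs_action()` is True for the sample but would be False for the thread's real log. Locked files are counted, not listed, because "Object is locked" is a scanner limitation rather than a detection.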
     
  18. 2007/10/08
    TinyTuba822

    TinyTuba822 Inactive

    Joined:
    2007/10/05
    Messages:
    102
    Likes Received:
    0
    Thanks for all of your help Dave!
     
  19. 2007/10/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're very welcome. Glad I could help. :)
     
