Author Topic: please help kernel32.exe trojan  (Read 673 times)

Offline Aidan

  • Jr. Member
  • Posts: 88
  • Karma: +0/-0
please help kernel32.exe trojan
« on: November 08, 2006, 06:25:21 PM »
I need two things: to get rid of whatever traces may be left, and to re-enable the Task Manager, as well as the display wallpaper so that it does not show this message:

YOUR COMPUTER IS IN DANGER!
Windows security center has detected spyware/adware infection!
It is strongly recommended to use special antispyware tools to prevent data loss.

And, yeah, guestolo, if you answer, I think there was a post a while back with something similar to this where you could download a fix to reactivate Task Manager. I had it on my HD, but now something is wrong and I can't access the one that it is stored on. I only have the 6 GB HD currently running. (Man, I need a major hardware update... but I'm broke... so there.)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
please help kernel32.exe trojan
« Reply #1 on: November 08, 2006, 07:49:21 PM »
I need two logs from you before we continue.

Download the latest version of SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Also,
Download HijackThis from my signature below
SAVE it to your desktop

Double-click hijackthis_sfx.exe on the desktop
Click the UNZIP button>>OK the prompt
This will self-extract to C:\Program Files\HijackThis
Delete hijackthis_sfx.exe from the desktop

Go to START>>RUN
Copy>>paste the following into the open field, then hit OK
%systemdrive%\Program Files\HijackThis
This will open the HijackThis folder
RIGHT CLICK on HijackThis.exe and select SEND TO>>Desktop (create shortcut)
You can now run HijackThis.exe from the new shortcut placed on your desktop

Double-click to run HijackThis.exe
Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here... Don't try to fix anything; it is all important

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Aidan
please help kernel32.exe trojan
« Reply #2 on: November 09, 2006, 06:13:48 PM »
I seem to have misjudged the severity of the problem. SmitfraudFix is not giving me any logs, but I have a whole bunch of garbage asking for allowance to run in the safe zone. It is being blocked by ZoneAlarm, but Avast cannot deal with it because it is a program, the trojan, that is running at the time, and I cannot delete it because it is being used by something else.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HGZGBG7\krab03[1].exe\[FSG]
Win32:Trojano-3408 [Trj]
Trojan Horse
0646-2, 07/11/2006

That is the report from avast!

more to come (hopefully)

Offline Aidan
please help kernel32.exe trojan
« Reply #3 on: November 09, 2006, 06:28:22 PM »
Here are the logs:

SmitFraudFix v2.120

Scan done at 18:22:03.47, Thu 09/11/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\desktop.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dlh9jkdq?.exe FOUND !
C:\WINNT\system32\kernels8.exe FOUND !
C:\WINNT\system32\taskdir.exe FOUND !
C:\WINNT\system32\vxgame?.exe FOUND !
C:\WINNT\system32\vxgamet?.exe FOUND !
C:\WINNT\system32\zlbw.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINNT\system32\ptgotbl.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINNT\system32\ptgotbl.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End





Logfile of HijackThis v1.99.1
Scan saved at 6:28:52 PM, on 09/11/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\adirss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\DOCUME~1\GABRIE~1.CAS\LOCALS~1\Temp\25078\gm.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\vxgame4.exe
C:\WINNT\system32\vxgame4.exe
C:\WINNT\System32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\$NtUninstallKB0227780$\kavss.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINNT\92_2050_bmserver.exe
O4 - HKLM\..\Run: [adir] C:\WINNT\system32\adirss.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\GABRIE~1.CAS\LOCALS~1\Temp\25078\gm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINNT\system32\wservice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2104c47033df5d...ip/RdxIE601.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINNT\system32\ptgotbl.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Offline guestolo
please help kernel32.exe trojan
« Reply #4 on: November 09, 2006, 08:38:07 PM »
Can you do the following?

Download ATF-Cleaner by Atribune.
Save it to your desktop; we'll need it later.

Download>>Install AVG Anti-Spyware 7.5 from Ewido Networks
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close AVG Anti-Spyware as we will need it later
Print the rest of these instructions or save them to a text file on the desktop

Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINNT\92_2050_bmserver.exe
O4 - HKLM\..\Run: [adir] C:\WINNT\system32\adirss.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\GABRIE~1.CAS\LOCALS~1\Temp\25078\gm.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINNT\system32\wservice.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2104c47033df5d...ip/RdxIE601.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINNT\system32\ptgotbl.dll


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account

In safe mode, do the following

Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 ====================================================
Open the SmitfraudFix folder you extracted to desktop earlier
  • Double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear on screen with results from the cleaning process.
I'll need to see these later; by default they are also saved at C:\rapport.txt
If a reboot was required, allow Windows to load normally, then later reboot back into Safe Mode
If a reboot is not required, remain in Safe Mode

AVG-Antispyware Scan
  • Load AVG and select the "Scanner" tab
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
  • Click back to the "Scan" tab and then click on Complete System Scan.
  • Let this scan complete
  • AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
Allow the computer to Reboot to Normal windows
Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")

Can I see all of the following please, even if it takes more than one reply to post everything?

1. Post a fresh hijackthis log
2. Post the whole report from Avg Antispyware
3. Post the log from Smitfraudfix>>C:\Rapport.txt


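The entries guestolo picks out of the HijackThis log above follow a few repeatable patterns: autostarts that run from a Temp directory, a Winlogon Notify DLL sitting outside system32, a ShellServiceObjectDelayLoad object, a process running from a hotfix-uninstall directory, and filenames that SmitfraudFix's search already listed. The script below is an added example (editor's code, not from the thread, HijackThis or SmitfraudFix) that applies those heuristics to a HijackThis-style log. The rules and the WINROOT_OK list are the editor's assumptions; the known-bad filename pattern is copied from the SmitfraudFix search report in this thread, and SAMPLE_LOG is a constructed fixture made of lines copied from the first HijackThis log so the script runs offline.

```python
"""Triage a HijackThis-style log for entries that deserve a closer look.

Added example for this thread; not code from the forum, HijackThis or
SmitfraudFix. The heuristics are the editor's own assumptions. The
known-bad filename list is copied from the SmitfraudFix search report
posted above, and SAMPLE_LOG is a subset of the HijackThis log posted
above (a constructed fixture, so the script runs offline).
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\vxgame4.exe
C:\WINNT\system32\vxgame4.exe
C:\DOCUME~1\GABRIE~1.CAS\LOCALS~1\Temp\25078\gm.exe
C:\WINNT\$NtUninstallKB0227780$\kavss.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINNT\92_2050_bmserver.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\GABRIE~1.CAS\LOCALS~1\Temp\25078\gm.exe
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINNT\system32\ptgotbl.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First drive-letter path ending in an executable/library extension; works
# through quotes, 8.3 short names and trailing arguments such as ' /logon'.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cmd|bat|lnk))', re.I)
TEMP_RE = re.compile(r"\\(temp|temporary internet files)\\", re.I)
HOTFIX_DIR_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.I)
WINROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", re.I)
# Names SmitfraudFix reported as FOUND in the thread; its '?' means one character.
KNOWN_BAD_RE = re.compile(
    r"^(kernels8\.exe|taskdir\.exe|zlbw\.dll|dlh9jkdq.\.exe|vxgamet?.\.exe)$", re.I)
SYSTEM32 = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
WINROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}  # assumed benign in %SystemRoot%


def parse_hjt(text):
    """Return (kind, line, path) tuples; kind is 'PROC' for the process list."""
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            pm = PATH_RE.search(m.group(2))
            entries.append((m.group(1), line, pm.group(1) if pm else None))
        elif in_procs:
            entries.append(("PROC", line, line))
    return entries


def triage(entries):
    """Return findings as (severity, kind, target, reason) tuples."""
    findings, dup_seen = [], set()
    proc_counts = Counter(e[2].lower() for e in entries if e[0] == "PROC")
    for kind, line, path in entries:
        low = (path or "").lower()
        name = low.rsplit("\\", 1)[-1]

        def flag(sev, why):
            findings.append((sev, kind, path or line, why))

        if "(file missing)" in line.lower():
            flag("low", "orphaned entry: target no longer on disk")
        if kind == "O4" and path is None:
            flag("low", "bare filename resolved via PATH; check which binary wins")
        if KNOWN_BAD_RE.match(name):
            flag("high", "filename matches the SmitfraudFix search report")
        if TEMP_RE.search(low):
            flag("high", "runs from a temporary directory")
        if HOTFIX_DIR_RE.search(low):
            flag("high", "runs from a hotfix uninstall directory ($NtUninstall...$)")
        if WINROOT_RE.match(low) and name not in WINROOT_OK:
            flag("medium", "executable placed directly in the Windows directory")
        if kind == "O20":   # Notify DLLs are loaded into winlogon.exe, which runs as SYSTEM
            flag("high" if not low.startswith(SYSTEM32) else "medium",
                 "Winlogon Notify DLL is loaded by winlogon.exe at logon")
        if kind == "O21":   # ShellServiceObjectDelayLoad: loaded by explorer.exe
            flag("medium", "SSODL object is loaded by explorer.exe at every logon")
        if kind == "PROC" and proc_counts[low] > 1 and low not in dup_seen:
            dup_seen.add(low)
            flag("medium", "more than one instance of the same binary is running")
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _, _ in findings))


if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "low": 2}
    for sev, kind, target, why in sorted(triage(parse_hjt(SAMPLE_LOG)),
                                         key=lambda f: rank[f[0]]):
        print(f"{sev:<6} {kind:<4} {target}\n            {why}")
```

Run as-is it prints the flagged lines from the fixture, highest severity first. Note what the path heuristics alone cannot see: kernels8.exe sits in system32 under a plausible value name and is caught only because SmitfraudFix's search report named it, which is why guestolo asked for both tools before fixing anything. Treat the output as a reading aid for the log; the actual removal still goes through the steps in the reply above (Fix checked, Safe Mode, SmitfraudFix option 2, AVG scan), and the second HijackThis log is the check that the entries are really gone.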

Offline Aidan
please help kernel32.exe trojan
« Reply #5 on: November 09, 2006, 10:56:57 PM »
Alright man, I apologize for that unnecessary post and waste of forum space.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:30 PM, on 09/11/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ezSP_Px.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\ZoneLabs\isafe.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   10:45:16 PM 09/11/2006

 + Scan result:   



C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : No action taken.
C:\Temp\ja.exe -> Downloader.Agent.awf : No action taken.
C:\Documents and Settings\gabriel.CASPER\Local Settings\Temp\vxt3.game -> Downloader.Small.cpt : No action taken.
C:\Documents and Settings\gabriel.CASPER\Local Settings\Temp\maindll.dll -> Proxy.Small : No action taken.
C:\Documents and Settings\gabriel.CASPER\Local Settings\Temp\win2CD7.tmp -> Proxy.Xorpix.at : No action taken.
C:\Documents and Settings\gabriel.CASPER\Local Settings\Temp\winAD17.tmp -> Proxy.Xorpix.at : No action taken.
[208] C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll -> Proxy.Xorpix.at : No action taken.
C:\Documents and Settings\gabriel.CASPER\Local Settings\Temp\vx1.game -> Proxy.Xorpix.au : No action taken.
:mozilla.271:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.273:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.274:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\parents\Application Data\Mozilla\Firefox\Profiles\5x0ewaxy.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.233:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.234:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.235:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.236:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.237:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.238:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.21:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.22:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.23:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.24:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.25:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.26:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.27:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.180:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.181:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.182:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.268:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.17:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.98:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.124:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.13:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.14:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.15:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.16:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.18:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.19:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.20:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.38:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.191:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Estat : No action taken.
:mozilla.10:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.11:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.6:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.8:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.9:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.190:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.137:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.249:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.250:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.179:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.264:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.265:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.266:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.267:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.100:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.101:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.102:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.99:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.214:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.215:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.216:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.217:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.218:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.219:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.220:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.221:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.222:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.223:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.224:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.225:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.103:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.104:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.79:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.166:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.167:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.168:C:\Documents and Settings\gabriel.CASPER\Application Data\Mozilla\Firefox\Profiles3sblmxq.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\gabriel.CASPER\Local Settings\Temp\vxt2.game -> Worm.Glowa.g : No action taken.


::Report end



SmitFraudFix v2.120

Scan done at 21:22:21.59, Thu 09/11/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\desktop.html Deleted
C:\WINNT\system32\dlh9jkdq?.exe Deleted
C:\WINNT\system32\kernels8.exe Deleted
C:\WINNT\system32\taskdir.exe Deleted
C:\WINNT\system32\vxgame?.exe Deleted
C:\WINNT\system32\vxgamet?.exe Deleted
C:\WINNT\system32\zlbw.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"



»»»»»»»»»»»»»»»»»»»»»»»» End



Yeah I apologize, the task Manager is up and running again. That really was an unnecessary post...><

Offline guestolo

please help kernel32.exe trojan
« Reply #6 on: November 09, 2006, 11:15:12 PM »
Why didn't you follow my instructions with AVG antispyware??

Notice the following in bold

C:\Temp\ja.exe -> Downloader.Agent.awf : No action taken.



Your "No action taken" means you're not following the instructions I posted when running AVG Anti-Spyware,
and everything found by AVG is still on your system.

Notice what I said here

# Select the "Scanner" tab
# Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected


I recommend you follow my instructions and run it again
But first delete the report from AVG you saved earlier

Then
    * Load AVG and select the "Scanner" tab
    * Click the "Settings" tab and then change the "recommended action" to Quarantine and ensure that Automatically generate report after every scan is selected
    * Click back to the "Scan" tab and then click on Complete System Scan.
    * Let this scan complete
    * AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
    * Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).


Reboot the computer
Post the fresh log from AVG Anti-Spyware

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Aidan

please help kernel32.exe trojan
« Reply #7 on: November 10, 2006, 05:21:35 PM »
Alright, that's odd. I followed your instructions to the letter. Maybe the scan I selected to be saved was the wrong one, 'cause there were two; let me explain. I went to scan and I started it, but then I realized I had forgotten your steps for the settings, so I stopped it, and then I set them right. Then I redid the scan. I saved the log and posted it, and I assure you I did those things that you tell me I didn't do. Thing is, in safe mode the screen was too small, and I could not see the entire program and all the options, so something may have gone amiss due to that. Well, I am going to do it again anyway, but I just wanted to tell you.
Oh, and also, though my admin profile is fine, on my brother's profile the display properties won't allow him to change his desktop background. Is there anything we could do about that?
Thanks again.

Offline guestolo

please help kernel32.exe trojan
« Reply #8 on: November 10, 2006, 06:05:58 PM »
Can you do the following
Run AVG again with the instructions I posted
Save the NEW log
Reboot the computer
Post the new log

Also, download this file - Combofix.exe - and save it to the desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from combofix



Offline Aidan

please help kernel32.exe trojan
« Reply #9 on: November 10, 2006, 11:25:36 PM »
I get it. I know what I did wrong. I pressed "Save Report" before pressing "Apply all actions", and it saved a report of the items before any action was taken, and thus it appeared that they had not been dealt with when in fact they had. This other report is a record of the scan that I took while I was on another profile. I hope that won't matter too much...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   8:08:25 PM 10/11/2006

 + Scan result:   



C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\gabriel.CASPER\Cookies\gabriel@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\gabriel.CASPER\Cookies\gabriel@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\gabriel.CASPER\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\gabriel.CASPER\Cookies\gabriel@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

See, there wasn't much left except minor things like these tracking cookies.



Administrator - Fri 2006-11-10 23:10:27.43    Service Pack 3
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Administrator"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\winupdates

 
(((((((((((((((((((((((((((((((   Files Created from 2006-10-10 to 2006-11-10  ))))))))))))))))))))))))))))))))))
 
 
2006-11-09   21:04   29,696   --a------   C:\WINNT\system32\481352ld.exe
2006-11-09   21:04   29,696   --a------   C:\WINNT\system32\481352ld.exe
2006-11-09   20:57   3,968   --a------   C:\WINNT\system32\drivers\AvgAsCln.sys
2006-11-09   20:57   3,968   --a------   C:\WINNT\system32\drivers\AvgAsCln.sys
2006-11-09   20:44   29,696   --a------   C:\WINNT\system32\4419302ld.exe
2006-11-09   20:44   29,696   --a------   C:\WINNT\system32\4419302ld.exe
2006-11-09   20:23   29,696   --a------   C:\WINNT\system32\23573682ld.exe
2006-11-09   20:23   29,696   --a------   C:\WINNT\system32\23573682ld.exe
2006-11-09   20:03   29,696   --a------   C:\WINNT\system32\3528662ld.exe
2006-11-09   20:03   29,696   --a------   C:\WINNT\system32\3528662ld.exe
2006-11-09   19:43   29,696   --a------   C:\WINNT\system32\43484042ld.exe
2006-11-09   19:43   29,696   --a------   C:\WINNT\system32\43484042ld.exe
2006-11-09   19:23   29,696   --a------   C:\WINNT\system32\23442332ld.exe
2006-11-09   19:23   29,696   --a------   C:\WINNT\system32\23442332ld.exe
2006-11-09   19:03   29,696   --a------   C:\WINNT\system32\3397112ld.exe
2006-11-09   19:03   29,696   --a------   C:\WINNT\system32\3397112ld.exe
2006-11-09   18:43   29,696   --a------   C:\WINNT\system32\43341772ld.exe
2006-11-09   18:43   29,696   --a------   C:\WINNT\system32\43341772ld.exe
2006-11-09   18:23   29,696   --a------   C:\WINNT\system32\2321232ld.exe
2006-11-09   18:23   29,696   --a------   C:\WINNT\system32\2321232ld.exe
2006-11-09   18:03   29,696   --a------   C:\WINNT\system32\3154392ld.exe
2006-11-09   18:03   29,696   --a------   C:\WINNT\system32\3154392ld.exe
2006-11-09   18:00   2,552   --a------   C:\WINNT\system32\tmp.reg
2006-11-09   18:00   2,552   --a------   C:\WINNT\system32\tmp.reg
2006-11-08   12:57   46,592   --a------   C:\WINNT\92_2050_bmserver.exe
2006-11-08   12:57   46,592   --a------   C:\WINNT\92_2050_bmserver.exe
2006-11-08   12:57   25,088   --a------   C:\WINNT\system32\rpcc.dll
2006-11-08   12:57   25,088   --a------   C:\WINNT\system32\rpcc.dll
2006-11-08   12:57   161,280   --a------   C:\WINNT\system32\ptgotbl.dll
2006-11-08   12:57   161,280   --a------   C:\WINNT\system32\ptgotbl.dll
2006-10-31   20:32   611,064   --a------   C:\WINNT\system32\drivers\sptd.sys
2006-10-31   20:32   611,064   --a------   C:\WINNT\system32\drivers\sptd.sys
2006-10-29   10:28   2,560   --a------   C:\WINNT\_MSRSTRT.EXE
2006-10-29   10:28   2,560   --a------   C:\WINNT\_MSRSTRT.EXE
2006-10-23   17:04   8,464   --a------   C:\WINNT\system32\kbdkor.dll
2006-10-23   17:04   8,464   --a------   C:\WINNT\system32\kbdkor.dll
2006-10-23   17:04   6,928   --a------   C:\WINNT\system32\kbd101c.dll
2006-10-23   17:04   6,928   --a------   C:\WINNT\system32\kbd101c.dll
2006-10-23   17:04   6,416   --a------   C:\WINNT\system32\kbd103.dll
2006-10-23   17:04   6,416   --a------   C:\WINNT\system32\kbd103.dll
2006-10-23   17:04   6,416   --a------   C:\WINNT\system32\kbd101b.dll
2006-10-23   17:04   6,416   --a------   C:\WINNT\system32\kbd101b.dll


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))   


2006-11-09 22:53    --------   d--------   C:\Program Files\HijackThis
2006-11-09 22:46    --------   d--------   C:\Program Files\DAEMON Tools
2006-11-09 20:57    --------   d--------   C:\Program Files\Grisoft
2006-11-09 18:35    --------   d-a------   C:\Program Files\Mozilla Firefox
2006-11-09 17:49    --------   d---s----   C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-07 22:14    --------   d-a------   C:\Program Files\microsoft frontpage
2006-11-07 22:14    --------   d-a------   C:\Program Files\Common Files\Microsoft Shared
2006-11-06 17:31    --------   d-a------   C:\Program Files\LimeWire
2006-10-31 20:42    --------   d--------   C:\Program Files\DaemonTools_WhenUSave_Installer
2006-10-29 10:28    2560   --a------   C:\WINNT\_MSRSTRT.EXE
2006-10-28 23:55    --------   d--------   C:\Documents and Settings\Administrator\Application Data\Google
2006-10-21 10:39    --------   d-a------   C:\Program Files\WinZip
2006-10-21 10:39    --------   d--------   C:\Documents and Settings\Administrator\Application Data\Help
2006-10-21 10:19    --------   d--h-----   C:\Documents and Settings\Administrator\Application Data\yahoo!
2006-10-03 17:00    --------   d--------   C:\Documents and Settings\Administrator\Application Data\IMVU
2006-09-25 10:45    666240   --a------   C:\WINNT\system32\aswBoot.exe
2006-09-25 10:40    87424   --a------   C:\WINNT\system32\drivers\aswmon2.sys
2006-09-25 10:40    85952   --a------   C:\WINNT\system32\drivers\aswmon.sys
2006-09-25 10:39    36176   --a------   C:\WINNT\system32\drivers\aswTdi.sys
2006-09-25 10:39    16352   --a------   C:\WINNT\system32\drivers\aswRdr.sys
2006-09-25 10:37    90112   --a------   C:\WINNT\system32\AVASTSS.scr
2006-09-25 10:37    24560   --a------   C:\WINNT\system32\drivers\aavmker4.sys
2006-09-18 17:19    --------   d-a------   C:\Program Files\MSN Messenger
2006-09-16 22:44    --------   d-a------   C:\Program Files\NetMeeting
2006-09-16 22:20    --------   d-ah-----   C:\Program Files\Uninstall Information
2006-09-16 22:20    --------   d-a------   C:\Program Files\Outlook Express
2006-09-16 22:20    --------   d-a------   C:\Program Files\Internet Explorer
2006-09-16 22:20    --------   d-a------   C:\Program Files\Common Files\System
2006-09-16 22:20    --------   d-a------   C:\Program Files\Common Files
2006-09-14 14:42    --------   d--------   C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-08-29 19:20    162   --a------   C:\Documents and Settings\Administrator\Application Data\dm.ini
2006-08-23 22:38    75776   --a------   C:\WINNT\zllsputility.exe
2006-08-20 18:41    0   ---h-----   C:\CONFIG.SYS
2006-08-20 18:41    0   ---h-----   C:\AUTOEXEC.BAT
2006-08-20 18:39    271   ---h-----   C:\Program Files\desktop.ini
2006-08-20 18:39    21952   ---h-----   C:\Program Files\folder.htt
2006-08-13 19:46    218112   --a------   C:\hijackthis.exe
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"ezShieldProtector for Px"="C:\\WINNT\\System32\\ezSP_Px.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: Fri 2006-11-10 23:20:40.10
C:\ComboFix.txt ... 06-11-10 23:20
C:\ComboFix2.txt ... 06-11-10 21:23



There you are. I hope this is it and we are concluded, but you didn't tell me what to do about the problem with the other profile's display properties: the desktop wallpaper cannot be changed. This is an issue that he would like to solve.

Thanks again for your time.
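The ComboFix log above contains two things a helper looks for by eye: a run of same-size executables dropped into system32 under random names every twenty minutes or so (the `*ld.exe` entries), and load points that are not part of a stock Windows 2000 install (the `Winlogon\Notify\rpcc` and `winsys2freg` subkeys, and the third SharedTaskScheduler CLSID). The script below is an added example of doing that triage programmatically; it is not ComboFix's own code. Its two sample inputs are constructed excerpts in the same format as the log above, and the baseline sets of known-good Notify packages and SharedTaskScheduler CLSIDs, as well as the count and interval thresholds, are assumptions chosen for illustration.

```python
"""Triage helpers for a ComboFix-style log: an added example for this thread,
not ComboFix's own code. The two samples below are constructed from entries
visible in the log above; the baseline sets and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the "Files Created" format of the log above.
SAMPLE_FILES_CREATED = r"""
2006-11-09   21:04   29,696   --a------   C:\WINNT\system32\481352ld.exe
2006-11-09   20:57   3,968   --a------   C:\WINNT\system32\drivers\AvgAsCln.sys
2006-11-09   20:44   29,696   --a------   C:\WINNT\system32\4419302ld.exe
2006-11-09   20:23   29,696   --a------   C:\WINNT\system32\23573682ld.exe
2006-11-09   20:03   29,696   --a------   C:\WINNT\system32\3528662ld.exe
2006-11-08   12:57   46,592   --a------   C:\WINNT\92_2050_bmserver.exe
2006-11-08   12:57   25,088   --a------   C:\WINNT\system32\rpcc.dll
2006-10-23   17:04   8,464   --a------   C:\WINNT\system32\kbdkor.dll
"""

# Constructed excerpt in the "Reg Loading Points" format of the log above.
SAMPLE_REG_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
"""

FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(.+?)\s*$")


def parse_files_created(text):
    """Return (timestamp, size_in_bytes, path) tuples for lines in the
    'Files Created' format; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M")
            entries.append((ts, int(m.group(3).replace(",", "")), m.group(4)))
    return entries


def find_repeated_droppers(entries, min_count=3, max_gap_minutes=30):
    """Group .exe files by (directory, size) and flag groups created at short,
    regular intervals under different names. The 29,696-byte *ld.exe files
    that appear in system32 about every 20 minutes above match this pattern."""
    groups = defaultdict(list)
    for ts, size, path in entries:
        if path.lower().endswith(".exe"):
            groups[(path.rsplit("\\", 1)[0].lower(), size)].append(ts)
    flagged = []
    for (directory, size), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if max(gaps) <= max_gap_minutes:
            flagged.append({"dir": directory, "size": size, "count": len(stamps)})
    return flagged


# Assumed baselines: Winlogon\Notify packages and SharedTaskScheduler CLSIDs
# that ship with Windows 2000/XP. Anything outside these lists deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
KNOWN_STS = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}",
             "{8C7461EF-2B13-11D2-BE35-3078302C2030}"}
GUID_VALUE = re.compile(r'^"(\{[0-9A-Fa-f-]+\})"="(.*)"$')


def find_suspicious_load_points(text):
    """Flag Winlogon\\Notify subkeys and SharedTaskScheduler entries that are
    not on the baselines; GUID lines in other registry sections are ignored."""
    findings, section = [], ""
    for line in text.splitlines():
        low = line.lower()
        if line.startswith("["):
            section = low
        elif "\\winlogon\\notify\\" in low:
            name = line.rsplit("\\", 1)[1]
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(("winlogon_notify", name))
        elif "sharedtaskscheduler" in section:
            m = GUID_VALUE.match(line)
            if m and m.group(1).upper() not in KNOWN_STS:
                findings.append(("sharedtaskscheduler", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for hit in find_repeated_droppers(parse_files_created(SAMPLE_FILES_CREATED)):
        print("repeated dropper:", hit)
    for hit in find_suspicious_load_points(SAMPLE_REG_POINTS):
        print("load point:", hit)
```

Run against the constructed samples it reports one dropper group (four 29,696-byte executables in system32) and three load points (`rpcc`, `winsys2freg`, and the "DCOM Server 2236" CLSID), which are exactly the items the helper goes on to ask about. The output is a list of things to verify, for instance by submitting the files to an online scanner as the next reply suggests, not a verdict.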

Offline guestolo

please help kernel32.exe trojan
« Reply #10 on: November 11, 2006, 03:12:08 PM »
Sorry for the delay, we're not done here yet, we have some leftovers to deal with that are causing problems

Can you do the following
Let's check on a couple files, then we'll try and kill the rest
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your hard drive

C:\WINNT\system32\481352ld.exe<-this file,
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please

Do the same for the next one too
C:\WINNT\92_2050_bmserver.exe

Also, can you do the following
Please supply a Host file list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open HOSTS FILE MANAGER
Click the OPEN IN NOTEPAD... button
A text file will open in Notepad, copy>>Paste the whole contents back here please
« Last Edit: November 11, 2006, 03:16:51 PM by guestolo »

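The HOSTS file listing requested above is checked for two things: names mapped to an address other than the machine itself (traffic for that name is silently sent elsewhere), and names pinned to the loopback or unspecified address (that name is blocked; harmless in an ad-block list, a problem when the blocked names are security vendors or update services, which is why helpers ask for the whole file rather than a summary). The script below is an added example of that check, not HijackThis's own code. The sample HOSTS content is constructed; the `.example` domains and the `192.0.2.10` address are documentation placeholders, not entries from this thread.

```python
"""HOSTS file checker: an added example for this thread, not HijackThis's
own code. The sample content is constructed; .example names and the
192.0.2.10 address are documentation placeholders."""
import ipaddress

# Constructed sample in the Windows HOSTS format (comments start with '#').
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.antivirus-vendor.example   # constructed: blocks an update site
192.0.2.10      www.onlinebank.example            # constructed: redirects a site
0.0.0.0         ads.tracker.example               # constructed: ad-block style entry
"""

# Names that legitimately point at the machine itself.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments, blank lines and lines
    whose first field is not an IP address are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            pairs.append((addr, name.lower()))
    return pairs


def check_hosts(text):
    """Classify each mapping as:
    - 'redirect': a non-loopback address, so lookups for that name are sent
      somewhere other than the real host (the dangerous case);
    - 'blocked': loopback or unspecified address for a name other than
      localhost, i.e. the name is unreachable from this machine.
    Returns (kind, hostname, address) tuples for everything except the
    expected localhost-style entries."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append(("blocked", name, str(addr)))
        else:
            findings.append(("redirect", name, str(addr)))
    return findings


if __name__ == "__main__":
    for kind, name, addr in check_hosts(SAMPLE_HOSTS):
        print(f"{kind:8s} {name} -> {addr}")
```

On a clean Windows 2000 machine the only line that survives the comment filter is `127.0.0.1 localhost`, so `check_hosts` returns an empty list; anything it does return is worth comparing against the list of sites the user can no longer reach.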