Subject: Very smart infection?

Original Message
Name: Shlavina
Date: October 2, 2007 at 17:32:27 Pacific
Subject: Very smart infection?
OS: MS Windows XP Home
CPU/Ram: P4 2.80 GHz/ 512 MB Ram
Model/Manufacturer: Computer World
Comment:
Hi there. I guess I should start by mentioning that I am brand new here and not exactly a hotshot when it comes to IT issues.
About three weeks ago my computer started to be very slow when browsing the net. My Norton AV kept showing a window stating that it was waiting for a scan of some file. I ran scans with Norton AV, Spybot S&D, Ad-Aware and a-squared. There were plenty of cookies removed but the problem remained. A system restore to an earlier point didn't make a difference either. Suspecting that something may be embedded in the Norton AV I uninstalled Norton and then put it on again. The computer is now running at normal speed but when I try to scan the computer with Norton AV I get an error message half way through the scan saying it was unable to complete it. If I scan with a-squared the computer gets to the half way again and then shuts itself down before rebooting. Spybot and Ad-Aware keep finding cookies but seem to be unable to fix the problem. I had a look at a log of HijackThis but am not clever enough to tell the goodies from the bad stuff.
Any help would be greatly appreciated. Many thanks in advance.


Response Number 1
Name: jabuck
Date: October 2, 2007 at 17:41:57 Pacific
Subject: Very smart infection?

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1 as running the other options on an uninfected computer will damage the desktop.!!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: Shlavina
Date: October 2, 2007 at 18:08:38 Pacific
Subject: Very smart infection?
Hi and thank you for the quick reply.
I downloaded the SmitFraudFix. When I click on the cmd I am being told that the Fichier Process.exe is absent and a Process.exe file is missing. It is asking me to unzip the archive in a folder. Is that safe to do as I have no clue about zip files?
Here is the log of Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:26 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsfD1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer = 203.8.183.1,192.189.54.17
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7990 bytes



Response Number 3
Name: jabuck
Date: October 2, 2007 at 18:15:15 Pacific
Subject: Very smart infection?
Turn off any of these that you have (they are blocking the tool) then run SmitFraudFix option #1 again please. Leave them off until we get you clean please.

Temporarily disable any of the following anti-spyware realtime protection programs that you may have. Disable realtime protection or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.


Turn off Norton's ScriptBlocking:

To disable Norton AntiVirus Script Blocking:


Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.



Response Number 4
Name: Shlavina
Date: October 2, 2007 at 18:31:40 Pacific
Subject: Very smart infection?
I disabled the script blocking. I hope the spybot S&D, adaware and a-squared won't interfere?
I tried the SmitFraudFix again and get the same message - do I have to unzip the file first?


Response Number 5
Name: jabuck
Date: October 2, 2007 at 18:52:06 Pacific
Subject: Very smart infection?
Yes, unzip it to the desktop.


Response Number 6
Name: Shlavina
Date: October 2, 2007 at 19:02:47 Pacific
Subject: Very smart infection?
Okay, it's done now. Sorry about my poor IT knowledge. Here comes the log:

SmitFraudFix v2.235

Scan done at 12:00:01.92, Wed 03/10/2007
Run from C:\Documents and Settings\Frank\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Frank


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Frank\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Frank\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: D-Link DSL-302G Modem - Packet Scheduler Miniport
DNS Server Search Order: 203.8.183.1
DNS Server Search Order: 192.189.54.17

HKLM\SYSTEM\CCS\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: DhcpNameServer=10.1.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer=203.8.183.1,192.189.54.17
HKLM\SYSTEM\CS1\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: DhcpNameServer=10.1.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer=203.8.183.1,192.189.54.17
HKLM\SYSTEM\CS3\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: DhcpNameServer=10.1.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer=203.8.183.1,192.189.54.17
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.2
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.2


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Response Number 7
Name: jabuck
Date: October 2, 2007 at 19:06:08 Pacific
Subject: Very smart infection?
Ruled out one baddie. Make sure scriptblocking is off when you run this tool.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.



Response Number 8
Name: Shlavina
Date: October 2, 2007 at 19:19:45 Pacific
Subject: Very smart infection?
Done as well - appreciate the time you are putting in for this....

The log:
ComboFix 07-10-03.5 - Frank 2007-10-03 12:14:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT 10:00]
Running from: C:\Documents and Settings\Frank\Desktop\ComboFix.exe
.
/wow section - STAGE 29

((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-03 12:12 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 12:00 3,332 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-03 11:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-03 11:59 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-03 11:59 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-03 11:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-03 11:59 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-02 07:34 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-02 07:34 82,136 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-02 07:34 2,397 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-02 07:34 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-02 07:33 <DIR> d-------- C:\Program Files\Symantec
2007-09-21 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-21 12:04 <DIR> d-------- C:\Program Files\HoverDesk
2007-09-21 11:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-21 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 15:17 55,560 --a------ C:\WINDOWS\system32\adssite-remove.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 1ocuments and Settings\Frank\Application Data\Skype
2007-10-03 1rogram Files\Common Files\Symantec Shared
2007-10-02 0rogram Files\a-squared Free
2007-10-02 0ocuments and Settings\All Users\Application Data\Symantec
2007-09-21 1ocuments and Settings\Frank\Application Data\LimeWire
2007-09-20 1rogram Files\InstallShield Installation Information
2007-09-20 1rogram Files\LimeWire
2007-08-30 1rogram Files\Prevx2
2007-08-30 1ocuments and Settings\All Users\Application Data\Prevx
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2001-11-23 14:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E45419-7205-4fac-BBFE-174BC7337A79}]
C:\WINDOWS\system32\nsfD1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 17:19]
"nwiz"="nwiz.exe" [2003-05-02 17:19 C:\WINDOWS\system32\nwiz.exe]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 09:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-02-07 01:03]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2003-06-17 14:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-09-06 10:20]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-09-07 02:36]
"hid_start"="C:\WINDOWS\system32\gzmrotate.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-22 14:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-06-11 04:34:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-06-11 04:34:20]

R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;C:\WINDOWS\system32\drivers\wf88vcap.sys
R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;C:\WINDOWS\system32\drivers\WF88XBAR.sys
R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;C:\WINDOWS\system32\drivers\WF88TUNE.sys
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
R3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 WFIOCTL;WFIOCTL;\??\C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 22:07:11 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-02 22:24:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 12:16:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 12:16:49
.
--- E O F ---



Response Number 9
Name: jabuck
Date: October 2, 2007 at 19:49:21 Pacific
Subject: Very smart infection?
Go to start> run> add/remove programs and uninstall these programs if found:

LimeWire

Please download "Avenger" by swandog46 to your desktop from this link: Avenger
1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to delete:
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\nsfD1.dll
C:\WINDOWS\system32\gzmrotate.dll

Folders to delete:
C:\Documents and Settings\Frank\Application Data\LimeWire
C:\Program Files\LimeWire

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Run Hijack this, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...

O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsfD1.dll (file missing)

O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

Exit Hijack This

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Restart into normal mode.

Post a new Hijack This log.

Turn any real time protection that you disabled back on.

Turn scriptblocking back on.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools. Just do a Google search for SpywareBlaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.


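A parser for the HijackThis log format that the helper reads in this thread, written as an added example (not code from HijackThis, SmitFraudFix, ComboFix or the thread's participants): it turns the O2/O4/O17/O23 lines into records, flags the two kinds of entry jabuck picked out for fixing (a BHO whose DLL is already gone, and a Run value that loads a DLL through rundll32), lists the resolvers pinned by O17 so they can be compared with the expected ones, and recovers the file paths that went into the Avenger "Files to delete" list. The sample input is a constructed subset of the log posted earlier in the thread; the function and flag names are my own.

```python
"""Parse HijackThis v2 log entries and pull out what a helper reviews:
BHO registrations whose DLL is gone, Run entries that load a DLL via
rundll32, and the resolvers pinned in the Tcpip NameServer value.
Added example for this thread; not code from HijackThis or its author."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of entries excerpted from the HijackThis
# log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/de
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsfD1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer = 203.8.183.1,192.189.54.17
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*?)( \(file missing\))?$")
RUN_RE = re.compile(r"^\S+\\\.\.\\Run: \[([^\]]+)\] (.*)$")
SVC_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
DNS_RE = re.compile(r"NameServer = ([\d.,]+)")
# rundll32 invocations: the first argument is the DLL (or .cpl) being loaded.
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",]+\.(?:dll|cpl))"?')


@dataclass
class Entry:
    kind: str                     # R0, O2, O4, O17, O23 ...
    raw: str
    name: Optional[str] = None    # BHO name, Run value name, service name
    path: Optional[str] = None    # file the entry points at, if any
    file_missing: bool = False
    flags: List[str] = field(default_factory=list)


def _run_target(cmd: str) -> Optional[str]:
    """File launched by an O4 Run command: the DLL for rundll32, else the exe."""
    m = RUNDLL_RE.search(cmd)
    if m:
        return m.group(1)
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else None


def parse_log(text: str) -> List[Entry]:
    """Turn the Rn/On lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # process list, headers, blank lines
        kind, body = m.groups()
        e = Entry(kind=kind, raw=line.strip())
        if kind == "O2" and (b := BHO_RE.match(body)):
            e.name, e.path, e.file_missing = b.group(1), b.group(3), bool(b.group(4))
        elif kind == "O4" and (r := RUN_RE.match(body)):
            e.name, e.path = r.group(1), _run_target(r.group(2))
        elif kind == "O17" and (d := DNS_RE.search(body)):
            e.name, e.path = "NameServer", d.group(1)
        elif kind == "O23" and (s := SVC_RE.match(body)):
            e.name, e.path = s.group(1), s.group(3)
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags and return the flagged entries in log order.
    A flag means 'look at this', not 'malicious': NvCplDaemon is a
    legitimate rundll32 loader, hid_start in this thread was not."""
    out = []
    for e in entries:
        if e.kind == "O2" and e.file_missing:
            e.flags.append("stale-bho")       # registration outlived its DLL
        if e.kind == "O4" and e.path and RUNDLL_RE.search(e.raw):
            e.flags.append("rundll32-dll")    # verify the DLL's publisher
        if e.kind == "O17":
            e.flags.append("static-dns")      # compare with the expected resolvers
        if e.flags:
            out.append(e)
    return out


def dns_servers(entries: List[Entry]) -> List[str]:
    """Resolvers pinned by O17 entries, for checking against the ISP/router."""
    servers: List[str] = []
    for e in entries:
        if e.kind == "O17" and e.path:
            servers.extend(s for s in e.path.split(",") if s not in servers)
    return servers


def files_for_entries(entries: List[Entry], names: List[str]) -> List[str]:
    """File paths behind the entries a helper picked by name, i.e. the
    'Files to delete' list that goes with a 'fix checked' instruction."""
    return [e.path for e in entries if e.name in names and e.path]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for e in triage(ents):
        print(f"{e.kind:4} {str(e.name):<14} {','.join(e.flags):<13} {e.path}")
    print("DNS:", dns_servers(ents))
    print("delete:", files_for_entries(ents, ["ads_optimizer", "hid_start"]))
```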

Response Number 10
Name: Shlavina
Date: October 2, 2007 at 20:10:19 Pacific
Subject: Very smart infection?
This is the avenger result(will do the rest step by step):

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ypkyfmxq

*******************

Script file located at: \??\C:\Program Files\ibimmtyw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\adssite-remove.exe deleted successfully.


File C:\WINDOWS\system32\nsfD1.dll not found!
Deletion of file C:\WINDOWS\system32\nsfD1.dll failed!

Could not process line:
C:\WINDOWS\system32\nsfD1.dll
Status: 0xc0000034

File C:\WINDOWS\system32\gzmrotate.dll not found!
Deletion of file C:\WINDOWS\system32\gzmrotate.dll failed!

Could not process line:
C:\WINDOWS\system32\gzmrotate.dll
Status: 0xc0000034

Folder C:\Documents and Settings\Frank\Application Data\LimeWire deleted successfully.
Folder C:\Program Files\LimeWire deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Response Number 11
Name: Shlavina
Date: October 2, 2007 at 20:31:47 Pacific
Subject: Very smart infection?
And this is the HijackThis log.
I might run a Norton or a-squared scan to see what happens.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:48 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/de
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer = 203.8.183.1,192.189.54.17
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7255 byte
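The HijackThis log above is the usual starting point for this kind of triage. As an added example (not part of the thread, and not code from HijackThis or any tool the posters used), the Python below parses the section lines into records and runs three of the checks a helper normally does by eye: O4 autostart entries and O23 services whose binary lives outside C:\WINDOWS or C:\Program Files, the resolver addresses in the O17 NameServer entry (to be compared against the ISP's published servers), and O23 services that HijackThis lists with "Unknown owner". The sample input is a few lines copied from the log above plus one constructed [updater] line that is not on the page, added so the location check has something to report; the EXPECTED_ROOTS list is an assumption about this machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the HijackThis log posted in the
# thread, plus ONE constructed line (the [updater] entry) that is not on the
# page, included so the location check below has something to flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/de
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Frank\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CD168-F960-4937-A49A-6316A88BE7C2}: NameServer = 203.8.183.1,192.189.54.17
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# An HJT section line looks like "O4 - <body>"; the header and process list do not.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First Windows path ending in a binary extension, with or without quotes around it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n<>|]*?\.(?:exe|dll|cpl|sys)', re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumption: legitimate autostart binaries on this XP box live under these
# roots (8.3 short form included because HJT prints some paths that way).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]  # binary path if one could be extracted from the body


def parse_log(text: str) -> List[Entry]:
    """Turn the section lines of an HJT log into Entry records; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, p.group(0) if p else None))
    return entries


def autostart_outside_expected(entries: List[Entry]) -> List[Entry]:
    """O4 (Run keys) and O23 (services) entries whose binary sits outside the
    expected roots; profile, Temp and drive-root locations are what a helper asks about first."""
    return [
        e for e in entries
        if e.section in ("O4", "O23") and e.path
        and not e.path.lower().startswith(EXPECTED_ROOTS)
    ]


def nameservers(entries: List[Entry]) -> List[str]:
    """Resolver IPs from O17 lines. A changed NameServer redirects every lookup,
    so these are compared against the ISP's published resolvers."""
    ips = []
    for e in entries:
        if e.section == "O17" and "NameServer" in e.body:
            ips.extend(IP_RE.findall(e.body))
    return ips


def services_without_vendor(entries: List[Entry]) -> List[Entry]:
    """O23 lines that HijackThis prints with 'Unknown owner' instead of a company name."""
    return [e for e in entries if e.section == "O23" and "Unknown owner" in e.body]


def triage(text: str) -> Dict[str, object]:
    """One-shot summary of the three checks over a whole log."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "outside_expected": [e.body for e in autostart_outside_expected(entries)],
        "nameservers": nameservers(entries),
        "no_vendor": [e.body for e in services_without_vendor(entries)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, only the constructed [updater] line is reported by the location check; the real entries from the log all resolve under C:\WINDOWS or C:\Program Files, which matches jabuck's reading of the log further down the thread. The O17 check deliberately returns the addresses rather than judging them, because whether 203.8.183.1 and 192.189.54.17 are the right resolvers is a question only the poster's ISP can answer.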



Response Number 12
Name: Shlavina
Date: October 2, 2007 at 21:08:10 Pacific
Subject: Very smart infection?
Reply:
The scan is still running but usually the computer would have turned itself off by now and then restarted. Hopefully this means that whatever there was is now gone.
This has been totally amazing and I can't thank you enough. Hard to believe that you managed to explain things in a way that even I could follow and do the required steps.
Should I keep all those tools or are they useless for an amateur like me? And what do you think the problem was in the end?


Response Number 13
Name: Shlavina
Date: October 2, 2007 at 21:31:39 Pacific
Subject: Very smart infection?
Reply:
Scan has finished with no problems found.


Response Number 14
Name: Shlavina
Date: October 2, 2007 at 22:11:43 Pacific
Subject: Very smart infection?
Reply:
And the bad news is that the Norton scan still got disrupted - stating that a critical error occurred during the scan and it could not be completed.


Response Number 15
Name: jabuck
Date: October 3, 2007 at 03:43:57 Pacific
Subject: Very smart infection?
Reply:
I don't see any other suspect files but we can look a little deeper.

Please download SDFix by AndyManchesta and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.


Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.



Response Number 16
Name: Shlavina
Date: October 3, 2007 at 06:28:20 Pacific
Subject: Very smart infection?
Reply:
Hi again,
Here is the log of SDFix:


SDFix: Version 1.107

Run by Frank on Wed 03/10/2007 at 11:18 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.



Response Number 17
Name: Shlavina
Date: October 3, 2007 at 07:49:17 Pacific
Subject: Very smart infection?
Reply:
And here is the Kaspersky scan:
(It's bedtime now here in Down Under so I will check in again after work tomorrow)

---------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 04, 2007 12:45:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 3/10/2007
Kaspersky Anti-Virus database records: 426752
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 59308
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:39:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\call256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chat1024.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chat512.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\index2.dat Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\user1024.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\user16384.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\user256.dbb Object is locked skipped
C:\Documents and Settings\Frank\Application Data\Skype\schlawiner1966\user4096.dbb Object is locked skipped
C:\Documents and Settings\Frank\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\History\History.IE5\MSHist012007100320071004\index.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Frank\My Documents\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Frank\My Documents\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Frank\ntuser.dat Object is locked skipped
C:\Documents and Settings\Frank\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\Antispam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F1DB2795-5675-408F-827B-3537E4DE4343}\RP2\A0000030.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F1DB2795-5675-408F-827B-3537E4DE4343}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
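The Kaspersky report above mixes three kinds of line: files the scanner could not open ("Object is locked skipped"), actual detections ("Infected: ..."), and archives that contain a detection ("ZIP: infected - 1"). The Python below is an added example, not part of the thread and not code from Kaspersky or any tool used here; it separates the three, groups detections by family, checks the "Number of infected objects" header against what the report actually lists, and notes which copies sit inside a System Restore point (the _restore{...} paths). The sample input is a trimmed copy of the report above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the Kaspersky report posted in the thread.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 59308
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\Frank\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Frank\My Documents\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Frank\My Documents\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{F1DB2795-5675-408F-827B-3537E4DE4343}\RP2\A0000030.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<obj>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<obj>.+) Infected: (?P<name>\S+) (?P<action>\w+)$")
ARCHIVE_RE = re.compile(r"^(?P<obj>.+) ZIP: infected - (?P<count>\d+) skipped$")
HEADER_RE = re.compile(r"^Number of infected objects: (?P<count>\d+)$")
# Lower-cased marker for copies kept by System Restore.
RESTORE_MARK = "\\system volume information\\_restore{"


def parse_report(text: str) -> Dict[str, object]:
    """Sort the per-object lines into locked files, detections and infected
    archives, and pick up the header's infected-object count."""
    locked: List[str] = []
    infected: List[Tuple[str, str, str]] = []
    archives: List[Tuple[str, int]] = []
    reported: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("obj"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.append((m.group("obj"), m.group("name"), m.group("action")))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            archives.append((m.group("obj"), int(m.group("count"))))
            continue
        m = HEADER_RE.match(line)
        if m:
            reported = int(m.group("count"))
    return {"locked": locked, "infected": infected, "archives": archives, "reported": reported}


def summarize(text: str) -> Dict[str, object]:
    """The numbers a helper wants before replying to the poster."""
    r = parse_report(text)
    infected = r["infected"]
    families = Counter(name for _, name, _ in infected)
    return {
        "locked": len(r["locked"]),
        # Archive hits count as infected objects in Kaspersky's header total.
        "detections": len(infected) + len(r["archives"]),
        "reported_infected": r["reported"],
        "families": families,
        # Kaspersky's "not-a-virus:" prefix marks riskware/tools, not malware.
        "riskware_only": bool(infected) and all(n.startswith("not-a-virus:") for n in families),
        # Copies inside a restore point return with a System Restore unless the point is cleared.
        "in_restore_point": [obj for obj, _, _ in infected if RESTORE_MARK in obj.lower()],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On this report the header count (4) agrees with the listed objects (three Reboot.exe hits plus the archive holding one of them), every detection carries Kaspersky's not-a-virus:RiskTool label on the Reboot.exe bundled with SmitfraudFix under the poster's My Documents, and the locked entries are open log files and registry hives rather than findings. That is the reading a helper would reply with; the parser just makes it reproducible for the much longer report.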



Response Number 18
Name: Shlavina
Date: October 3, 2007 at 08:03:02 Pacific
Subject: Very smart infection?
Reply:
By the way - when I run Norton Live Update it doesn't install the Internet Security URL Update and tells me that a program that was part of this update failed when it ran so that the update was not applied. When I try to click on more information on this error I just get a blank Windows Explorer page. Not sure whether this may have something to do with the problem.



All content ©1996-2007 Computing.Net, LLC