I have encountered a virus that I am 100% clueless about. When I start Windows, around 10 Norton 'scanning message 1 of 1' messages and if I try to close them, more will come up. Eventually I can slow it down, stop it and delete it all and the computer is fine. It is not a Norton run message because when it tells me why a message (generally to jibberish like jfi0asvhosnk@kjfsdkofd.com) did not send, it is mostly in english except for the reason which is in spanish, something about not being sent because it is a spam message. I have had antivirus running through safe mode, normal mode, removal tools for Trojan.Abwiz and Trojan.Anserin going and still it comes up. It also appears with pop ups for DriveCleaner and installed SpySherrif without asking anything (deep breath) Does anybody have any idea what might be causing this? Hopefully i managed to explain the whole story...

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop. Doubleclick on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This. Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue. Put a check by "Create a desktop icon" then click "Next" again. Continue to follow the rest of the prompts from there. At the final dialogue box click "Finish" and it will launch Hijack This. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Here is my HiJack This! log Logfile of HijackThis v1.99.1 Scan saved at 22:55:08, on 27/08/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.exe C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\taskmgr.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Hijackthis\HijackThis.exe O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe O4 - HKCU\..\Run: [adminmgr.exe] C:\WINDOWS\System32\adminmgr.exe O4 - HKCU\..\Run: [almgr.exe] C:\WINDOWS\System32\almgr.exe O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe O4 - Startup: Lotus SmartSuite 9.6 - English Registration.lnk = C:\Lotus\register\REMIND32.exe O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.exe O4 - Global Startup: BT Voyager Wireless Utility.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10bb253d6cad15064d05/netzip/RdxIE601.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F3381910-648D-42E9-ADC5-1D5027663B5F}: NameServer = 192.168.1.1 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please download ATF-Cleaner to your desktop from this link http://www.atribune.org/content/view/19/2/ We will need it later in safe mode Download and install Ewido Security Suite We will need this later in safe mode Be sure to update Ewido Download killbox to your desktop from this link Killbox We will need it later in safe mode Download SmitRem.exe and save the file to your desktop. Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. Reboot back into Windows normal mode. Do a search for "smitfiles.txt" usually found a C:\smitfiles.txt and post the results of the scan. Reboot into safe mode. Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked": O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file) O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file) O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKCU\..\Run: [almgr.exe] C:\WINDOWS\System32\almgr.exe O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10bb253d6cad15064d05/netzip/RdxIE601.cab Exit Hijack This but remain in safe mode Navigate to and delete these files if found: c:\windows\system32\stonedrv.exe C:\WINDOWS\System32\almgr.exe C:\winstall.exe Reboot to normal mode. We need to check a file that may be a virus. Go to this link http://virusscan.jotti.org/ then click borwse and navigate to this file: C:\WINDOWS\System32\adminmgr.exe Click submit then post the results along with a new Hijack This log.

I have found out what causes the screw up to run but still don't know what it is called or why. It only ever works when Norton starts up. If i turn Norton off and restart it, it will do its work. I have five svchosts, not sure if thats right and I have a process called wdfmgr.exe. I have a feeling this is not Media player related. Below is the new Hijack this log Logfile of HijackThis v1.99.1 Scan saved at 14:52:40, on 30/08/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\Program Files\BT Voyager\BT Voyager Wireless\WLM.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\Program Files\BitTorrent\bittorrent.exe C:\Lotus\register\REMIND32.exe C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.exe C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\taskmgr.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe O4 - HKCU\..\Run: [adminmgr.exe] C:\WINDOWS\System32\adminmgr.exe O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe O4 - Startup: Lotus SmartSuite 9.6 - English Registration.lnk = C:\Lotus\register\REMIND32.exe O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.exe O4 - Global Startup: BT Voyager Wireless Utility.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip\..\{F3381910-648D-42E9-ADC5-1D5027663B5F}: NameServer = 192.168.1.1 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

We need to results Jotti's as requested in response #3. The please download ComboFix to the Desktop from this link: http://download.bleepingcomputer.com/sUBs/combofix.exe Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running, it may cause your system to hang.) Please post the combofix.txt log and a new Hijack This log.

Couldn't find adminmgr.exe so there is no Jotti results to be given. I completed the Combofix and here is the results: Michael - 06-08-31 8:50:51.65 ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Michael\Desktop (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\rpcc.exe ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 )))))))))))))))))))))))))))))))))) 2006-08-30 14:47 3,451 --a------ C:\delfiles.cmd 2006-08-30 14:47 16,824 --a------ C:\replace.cmd 2006-08-30 14:47 13,063 --a------ C:\smitfrau.reg 2006-08-27 17:11 3,584 --a------ C:\WINDOWS\system32\dxvwlmzf.exe 2006-08-27 16:41 3,584 --a------ C:\WINDOWS\system32\dxvweoum.exe 2006-08-27 16:41 3,072 --a------ C:\WINDOWS\system32\dxvweoum.exe3072.exe 2006-08-26 19:09 1,232 --a------ C:\WINDOWS\system32\TheMatrixHasYou.exe 2006-08-26 19:07 63,747 --a------ C:\WINDOWS\system32\ipod.raw.exe 2006-08-07 16:02 534,208 --a------ C:\WINDOWS\system32\SymNeti.dll 2006-08-07 16:02 161,472 --a------ C:\WINDOWS\system32\SymRedir.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-08-31 08:18 -------- d-------- C:\Program Files\Mozilla Firefox 2006-08-30 14:51 -------- d-------- C:\Program Files\Hijackthis 2006-08-29 15:20 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-08-29 15:20 -------- d-------- C:\Program Files\Google 2006-08-29 13:49 -------- d-------- C:\Program Files\eMule 2006-08-29 13:43 -------- d-------- C:\Program Files\WinISD 2006-08-27 22:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared 2006-08-27 22:18 -------- d-------- C:\Program Files\Symantec 2006-08-27 22:13 -------- d-------- C:\Program Files\Java 2006-08-25 17:07 -------- d-------- C:\Program Files\EPSON 2006-08-21 13:14 -------- d-------- C:\Program Files\Norton SystemWorks 2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys 2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys 2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys 2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys 2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys 2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys 2006-07-28 16:45 -------- d-------- C:\Documents and Settings\Michael\Application Data\Help 2006-07-26 09:43 -------- d-------- C:\Program Files\avisplit 2006-07-24 17:30 -------- d-------- C:\Program Files\VIDEOzilla 2006-07-24 17:19 -------- d-------- C:\Program Files\SmartSoftVideoConverter 2006-07-22 08:21 -------- d-------- C:\Program Files\Movie Splitter 2006-07-20 12:19 -------- d-------- C:\Program Files\Smart Projects 2006-07-20 11:57 336 --a------ C:\Documents and Settings\Michael\Application Data\AutoGK.ini 2006-07-20 11:55 43668 --a------ C:\WINDOWS\system32\xvid-uninstall.exe 2006-07-20 11:55 -------- d-------- C:\Program Files\AviSynth 2.5 2006-07-15 18:35 -------- d-------- C:\Program Files\Intelore 2006-07-12 17:52 -------- d-------- C:\Program Files\AVI to MPEG Converter 2006-07-12 17:43 -------- d-------- C:\Program Files\K-Lite Codec Pack 2006-07-12 17:06 -------- d-------- C:\Program Files\Cucusoft 2006-07-10 17:30 -------- d-------- C:\Program Files\AVI Codec Pack 2006-07-10 13:09 -------- d-------- C:\Program Files\Fx Video Converter 2006-07-10 13:09 -------- d-------- C:\Program Files\Common Files 2006-07-10 11:19 -------- d-------- C:\Documents and Settings\Michael\Application Data\Symantec 2006-07-10 10:27 -------- d-------- C:\Program Files\Common Files\xing shared 2006-07-10 10:26 -------- d-------- C:\Program Files\Common Files\Real 2006-07-09 20:55 -------- d-------- C:\Program Files\MPEG4 Direct Maker 2006-07-09 16:43 2368 --a------ C:\WINDOWS\system32\SVKP.sys 2006-07-06 15:01 -------- d-------- C:\Program Files\Watch.us.f---[Ironing] 2006-07-06 14:24 -------- d-------- C:\Documents and Settings\Michael\Application Data\Seven Zip (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize" "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\"" "PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "PPWebCap"="C:\\PROGRA~1\\ScanSoft\\PAPERP~1\\PPWebCap.exe" "adminmgr.exe"="C:\\WINDOWS\\System32\\adminmgr.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoCDBurning"=dword:00000000 "NoActiveDesktopChanges"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 "DisableTaskMgr"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce] "ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -trayboot" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 "NoActiveDesktop"=dword:00000000 "NoSaveSettings"=dword:00000000 "ClassicShell"=dword:00000000 "NoThemesTab"=dword:00000000 "ForceActiveDesktopOn"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "NoDispAppearancePage"=dword:00000000 "NoColorChoice"=dword:00000000 "NoSizeChoice"=dword:00000000 "NoDispBackgroundPage"=dword:00000000 "NoDispScrSavPage"=dword:00000000 "NoDispCPL"=dword:00000000 "NoVisualStyleChoice"=dword:00000000 "NoDispSettingsPage"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Michael.job C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job C:\WINDOWS\tasks\Symantec Drmc.job Completion time: 31/08/2006 8:51:52.21 ComboFix.txt