WiredWX Christian Hobby Weather Tools

Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc) - Page 1

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Belahzur wrote:
Hello.
Did Spyware Doctor fix these leftovers?


From the screenshot that I gave in my previous reply:

[screenshot]


It seems to have fixed those, but the reason why I need your help is that I think that although that little pop-up fake security alert isn't on my screen anymore, that doesn't mean that there aren't still infected traces or that it didn't spawn other malware that these scanners haven't picked up; that's why I gave those HijackThis logs and DDS logs. Can you look to see what else I can fix or remove? (By the way, these were all hidden from the registry editor for some reason, as my previous posts show. I don't know why, but I have a feeling there's more.)

I just ran scanfsc in the meantime.

Please help spot other things. After all of this is cleaned out, I'll do another system restore.

Also, since Spyware Doctor found win32 files that were infected, if those are quarantined, does that mean that they're now missing as required system files in the folder? Do I have a hole now?

Thanks.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Wait.
DO NOT use System Restore; that will restore the infection.

Please download the OTMoveIt3 by OldTimer from here:

Code:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt3.exe


  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    C:\Windows\system32\windrvnt.sys

    :reg
    [-HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT]
    [-HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT]
    [-HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

It's not letting me highlight the results. It's like it's locked or something.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Ah, it's okay, the report is saved to a txt file anyway.
Navigate to this folder:
C:\_OTMoveIt

There is a .log file in there with the report, please post that.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Here is the log. I thought it froze, but it was just doing something else.

From the results, C:\Windows\system32\windrvnt.sys was the file that got infected and quarantined when I ran Spyware Doctor from the post earlier:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_140958

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Well anyway, the zafi.b is gone and everything looks clean to me, any problems for you?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I ran OTMoveIt a second time, just in case, for you to review:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ not found.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ not found.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_0R5h8sBp1jzrNvtq1SgK scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_142346

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_0R5h8sBp1jzrNvtq1SgK not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\XUL.mfl moved successfully.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

mike69 wrote:
Here is the log. I thought it froze, but it was just doing something else.

From the results, C:\Windows\system32\windrvnt.sys was the file that got infected and quarantined when I ran Spyware Doctor from the post earlier:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet001\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\ControlSet002\Services\windrvNT\\ deleted successfully.
Registry key HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\windrvNT\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_140958

Files moved on Reboot...
File C:\DOCUME~1\Mike\LOCALS~1\Temp\etilqs_7MuvplmcUhiPm1dAbIEY not found!
C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bc.dat not found!
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mike\Local Settings\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\urlclassifier3.sqlite moved successfully.


q1) What do all of those "not found" entries mean?

q2) Also, I got a response from another forum when they examined my DDS log, and I needed to see if you can translate it into how to remove them:

"
The logs look ok apart from these entries.
Code:

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab

Not sure what ActiveX control is trying to be downloaded.

Code:

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Norton LiveUpdate must have gotten screwed.

Code:

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

"


Please help with this.

q3) I know that the Zafi.b might not be there anymore, but there seem to still be traces of things spawned from it. My process list looks strange in the post I showed earlier; things are still a little slow, and there is still lag from the browser.

Are there supposed to be 3 svchost.exe in the process list?
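Added example, not from this thread and not OldTimer's code: a small Python parser for OTMoveIt3 result lines, run over two constructed sample runs (placeholder paths, key names and user name; the hive is written HKEY_LOCAL_MACHINE). It makes the outcome words mechanical. "not found" means the target was already absent when OTMoveIt looked, which is what happens when Spyware Doctor has already quarantined the file, or on a second run after the first run deleted the keys; "deleted successfully" and "moved successfully" are removals; "scheduled to be deleted on reboot" stays open until the "Files moved on Reboot" section reports the item moved or not found. The helper also compares two runs, since a second run reporting "not found" for what the first run deleted is the confirmation that the removal held.

```python
import re
from collections import Counter

# Constructed sample runs in the OTMoveIt3 results format. These are NOT the
# thread's own logs: the paths, key names and user name are placeholders.
FIRST_RUN = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Windows\system32\example.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\example\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\etilqs_abc scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\leftover.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
Explorer started successfully

Files moved on Reboot...
File C:\DOCUME~1\user\LOCALS~1\Temp\etilqs_abc not found!
C:\WINDOWS\temp\Perflib_Perfdata_1.dat moved successfully.
"""

SECOND_RUN = r"""
========== FILES ==========
File/Folder C:\Windows\system32\example.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\example\\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example\\ not found.
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")

# Outcome wordings OTMoveIt uses, most specific first; group 1 is the target.
OUTCOMES = [
    ("process_killed", re.compile(r"^Process (.+) killed successfully\.$")),
    ("not_found",      re.compile(r"^(?:File/Folder|File|Registry key) (.+) not found[.!]$")),
    ("deleted",        re.compile(r"^Registry key (.+) deleted successfully\.$")),
    ("reboot_pending", re.compile(r"^File delete failed\. (.+) scheduled to be deleted on reboot\.$")),
    ("moved",          re.compile(r"^(?:File )?(.+) moved successfully\.$")),
    ("emptied",        re.compile(r"^(.+) emptied\.$")),
]


def parse_otmoveit(text):
    """Return (section, outcome, target) triples for every result line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("Files moved on Reboot"):
            section = "REBOOT"  # what the reboot-time pass finished
            continue
        for outcome, pattern in OUTCOMES:
            m = pattern.match(line)
            if m:
                # OTMoveIt echoes registry keys with trailing backslashes;
                # strip them so the same key compares equal across runs.
                entries.append((section, outcome, m.group(1).rstrip("\\")))
                break
    return entries


def summarize(entries):
    """How many targets fell into each outcome."""
    return Counter(outcome for _, outcome, _ in entries)


def unresolved_after_reboot(entries):
    """Targets scheduled for deletion on reboot that the reboot pass never
    reported as moved or as already gone: these still need attention."""
    scheduled = {t for _, o, t in entries if o == "reboot_pending"}
    finished = {t for s, o, t in entries if s == "REBOOT" and o in ("moved", "not_found")}
    return sorted(scheduled - finished)


def confirm_removed(first, second):
    """Targets the first run removed which a second run reports 'not found':
    that second 'not found' is the confirmation the removal held."""
    removed = {t for _, o, t in first if o in ("deleted", "moved")}
    absent_later = {t for _, o, t in second if o == "not_found"}
    return sorted(removed & absent_later)


if __name__ == "__main__":
    first, second = parse_otmoveit(FIRST_RUN), parse_otmoveit(SECOND_RUN)
    print(dict(summarize(first)))
    print("still pending:", unresolved_after_reboot(first))
    print("confirmed gone:", confirm_removed(first, second))
```

Lines the parser does not recognise (such as "Explorer started successfully") are ignored, so a new OTMoveIt wording shows up as a missing count rather than a crash; add a pattern to OUTCOMES when that happens.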

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Hello.
If you are being helped elsewhere, please let me know.
Helpers' time is valuable and shouldn't be wasted.

Please let the other forum know you are being helped elsewhere.

The ActiveX object is harmless.
I don't want to remove that service; it may say missing, but I don't want to stop the LiveUpdate service.

Empty toolbar objects, harmless also.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Well, I asked around in another forum, since a lot of folks were unsure, and that's how I was told about this site; otherwise I wouldn't have found this geekpolice.net site, and that's why I'm here posting what I've gotten.

Could you inspect the logs shown from the previous apps you mentioned to install and run? Including:

========== FILES ==========
File/Folder C:\Windows\system32\windrvnt.sys not found.

I noticed when I ran the scan, this sys file was infected and quarantined, is that trouble?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

No, the file isn't active now; it can't cause any more problems.
What problems remain now?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I can't tell myself, because I see no more popups, but there is still a slowdown in the processor, as if something funny is happening behind the scenes. From your inspection of the logs that I've been posting here, like the DDS, HijackThis and OTMoveIt logs, do you see anything at all that might be worth noting?

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

I can only help by killing some unneeded startup items and cleaning temp files, etc.

If you want us to kill some of the unneeded stuff, let me know.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Yes, I would like your help. I don't know how to interpret these logs that you requested to paste in the last few replies.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Okay.
Please post a NEW HijackThis log.

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Here is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:59 PM, on 1/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP KEYBOARDg] "C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Flash with Flash &Grabber - res://C:\PROGRA~1\Flash Grabber\swfgrab.dll/iesave
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171423935984
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_3.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10126 bytes
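Added example, not from this thread and not part of HijackThis: a Python triage helper for the questions raised above, run over a constructed HijackThis-style log (placeholder program names, GUIDs and paths; the home directories of the core binaries are assumed to be the Windows XP defaults on drive C:). Several svchost.exe entries are normal on XP, since each instance hosts a group of services, so the check worth doing is the path each one runs from rather than the count. Entries marked "(file missing)" (HijackThis's O23 wording) or "- No File" (the wording in the lines quoted from the other forum) reference something no longer on disk, so the helper lists them as stale leftovers rather than as active code; autoruns that point into Temp or profile scratch space are listed separately because that is where a legitimate program directory should not be.

```python
import re
from collections import Counter

# Constructed HijackThis-style log. Not the thread's own log: the program names,
# GUIDs and paths are placeholders chosen to exercise each check below.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Example\example.exe

O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe
O23 - Service: Example Service (exsvc) - Example Corp - C:\Program Files\Example\exsvc.exe
O23 - Service: Gone Service (gonesvc) - Unknown owner - C:\Program Files\Gone\gone.exe (file missing)
"""

ITEM_RE = re.compile(r"^(O\d+) - (.*)$")

# Where the core Windows XP binaries live; assumed XP defaults on drive C:.
CORE_BINARIES = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Path fragments that mean user-writable scratch space, not a program directory.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")

# "(file missing)" / "(no file)" are HijackThis wordings; "- No File" is the
# DDS-style wording quoted from the other forum earlier in the thread.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)|- no file$", re.I)


def parse_hijackthis(text):
    """Split a log into the 'Running processes' paths and the (Oxx, body) items."""
    processes, items, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
    return processes, items


def process_counts(processes):
    """Instances per executable name; several svchost.exe entries are normal."""
    return Counter(p.rpartition("\\")[2].lower() for p in processes)


def misplaced_core_binaries(processes):
    """Core-binary names running from somewhere other than their home directory."""
    flagged = []
    for p in processes:
        directory, _, name = p.lower().rpartition("\\")
        home = CORE_BINARIES.get(name)
        if home and directory != home:
            flagged.append(p)
    return flagged


def stale_entries(items):
    """Entries that still reference a file no longer on disk: leftovers to
    clean up, not evidence of active code."""
    return [(k, b) for k, b in items if MISSING_RE.search(b)]


def autoruns_from_user_writable(items):
    """O4 autorun entries whose target sits in Temp or profile scratch space."""
    return [(k, b) for k, b in items
            if k == "O4" and any(frag in b.lower() for frag in USER_WRITABLE)]


def triage(text):
    processes, items = parse_hijackthis(text)
    return {
        "svchost_count": process_counts(processes)["svchost.exe"],
        "misplaced": misplaced_core_binaries(processes),
        "stale": stale_entries(items),
        "autoruns_from_scratch": autoruns_from_user_writable(items),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the three svchost.exe entries under system32 pass and only the copy in Temp is flagged, which is the distinction the count alone cannot make; the same helper run on the log above would report the "(file missing)" LiveUpdate service as stale rather than as something running.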

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


  • Press "Fix Checked"
  • Close HijackThis.

I see you have Adobe Reader version 7 installed on here. This is old and has holes malware may abuse; we need to close these holes.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Adobe Reader 7

Then download and install version 9 from here:
http://get.adobe.com/uk/reader/

Reboot normally.
Any difference?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
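As an added example (not part of this thread and not code from HijackThis or any other tool named here), a small Python triage helper for O4/O23 lines in the log format quoted above: it parses each line, extracts the executable path, and flags the entries a helper would look at first (services marked "(file missing)", services with no publisher, per-user HKCU autostarts, executables outside the standard directories). The sample log lines, the flag names and the trusted-directory list are constructed assumptions; a flag is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format (modelled on the log posted in this thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
TRUSTED_DIRS = ('c:\\program files\\', 'c:\\windows\\', '%programfiles%\\')  # assumption: usual install roots

@dataclass
class Entry:
    name: str
    path: str
    flags: list = field(default_factory=list)

def exe_path(cmd: str) -> str:
    """Executable from a Run value: the quoted path, or a bare path cut after '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.search(r'.+?\.exe', cmd, re.IGNORECASE)
    return m.group(0) if m else cmd

def parse_hjt(text: str) -> list:
    """Parse O4/O23 lines into Entry records and attach simple triage flags."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            e = Entry(m["name"], exe_path(m["cmd"]))
            if m["hive"] == "HKCU":
                e.flags.append("per-user autostart")   # can be set without admin rights
        elif m := O23_RE.match(line):
            e = Entry(m["name"], m["path"])
            if m["missing"]:
                e.flags.append("file missing")         # orphaned service entry, as in the log above
            if m["owner"] == "Unknown owner":
                e.flags.append("no publisher")
        else:
            continue
        if not e.path.lower().startswith(TRUSTED_DIRS):
            e.flags.append("outside standard dirs")    # worth a closer look, not a verdict
        entries.append(e)
    return entries

def triage(text: str) -> dict:
    # Name -> flags for every flagged entry; clean entries are left out.
    return {e.name: e.flags for e in parse_hjt(text) if e.flags}
```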

Re: Win32.Zafi.b worm (spent 2 days: this thing will not rid itself from my pc)
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
