Solved: Trojan adware.w32.exp.dwnldr and UltimateDefender


lazzaro

Thread Starter
Joined
Jul 10, 2007
Messages
6
I think my computer (Windows XP) was infected by those two viruses.... Usually it is protected by SpyDoctor (I bought it and renewed it every year!!!)

I followed your instructions in different posts, downloaded Spybot, Ccleaner, Ad-Aware, and now have more anti-virus on my computer than hair on my head; but the problem still exists.

I have a fake windows security alert, then Explorer is launched and it starts to download exe from the net....
and everything is deadly slow and it is impossible to work.

This is my Hijack file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.03.59, on 10/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\bak\EM_EXEC.EXE
C:\Programmi\Lexmark 5400 Series\lxctmon.exe
C:\Programmi\Lexmark 5400 Series\ezprint.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Documents and Settings\lay principale\Desktop\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Programmi\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programmi\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Desktop Manager.lnk = C:\Programmi\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.planetis.com/it
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
O17 - HKLM\System\CS1\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: msddx - {AEDBED08-5EEB-4555-BF03-D95E98DB6478} - C:\WINDOWS\msddx.dll
O21 - SSODL: msqnx - {BCDE187C-A1DA-4585-8A64-D59BB9C64578} - C:\WINDOWS\msqnx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Programmi\FileMaker\FileMaker Server Trial 5.5\Fmserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
Is there anything I can do? I am really thinking of reinitializing my computer... Thanks
 
Joined
Sep 7, 2004
Messages
49,014
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
======================

Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
  o Close browsers before scanning
  o Scan for tracking cookies
  o Terminate memory threats before quarantining.
  o Please leave the others unchecked.
  o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
  o After reboot, double-click the SUPERAntispyware icon on your desktop.
  o Click Preferences. Click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o It will open in your default text editor (such as Notepad/Wordpad).
  o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

This will take some time!!!!!!!!
 

lazzaro

Thread Starter
Joined
Jul 10, 2007
Messages
6
Thanks very much for your prompt reply.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.


I have done all the above, but when launching SmitFraudFix I have got this message : impossible to find the file "C:\Documents and Settings\lay principale\DEsktop\SmitFraudFix\SmitFraudFix.cmd Please verify the path and the name of the file...."

WHAT SHOULD I DO?
 
Joined
Sep 7, 2004
Messages
49,014
Go back and carefully read the instructions - you did not extract all files to the folder and run from there
 

lazzaro

Thread Starter
Joined
Jul 10, 2007
Messages
6
Thanks for your patience: I am a beginner, but not stupid.

I have downloaded the file from the link above.
I have saved the zip on the desktop, then have extracted all the files (there are 13 files in the zip and 13 in the new folder)
In security mode, I open the new folder and double click on the SmitfraudFix.cmd.
I have done it TWICE but always the same message: impossible to find the file. Please verify....

I have tried to do the same in normal mode, and also there the message is the same. And the program doesn't run....

WHAT ELSE CAN I DO?

Please help me, as you are very professional and helpful....

Thanks Lazzaro

P.S. On my desktop, every time that I open the computer there are three links to "Error Cleaner", "Privacy Protector" and "Spyware Protection", the same pages that my explorer opens automatically (or by order of the virus). CAN THIS ALSO PREVENT ME FROM OPENING THE SMITFRAUDFIX file?
 

lazzaro

Thread Starter
Joined
Jul 10, 2007
Messages
6
I will do it tomorrow....

I have just noticed that on my menu there is not the "Command Prompt" and when I run an exe, or a DOS program it always gives me the usual alert ("This file doesn't exist. Please check the path...")

Maybe this is the cause of the problem.... How can I manage that? Thanks
 

lazzaro

Thread Starter
Joined
Jul 10, 2007
Messages
6
First things first!

  1. I have done the SUPERAntiSpyware
  2. I have done the Hijack This
  3. I have run the XP Fix (the cmd.exe file in the Windows/system32 directory was missing...)
  4. I have done the SmitfraudFix

Here the results:
SUPERANTISPYWARE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/11/2007 at 06:39 AM

Application Version : 3.9.1008

Core Rules Database Version : 3266
Trace Rules Database Version: 1277

Scan type : Complete Scan
Total Scan Time : 05:29:20

Memory items scanned : 366
Memory threats detected : 0
Registry items scanned : 4024
Registry threats detected : 0
File items scanned : 63174
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\lay principale\Cookies\[email protected][2].txt

Desktop Hijacker.AboutYourPrivacy
C:\Documents and Settings\lay principale\Desktop\Error Cleaner.url
C:\Documents and Settings\lay principale\Desktop\Privacy Protector.url
C:\Documents and Settings\lay principale\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\lay principale\Preferiti\Error Cleaner.url
C:\Documents and Settings\lay principale\Preferiti\Privacy Protector.url
C:\Documents and Settings\lay principale\Preferiti\Spyware&Malware Protection.url
C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\IMAGES\CAPT.GIF
C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\IMAGES\DANGER.JPG
C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\IMAGES\DOWN.GIF
C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMP\PRIVACY_DANGER\INDEX.HTM

Malware.Ultimate Defender
C:\DOCUMENTS AND SETTINGS\LAY PRINCIPALE\IMPOSTAZIONI LOCALI\TEMPORARY INTERNET FILES\CONTENT.IE5\21O8AQTL\UDEFENDER_SETUP[1].EXE

Trojan.Net-MSV/VPS-G
C:\SYSTEM VOLUME INFORMATION\_RESTORE{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182564.DLL

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182565.EXE
*******

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.21.29, on 11/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\Lexmark 5400 Series\lxctmon.exe
C:\Programmi\Lexmark 5400 Series\ezprint.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Programmi\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programmi\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Desktop Manager.lnk = C:\Programmi\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.planetis.com/it
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: msddx - {AEDBED08-5EEB-4555-BF03-D95E98DB6478} - C:\WINDOWS\msddx.dll
O21 - SSODL: msqnx - {BCDE187C-A1DA-4585-8A64-D59BB9C64578} - C:\WINDOWS\msqnx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Programmi\FileMaker\FileMaker Server Trial 5.5\Fmserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6314 bytes
******
SMITFRAUD

SmitFraudFix v2.202

Scan done at 12.42.38,34, 11/07/2007
Run from C:\Documents and Settings\lay principale\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

*****

THE COMPUTER NOW seems not to be infected (there are none of the tedious pop-ups and fake alerts, at least) but it is very slow...

Any other suggestions?

Thanks very much
 
Joined
Sep 7, 2004
Messages
49,014
Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
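
Each cleanup pass in this thread ends with a request for a new HijackThis log, and comparing it with the previous one shows what the pass actually changed. The Python below is an added example, not part of the original thread or of HijackThis: `parse_hjt` and `diff_logs` are hypothetical helper names, and the two sample logs are short excerpts constructed from lines posted in this thread.

```python
import re
from collections import defaultdict

# HijackThis entry lines start with a section code (R0, O2, O4, O23, ...),
# then " - ", then the entry text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into running processes and section-coded entries."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first entry ends the process list
            entries.add((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def diff_logs(before, after):
    """Report entries and processes that differ between two HijackThis logs."""
    b_proc, b_ent = parse_hjt(before)
    a_proc, a_ent = parse_hjt(after)

    def by_section(items):
        grouped = defaultdict(list)
        for code, body in sorted(items):
            grouped[code].append(body)
        return dict(grouped)

    return {
        "removed": by_section(b_ent - a_ent),
        "added": by_section(a_ent - b_ent),
        "processes_gone": sorted(b_proc - a_proc),
        "processes_new": sorted(a_proc - b_proc),
    }


# Constructed excerpt of the log posted before cleanup (10/07/2007).
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\lay principale\Desktop\iexplore.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
"""

# Constructed excerpt of the log posted after the SDFix run (12/07/2007).
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
"""

if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for key, value in result.items():
        print(key, "->", value)
```

Entries listed under `removed` are what the cleanup took out; anything under `added` or `processes_new` that the user did not install deserves a closer look before the thread is closed.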
 

lazzaro

Thread Starter
Joined
Jul 10, 2007
Messages
6
It works but deadly slow!

This is SDFIX:

SDFix: Version 1.90

Run by lay principale on 11/07/2007 at 22.52

Microsoft Windows XP [Versione 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\lay principale\Desktop\CARTELLE\vale\Privacy Protector.url - Deleted
C:\Documents and Settings\lay principale\Dati applicazioni\Install.dat - Deleted
C:\DOCUME~1\LAYPRI~1\IMPOST~1\Temp\abc123.pid - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\rundll32.exe - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\Skype\\Phone\\Skype.exe"="C:\\Programmi\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Programmi\\Messenger\\msmsgs.exe"="C:\\Programmi\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programmi\\Real\\RealPlayer\\realplay.exe"="C:\\Programmi\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\lxctcoms.exe"="C:\\WINDOWS\\system32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182559.dll
C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182555.exe
C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182556.exe
C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182557.exe
C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP452\A0182558.exe
C:\WINDOWS\system\svcinit.exe
C:\WINDOWS\system\TAPICFG.EXE
C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP448\A0182181.sys
C:\System Volume Information\_restore{72A5625D-1C6D-48BC-B2DA-8A1E10076E13}\RP448\A0182219.sys
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL1832.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL2305.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL3034.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Modelli\~WRL3253.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0006.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0306.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0368.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0474.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0640.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0789.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0862.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0907.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL0961.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1084.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1099.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1121.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1272.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1305.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1471.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1589.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1615.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1697.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1813.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1919.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1926.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL1970.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2002.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2086.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2271.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2298.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2399.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2400.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2499.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2537.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2628.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2636.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2688.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2803.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2822.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2916.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL2941.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3285.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3292.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3337.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3362.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3451.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3478.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3635.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3663.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3677.tmp
C:\Documents and Settings\lay principale\Dati applicazioni\Microsoft\Word\~WRL3721.tmp
C:\Documents and Settings\lay principale\Desktop\CARTELLE\LAZZARO\LOSI\LOSI\~WRL0001.tmp

Finished
******

This is HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.14.34, on 12/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lxctcoms.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\Lexmark 5400 Series\lxctmon.exe
C:\Programmi\Lexmark 5400 Series\ezprint.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Outlook Express\msimn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\apps\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Programmi\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Programmi\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,[email protected]
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Programmi\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.planetis.com/it
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
O17 - HKLM\System\CS1\Services\Tcpip\..\{274A8570-B354-4F6C-9EFB-F8A512123172}: NameServer = 212.139.132.26 212.139.132.27
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Programmi\FileMaker\FileMaker Server Trial 5.5\Fmserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5803 bytes



What else? Thanks Lazzaro
 