Solve: W32.Shodi Removal?

This one might be a little tricky, but we're gonna try to get this thing.

First, open up Task Manager and end the following processes...
shellker.usr
NICCONFIGSVC.usr
ssonsvr.usr
client.usr
YahooMessenger.usr
mdm.usr
pccntmon.usr
ANYTHING ELSE THAT ENDS WITH .USR.


Now, for your log...
Your HijackThis is in a temporary location. If you leave it there, it (along with its important backups) can and will eventually be deleted. Please navigate to its current location (CURRENT LOCATION) and move it to a NEW permanent folder at C:\Program Files\HJT.

Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.usr
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.usr" -atboottime

O16 - DPF: {E4F874A0-56ED-11D0-9C43-00A0C90F29FC} (ActiveBar Class) - http://srvcm01hq/cm/cabs/actbar.cab


Now, CLOSE all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Navigate to and delete the following file(s) if present...

C:\Program Files\Dell\QuickSet\Quickset.usr
C:\Program Files\QuickTime\qttask.usr
C:\Windows\USR_Shohdi_Photo_USR.exe
C:\Windows\system\USR_Shohdi_Photo_USR.rsu

NOTE: If you don't find either of the two Shohdi files, perform a system-wide search for them.

Once you've done all of this, reboot into Normal Mode.


You might want to take a look at this removal procedure I found on the Sophos site...
Quote

1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any RELEVANT IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
2. Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the third option 'Safe Mode with Command Prompt'.
3. At the infected computer, place the CD in the CD drive (D: in this example).
At the command prompt type
D:

to access the CD drive. Type:
CD SAV32CLI

Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

to remove the virus.
4. Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions.
5. Replace the infected files with 'clean' versions from the original installation media or a clean PC.
6. If problems persist, contact support.
If you can, I'd like for you to give this a try and then report back to me.

CBMatt,

Thanks for looking into this for me. I did get a scan done by Kaspersky and part one is posted below. Before I try what you suggested earlier can you look at it and let me know if that is still the way you want me to proceed?


Part 1

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 30, 2007 11:20:21 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/05/2007
Kaspersky Anti-Virus database records: 333967
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59401
Number of viruses found: 2
Number of infected objects: 98 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:46:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\518d3b3fd6ce0222481939caa95e41a2_6ee841b4-6103-4ce6-830e-ecb66b9670bf	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5aa7b1f9b4952b0a5b2915b14b8e038a_6ee841b4-6103-4ce6-830e-ecb66b9670bf	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7346f0ad2f7269d43adc1db49e1d210f_6ee841b4-6103-4ce6-830e-ecb66b9670bf	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d3745e1e9bd1e7182ebd85b5b1efa2b2_6ee841b4-6103-4ce6-830e-ecb66b9670bf	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Prevx\PXSetup.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare	Object is locked	skipped
C:\Documents and Settings\ChWalker\Application Data\Microsoft\Outlook\CWalker.srs	Object is locked	skipped
C:\Documents and Settings\ChWalker\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.673.0-static.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Desktop\Home\Generals\Command & Conquer\generals.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\Desktop\Home\Programs\CnC3_Demo.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\Desktop\Home\Programs\Programs\MySpaceIM_Setup.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\Desktop\Home\Programs\Programs\spybotsd14.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Temp\~DF4184.tmp	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Temp\~DF4189.tmp	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\ChWalker\Local Settings\Temporary Internet Files\Content.IE5\L21H2XHD\HijackThis[1].exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\Local Settings\Temporary Internet Files\Content.IE5\SAHFBVXK\avg75free_472a1024[1].exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Documents and Settings\ChWalker\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\ChWalker\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXAPedit.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXAuditPls.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXCustInv.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXExchPls.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXInvSoln.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXMachInv.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXNSInvCollector.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXRunControl.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXSNPlus.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\SNData2.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{5C599BF5-AC69-4DFE-9262-AF2418FEFEA1}\cache\TaskSynchronization.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{5C599BF5-AC69-4DFE-9262-AF2418FEFEA1}\cache\UnInstallSynchAgent.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{5C599BF5-AC69-4DFE-9262-AF2418FEFEA1}\cache\UpgradeSynchAgent.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B7B543B5-3679-4D73-9E1F-E162D5A59C53}\cache\AeXMSIAgent.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B7B543B5-3679-4D73-9E1F-E162D5A59C53}\cache\AeXNSInvCollector.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Altiris Agent\Task Synchronization\UnInstallSynchAgent.exe	Infected: Virus.Win32.Shodi.i	skipped
Part 2 of Kaspersky scan

C:\Program Files\Altiris\Carbon Copy\client.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Altiris\Carbon Copy\shellker.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Citrix\ICA Client\ssoncom.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Citrix\ICA Client\ssonsvr.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Adobe\Web\AOM.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Dell\NicConfigSvc\NICCONFIGSVC.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Dell\QuickSet\Quickset.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Internet Explorer\iedw.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Microsoft Office\Office10\MSACCESS.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Movie Maker\moviemk.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\NetMeeting\cb32.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\NetMeeting\conf.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\NetMeeting\wb32.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Outlook Express\msimn.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Outlook Express\oemig50.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Outlook Express\setup50.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Outlook Express\wab.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Outlook Express\wabmig.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Express Labeler\stax.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\dlaunin.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\install\ssdiag.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\install\tfswcmd.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\install\tfswctrl.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\Launch.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\LeaderReg.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\RecordNow.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\LuComServer.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\LUInit.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Symantec\LiveUpdate\SymantecRootInstaller.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Terminal Services Client\CONMAN.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Terminal Services Client\MSTSC.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Terminal Services Client\setup\SETUP.EXE	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20070530.log	Object is locked	skipped
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\AdpBrowser.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\DelDelay.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\delfolder.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\DoShutDown.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\gtny.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\setspath.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\tranplug.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows Media Player\migrate.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows Media Player\mplayer2.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows Media Player\setup_wm.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows Media Player\wmplayer.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows NT\Accessories\wordpad.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows NT\dialer.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Windows NT\Pinball\pinball.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe	Infected: Virus.Win32.Shodi.i	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\WINDOWS\CSC\00000001	Object is locked	skipped
C:\WINDOWS\Debug\Netlogon.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F2A8DBC0-47EA-41F1-9FAF-D7C595B9864C}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\DEFAULT	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SOFTWARE	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SYSTEM	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.
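A small triage script for a Kaspersky Online Scanner report of the kind posted above, added here as an example (it is not code from this thread, from Kaspersky, or from the forum). It accepts the three column layouts a forum paste can end up with (tab-separated, " / "-separated, or columns run together as in "PXSetup.exeInfected: Virus.Win32.Shodi.iskipped"), sets the "Object is locked" rows aside, counts detections per verdict, separates "not-a-virus:" riskware that needs a human decision, and lists how many directory trees the file infector has reached; the sample rows are a constructed subset of the report above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One result row of a Kaspersky Online Scanner report: object, verdict, last
# action. Forum pastes often lose the tab separators, so the columns may be
# joined by a tab, by " / ", or by nothing at all ("...PXSetup.exeInfected: ...").
_SEP = r"(?:\t|\s+/\s+|\s*)"
ROW_RE = re.compile(
    r"^(?P<path>.+?)" + _SEP
    + r"(?P<verdict>Object is locked|Infected: (?P<name>\S+?)|Suspicious: (?P<sname>\S+?))"
    + _SEP + r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)


@dataclass
class Row:
    path: str
    kind: str     # "locked", "infected" or "suspicious"
    name: str     # detection name; empty for locked objects
    action: str


def parse_report(text):
    """Return the result rows of a report; header, settings and statistics lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        if m.group("name"):
            rows.append(Row(m.group("path"), "infected", m.group("name"), m.group("action")))
        elif m.group("sname"):
            rows.append(Row(m.group("path"), "suspicious", m.group("sname"), m.group("action")))
        else:
            rows.append(Row(m.group("path"), "locked", "", m.group("action")))
    return rows


def top_dir(path, depth=2):
    """Drive plus the first `depth` folders, e.g. C:\\Program Files\\Altiris."""
    return "\\".join(path.split("\\")[: depth + 1])


def triage(rows):
    """Summarise the report the way a responder reads it.

    Locked objects are registry hives, index.dat files and similar files the
    scanner could not open; they are noise unless they are the only hits.
    'not-a-virus:' verdicts (here the RealVNC files) are riskware that needs a
    decision by whoever owns the machine, not a cleanup step.
    """
    detections = [r for r in rows if r.kind != "locked"]
    malware = [r for r in detections if not r.name.startswith("not-a-virus:")]
    return {
        "locked": sum(1 for r in rows if r.kind == "locked"),
        "by_name": dict(Counter(r.name for r in detections)),
        "riskware": [r.path for r in detections if r.name.startswith("not-a-virus:")],
        # Distinct directory trees holding malware: a file infector that has
        # reached many of them is a restore-from-clean-media case, not a delete-one-file case.
        "spread": sorted({top_dir(r.path) for r in malware}),
        # Detections the online scanner only reported (its default action is "skipped").
        "untreated": [r.path for r in malware if r.action == "skipped"],
    }


# Constructed sample: a subset of the report above, in the three layouts a paste may have.
SAMPLE_REPORT = "\n".join([
    "Infected Object Name / Virus Name / Last Action",
    r"C:\Program Files\Altiris\Carbon Copy\client.exe" + "\tInfected: Virus.Win32.Shodi.i\tskipped",
    r"C:\Program Files\RealVNC\VNC4\winvnc4.exe / Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 / skipped",
    r"C:\WINDOWS\system32\config\SAMObject is lockedskipped",
    r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeInfected: Virus.Win32.Shodi.iskipped",
    r"C:\Documents and Settings\ChWalker\Desktop\Home\Programs\CnC3_Demo.exeInfected: Virus.Win32.Shodi.iskipped",
    "Scan process completed.",
])

if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```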
Unfortunately, info on your version of this particular infection appears to be hard to come by and that is the only fix I have been able to find. At the moment, I don't know of any alternatives, aside from a reformat. But give me a moment to consult another member and ask for his input...


In the meantime...
Download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

Given your current situation, the program might not work, but give it a couple of tries. It's worth it.

Here is the ComboFix log, part 1

"ChWalker" - 2007-05-30 18:58:12 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\ChWalker\Desktop\Home\Programs\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\drivers\fad.sys"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))


2007-05-30 09:38	d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-05-30 05:45	0	--a------	C:\WINDOWS\USR_Shohdi_Photo_USR.exe
2007-05-28 11:05	d--------	C:\DOCUME~1\ChWalker\APPLIC~1\Prevx
2007-05-28 11:04	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-05-28 10:57	77,312	--a------	C:\WINDOWS\ua2.dll
2007-05-27 16:52	d--------	C:\Program Files\WebCyberCoach
2007-05-27 16:39	d--h-----	C:\DOCUME~1\ChWalker\APPLIC~1\GTek
2007-05-27 16:39	d--h-----	C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-05-27 16:38	7,882	--a------	C:\WINDOWS\system32\GTKCMOS.sys
2007-05-27 16:38	7,626	--a------	C:\WINDOWS\system32\GPCIEnum.sys
2007-05-27 16:38	7,168	--a------	C:\WINDOWS\system32\DLPT64.sys
2007-05-27 16:38	6,977	--a------	C:\WINDOWS\system32\DDMI2.sys
2007-05-27 16:38	6,656	--a------	C:\WINDOWS\system32\DLPT2.sys
2007-05-27 16:38	5,632	--a------	C:\WINDOWS\system32\GPCIEn64.sys
2007-05-27 16:38	5,120	--a------	C:\WINDOWS\system32\GTKCMO64.sys
2007-05-27 16:38	4,608	--a------	C:\WINDOWS\system32\DDMI64.sys
2007-05-25 15:08	83,168	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-25 15:08	82,832	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-25 15:08	d--------	C:\Program Files\Symantec AntiVirus
2007-05-25 15:08	d--------	C:\Program Files\Symantec
2007-05-25 15:08	d--------	C:\Program Files\Common Files\Symantec Shared
2007-05-25 15:08	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-19 16:12	d--------	C:\DOCUME~1\ChWalker\APPLIC~1\HP
2007-05-19 07:17	d--------	C:\DOCUME~1\LOCALS~1\APPLIC~1\HP
2007-05-19 07:15	d--------	C:\Program Files\Common Files\HP
2007-05-19 07:14	d--------	C:\Program Files\Hewlett-Packard
2007-05-19 07:13	d--------	C:\Program Files\Common Files\Hewlett-Packard
2007-05-19 07:12	94,208	--a------	C:\WINDOWS\system32\HPZipt12.dll
2007-05-19 07:12	69,632	--a------	C:\WINDOWS\system32\HPZipm12.exe
2007-05-19 07:12	65,536	--a------	C:\WINDOWS\system32\HPZinw12.exe
2007-05-19 07:12	57,344	--a------	C:\WINDOWS\system32\HPZisn12.dll
2007-05-19 07:12	278,584	--a------	C:\WINDOWS\system32\HPZidr12.dll
2007-05-19 07:12	204,800	--a------	C:\WINDOWS\system32\HPZipr12.dll
2007-05-19 07:10	49,664	-ra------	C:\WINDOWS\system32\drivers\HPZid412.sys
2007-05-19 07:10	16,496	-ra------	C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-05-19 07:10	118,727	--a------	C:\WINDOWS\hpoins09.dat
2007-05-19 07:09	827,392	-ra------	C:\WINDOWS\system32\hpotiop2.dll
2007-05-19 07:09	77,824	-ra------	C:\WINDOWS\system32\HPZIDS01.dll
2007-05-19 07:09	659,456	-ra------	C:\WINDOWS\system32\hpowiax2.dll
2007-05-19 07:09	38,400	--a------	C:\WINDOWS\system32\hpz3l054.dll
2007-05-19 07:09	254,026	-ra------	C:\WINDOWS\system32\hpovst09.dll
2007-05-19 07:09	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2007-05-19 06:41	d--------	C:\Program Files\HP
2007-05-19 06:28	25,856	--a------	C:\WINDOWS\system32\drivers\usbprint.sys
2007-05-03 05:14	374,784	--a------	C:\WINDOWS\3dg32.dll
2007-05-03 05:13	876,066	--a------	C:\WINDOWS\system32\3dreng.dll
2007-05-03 05:13	71,680	--a------	C:\WINDOWS\system32\3dr.dll
2007-05-03 05:13	479,744	--a------	C:\WINDOWS\system32\3dr332.dll
2007-05-03 05:13	38,400	--a------	C:\WINDOWS\system32\3dr32.dll
2007-05-03 05:13	278,528	--a------	C:\WINDOWS\system32\3drrgb.dll
2007-05-03 05:13	278,528	--a------	C:\WINDOWS\system32\3drbgr.dll
2007-05-03 05:13	274,944	--a------	C:\WINDOWS\system32\3drargb.dll
2007-05-03 05:13	274,944	--a------	C:\WINDOWS\system32\3dr565.dll
2007-05-03 05:13	274,432	--a------	C:\WINDOWS\system32\3drrgba.dll
2007-05-03 05:13	274,432	--a------	C:\WINDOWS\system32\3drbgra.dll
2007-05-03 05:13	274,432	--a------	C:\WINDOWS\system32\3drabgr.dll
2007-05-03 05:13	274,432	--a------	C:\WINDOWS\system32\3dr664.dll
2007-05-03 05:13	274,432	--a------	C:\WINDOWS\system32\3dr655.dll
2007-05-03 05:13	274,432	--a------	C:\WINDOWS\system32\3dr555.dll
2007-05-03 05:13	22,016	--a------	C:\WINDOWS\system32\3drsys.dll
2007-04-28 16:57	38,229	--a------	C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-04-10 22:08	d--------	C:\Program Files\QuickTime


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 13:30:41	--------	d-----w	C:\Program Files\Terminal Services Client
2007-05-30 10:49:34	--------	d-----w	C:\Program Files\Common Files\SureThing Shared
2007-05-29 07:36:40	--------	d-----w	C:\Program Files\Sonic
2007-05-28 03:05:43	--------	d-----w	C:\Program Files\MySpace
2007-05-27 09:07:00	--------	d-----w	C:\Program Files\IrfanView
2007-05-27 09:05:38	--------	d-----w	C:\Program Files\Digital Line Detect
2007-05-27 05:56:25	--------	d-----w	C:\Program Files\Movie Maker
2007-05-25 13:21:45	--------	d-----w	C:\Program Files\Xvid
2007-05-25 13:21:31	--------	d-----w	C:\Program Files\Windows NT
2007-05-25 13:21:16	--------	d-----w	C:\Program Files\Windows Media Connect 2
2007-05-25 13:21:09	--------	d-----w	C:\Program Files\Volo View Express
2007-05-25 13:19:04	--------	d-----w	C:\Program Files\Sierra On-Line
2007-05-25 13:15:07	--------	d-----w	C:\Program Files\NetZero
2007-05-25 13:14:56	--------	d-----w	C:\Program Files\NetWaiting
2007-05-25 13:14:30	--------	d-----w	C:\Program Files\MSN Messenger
2007-05-25 13:14:02	--------	d-----w	C:\Program Files\Modem Helper
2007-05-25 13:11:56	--------	d-----w	C:\Program Files\Messenger
2007-05-25 12:59:50	--------	d-----w	C:\Program Files\CCleaner
2007-05-25 12:59:28	--------	d-----w	C:\Program Files\Apple Software Update
2007-05-25 12:59:27	--------	d-----w	C:\Program Files\Apoint
2007-05-24 13:38:29	--------	d-----w	C:\DOCUME~1\ChWalker\APPLIC~1\Skype
2007-05-19 06:08:48	--------	d-----w	C:\DOCUME~1\ChWalker\APPLIC~1\IGN_DLM
2007-04-28 13:59:26	--------	d-----w	C:\DOCUME~1\ChWalker\APPLIC~1\Apple Computer
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-12 12:18:41	--------	d-----w	C:\DOCUME~1\ChWalker\APPLIC~1\LimeWire
2007-04-03 19:53:13	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-03-30 17:30:03	--------	d-----w	C:\DOCUME~1\ChWalker\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-03-30 17:04:07	--------	d-----w	C:\Program Files\Electronic Arts
2007-03-22 22:58:54	262,144	----a-w	C:\WINDOWS\system32\default_user_class.dat
2007-03-17 13:43:01	292,864	----a-w	C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28	577,536	----a-w	C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28	40,960	----a-w	C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28	281,600	----a-w	C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48	1,843,584	----a-w	C:\WINDOWS\system32\win32k.sys


Part 2 of ComboFix log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-10-26 11:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-03-02 14:02]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 17:29]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 03:05]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 06:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.usr" []
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-05-27 17:36]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-27 17:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-27 17:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.usr -atboottime" []
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WIAWizardMenu"=RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= AMINIT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wwSecSvc"=2 (0x2)
"iPodService"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cf7bc02-071b-11dc-a703-0014a54bb7e3}]
AutoRun\command- E:\Installer.exe


Contents of the 'Scheduled Tasks' folder
2007-04-25 01:29:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 19:00:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-30 19:01:52
C:\ComboFix-quarantined-files.txt ... 2007-05-30 19:01

--- E O F ---
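An added example (not from this thread or from the tools it names) that reads the Run-key lines of a ComboFix "Reg Loading Points" section and HijackThis O4 lines into one list and flags entries whose target has an extension no normal startup program uses, which is exactly what singles out the two .usr entries the helper marked for fixing. Assumptions: the bracket after a ComboFix Run value holds the target file's timestamp and is empty when the file could not be read; the set of expected extensions is the author's choice; the sample lines are constructed from the logs on this page.

```python
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "source hive name command stamp")

# ComboFix "Reg Loading Points" lines:
#   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
#   "Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.usr" []
# Assumption made here: the trailing bracket carries the target file's
# timestamp and is empty when ComboFix could not read the file at that path.
COMBOFIX_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
COMBOFIX_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*(?:\[(?P<stamp>[^\]]*)\])?$')
# HijackThis O4 lines:
#   O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.usr
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable path = everything up to the first extension-like token, so
# arguments such as "-atboottime" are dropped.
TARGET_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?P<ext>[A-Za-z0-9]{2,4}))(?:"|\s|$)')

# Extensions a startup entry is expected to launch (author's choice, not a Windows rule).
EXPECTED_EXT = {"exe", "com", "bat", "cmd", "scr", "pif"}


def parse_autoruns(text):
    """Collect Run/RunOnce entries from ComboFix and HijackThis output in one list."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = COMBOFIX_KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = COMBOFIX_VAL_RE.match(line)
        if m and current_key and current_key.lower().endswith(("\\run", "\\runonce")):
            hive = current_key.split("\\")[0]
            entries.append(Autorun("combofix", hive, m.group("name"), m.group("cmd"), m.group("stamp")))
            continue
        m = HJT_O4_RE.match(line)
        if m:
            entries.append(Autorun("hijackthis", m.group("hive"), m.group("name"), m.group("cmd"), None))
    return entries


def target_of(command):
    """Return (path, lowercase extension) of the program a command line launches."""
    m = TARGET_RE.match(command)
    return (m.group("path"), m.group("ext").lower()) if m else (command, "")


def flag_autoruns(entries):
    """Return (name, target, reasons) for entries worth a second look.

    An unusual extension is the strong signal: the .usr entries above are
    what the helper marks for fixing. A missing timestamp by itself only
    says "verify that the file exists before deciding anything".
    """
    findings = []
    for e in entries:
        path, ext = target_of(e.command)
        reasons = []
        if ext and ext not in EXPECTED_EXT:
            reasons.append(f"unusual extension .{ext}")
        if e.source == "combofix" and e.stamp == "":
            reasons.append("no file timestamp recorded")
        if reasons:
            findings.append((e.name, path, reasons))
    return findings


# Constructed sample built from the Run-key lines and the O4 line on this page.
SAMPLE_LOG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.usr" []',
    r'"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-05-27 17:36]',
    r'"QuickTime Task"="C:\Program Files\QuickTime\qttask.usr -atboottime" []',
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]',
    "",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.usr" -atboottime',
])

if __name__ == "__main__":
    for name, path, reasons in flag_autoruns(parse_autoruns(SAMPLE_LOG)):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```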
Quote
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
Have you messed with your registry to make changes to your computer?


Download The Avenger by Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Check the 'Input script manually' box.
  • Click on the magnifying glass icon.
  • Copy everything in the Quote box below, and PASTE it in the box that opens:

Quote
Files to delete:
C:\WINDOWS\USR_Shohdi_Photo_USR.exe
C:\WINDOWS\ua2.dll

  • Now click the 'Done' button.
  • Click on the traffic light icon and OK the prompt.
  • You will be prompted to restart; OK the prompt and your PC should reboot. If not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt. Post that.



I know you're having problems with executables, but see if you can manage to scan with TrojanHunter, AVG Anti-Spyware, and SUPERAntiSpyware. It's a long shot, I know, but it could really help.

Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

