2701.

Solve : Virus or malware. logs included?

Answer»

I have avast but downloaded a movie or something, saw a quick DOS program load and now my security center says my virus protection is not found.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/14/2008 at 04:24 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 02:46:03

Memory items scanned : 457
Memory threats detected : 0
Registry items scanned : 6111
Registry threats detected : 0
File items scanned : 87967
File threats detected : 0

Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 3

12/14/2008 10:35:09 PM
mbam-log-2008-12-14 (22-35-09).txt

Scan type: Quick Scan
Objects scanned: 55768
Time elapsed: 19 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:28 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\XSoft\xworking\sysrts.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Adobe Flash CS4\Flash.exe
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Max\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe

--
End of file - 7201 bytes



Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights.

  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

Hey thanks for your help. Here are the new logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:58 AM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\XSoft\xworking\sysrts.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Max\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe

--
End of file - 6617 bytes



SDFix: Version 1.240
Run by Max on Mon 12/15/2008 at 09:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found
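
An added example, not part of the original thread: Python that parses HijackThis entry lines, lists what changed between the two logs posted above, and flags the service listed with "Unknown owner" together with any Run entry that starts from the same folder. The flagging rule is an assumption made for this example (an "Unknown owner" label on its own does not prove a file is malicious), and the sample lines are excerpts of the logs in this thread.

```python
import ntpath
import re

# Excerpts of the two HijackThis logs posted in the thread (12/14 and 12/16).
LOG_BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe
"""

# "O4 - ...", "R1 - ...", "O23 - ...": section code, then the entry text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autostart: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[([^\]]+)\] (.+)$")
# O23 service: display name - company name - binary path
SVC_RE = re.compile(r"^Service: (.+?) - (.+?) - ([A-Za-z]:\\.+)$")


def parse_log(text):
    """Return one dict per Rn/On entry line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        entry = {"section": section, "raw": line}
        if section == "O4":
            run = RUN_RE.match(rest)
            if run:
                entry["name"], entry["command"] = run.groups()
        elif section == "O23":
            svc = SVC_RE.match(rest)
            if svc:
                entry["name"], entry["owner"], entry["path"] = svc.groups()
        entries.append(entry)
    return entries


def diff_logs(before, after):
    """Entry lines found in only one log, in log order: (removed, added)."""
    b = [e["raw"] for e in parse_log(before)]
    a = [e["raw"] for e in parse_log(after)]
    removed = [line for line in b if line not in a]
    added = [line for line in a if line not in b]
    return removed, added


def triage(entries):
    """Flag 'Unknown owner' services, then Run entries launched from the same folder.

    Assumed heuristic for this example: the result is a list of items to review,
    not a verdict. 8.3 short paths (PROGRA~1) are compared as written.
    """
    findings = []
    review_dirs = set()
    for e in entries:
        if e["section"] == "O23" and e.get("owner", "").lower() == "unknown owner":
            review_dirs.add(ntpath.dirname(e["path"]).lower())
            findings.append((e["name"], "service listed with Unknown owner"))
    for e in entries:
        if e["section"] != "O4" or "command" not in e:
            continue
        cmd = e["command"].strip('"').lower()
        if any(cmd.startswith(d + "\\") for d in review_dirs):
            findings.append((e["name"], "autostart from the folder of a flagged service"))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for line in removed:
        print("removed:", line)
    for line in added:
        print("added:  ", line)
    for name, reason in triage(parse_log(LOG_AFTER)):
        print("review: ", name, "-", reason)
```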



Uninstall XsoftSpy or XpcSpy. This is not a trusted program.

Download Malwarebytes' Anti-Malware (MBAM)

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.

    For Windows XP Systems install the Recovery Console:

    - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
    - If for some reason your Internet is not working click No.
    - If you are not using Windows XP, you will not be prompted.
    - When prompted to accept the EULA click OK.
    - Accept Microsoft's EULA (Click Yes).
    - When you are told that the RC is installed correctly click YES to continue scanning for malware.

    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    ----------

    Next post add:
    MBAM log
    ComboFix log

    Thank you they are....

    Malwarebytes' Anti-Malware 1.31
    Database version: 1499
    Windows 5.1.2600 Service Pack 3

    12/16/2008 5:52:24 PM
    mbam-log-2008-12-16 (17-52-24).txt

    Scan type: Quick Scan
    Objects scanned: 60377
    Time elapsed: 24 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    It wouldn't fit in one post so I had to make a few:

    ComboFix 08-12-16.03 - Max 2008-12-16 18:04:58.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.672 [GMT -7:00]
    Running from: c:\documents and settings\Max\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\_004064_.tmp.dll
    c:\windows\system32\_004065_.tmp.dll
    c:\windows\system32\_004066_.tmp.dll
    c:\windows\system32\_004067_.tmp.dll
    c:\windows\system32\_004074_.tmp.dll
    c:\windows\system32\_004075_.tmp.dll
    c:\windows\system32\_004076_.tmp.dll
    c:\windows\system32\_004077_.tmp.dll
    c:\windows\system32\_004079_.tmp.dll
    c:\windows\system32\_004080_.tmp.dll
    c:\windows\system32\_004083_.tmp.dll
    c:\windows\system32\_004084_.tmp.dll
    c:\windows\system32\_004086_.tmp.dll
    c:\windows\system32\_004087_.tmp.dll
    c:\windows\system32\_004088_.tmp.dll
    c:\windows\system32\_004090_.tmp.dll
    c:\windows\system32\_004093_.tmp.dll
    c:\windows\system32\_004094_.tmp.dll
    c:\windows\system32\_004098_.tmp.dll
    c:\windows\system32\_004099_.tmp.dll
    c:\windows\system32\_004101_.tmp.dll
    c:\windows\system32\_004104_.tmp.dll
    c:\windows\system32\_004106_.tmp.dll
    c:\windows\system32\_004107_.tmp.dll
    c:\windows\system32\_004108_.tmp.dll
    c:\windows\system32\_004109_.tmp.dll
    c:\windows\system32\_004110_.tmp.dll
    c:\windows\system32\_004113_.tmp.dll
    c:\windows\system32\_004114_.tmp.dll
    c:\windows\system32\_004115_.tmp.dll
    c:\windows\system32\_004116_.tmp.dll
    c:\windows\system32\_004117_.tmp.dll
    c:\windows\system32\_004122_.tmp.dll
    c:\windows\system32\_004124_.tmp.dll
    c:\windows\system32\hpvaut32.dll
    c:\windows\system32\hpvcp70.dll
    c:\windows\system32\hpvcr70.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
    .
    2008-12-15 21:18 . 2008-12-15 21:18  577,024  --a--c---  c:\windows\system32\dllcache\user32.dll
    2008-12-15 21:15 . 2008-12-15 21:16  d--------  c:\windows\ERUNT
    2008-12-15 21:12 . 2008-12-15 21:12  d--------  c:\documents and settings\Administrator
    2008-12-15 20:29 . 2008-12-15 22:39  d--------  C:\SDFix
    2008-12-15 07:06 . 2008-12-16 17:21  d--------  c:\documents and settings\Rachel
    2008-12-14 19:34 . 2008-12-14 19:34  d--------  c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2008-12-14 13:29 . 2008-12-14 13:29  d--------  c:\program files\Common Files\Wise Installation Wizard
    2008-12-14 13:23 . 2008-12-14 13:23  d--------  c:\program files\CCleaner
    2008-12-14 05:58 . 2008-12-14 05:58  d--------  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-12-14 05:57 . 2008-12-14 13:30  d--------  c:\program files\SUPERAntiSpyware
    2008-12-14 05:57 . 2008-12-14 13:30  d--------  c:\documents and settings\Max\Application Data\SUPERAntiSpyware.com
    2008-12-14 05:53 . 2008-12-14 05:53  d--------  c:\program files\Trend Micro
    2008-12-14 05:47 . 2008-12-15 00:16  d--------  c:\program files\Spybot - Search & Destroy
    2008-12-14 05:47 . 2008-12-15 00:16  d--------  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-14 05:31 . 2008-12-14 05:31  d--------  c:\documents and settings\Max\Application Data\Malwarebytes
    2008-12-14 05:31 . 2008-12-03 19:52  38,496  --a------  c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-14 05:31 . 2008-12-03 19:52  15,504  --a------  c:\windows\system32\drivers\mbam.sys
    2008-12-14 05:30 . 2008-12-14 05:31  d--------  c:\program files\Malwarebytes' Anti-Malware
    2008-12-14 05:30 . 2008-12-14 05:30  d--------  c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-13 20:11 . 2008-04-13 17:12  159,232  --a------  c:\windows\system32\ptpusd.dll
    2008-12-13 20:11 . 2001-08-17 22:36  5,632  --a------  c:\windows\system32\ptpusb.dll
    2008-12-13 19:51 . 2008-10-16 14:06  268,648  --a------  c:\windows\system32\mucltui.dll
    2008-12-13 19:51 . 2008-10-16 14:06  208,744  --a------  c:\windows\system32\muweb.dll
    2008-12-13 19:51 . 2008-10-16 14:06  27,496  --a------  c:\windows\system32\mucltui.dll.mui
    2008-12-13 11:36 . 2008-12-15 07:03  69  --a------  c:\windows\NeroDigital.ini
    2008-12-12 18:39 . 2008-12-15 07:01  d--------  c:\documents and settings\Max\Application Data\mjusbsp
    2008-12-12 18:38 . 2008-04-13 11:45  60,032  --a------  c:\windows\system32\drivers\USBAUDIO.sys
    2008-12-12 18:38 . 2008-04-13 11:45  60,032  --a--c---  c:\windows\system32\dllcache\usbaudio.sys
    2008-12-09 20:19 . 2008-12-09 20:47  d--------  c:\documents and settings\Max\Application Data\Download Manager
    2008-12-08 06:30 . 2008-12-16 17:19  3,400  --a------  c:\windows\system32\winxtm.dll
    2008-12-07 15:35 . 2000-05-22 06:00  647,872  --a------  c:\windows\system32\mscomct2.ocx
    2008-12-07 15:35 . 2004-03-09 00:00  224,016  --a------  c:\windows\system32\tabctl32.ocx
    2008-12-07 15:35 . 2004-03-09 16:45  152,848  --a------  c:\windows\system32\Comdlg32.ocx
    2008-12-07 15:34 . 2008-12-07 15:34  d--------  c:\program files\AML Products
    2008-12-06 22:26 . 2008-09-17 23:55  201,050  --a------  c:\windows\system32\nvapps.nvb
    2008-12-06 22:25 . 2008-12-07 02:17  d--------  c:\windows\NV1364152.TMP
    2008-12-06 21:50 . 2008-12-06 21:51  d--------  c:\documents and settings\Guest
    2008-12-06 20:38 . 2008-12-06 20:38  d--------  c:\documents and settings\Max\LocalLow
    2008-12-06 20:38 . 2008-12-06 20:38  d--------  c:\documents and settings\All Users\Application Data\TVU Networks
    2008-12-06 20:17 . 2008-12-06 22:02  d--------  c:\program files\WMCap
    2008-12-06 18:36 . 2008-12-06 19:51  d--------  C:\downloads
    2008-12-06 18:36 . 2008-12-06 20:11  d--------  c:\documents and settings\Max\Application Data\Orbit
    2008-12-06 18:36 . 2008-12-06 18:36  d--------  c:\documents and settings\Max\Application Data\GrabPro
    2008-12-06 14:42 . 2008-12-06 14:42  d--h-----  c:\windows\PIF
    2008-12-06 12:14 . 2008-12-06 12:14  d--------  c:\documents and settings\Max\Application Data\Apple Computer
    2008-12-06 12:10 . 2008-12-06 12:11  d--------  c:\program files\QuickTime
    2008-12-06 12:10 . 2008-12-06 12:13  d--------  c:\documents and settings\All Users\Application Data\Apple Computer
    2008-12-06 12:08 . 2008-12-06 12:09  d--------  c:\program files\Apple Software Update
    2008-12-06 12:08 . 2008-12-06 12:08  d--------  c:\documents and settings\All Users\Application Data\Apple
    2008-12-06 09:10 . 2004-02-25 23:18  51,056  -ra------  c:\windows\system32\drivers\hpzid412.sys
    2008-12-06 09:10 . 2004-02-25 23:18  16,496  -ra------  c:\windows\system32\drivers\HPZipr12.sys
    2008-12-06 09:09 . 2004-02-25 23:18  21,488  -ra------  c:\windows\system32\drivers\HPZius12.sys
    2008-12-06 09:09 . 2008-04-13 11:45  15,104  --a------  c:\windows\system32\drivers\usbscan.sys
    2008-12-06 09:09 . 2008-04-13 11:45  15,104  --a--c---  c:\windows\system32\dllcache\usbscan.sys
    2008-12-06 09:04 . 2003-12-11 11:15  44,544  -ra------  c:\windows\system32\MSXML4a.dll
    2008-12-06 09:03 . 2008-12-06 09:03  d--------  c:\program files\Common Files\Hewlett-Packard
    2008-12-06 08:56 . 2008-12-06 08:56  d--------  c:\program files\Common Files\HP
    2008-12-06 08:53 . 2008-12-06 08:55  d--------  c:\windows\system32\URTTemp
    2008-12-06 08:47 . 2008-12-06 09:04  d--------  c:\program files\HP
    2008-12-06 08:46 . 2004-02-25 23:17  38,868  ---------  c:\windows\hpomdl03.dat
    2008-12-06 08:46 . 2008-12-06 09:12  29,358  --a------  c:\windows\hpoins03.dat
    2008-12-05 20:10 . 2008-12-14 13:27  d--------  c:\documents and settings\Max\Application Data\U3
    2008-12-05 19:29 . 2008-12-05 19:29  d--------  c:\documents and settings\All Users\Application Data\FLEXnet
    2008-12-05 19:24 . 2008-12-05 19:24  d--------  c:\documents and settings\Max\Application Data\Yahoo!
    2008-12-05 19:24 . 2008-12-06 04:47  d--------  c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2008-12-05 19:23 . 2008-12-05 19:24  d--------  c:\program files\Yahoo!
    2008-12-05 19:23 . 2008-12-05 19:25  d--------  c:\documents and settings\All Users\Application Data\Yahoo!
    2008-12-05 19:21 . 2008-12-05 19:21  d--------  c:\program files\Adobe Media Player
    2008-12-05 19:17 . 2008-12-05 19:17  d--------  c:\program files\Common Files\Adobe AIR
    2008-12-05 19:15 . 2008-12-05 19:15  d--------  c:\program files\Common Files\Macrovision Shared
    2008-12-05 19:11 . 2006-10-26 19:56  32,592  --a------  c:\windows\system32\msonpmon.dll
    2008-12-05 19:09 . 2008-12-05 19:09  d--------  c:\program files\MSBuild
    2008-12-05 19:09 . 2008-12-05 19:09  d--------  c:\program files\Microsoft Works
    2008-12-05 19:06 . 2008-12-05 19:09  d--------  c:\windows\SHELLNEW
    2008-12-05 19:05 . 2008-12-05 19:11  d--------  c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-05 19:03 . 2008-12-05 21:20  d--------  c:\documents and settings\Max\Application Data\Ahead
    2008-12-05 19:02 . 2008-12-05 19:02  d--------  c:\documents and settings\All Users\Application Data\Ahead
    2008-12-05 19:01 . 2008-12-05 19:01  d--------  c:\program files\Nero
    2008-12-05 19:01 . 2008-12-05 19:02  d--------  c:\program files\Common Files\Ahead
    2008-12-05 19:01 . 2008-12-05 19:01  d--------  c:\documents and settings\All Users\Application Data\Nero
    2008-12-05 18:48 . 2008-12-05 18:48  dr-h-----  C:\MSOCache
    2008-12-05 18:38 . 2008-12-05 18:38  d--------  c:\program files\Windows Media Connect 2
    2008-12-05 18:37 . 2008-12-05 18:37  d--------  C:\61bfea5f06dbd9346e53
    2008-12-05 18:36 . 2008-12-05 18:36  d--------  c:\windows\system32\LogFiles
    2008-12-05 18:36 . 2008-12-05 18:37  d--------  c:\windows\system32\drivers\UMDF
    2008-12-05 18:20 . 2008-12-05 18:20  d--------  c:\program files\uTorrent
    2008-12-05 18:20 . 2008-12-16 17:31  d--------  c:\documents and settings\Max\Application Data\uTorrent
    2008-12-05 17:45 . 2008-12-05 17:45  d--------  c:\documents and settings\Max\Application Data\AdobeUM
    2008-12-05 17:37 . 2008-12-05 17:37  d--------  c:\windows\system32\scripting
    2008-12-05 17:37 . 2008-12-05 17:37  d--------  c:\windows\system32\en
    2008-12-05 17:37 . 2008-12-05 17:37  d--------  c:\windows\system32\bits
    2008-12-05 17:37 . 2008-12-05 17:37  d--------  c:\windows\l2schemas
    2008-12-05 17:35 . 2008-12-05 17:37  d--------  c:\windows\ServicePackFiles
    2008-12-05 17:30 . 2008-12-05 17:30  d--------  c:\windows\EHome
    2008-12-05 17:26 . 2008-12-05 17:26  13,646  --a------  c:\windows\system32\wpa.bak
    2008-12-05 17:24 . 2008-12-05 17:24  d--------  c:\windows\system32\Lang
    2008-12-05 17:24 . 2008-12-05 17:24  940,794  --a------  c:\windows\system32\LoopyMusic.wav
    2008-12-05 17:24 . 2008-12-05 17:24  146,650  --a------  c:\windows\system32\BuzzingBee.wav
    2008-12-05 10:48 . 2008-10-03 10:41  6,066,176  -----c---  c:\windows\system32\dllcache\ieframe.dll
    2008-12-05 10:48 . 2007-04-17 02:32  2,455,488  -----c---  c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-05 10:48 . 2007-03-07 22:10  991,232  -----c---  c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-05 10:48 . 2008-08-26 00:24  459,264  -----c---  c:\windows\system32\dllcache\msfeeds.dll
    2008-12-05 10:48 . 2008-08-26 00:24  383,488  -----c---  c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-05 10:48 . 2008-08-26 00:24  267,776  -----c---  c:\windows\system32\dllcache\iertutil.dll
    2008-12-05 10:48 . 2008-08-26 00:24  63,488  -----c---  c:\windows\system32\dllcache\icardie.dll
    2008-12-05 10:48 . 2008-08-26 00:24  52,224  -----c---  c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-05 10:48 . 2008-08-25 01:38  13,824  -----c---  c:\windows\system32\dllcache\ieudinit.exe
    2008-12-05 10:40 . 2008-12-05 10:40  0  --a------  c:\windows\nsreg.dat
    2008-12-05 10:37 . 2008-12-05 10:37  d--------  c:\program files\Alwil Software
    2008-12-05 10:33 . 2008-12-05 10:33  d--hs----  c:\documents and settings\Max\UserData
    2008-12-05 10:32 . 2008-08-14 03:11  2,189,184  -----c---  c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-05 10:32 . 2008-08-14 03:09  2,145,280  -----c---  c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-05 10:32 . 2008-08-14 02:33  2,066,048  -----c---  c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-05 10:32 . 2008-08-14 02:33  2,023,936  -----c---  c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-05 10:32 . 2008-09-15 05:12  1,846,400  -----c---  c:\windows\system32\dllcache\win32k.sys
    2008-12-05 10:32 . 2008-10-24 04:21  455,296  -----c---  c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-05 10:32 . 2008-09-08 03:41  333,824  -----c---  c:\windows\system32\dllcache\srv.sys
    2008-12-05 10:32 . 2008-06-13 04:05  272,128  ---------  c:\windows\system32\drivers\bthport.sys
    2008-12-05 10:32 . 2008-06-13 04:05  272,128  -----c---  c:\windows\system32\dllcache\bthport.sys
    2008-12-05 10:32 . 2008-05-08 07:02  203,136  -----c---  c:\windows\system32\dllcache\rmcast.sys
    2008-12-05 10:32 . 2008-08-14 03:04  138,496  -----c---  c:\windows\system32\dllcache\afd.sys
    2008-12-05 10:31 . 2008-12-05 10:49  d--h-----  c:\windows\$hf_mig$
    2008-12-05 10:31 . 2008-09-04 10:15  1,106,944  --a------  c:\windows\system32\SET1375.tmp
    2008-12-05 10:31 . 2008-04-11 12:04  691,712  -----c---  c:\windows\system32\dllcache\inetcomm.dll
    2008-12-05 10:31 . 2008-10-15 09:34  337,408  ---------  c:\windows\system32\SET1397.tmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 16:59---------d-----wc:\program files\microsoft frontpage
    2008-10-24 11:21455,296----a-wc:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 21:13202,776----a-wc:\windows\system32\wuweb.dll
    2008-10-16 21:131,809,944----a-wc:\windows\system32\wuaueng.dll
    2008-10-16 21:12561,688----a-wc:\windows\system32\wuapi.dll
    2008-10-16 21:12323,608----a-wc:\windows\system32\wucltui.dll
    2008-10-16 21:0992,696----a-wc:\windows\system32\cdm.dll
    2008-10-16 21:0951,224----a-wc:\windows\system32\wuauclt.exe
    2008-10-16 21:0943,544----a-wc:\windows\system32\wups2.dll
    2008-10-16 21:0834,328----a-wc:\windows\system32\wups.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 03:47160496--a------c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
    "cdloader"="c:\documents and settings\Max\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
    "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Documents and Settings\\Max\\Application Data\\mjusbsp\\magicJack.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-05 111184]
    R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-05 20560]
    S3 RTRSys;RTRSys;\??\c:\program files\XSoft\xworking\rsrsys.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{100bdf6f-c338-11dd-947f-00508dc3ce1f}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25766375-c2b0-11dd-b39d-806d6172696f}]
    \Shell\AutoRun\command - D:\autorun.exe
    \Shell\phone\command - D:\autorun.exe

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-winxld - c:\program files\XSoft\xworking\xld.exe
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
    O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
    hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    c:\windows\Downloaded Program Files\DownloadManagerV2.inf
    FF - ProfilePath - c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\extensions\[emailprotected]\plugins\npTVUAx.dll
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-16 18:07:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(740)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2008-12-16 18:08:13
    ComboFix-quarantined-files.txt 2008-12-17 01:08:03

    Pre-Run: 100,729,114,624 bytes free
    Post-Run: 100,737,097,728 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    279--- E O F ---2008-12-06 00:41:27
    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    KillAll::

    Folder::
    c:\program files\XSoft

    File::
    c:\windows\NV1364152.TMP
    c:\windows\system32\SET1375.tmp
    c:\windows\system32\SET1397.tmp

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25766375-c2b0-11dd-b39d-806d6172696f}]

    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

    Thanks again

    ComboFix 08-12-16.03 - Max 2008-12-17 18:02:04.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.212 [GMT -7:00]
    Running from: c:\documents and settings\Max\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Max\Desktop\CFScript.txt

    FILE ::
    c:\windows\NV1364152.TMP
    c:\windows\system32\SET1375.tmp
    c:\windows\system32\SET1397.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\a.exe
    c:\windows\system32\hpvaut32.dll
    c:\windows\system32\hpvcp70.dll
    c:\windows\system32\hpvcr70.dll
    c:\windows\system32\SET1375.tmp
    c:\windows\system32\SET1397.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
    .

    2008-12-17 17:58 . 2008-12-17 17:59d--------C:\32788R22FWJFW
    2008-12-17 17:54 . 2008-12-17 17:54d--------c:\program files\AC3Filter
    2008-12-17 17:54 . 2008-07-09 01:05421,888--a------c:\windows\system32\ac3filter.acm
    2008-12-17 06:26 . 2008-12-17 06:26d--------c:\documents and settings\Rachel\Application Data\Yahoo!
    2008-12-15 21:18 . 2008-12-15 21:18577,024--a--c---c:\windows\system32\dllcache\user32.dll
    2008-12-15 21:15 . 2008-12-15 21:16d--------c:\windows\ERUNT
    2008-12-15 21:12 . 2008-12-15 21:12d--------c:\documents and settings\Administrator
    2008-12-15 20:29 . 2008-12-15 22:39d--------C:\SDFix
    2008-12-15 07:06 . 2008-12-17 06:30d--------c:\documents and settings\Rachel
    2008-12-14 19:34 . 2008-12-14 19:34d--------c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2008-12-14 13:29 . 2008-12-14 13:29d--------c:\program files\Common Files\Wise Installation Wizard
    2008-12-14 13:23 . 2008-12-14 13:23d--------c:\program files\CCleaner
    2008-12-14 05:58 . 2008-12-14 05:58d--------c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-12-14 05:57 . 2008-12-14 13:30d--------c:\program files\SUPERAntiSpyware
    2008-12-14 05:57 . 2008-12-14 13:30d--------c:\documents and settings\Max\Application Data\SUPERAntiSpyware.com
    2008-12-14 05:53 . 2008-12-14 05:53d--------c:\program files\Trend Micro
    2008-12-14 05:47 . 2008-12-15 00:16d--------c:\program files\Spybot - Search & Destroy
    2008-12-14 05:47 . 2008-12-15 00:16d--------c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-14 05:31 . 2008-12-14 05:31d--------c:\documents and settings\Max\Application Data\Malwarebytes
    2008-12-14 05:31 . 2008-12-03 19:5238,496--a------c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-14 05:31 . 2008-12-03 19:5215,504--a------c:\windows\system32\drivers\mbam.sys
    2008-12-14 05:30 . 2008-12-14 05:31d--------c:\program files\Malwarebytes' Anti-Malware
    2008-12-14 05:30 . 2008-12-14 05:30d--------c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-13 20:11 . 2008-04-13 17:12159,232--a------c:\windows\system32\ptpusd.dll
    2008-12-13 20:11 . 2001-08-17 22:365,632--a------c:\windows\system32\ptpusb.dll
    2008-12-13 19:51 . 2008-10-16 14:06268,648--a------c:\windows\system32\mucltui.dll
    2008-12-13 19:51 . 2008-10-16 14:06208,744--a------c:\windows\system32\muweb.dll
    2008-12-13 19:51 . 2008-10-16 14:0627,496--a------c:\windows\system32\mucltui.dll.mui
    2008-12-13 11:36 . 2008-12-17 17:5869--a------c:\windows\NeroDigital.ini
    2008-12-12 18:39 . 2008-12-15 07:01d--------c:\documents and settings\Max\Application Data\mjusbsp
    2008-12-12 18:38 . 2008-04-13 11:4560,032--a------c:\windows\system32\drivers\USBAUDIO.sys
    2008-12-12 18:38 . 2008-04-13 11:4560,032--a--c---c:\windows\system32\dllcache\usbaudio.sys
    2008-12-09 20:19 . 2008-12-09 20:47d--------c:\documents and settings\Max\Application Data\Download Manager
    2008-12-08 06:30 . 2008-12-16 17:193,400--a------c:\windows\system32\winxtm.dll
    2008-12-07 15:35 . 2000-05-22 06:00647,872--a------c:\windows\system32\mscomct2.ocx
    2008-12-07 15:35 . 2004-03-09 00:00224,016--a------c:\windows\system32\tabctl32.ocx
    2008-12-07 15:35 . 2004-03-09 16:45152,848--a------c:\windows\system32\Comdlg32.ocx
    2008-12-07 15:34 . 2008-12-07 15:34d--------c:\program files\AML Products
    2008-12-06 22:26 . 2008-09-17 23:55201,050--a------c:\windows\system32\nvapps.nvb
    2008-12-06 22:25 . 2008-12-07 02:17d--------c:\windows\NV1364152.TMP
    2008-12-06 21:50 . 2008-12-06 21:51d--------c:\documents and settings\Guest
    2008-12-06 20:38 . 2008-12-06 20:38d--------c:\documents and settings\Max\LocalLow
    2008-12-06 20:38 . 2008-12-06 20:38d--------c:\documents and settings\All Users\Application Data\TVU Networks
    2008-12-06 20:17 . 2008-12-06 22:02d--------c:\program files\WMCap
    2008-12-06 18:36 . 2008-12-06 19:51d--------C:\downloads
    2008-12-06 18:36 . 2008-12-06 20:11d--------c:\documents and settings\Max\Application Data\Orbit
    2008-12-06 18:36 . 2008-12-06 18:36d--------c:\documents and settings\Max\Application Data\GrabPro
    2008-12-06 14:42 . 2008-12-06 14:42d--h-----c:\windows\PIF
    2008-12-06 12:14 . 2008-12-06 12:14d--------c:\documents and settings\Max\Application Data\Apple Computer
    2008-12-06 12:10 . 2008-12-06 12:11d--------c:\program files\QuickTime
    2008-12-06 12:10 . 2008-12-06 12:13d--------c:\documents and settings\All Users\Application Data\Apple Computer
    2008-12-06 12:08 . 2008-12-06 12:09d--------c:\program files\Apple Software Update
    2008-12-06 12:08 . 2008-12-06 12:08d--------c:\documents and settings\All Users\Application Data\Apple
    2008-12-06 09:10 . 2004-02-25 23:1851,056-ra------c:\windows\system32\drivers\hpzid412.sys
    2008-12-06 09:10 . 2004-02-25 23:1816,496-ra------c:\windows\system32\drivers\HPZipr12.sys
    2008-12-06 09:09 . 2004-02-25 23:1821,488-ra------c:\windows\system32\drivers\HPZius12.sys
    2008-12-06 09:09 . 2008-04-13 11:4515,104--a------c:\windows\system32\drivers\usbscan.sys
    2008-12-06 09:09 . 2008-04-13 11:4515,104--a--c---c:\windows\system32\dllcache\usbscan.sys
    2008-12-06 09:04 . 2003-12-11 11:1544,544-ra------c:\windows\system32\MSXML4a.dll
    2008-12-06 09:03 . 2008-12-06 09:03d--------c:\program files\Common Files\Hewlett-Packard
    2008-12-06 08:56 . 2008-12-06 08:56d--------c:\program files\Common Files\HP
    2008-12-06 08:53 . 2008-12-06 08:55d--------c:\windows\system32\URTTemp
    2008-12-06 08:47 . 2008-12-06 09:04d--------c:\program files\HP
    2008-12-06 08:46 . 2004-02-25 23:1738,868---------c:\windows\hpomdl03.dat
    2008-12-06 08:46 . 2008-12-06 09:1229,358--a------c:\windows\hpoins03.dat
    2008-12-05 20:10 . 2008-12-14 13:27d--------c:\documents and settings\Max\Application Data\U3
    2008-12-05 19:29 . 2008-12-05 19:29d--------c:\documents and settings\All Users\Application Data\FLEXnet
    2008-12-05 19:24 . 2008-12-05 19:24d--------c:\documents and settings\Max\Application Data\Yahoo!
    2008-12-05 19:24 . 2008-12-06 04:47d--------c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2008-12-05 19:23 . 2008-12-05 19:24d--------c:\program files\Yahoo!
    2008-12-05 19:23 . 2008-12-05 19:25d--------c:\documents and settings\All Users\Application Data\Yahoo!
    2008-12-05 19:21 . 2008-12-05 19:21d--------c:\program files\Adobe Media Player
    2008-12-05 19:17 . 2008-12-05 19:17d--------c:\program files\Common Files\Adobe AIR
    2008-12-05 19:15 . 2008-12-05 19:15d--------c:\program files\Common Files\Macrovision Shared
    2008-12-05 19:11 . 2006-10-26 19:5632,592--a------c:\windows\system32\msonpmon.dll
    2008-12-05 19:09 . 2008-12-05 19:09d--------c:\program files\MSBuild
    2008-12-05 19:09 . 2008-12-05 19:09d--------c:\program files\Microsoft Works
    2008-12-05 19:06 . 2008-12-05 19:09d--------c:\windows\SHELLNEW
    2008-12-05 19:05 . 2008-12-05 19:11d--------c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-05 19:03 . 2008-12-05 21:20d--------c:\documents and settings\Max\Application Data\Ahead
    2008-12-05 19:02 . 2008-12-05 19:02d--------c:\documents and settings\All Users\Application Data\Ahead
    2008-12-05 19:01 . 2008-12-05 19:01d--------c:\program files\Nero
    2008-12-05 19:01 . 2008-12-05 19:02d--------c:\program files\Common Files\Ahead
    2008-12-05 19:01 . 2008-12-05 19:01d--------c:\documents and settings\All Users\Application Data\Nero
    2008-12-05 18:48 . 2008-12-05 18:48dr-h-----C:\MSOCache
    2008-12-05 18:38 . 2008-12-05 18:38d--------c:\program files\Windows Media Connect 2
    2008-12-05 18:37 . 2008-12-05 18:37d--------C:\61bfea5f06dbd9346e53
    2008-12-05 18:36 . 2008-12-05 18:36d--------c:\windows\system32\LogFiles
    2008-12-05 18:36 . 2008-12-05 18:37d--------c:\windows\system32\drivers\UMDF
    2008-12-05 18:20 . 2008-12-05 18:20d--------c:\program files\uTorrent
    2008-12-05 18:20 . 2008-12-17 17:54d--------c:\documents and settings\Max\Application Data\uTorrent
    2008-12-05 17:45 . 2008-12-05 17:45d--------c:\documents and settings\Max\Application Data\AdobeUM
    2008-12-05 17:37 . 2008-12-05 17:37d--------c:\windows\system32\scripting
    2008-12-05 17:37 . 2008-12-05 17:37d--------c:\windows\system32\en
    2008-12-05 17:37 . 2008-12-05 17:37d--------c:\windows\system32\bits
    2008-12-05 17:37 . 2008-12-05 17:37d--------c:\windows\l2schemas
    2008-12-05 17:35 . 2008-12-05 17:37d--------c:\windows\ServicePackFiles
    2008-12-05 17:30 . 2008-12-05 17:30d--------c:\windows\EHome
    2008-12-05 17:26 . 2008-12-05 17:2613,646--a------c:\windows\system32\wpa.bak
    2008-12-05 17:24 . 2008-12-05 17:24d--------c:\windows\system32\Lang
    2008-12-05 17:24 . 2008-12-05 17:24940,794--a------c:\windows\system32\LoopyMusic.wav
    2008-12-05 17:24 . 2008-12-05 17:24146,650--a------c:\windows\system32\BuzzingBee.wav
    2008-12-05 10:48 . 2008-10-03 10:416,066,176-----c---c:\windows\system32\dllcache\ieframe.dll
    2008-12-05 10:48 . 2007-04-17 02:322,455,488-----c---c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-05 10:48 . 2007-03-07 22:10991,232-----c---c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-05 10:48 . 2008-08-26 00:24459,264-----c---c:\windows\system32\dllcache\msfeeds.dll
    2008-12-05 10:48 . 2008-08-26 00:24383,488-----c---c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-05 10:48 . 2008-08-26 00:24267,776-----c---c:\windows\system32\dllcache\iertutil.dll
    2008-12-05 10:48 . 2008-08-26 00:2463,488-----c---c:\windows\system32\dllcache\icardie.dll
    2008-12-05 10:48 . 2008-08-26 00:2452,224-----c---c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-05 10:48 . 2008-08-25 01:3813,824-----c---c:\windows\system32\dllcache\ieudinit.exe
    2008-12-05 10:40 . 2008-12-05 10:400--a------c:\windows\nsreg.dat
    2008-12-05 10:37 . 2008-12-05 10:37d--------c:\program files\Alwil Software
    2008-12-05 10:33 . 2008-12-05 10:33d--hs----c:\documents and settings\Max\UserData
    2008-12-05 10:32 . 2008-08-14 03:112,189,184-----c---c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-05 10:32 . 2008-08-14 03:092,145,280-----c---c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-05 10:32 . 2008-08-14 02:332,066,048-----c---c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-05 10:32 . 2008-08-14 02:332,023,936-----c---c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-05 10:32 . 2008-09-15 05:121,846,400-----c---c:\windows\system32\dllcache\win32k.sys
    2008-12-05 10:32 . 2008-10-24 04:21455,296-----c---c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-05 10:32 . 2008-09-08 03:41333,824-----c---c:\windows\system32\dllcache\srv.sys
    2008-12-05 10:32 . 2008-06-13 04:05272,128---------c:\windows\system32\drivers\bthport.sys
    2008-12-05 10:32 . 2008-06-13 04:05272,128-----c---c:\windows\system32\dllcache\bthport.sys
    2008-12-05 10:32 . 2008-05-08 07:02203,136-----c---c:\windows\system32\dllcache\rmcast.sys
    2008-12-05 10:32 . 2008-08-14 03:04138,496-----c---c:\windows\system32\dllcache\afd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 16:59---------d-----wc:\program files\microsoft frontpage
    2008-10-24 11:21455,296----a-wc:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((( [emailprotected]_18.07.40.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-18 01:09:0916,384----atwc:\windows\Temp\Perflib_Perfdata_5a8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 03:47160496--a------c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
    "cdloader"="c:\documents and settings\Max\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
    "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Documents and Settings\\Max\\Application Data\\mjusbsp\\magicJack.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-05 111184]
    R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-05 20560]
    S3 RTRSys;RTRSys;\??\c:\program files\XSoft\xworking\rsrsys.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{100bdf6f-c338-11dd-947f-00508dc3ce1f}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
    O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
    hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    c:\windows\Downloaded Program Files\DownloadManagerV2.inf
    FF - ProfilePath - c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\extensions\[emailprotected]\plugins\npTVUAx.dll
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-17 18:09:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\hpvaut32.dll 626960 bytes executable
    c:\windows\system32\hpvcp70.dll 487424 bytes executable
    c:\windows\system32\hpvcr70.dll 344064 bytes executable

    scan completed successfully
    hidden files: 3

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-17 18:15:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-18 01:15:54
    ComboFix2.txt 2008-12-17 01:08:14

    Pre-Run: 99,536,203,776 bytes free
    Post-Run: 99,528,687,616 bytes free

    258--- E O F ---2008-12-06 00:41:27
      • Click START then RUN
      • Now type Combofix /u in the runbox
      • Make sure there's a space between Combofix and /u
      • Then hit Enter.
      The above procedure will:
      • Delete the following:
        • ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.
      .
      ----------

    Download ATF Cleaner by Atribune to your Desktop.

    Alternate download link

    Note: Vista users must use Run As Administrator
    • Under Main: Select Files to Delete choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note that your system will run slower for a reboot or two after having used this tool so don't panic.
    .
    ----------

    Download OTCleanIt.exe and save it to your Desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it yourself.
    Important: Restart the computer before continuing.

    ----------

    How is the computer running now?

    much, much better

    Thank you for all your assistance. I can see the virus is gone because the computer recognizes my avast software now. Thanks again.

    Sounds good.

    Final suggestions.

    Use the Secunia Software Inspector to check for out of date software.
    • Click Start Now
    • Check the box next to Enable thorough system inspection.
    • Click Start
    • Allow the scan to finish and scroll down to see if any updates are needed.
    • Update anything listed.
    .
    ----------

    Go to Microsoft Windows Update and get all critical updates.

    ----------

    Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

    Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

    To prevent unknown applications from being installed on your computer install WinPatrol 2008
    * Using Winpatrol to protect your computer from malicious software

    I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

    SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
    * Using SpywareBlaster to protect your computer from Spyware and Malware
    * If you don't know what ActiveX controls are, see here

    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

    Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
    2702.

    Solve : Horrible Trojan?

    Answer»

    Good stuff!! Playing with the registry always scares me. I've been bitten by it a few times in the past and had to do rebuilds as a result. lol

    Problem solved, apparently it was a permissions issue and they sent me a fix.

    Malwarebytes' Anti-Malware 1.31
    Database version: 1519
    Windows 5.1.2600 Service Pack 3

    20/12/2008 2:25:01 AM
    mbam-log-2008-12-20 (02-25-01).txt

    Scan type: Quick Scan
    Objects scanned: 55106
    Time elapsed: 7 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Thank you so much for your time. It has saved me a great deal of anguish and probably money!!

    Have a great Christmas.

    Now we can finish up with the final steps.

    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.
    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.
    ----------

    Download OTCleanIt.exe and save it to your Desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it yourself.
    Important: Restart the computer before continuing.

    ----------

    Delete temporary files

    Go to:
    • Start
    • Run
    • type: CLEANMGR.EXE
    • Press Enter.
    When prompted select the C: drive and click OK.
    Check the boxes for:
    • Temporary Internet Files
    • Downloaded Program Files
    • Recycle Bin
    • Temporary Files
    Click OK or Enter

    ----------

    Use the Secunia Software Inspector to check for out of date software.
    • Click Start Now
    • Check the box next to Enable thorough system inspection.
    • Click Start
    • Allow the scan to finish and scroll down to see if any updates are needed.
    • Update anything listed.
    ----------

    Go to Microsoft Windows Update and get all critical updates.

    ----------

    Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

    Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

    To prevent unknown applications from being installed on your computer install WinPatrol 2008
    * Using Winpatrol to protect your computer from malicious software

    I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

    SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
    * Using SpywareBlaster to protect your computer from Spyware and Malware
    * If you don't know what ActiveX controls are, see here

    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

    Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

    All finished, thank you again

    You're welcome.

    Safe surfing...
    2703.

    Solve : An unknown trojan is/was in here... am I safe now??

    Answer»

    Hi all!, and thanks for the help.

    Twice already, I found some yt8a.exe as a hidden file in my C root directory.

    Then, a pendrive seems to have something hidden in some autorun.inf file.
    (I guess I might have caught the threat from some other PC I plugged it into)

    So, I kept the pendrive away (will have to deal with it later) and I ran the full set of pre-post steps in the guidelines, only to confirm that there were still some menaces hidden (described as an unknown trojan in the attached logs), hopefully gone now (or not?).

    Other than that, the only strange thing that I noted is that sometimes, when double-clicking on the c-drive -or pendrive- icons, Windows XP will prompt for extension file association type (as if I was trying to open some unknown-to-windows ".xyz" extension file) ... This symptom just happened again, after following the guidelined process!

    By the way, if gone from c: and the PC, then how do I now clean the pendrive & avoid re-infecting c: again?

    Thanks for the help!

    Thanks again!


    [Saving space - attachment deleted by admin]

    Well, for your pendrive, you should try running Flash Disinfector...
    http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

    Now, as for your computer...that's quite an infection you managed to pick up! But thankfully, the scans appear to have cleaned out almost everything. In fact, your HijackThis log actually looks pretty clean now. But just to be on the safe side, go ahead and follow these instructions...

    Download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

    I ran the ComboFix and here is the log attached.

    Thanks again!

    [Saving space - attachment deleted by admin]

    Well, not every reference of the infection was removed, but at least the autoruns are gone. Let's try a couple more steps to see if we can get rid of this for good.

    Highlight and copy everything in the code box below...

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43afb942-84ad-11dd-8fd7-dd0d2c065da3}]

    Paste this text into a Notepad file and go to File > Save As. In the Save As Type section, select "All files" and then save the file as remove.reg. Run the file and allow it to be merged with your registry.

    Then go ahead and look for that yt8a.exe file again. Does it still exist? If so, tell me exactly where it is (such as C:\Windows or C:\Windows\system32).

    Cool... by now I feel like in that "war games" movie, trying to avoid world war 3 by disabling that funky virus from pentagon's automatic missile-launching systems.

    I looked for that yt8a.exe and no trace. I went one step further and re-ran the combo-fix (hopefully I didn't mess up), and it didn't mention the yt8 either (log attached).

    ok... I'm keeping my fingers crossed to see your confirmation on the full-clean-status.


    One thousand new thanks for all the help!

    [Saving space - attachment deleted by admin]

    Never saw it, but I'm glad you're having fun with this. Heh.

    As long as that file is gone, you should be clean. However, I just re-read your first post and realized that I should've had you look in the C:\ folder as well. Sorry. Go ahead and do that. In fact, you should search the entire C drive with the Windows search function from the Start menu.

    Also...since you don't need it anymore, go ahead and uninstall ComboFix. Go to Start > Run and type in combofix /u (note the space) and click OK.

    Here are some links to that movie... way innocent for today's standards
    http://en.wikipedia.org/wiki/WarGames
    http://www.imdb.com/title/tt0086567/
    http://www.youtube.com/watch?v=tAcEzhQ7oqA

    OK, checked all c: and yt8a didn't show up at all.

    I also ran the pendrive cleaner... so I then checked yt8a there too, and nothing.

    I guess I can finally breathe now!!!... right?

    You guys are great help to the whole community. I thank you again and I extend my thankiness to all involved who read this post.

    Great, everything should be clean now. There are just a couple of quick things you need to do now. First, you need a decent firewall. You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo. They're all good free firewalls. Just be sure you only have one installed at a time! Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

    You should also clear out your restore points. This is to remove any infected files that have been backed up by Windows. Please follow these steps...

    1. Go to Start > Programs > Accessories > System Tools > System Restore
    2. Click on System Restore Settings.
    3. Check Turn off System Restore and click OK.
    4. Restart your computer.
    5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
    6. Create a new restore point and close the program.

    System Restore will now be active again. If you would like to learn more about System Restore, go here.



    Safe surfing! And I'll be sure to check out that movie when I have some free time this week.
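
For the pendrive question in this thread, a way to see what a drive's autorun.inf would launch before trusting the drive again. This is an added example, not code from the thread or from any tool it mentions; the file contents and drive listing below are constructed, and the assumption that the file pointed at yt8a.exe is ours, since the thread never shows the file.

```python
"""Inspect an autorun.inf from a removable drive and list what it would launch."""
import ntpath

# Extensions that make a launch entry run a program or script.
PROGRAM_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample (assumption: the thread never shows the real file's contents).
SAMPLE_AUTORUN = r"""
;xkqjw padding line placed before the section
[AutoRun]
open=yt8a.exe
shell\open\Command=yt8a.exe
shell\explore\command="yt8a.exe" -e
icon=%SystemRoot%\system32\shell32.dll,4
label=USB DISK
"""

# Constructed drive listing: the executable is already gone, the .inf is not.
SAMPLE_FILES = ["autorun.inf", "photos/trip.jpg"]


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, with lower-cased keys.

    Tolerant on purpose: comments, junk lines and other sections are skipped
    instead of raising, because such files are often padded with noise.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key):
    """True for keys that start something: open, shellexecute, shell\\<verb>\\command."""
    if key in ("open", "shellexecute"):
        return True
    return key.startswith("shell\\") and key.endswith("\\command")


def command_target(command):
    """Extract the file a command line starts, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        target = command[1:end] if end != -1 else command[1:]
    else:
        parts = command.split()
        target = parts[0] if parts else ""
    target = target.replace("/", "\\")
    # Drop a leading ".\" or "\" so the path is relative to the drive root.
    while target.startswith((".\\", "\\")):
        target = target[2:] if target.startswith(".\\") else target[1:]
    return target


def assess(text, present_files):
    """List every launch entry with its target and whether that file exists."""
    present = {p.replace("/", "\\").lower() for p in present_files}
    findings = []
    for key, value in parse_autorun(text).items():
        if not is_launch_key(key):
            continue
        target = command_target(value)
        ext = ntpath.splitext(target)[1].lower()
        findings.append({
            "key": key,
            "target": target,
            "runs_program": ext in PROGRAM_EXTS,
            "target_present": target.lower() in present,
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_AUTORUN, SAMPLE_FILES):
        state = "present" if f["target_present"] else "missing"
        kind = "program" if f["runs_program"] else "other"
        print(f"{f['key']:<24} -> {f['target']} ({kind}, {state})")
```

Entries reported as a program with a missing target are leftovers: the file was removed but the launch entry still points at it.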

    2704.

    Solve : remove windows association to fumohune.dll?

    Answer»

    Just removed a trojan and was wondering if there was an easy way to fix the dependency that Windows has to C:\Windows\System32\fumohune.dll, as I get a RUNDLL alert "Error Loading C:\Windows\System32\Fumohune.dll The specified module could not be found." [ OK ] message.

    System is clean but there is a dependency still pointing to a path the trojan had.

    *** Update: I was finally able to find it in MSCONFIG and will deselect check mark and see if that helps... Guessing a registry edit may be required.

    Thanks,

    Dave

    To resolve this, download Autoruns for Windows and search for the related entry and then delete it.

    • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
    • Open the folder and double-click on autoruns.exe to launch it.
    • If using Windows Vista, Right-click autoruns.exe and Run As Administrator
    • Please be patient as it scans and populates the entries.
    • When done scanning, it will say Ready at the bottom.
    • Scroll through the list and look for a startup entry related to the file(s) in the error message.
    • Right click on the entry and choose delete
    • Reboot your computer and see if the startup error returns.
    Thanks!

    That took care of it!

    Dave
    2705.

    Solve : Blocked from using eBay?

    Answer»

    For a number of months now, I've been totally blocked from accessing eBay. When I type in the URL, it takes a little longer than normal to connect and then I get this message on a totally white screen: "Can't connect to MySQL server on 'lasolarmall.com' (10060)." Lasolarmall appears to be an inactive shopping site, so I have to wonder whether there's any connection to my problem. EBay says to scan with anti-virus software, but won't help beyond that. I've tried all types of anti-virus, anti-spyware scans and nothing seems to work. I checked my host file to see if someone had gotten into that, but only the local host is showing, which I'm told is normal. I sent a message to the owner of the Lasolarmall site to try and get some help, but no response. I tried the company that hosts the site and they give me essentially the same response as eBay. If anyone has any suggestions, they would be much appreciated. Thanks.

    Download Malwarebytes' Anti-Malware (MBAM)

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select Perform quick scan, then click Scan.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Be sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and Paste the entire report in your next reply.
      Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

      ----------

      Please download DDS by sUBs and save it to your Desktop.

      Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
      • Double click on dds to run it.
      • When done, DDS.txt will open.
      • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
      • When done, Attach.txt will open.
      • Please copy and paste the contents of DDS.txt and Attach.txt in your next reply.
      2706.

      Solve : Writing to another persons PC without their knowledge.?

      Answer»

      Hi,
      This is a question which has been bugging me for some time. In the light of the recent Internet Explorer problem, I think it's about time it was asked.

      If people can hijack your computer and write viruses & spyware to it through loopholes as in IE, can they also write compromising data to your PC, such as illegal porn images?

      If they can, how would the many convictions stand up where people have been convicted of possessing illegal downloaded images? (Not that I have any, but it is worrying if an innocent person can be framed in such a way).

      Is it technically possible?... Please don't try it on me!

      Thanks

      Quote

      Please don't try it on me!

      Too late! I've added some interesting things to your collection of files but I'm not going to say where, of course!

      Quote
      If they can, how would the many convictions stand up where people have been convicted of possessing illegal downloaded images? (Not that I have any, but it is worrying if an innocent person can be framed in such a way).

      There is such a thing as a 'zombie' computer which is used by a remote user without the owner's consent (or knowledge) but these computers are usually very heavily compromised and probably have very lacking security. And yes, these computers are used to transfer illegal content and in some countries, the law might hold the owner accountable rather than the offender since the offender is very hard to trace in most cases.

      What you need to make sure of is the following;

      1. That you have a hardware firewall which is enabled. (Your Internet Service Provider modem may act as a router and a firewall)
      2. That you have a software firewall (If you have a hardware firewall, you can use the XP/Vista firewall)
      3. That you have an up-to-date virus scanner
      4. That you have an up-to-date spyware scanner
      5. That you use Firefox rather than Internet Explorer.

      If you take these points into account and keep your installation of Windows up-to-date with automatic updates.
      Never open attachments from people you do not trust (Or people you trust unless you -asked- for the attachment)
      Never use dictionary-word passwords.

      If you need software for any of the above points, google for these programs;

      AVG Free (Anti-virus/spyware)
      Adaware SE (Anti-spyware)
      Mozilla Firefox (Browser)
      ZoneAlarm (software firewall)

      A hardware firewall can only be obtained through purchasing a router although your modem might come with one. Check the documentation or ask your ISP.



      Here's your homework;

      http://en.wikipedia.org/wiki/Zombie_computer
      http://computer.howstuffworks.com/computer-internet-security-channel.htm

      Cheers, It's a bit of a war zone out there on the web! Next we'll be needing bullet proof vests and military style hard hats.

      Quote from: Baffled on December 18, 2008, 06:49:16 AM
      Cheers, It's a bit of a war zone out there on the web! Next we'll be needing bullet proof vests and military style hard hats.

      We needed those long before the web was invented. I trust that you are stocking up on those as well?



      Come back if you need any help with configuring any security programs.
      2707.

      Solve : some odd .dll problems?

      Answer»

      hey, i appear to have acquired a virus of some sort but it's quite odd compared to what I'm usually used to dealing with, Norton didn't pick it up and my ad-aware is being silly and not running fully, I did some research on the problem I was having and ended up downloading "Security Task Manager", It found four things potentially dangerous in my system so I quarantined them all.
      - Katowola.dll
      - nukavuso.dll
      - vodesome.dll
      - zitakihu.dll (this also is labeled as a "browser extension" and was hanging out in my IE addons before i removed the dll)

      this fixed the problem but I don't feel comfortable permanently deleting stuff from my system folder without knowing if it is important or not first. I googled all the terms and there was nothing out there on any of them! Please help !

      thanks, Nelgraf

      P.S. The problem I was having was just a standard pop-up virus that whenever i was on internet about every 20 seconds something would come up.

      P.P.S. if you need DxDiag or anything just let me know

      What we need is the logs from here.

      2708.

      Solve : Recommended Anti-Virus Program?

      Answer»

      I just bought a new computer and it came with McAfee coverage for 15 months pre-installed. Is this a good Anti-virus program? If not, which program would you recommend for me to get?
      Thanks

      It is a trusted program. Try it and see how you like it.

      If you are looking for a trusted free solution here is a list.

      Remember to only install one antivirus!

      1) Avast! Home Free Edition
      2) AVG Free Edition
      3) Avira AntiVir Personal
      4) Comodo Antivirus
      5) PC Tools AntiVirus Free Edition

      Firewalls.

      1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
      2) Online Armor
      3) Sunbelt/Kerio
      4) Agnitum
      5) PC Tools Firewall Plus

      2709.

      Solve : hit hard by trojan, can't even perform "pre-scans" for forum?

      Answer»

      I'm running legal system:
      Microsoft Windows XP
      Home Edition
      Version 2002
      Service Pack 3


      Computer was acting strange.
      Did scans that i always do using avg and ccleaner and malwarebytes stuff, but nothing is working for me.

      avg came up with some trojan entries:

      1. Infection
      Virus name: - Trojan Horse Downloader.Delf.Dum
      Path: C:\Documents and settings\Application Data\googleklnxv.19819115.exe
      Found: 12/16/08 12:35:50AM

      2. Infection
      Virus name: - Trojan Horse SHeur2.FJD
      Path - C:\WINDOWS\system32\prunnet.exe
      Found - 12/16/08 2:53:47 PM

      3. Infection
      Virus name: Trojan Horse Downloader. Agent. AQCU
      Path: C:\Documents and settings\Local Settings\Temporary Internet Files\Content.IE5\TU5FDA7E\winsinstall[1].exe
      Found - 12/16/08 2:54:36 PM

      4. Infection
      Virus name: Trojan Horse Agent. AQCU
      Path: C:\Documents and settings\Application Data\gadcom\gadcom.exe
      Found: 12/16/08 2:55:50

      5. Infection
      Virus name: Found registry key with reference to infected file C:\Documents and settings\Application Data\gadcom\gadcom.exe
      Path: HKU\s-1-5-21-3087560337-971410402-1518621887-1011\Software\Microsoft\Windows\CurrentVersion\Run\\gadcom
      Found: 12/16/08 2:55:50

      6. Infection
      Virus Name: Trojan Horse Agent.AOQG
      Path: C:\Documents and settings\Application Data\gadcom\gadcom.exe
      Found: 12/16/08 3:08:22PM

      7. Infection
      Virus Name: Trojan Horse Sheur2.FJD
      Path: C:\Documents and Settings\Local Setting\temp\smxacweonr.tmp
      Found: 12/17/08 12:51:23 AM

      8. Infection
      Virus Name: Trojan Horse Sheur2.FJD
      Path: C:\WINDOWS\systems32\prunnet.exe
      Found: 12/17/08 3:20:13 AM



      and thats it. sorry thats all I have. I'm not able to do the necessary scans that are needed before you're able to post here in the forum.

      in trying to run AVG after reinstalling it I get this:
      avgwdsvc.exe has encountered a problem and needs to close.
      We are sorry for the inconvenience.

      It tells me these are the files that were sent with the error report:
      C:\DOCUME~1\sandra!\LOCALS~1\Temp\WERb255.dir00\avgwdsvc.exe.mdmp
      C:\DOCUME~1\sandra!\LOCALS~1\Temp\WERb255.dir00\appcompat.txt

      Then out of nowhere all the components become inactive or outdated then become active again except for Anti-virus, Anti-Spyware and update manager. I'm not able to update software it will not connect.

      With the rest of the programs CCleaner is not a problem it runs fine, but Malwarebytes Anti Malware will not work at all, when i try to open it nothing happens, same with SUPERAntiSpyware and HijackThis.

      Even when i try to download software my computer will not connect to any page.
      It seems pages that will help me out my computer doesn't connect to, and the rest it just connects fine.
      I was gonna paste a screen cap or the viruses AVG found, but even paint won't open, when i click on it it says it's unable to prepare a blank document.

      Other symptoms: I can google search but cannot click on results, if i do it will send me to a bogus link, so i have to copy and paste url in address bar. When I do that, i get 1 firefox popup and 1 IE popup that starts opening just a bunch of tabs, all which are blank.
      Also automatic updates from microsoft, trying turning them on, but nothing happens.
      Will post more later.

      Can anybody help?
      I can't even run the necessary tools that are needed to fix this, and yes i have run them in safemode too.

      Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

      • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
      • Then search for TDSSserv.sys
      • Let me know if you find this or not.
      • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
      • Also if this is found and you disable it, then reboot and see if you can run the other scans that would not run.

      alright found it.
      disabled it.
      had to reboot twice.

      on rebooting avg's resident shield found a bunch of infections. I just removed threats.

      opened firefox to access this forum and resident shield alert came up again.
      39 threats, all some sort of trojan horse virus.
      All detected on open.
      I can't log the file, i can open paint so here are all the screen caps.
      then i'll remove threats and then scan the computer.


      heres the list: http://img361.imageshack.us/img361/1894/logir6.jpg

      removed threats and avg came back and said specific file not found for each of them.

      now i'm about to begin scanning.

      opened avg to do initial scan, got 8 threats.
      all trojan horses
      they're either
      BHO.GQR
      or
      Vundo.CQ
      Vundo.CM
      Vundo.CS

      all specific files not found.

      logs so far.

      [attachment deleted by admin]

      more logs.

      Malwarebytes' Anti-Malware 1.31
      Database version: 1515
      Windows 5.1.2600 Service Pack 3

      12/18/2008 12:46:37 PM
      mbam-log-2008-12-18 (12-46-37).txt

      Scan type: Quick Scan
      Objects scanned: 77919
      Time elapsed: 25 minute(s), 55 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 4
      Registry Values Infected: 18
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 3

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e63efb46-c46f-46dc-8cdc-7ecf358f610f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{e63efb46-c46f-46dc-8cdc-7ecf358f610f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_control_crc (Backdoor.Agent) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\system32\spdvnc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\TDSSixgp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.






      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2:09:43 PM, on 12/18/2008
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16762)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Viewpoint\Common\ViewpointService.exe
      C:\WINDOWS\system32\ZuneBusEnum.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
      C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
      C:\Program Files\Zune\ZuneLauncher.exe
      C:\Program Files\HPQ\SHARED\HPQWMI.exe
      C:\PROGRA~1\AVG\AVG8\avgtray.exe
      C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
      C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Documents and Settings\sandra!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
      C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
      C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
      C:\Program Files\Java\jre6\bin\jusched.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ¸?Ô
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
      O2 - BHO: (no name) - {4046A27F-B156-4312-8A1B-790EDEF1067D} - C:\WINDOWS\system32\wvUkHYsp.dll (file missing)
      O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
      O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
      O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
      O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
      O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
      O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
      O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
      O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
      O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
      O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
      O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
      O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sandra!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
      O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
      O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
      O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: HotSync Manager.lnk = ?
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
      O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
      O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
      O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
      O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
      O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
      O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\WINDOWS\system32\shdocvw.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
      O15 - Trusted Zone: *.avsystemcare.com
      O15 - Trusted Zone: *.onerateld.com
      O15 - Trusted Zone: *.safetydownload.com
      O15 - Trusted Zone: *.stumbleupon.com
      O15 - Trusted Zone: *.trustedantivirus.com
      O15 - Trusted Zone: *.virusschlacht.com
      O15 - Trusted Zone: *.avsystemcare.com (HKLM)
      O15 - Trusted Zone: *.onerateld.com (HKLM)
      O15 - Trusted Zone: *.safetydownload.com (HKLM)
      O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
      O15 - Trusted Zone: *.virusschlacht.com (HKLM)
      O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
      O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
      O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
      O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
      O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
      O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
      O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
      O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4946/mcfscan.cab
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
      O20 - AppInit_DLLs: avgrsstx.dll spdvnc.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O20 - Winlogon Notify: hgGyxWMG - hgGyxWMG.dll (file missing)
      O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)
      O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe (file missing)
      O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
      O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
      O23 - Service: noxtcyr Event propagation service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe (file missing)
      O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe (file missing)
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: roxtctm pass-through (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe (file missing)
      O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)
      O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe (file missing)
      O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe (file missing)
      O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe (file missing)
      O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
      O23 - Service: wsldoekd Corporation inc. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)

      --
      End of file - 14879 bytes

      that's it.

      am i forgetting any logs?

      Open HijackThis and select Do a system scan only.

      Place a check mark next to the following entries: (if there)

      - R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ¸?Ô
      - O2 - BHO: (no name) - {4046A27F-B156-4312-8A1B-790EDEF1067D} - C:\WINDOWS\system32\wvUkHYsp.dll (file missing)
      - O20 - AppInit_DLLs: avgrsstx.dll spdvnc.dll
      - O20 - Winlogon Notify: hgGyxWMG - hgGyxWMG.dll (file missing)


      Important: Close all windows except for HijackThis and then click Fix checked.

      Exit HijackThis.

      ----------

      Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

      Download SDFix by AndyManchesta and save it to your desktop.

      When using this tool, you must use the Administrator's account or an account with Administrative rights

      • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
      • DO NOT use it just yet.

      Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

      Open the SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
      • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).
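
An added example (not part of the original posts, and not HijackThis's own code): a small Python triage script that parses HijackThis entry lines and lists the orphaned ones, meaning those ending in "(file missing)" or "(no file)", the marker carried by two of the entries the reply above asks to fix. The function names are hypothetical; the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Subset of the HijackThis log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {4046A27F-B156-4312-8A1B-790EDEF1067D} - C:\WINDOWS\system32\wvUkHYsp.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll spdvnc.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hgGyxWMG - hgGyxWMG.dll (file missing)
O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe (file missing)
"""

# An entry line is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends one of these markers when the referenced file is absent.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# O23 body layout: "Service: <display name> - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text):
    """Return one dict per entry line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        entries.append({
            "code": m.group("code"),
            "body": body,
            "orphaned": bool(ORPHAN_RE.search(body)),
        })
    return entries


def orphaned_by_section(entries):
    """Group orphaned entries by section code (O2, O3, O20, O23, ...)."""
    grouped = defaultdict(list)
    for e in entries:
        if e["orphaned"]:
            grouped[e["code"]].append(e["body"])
    return dict(grouped)


def orphaned_services(entries):
    """(display name, owner) for each O23 service whose binary is missing."""
    found = []
    for e in entries:
        if e["code"] == "O23" and e["orphaned"]:
            m = SERVICE_RE.match(e["body"])
            if m:
                found.append((m.group("name"), m.group("owner")))
    return found


def appinit_dlls(entries):
    """DLL names listed on the O20 AppInit_DLLs line, for manual review."""
    for e in entries:
        if e["code"] == "O20" and e["body"].startswith("AppInit_DLLs:"):
            return e["body"].split(":", 1)[1].split()
    return []


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for code, bodies in sorted(orphaned_by_section(parsed).items()):
        print(f"{code}: {len(bodies)} orphaned")
        for body in bodies:
            print("   ", body)
    print("AppInit_DLLs:", ", ".join(appinit_dlls(parsed)))
```

An orphaned entry is a prompt for review, not a verdict: leftovers of uninstalled software carry the same marker.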
      2710.

      Solve : Decrease computer's hard disk space?

      Answer»

      I have a problem in the computer's hard disk
      The empty area of about 212 GB. When I load a program the virus appears. So cut the connection. Then I saw that the area of computer's hard disk was 4 MB. What do I do

      Go to the malware/virus section of this forum and follow the instructions in the announcement at the top of that forum.

      2711.

      Solve : Laptop infected logs attached?

      Answer»

      Hello horn1988. I'll give you a heads up when ComboFix is back on-line.

      Hello Horn1988. ComboFix is back on-line. You can run this scan.

      Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

      ComboFix

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
      Double-click combofix.exe and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log and a new HijackThis log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

      2712.

      Solve : Worm.Win32.Netsky?

      Answer»

      My computer has Worm.Win32.Netsky. I'm using another computer as I can no longer use my other. (which is why I can't include all the file stuff) Everything was fine till last night. A few webpages were coming up red and saying I was infected or whatever so I closed everything off. It seemed like something fake. I rebooted but when I did sign back on everything was messed up.

      When I first load up windows it goes to the logon screen like everything is normal but then an error pops up. scvhost.exe Application error. I close that and sign on. I get the long Spyware Alert message. Saying Security Alert. Worm.Win32.Netsky has been detected. Describes what it is and that I should perform a system scan. During this only my desktop loads up (not my tool bar where you click start)

      A few secs later a System Shutdown window pops up saying it is shutting down and it's because of RPC and there is a minute countdown.

      I tried to access Task Manager (by keys) and it said it was disabled by admin so tried do some RUN: then going to registry or anything trying to and that also did not work. It said I was infected. I tried safe boot (any safe boot) but it shows all the text scrolling for a bit and then just restarts...

      A lot of posts I've run into talk of downloading things and this and that but I can't even access anything. I'm not a computer expert and really need some help. This all happened quite suddenly. Is there any way to go delete something without loading up windows? I can access the recovery console but I don't know what to do there..Please, Please help!

      *Wanted to mention that I can access the recovery console

      Possibly a bootable cd might help. Try burning this to a cd on a computer other than your own.
      http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

      2713.

      Solve : Cleaning the mess a virus did to my computer?

      Answer»

      One of my Dell windows XP computers recently was struck by a virus and it left quite a mess. the computer works, but just very inefficiently. anybody knows how to fix that?

      Hi, welcome to the Computer Hope message boards.

      I have noticed you have not followed the guidelines set by Evilfantasy. Please follow the guidelines he has posted Here. After you have done them, a malware removal specialist such as Evilfantasy or CBMatt Will come shortly to assist you.

      2714.

      Solve : logs help!! Expert?

      Answer» Attached are my logs help me out...

      [Saving space, attachment deleted by admin]

      I used Windows process and HijackThis log tool and here's Your HijackThis report. Please wait also for an expert to advise you on what to do next.
      2715.

      Solve : Terrible virus?

      Answer»

      I use firefox
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 9:44:08 PM, on 5/14/2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\System32\svchost.exe
      c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\Explorer.EXE
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\Program Files\Dell\Media Experience\PCMService.exe
      C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      C:\Program Files\Analog Devices\Core\smax4pnp.exe
      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
      C:\Program Files\EZ-DUB\EZ-DUB.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\eMule\emule.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
      O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
      O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210445566982
      O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      O24 - Desktop Component 0: Privacy Protection - (no file)

      --
      End of file - 5056 bytes

      Nothing there - clean

      Install couple of Firefox add-ons:
      - Adblock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
      - Adblock Filterset.G Updater: https://addons.mozilla.org/en-US/firefox/addon/1136

      ok, thanks

      Let me know.
      Also, even if you don't use IE (like myself), upgrading to version 7 is recommended for security reasons.

      ok, I'll do that, thanks again.

      I'm still getting them pop-ups, I just started getting them again today.

      Run this scan: http://www.pandasecurity.com/homeusers/downloads/docs/product/help/rkc/en/rkc_en.htm

      how do I run/download it?

      Click on:
      Scan your computer and remove any rootkits in a few simple steps at the above link.

      2716.

      Solve : svcipa.exe found in my computer?

      Answer»

      Hi.. anyone please help me.. !!!

      I got this svcipa.exe trojan virus in my computer. Currently my Norton Antivirus can't repair it..
      Can anyone please help me... step by step.. I hope to recover my computer back to normal condition.

      Thanks in advance.

      Regards,
      Mark

      Travel Here and follow the instructions for removal using PrevX...
      After doing so you should update all your protection programs and run the scans.
      Post back with the results...

      Hi Patio,

      Thanks for your prompt reply. I had actually downloaded the PrevX and done the scanning.. it had cleaned the virus. But when I use the Norton Antivirus to scan again for virus, the result is that it still contains the virus.
      I'm confused about this.. What should I do now?

      Regards,
      Mark

      Does Norton happen to report the file location?
      It may be hiding in a Restore point.
      The method for this would be to disable system restore [Warning: you will lose all your restore points] and re-boot into safemode and rerun all your scans...

      Is by disable the system restore and rerun all the scan in safe mode will total make the computer free of virus?
      By the way, what is the best antivirus recommendation to keep my computer away from virus as I used to download files from the internet..

      Thanks in advance for your help.

      Regards,
      Mark

      Quote from: cysmark on August 23, 2007, 11:42:14 PM

      Is by disable the system restore and rerun all the scan in safe mode will total make the computer free of virus?
      This isn't guaranteed. It will definitely help, though.

      To give it a try...
      1. Go to Start > Programs > Accessories > System Tools > System Restore
      2. Click on System Restore Settings.
      3. Check Turn off System Restore and click OK.
      4. Reboot into Safe Mode and scan with your anti-virus, then restart.
      5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
      6. Create a new restore point and close the program.

      System Restore will now be active again. If you would like to learn more about System Restore, go here. Let us know if you still have problems after this.

      Quote from: cysmark on August 23, 2007, 11:42:14 PM
      By the way, what is the best antivirus recommendation to keep my computer away from virus as I used to download files from the internet..
      This is up to debate, but my personal favorite is AVG Free.

      hi CBMatt,

      the svcipa.exe virus is back in my computer.. what should i do now..?
      Pls help..

      Regards,
      mark

      Download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

      Then go ahead and post a HijackThis for us to take a look at.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
      2717.

      Solve : Desperately Seeking Help?

      Answer»

      I have been having some major issues with my computer. I can not open programs, I can not use my printer, I can not use System Restore. I keep getting script error messages and debugging prompts, I suddenly have icons in my taskbar that I don't know what they are or where they came from. I have been to several message boards for help and I have had no one even respond! I am running Windows XP Home Edition. I use AOL's security systems. I don't know if this is a Virus or what...I have run SpyBot, Adaware, different online scans etc and can not get anywhere. I'm frustrated! Please, please, please take a look at my Hijack This log and tell me if there is anything going on... I appreciate any help in advance. My log will be posted in my next thread...Thanks



      Logfile of HijackThis v1.99.1
      Scan saved at 7:57:48 AM, on 8/23/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
      C:\Program Files\Common Files\AOL\1155217253\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
      C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\mcafee.com\personal firewall\MPFService.exe
      C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\wanmpsvc.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Common Files\AOL\1155217253\ee\AOLSoftware.exe
      C:\Program Files\mcafee.com\antivirus\oasclnt.exe
      C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
      C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\WINDOWS\stsystra.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\WINDOWS\System32\DLA\DLACTRLW.EXE
      C:\Program Files\Common Files\AOL\1155217253\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Program Files\Digital Line Detect\DLG.exe
      C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
      C:\Program Files\Common Files\AOL\1155217253\ee\SSCEvtHdlr.exe
      C:\Program Files\Common Files\AOL\1155217253\ee\aolsoftware.exe
      C:\Program Files\America Online 9.0\waol.exe
      C:\Program Files\America Online 9.0\shellmon.exe
      C:\Program Files\Common Files\Aol\aoltpspd.exe
      C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE
      C:\Program Files\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
      O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
      O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[emailprotected]
      O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155217253\ee\AOLSoftware.exe
      O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
      O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
      O4 - HKLM\..\Run: [MPFEXE] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
      O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1155217253\ee\SSCRun.exe
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
      O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
      O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1155217253\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      O4 - Global Startup: Digital Line Detect.lnk = ?
      O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187303190343
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{4DDA7CB5-3F52-4090-8C4B-F9EEF5EB6681}: NameServer = 205.188.146.145
      O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
      O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1155217253\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
      O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
      O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
      O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
      O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
      O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

      Sorry for the wait, LG; life has been pretty busy lately. Just give me a few minutes to get some things sorted out and then I'll take a look at your log and let you know what I see.

      Wow, my errands took quite a bit longer than I expected. But I took a look at your log and the only issue I see is...

      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab

      Check that entry with HijackThis, close all other programs/windows, and click on Fix Checked.

      How long have you been having your problems?
      Can you think of any changes you made before this started? Did you install/uninstall any programs?

      Go ahead and download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2718.

      Solve : 271 threats detected?

      Answer»

      Hey folks, my computer has been basically unusable for many months due to lots of viruses and trojans on it...and I finally decided it was time to clean up this mess. I'm running windows xp, with AVG free edition and super anti-spyware, along with various other generic virus scans here and there. Super anti-spyware found 271 threats when I was in safe mode, and I deleted / quarantined them all only to find many are coming back right when I start up. And doing the virus scans while not in safe mode doesn't work, as they take literally 20 hours to complete the scan, where the viruses just close the results automatically and I can't do anything.

      Also my computer takes a good 30 mins to 2 hours to boot up, making getting into safe mode more of a chore than I would like. I've pretty much given up hope on this computer but if you guys could possibly help at all, that would be awesome. Also I'm not really a computer expert so I don't know how to even reformat my computer. Could anyone explain how to do that if worse comes to worse and I decide to just start from scratch?

      Thanks

      hmm...slightly more info about your pc would be helpful.
      what version of windows xp are you running? home? pro? media centre?
      what service pack is it?

      It's windows xp home edition, and I'm not sure what service pack (not a comp genius, don't know what you mean by service pack. This comp was given to me)

      Posting a HijackThis log would make it a bit easier to help you. Things are sounding pretty bad right now, though, so we can't make any promises.

      Just in case a reformat will be necessary...what CD's do you have for that computer?

      start menu > run > type winver and it should tell you info about your system

      if that doesn't help. open my computer, right click, properties, and should tell you your sp.

      Hey I'm back, been keeping my computer offline to make sure nothing else gets in, and it seems with a little bit of help from hijack this I've been able to clear mostly everything. I still can't find a reason why my computer takes so long to boot up though, it's gotten slightly better but some days it literally will take 3 hours or more to start up. Could it be a virus / trojan or something that is causing this? Or more of a hardware problem? I've been monitoring my computer closely these past few days and Superantispyware / AVG haven't found anything popping up, and no suspicious activity at all so the booting up problem is baffling me.

      And CBMatt, by CD's for my computer do you mean the CD's to reformat? I've never done a reformat so I don't have the slightest clue of the specifics of it, but people keep telling me you need a CD to reformat the computer, and since this computer was given to me I do not have that CD.

      You should have posted the log here for assistance...cleaning things on your own can render a machine un-bootable...

      No it's not that I screwed anything up cleaning it, AVG / Superantispyware cleaned most of the stuff up, I just had a friend who's good with Hijackthis go in and kill the resurrection files. The last time this computer was used was in March where apparently it just froze up and stopped working, and it wouldn't boot up. So yeah, don't worry about that I didn't mess the computer up by cleaning it on my own. If you guys would still like a hijackthis log I'd be happy to post it, since I'm sure there's probably some stuff still lurking around.

      Quote from: Drin on August 19, 2007, 08:32:55 AM

      And CBMatt, by CD's for my computer do you mean the CD's to reformat? I've never done a reformat so I don't have the slightest clue of the specifics of it, but people keep telling me you need a CD to reformat the computer, and since this computer was given to me I do not have that CD.
      Yes, that's exactly what I mean. It's possible to reformat a computer without CD's, but I've never done it, so I don't think I'm the best person to ask. And I'm not even sure if that would help because it could be a hardware problem (quite likely if Safe Mode also gives you problems).

      Out of curiosity, go ahead and post a HijackThis log and I'll see if there's anything else that should be removed.

      Hey, it seems something was overlooked because some of the viruses and what not seem to be back. When I went online to post the hijack this log a day after my last post, my computer was bogged down again and I could tell there was stuff running in the background. I also noticed something changed the date / year on my computer to 2107 which seemed really random. Anyway, I haven't been able to find what's causing this but I figured I'd risk going online to post that hijack this log.

      Logfile of HijackThis v1.99.1
      Scan saved at 5:40:55 AM, on 8/6/2007
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\QuickTime\qttask.exe
      F:\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      C:\WINDOWS\System32\tcpsvcs.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\WINDOWS\system32\pctspk.exe
      C:\WINDOWS\System32\snmp.exe
      C:\Program Files\Windows Media Player\wmplayer.exe
      C:\WINDOWS\system32\divxsm.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\explorer.exe
      F:\MY stuff\VR.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R3 - Default URLSearchHook is missing
      F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,aeyohdy.exe
      O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\System32\cscentfy.dll (file missing)
      O2 - BHO: Acrobat Helper - {06846E6F-C8D7-4D56-B87D-784B7D6BE083} - C:\WINDOWS\system\ctlsdlg.dll__SpybotSDDisabled (file missing)
      O2 - BHO: (no name) - {822D8AB0-812D-4E59-9A86-E58CBE0B9512} - C:\WINDOWS\System32\ponai.dll__SpybotSDDisabled (file missing)
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
      O4 - HKLM\..\Run: [a-squared] "F:\MY stuff\a-squared Anti-Malware\a2guard.exe"
      O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
      O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
      O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
      O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
      O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

      Oh and one last question that I've been wondering about, when I ran the original virus scans it found svehost.exe to be a virus, and I know svchost in itself is a system process, but is it normal to have 4 svchosts running at the same time? Cause my task manager says theres 4 running at all times and I thought that was weird

      Quote
      Oh and one last question that I've been wondering about, when I ran the original virus scans it found svehost.exe to be a virus, and I know svchost in itself is a system process, but is it normal to have 4 svchosts running at the same time? Cause my task manager says theres 4 running at all times and I thought that was weird
      I have quite a few svchost.exe's running as well.
      You should consider the fact that a virus can be named anything, including svchost.

      If your antivirus picked it up as a virus, it could be one, although I'm not sure.

      And one last thing, I'm not a pro at Hijackthis so wait for someone else to analyze it

      I see that you have a lot of protection software. Ample protection is a good thing, but you need to be careful. Make sure you don't run all of these programs at once, as that may cause problems with scanning, detecting, and cleaning malware. If you have more than one anti-virus running, they'll "fight" over which program takes precedence. This can cause many errors and may result in infected files going unnoticed. So, you should pick the anti-virus you want to keep (I suggest AVG Free) and just get rid of the rest. As for anti-spyware...you should disable AVG Anti-Spyware (not the same as AVG Free) and keep Spybot as your active scanner, because AVG AS doesn't have a live scanner unless you pay for it.

      Now, for your log... Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R3 - Default URLSearchHook is missing

      F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,aeyohdy.exe

      O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\System32\cscentfy.dll (file missing)
      O2 - BHO: Acrobat Helper - {06846E6F-C8D7-4D56-B87D-784B7D6BE083} - C:\WINDOWS\system\ctlsdlg.dll__SpybotSDDisabled (file missing)
      O2 - BHO: (no name) - {822D8AB0-812D-4E59-9A86-E58CBE0B9512} - C:\WINDOWS\System32\ponai.dll__SpybotSDDisabled (file missing)

      O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
      O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
      O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup


      Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

      Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

      Stop Sign or Acceleration Software

      Please note any other programs that you don't recognize in that list in your next response.

      Navigate to and delete the following folder(s) if present...

      C:\Program Files\Acceleration Software

      Navigate to and delete the following file(s) if present...

      C:\WINDOWS\system\ctlsdlg.dll
      C:\WINDOWS\System32\aeyohdy.dll
      C:\WINDOWS\System32\cscentfy.dll
      C:\WINDOWS\System32\ponai.dll


      Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up. Let me know how everything's running now and if you had any problems following my steps.

      Quote from: Drin on August 24, 2007, 06:49:11 AM
      Oh and one last question that I've been wondering about, when I ran the original virus scans it found svehost.exe to be a virus, and I know svchost in itself is a system process, but is it normal to have 4 svchosts running at the same time? Cause my task manager says theres 4 running at all times and I thought that was weird

      There's a big difference between svehost and svchost. Sure, they look similar, but svchost is a vital system process (it's very normal to have 4 instances) and svehost is a commonly-known infection. If your anti-virus hasn't deleted C:\WINDOWS\system32\svehost.exe, then you should delete it manually in Safe Mode.

      As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
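
The checks the helper applied by eye in this thread (the extra program appended to UserInit, the "(file missing)" entries, and svehost.exe posing as svchost.exe) can be run over a saved HijackThis log. This is an added example, not part of the original thread or of HijackThis; the process list, expected folders, finding labels and the one svchost.exe path outside system32 are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: lines copied from the log posted in this thread, plus
# the svehost.exe path named in the reply and one made-up svchost.exe path
# outside system32 (neither of those two appears in the posted log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svehost.exe
C:\Documents and Settings\user\svchost.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,aeyohdy.exe
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\System32\cscentfy.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# Assumption: core Windows XP processes and the folder each normally runs from.
SYSTEM_PROCS = {
    "smss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "spoolsv.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")               # a running-process line


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(path):
    """Flag a system process name in the wrong folder, or a near-miss name."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(ntpath.splitdrive(path)[1]).lower()
    if name in SYSTEM_PROCS:
        if folder != SYSTEM_PROCS[name]:
            return ("unexpected-path", path)
        return None
    for known in sorted(SYSTEM_PROCS):
        if edit_distance(name, known) == 1:
            return ("lookalike-name", f"{name} resembles {known}")
    return None


def check_entry(code, body):
    """Flag extra programs chained onto UserInit and orphaned entries."""
    found = []
    if code == "F2":
        m = re.search(r"userinit=(.*)$", body, re.IGNORECASE)
        if m:
            # The stock value is userinit.exe followed by a trailing comma.
            for item in m.group(1).split(","):
                item = item.strip()
                if item and ntpath.basename(item).lower() != "userinit.exe":
                    found.append(("userinit-extra", item))
    if body.lower().endswith("(file missing)"):
        found.append(("file-missing", body))
    return found


def triage(log_text):
    """Return (kind, detail) findings for a HijackThis log, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            findings.extend(check_entry(*entry.groups()))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and PATH_RE.match(line):
            hit = check_process(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

A finding is a prompt for review, not a verdict: "(file missing)" entries are often leftovers from software that was uninstalled or already cleaned.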
      2719.

      Solve : 462 fatal error message?

      Answer»

      hi chris, thank you for all your help..

      i went and purchased that cable.
      slaved the hard drive to an old computer.
      removed the data i wanted.
      now in the process of completely reformatting laptop with new memory and o/s.
      should be back to new, shortly.

      because it is my works computer, it will now be password protected, so that only i use it. i have learned a valuable and expensive lesson.

      thanks once again.............the information received was very good

      Awesome, I'm glad to hear you're getting everything sorted out. Password protecting it is a great idea. You should also check out this guide for improving your overall protection...

      http://www.saviour-pc.com/forums/view.php?pg=malware_guide

      As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2720.

      Solve : Popups popups everywhere!?

      Answer»

      I was recently browsing the internet looking for how to videos on coke and mentos (youtube is not allowed in this household.) Anyway a popup came up saying I have not got the latest active x control. Being a fool I accepted and that's where my problems began. First of all it tried installing a trojan but AVG picked that up. After doing that I did a full system scan of everything on my computer. Using Windows Washer I cleaned any Temporary internet files / cookies. Then I went into control panel and deleted suspicious looking programs. While this did get rid of my extra internet toolbar I'm still receiving popups saying I may have been infected and companies trying to sell me their products to help me get rid of it. As soon as anyone can aid me by telling me how to upload a picture I can gladly show you what 1 of the popups (there are several) are.

      I am using Internet Explorer 7
      AVG free edition
      Windows Firewall and this is an iMac, I have used a program named boot-camp to get into Windows XP. I'm too scared to go into the Mac area of the computer, will it be infected?

      Best regards, James

      With any luck, this will hopefully be a simple fix. Post a HijackThis log so we can take a look at it and see where the problem may be hiding.

      Quote from: James_Goku on August 21, 2007, 08:47:57 AM

      Windows Firewall and this is an iMac, I have used a program named boot-camp to get into Windows XP. I'm too scared to go into the Mac area of the computer, will it be infected?

      So I assume you're dual-booting. No the MAC OS should not have been affected. Something might have been attempted I guess, depending on how the trojan / virus spreads on your computer but no I doubt there will be any problems.

      CBMatt will fix your problem(s) in no time when a HJT log is posted, make sure you get all of it and if it doesn't fit 2 or more posts is alright.

      Not to fear Spybot is here! I found 9 different pieces of spyware and the problem ceases to exist. Shall I still use HiJack this?

      Yes.

      Anything I should be worried about?

      Logfile of HijackThis v1.99.1
      Scan saved at 7:57:03 AM, on 22/08/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16512)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\Brightness.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\Program Files\Apple Keyboard Support\KbdMgr.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Program Files\Google\Gmail Notifier\gnotify.exe
      C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Seaward\PATGuard Elite\eManagerNR.exe
      C:\Program Files\Webroot\Washer\WasherSvc.exe
      C:\Program Files\Webroot\Washer\wwDisp.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\0BKXUVNN\HijackThis[1].exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: (no name) - {5DDE5591-A8AB-4897-93EF-1E4E943F85A7} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
      O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
      O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
      O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
      O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
      O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
      O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
      O4 - HKLM\..\Run: [OPSE2 Reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
      O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKLM\..\RunOnce: [SpybotDeletingA9216] command /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
      O4 - HKLM\..\RunOnce: [SpybotDeletingC332] cmd /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
      O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
      O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "James"
      O4 - HKCU\..\RunOnce: [SpybotDeletingB2530] command /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
      O4 - HKCU\..\RunOnce: [SpybotDeletingD1221] cmd /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
      O4 - Global Startup: PATGuard e-Manager.lnk = C:\Program Files\Seaward\PATGuard Elite\eManagerNR.exe
      O8 - Extra context menu item: &Search - ?p=ZJxdm035YYAU
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Aaron\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

      CBMatt will tell you if you need to fix anything but it looks like you still need to reboot for Spybot to finish clearing out those files, judging by the O4, RunOnce entries.

      First, your HijackThis is in a temporary location. If you leave it there, it (along with its important backups) can and will eventually be deleted. Please download it again and save it to a new permanent folder at C:\Program Files\HJT.


      DeltaSlaya is right. Typically, it's best to scan in Safe Mode. If you don't, some programs require you to restart your computer to clean the infection. So, make sure you do that. Those entries shouldn't show up in your next log. Until then, we'll take care of what's on this current one...

      Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

      O2 - BHO: (no name) - {5DDE5591-A8AB-4897-93EF-1E4E943F85A7} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)

      O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)

      O8 - Extra context menu item: &Search - ?p=ZJxdm035YYAU


      Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

      Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

      Video ActiveX Access

      Please note any other programs that you don't recognize in that list in your next response.

      Navigate to and delete the following folder(s) if present...

      C:\Program Files\Video ActiveX Access

      Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up. Let me know how everything's running now and if you had any problems following my steps.

      I did the following as you stated above but I couldn't find the file Video ActiveX, hope I've stamped it out now. Here is a HiJack this log if you wish to have a second look

      Logfile of HijackThis v1.99.1
      Scan saved at 7:44:23 PM, on 22/08/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16512)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Webroot\Washer\WasherSvc.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\Brightness.exe
      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      C:\Program Files\Apple Keyboard Support\KbdMgr.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
      C:\Program Files\Google\Gmail Notifier\gnotify.exe
      C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Webroot\Washer\wwDisp.exe
      C:\Program Files\Seaward\PATGuard Elite\eManagerNR.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\HiJack This\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
      O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
      O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
      O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
      O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
      O4 - HKLM\..\Run: [OPSE2 Reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
      O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
      O4 - Global Startup: PATGuard e-Manager.lnk = C:\Program Files\Seaward\PATGuard Elite\eManagerNR.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Aaron\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

      Thanks for all your help,

      James.

      I figured the program would probably be gone; I just wanted to be thorough to make sure we get everything. With that out of the way, your log now looks clean. However, you're using an older version of Java. You'll want to correct this quickly, as it will help provide further protection for you. To do so, go here and click on Free Java Download. You will be given instructions on what to do next. After installing the newest version, you should remove any older versions.

      Also...you're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo. They're all good free firewalls. Just be sure you only have one installed at a time! Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

      Take care of those and you should be set. You're no longer experiencing any problems, are you?

      Not at all, I'll just install these now. Any use installing firewalls for my Mac partition? Any Mac friendly ones?

      James.

      Because it's not as widely-used, Mac isn't nearly as vulnerable. Of course, that doesn't make it completely immune. I don't usually work with Macs, so unfortunately, I don't know for sure which firewalls are best-suited for it, but I'm pretty sure ZoneAlarm has a Mac version. And if you're using Mac OS X, it should have a built-in firewall, which may be sufficient.

      As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
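
The triage done by eye on the first HijackThis log in this thread, as an added Python example (not part of the original thread and not a HijackThis feature): it separates "(file missing)" entries that sit in a folder a RunOnce `del` command is already removing from those that are merely orphaned, and lists the cleanup that still waits for a reboot. The sample lines are copied from that log; the function names and the correlation rule are assumptions of this example.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# Entry lines copied from the first HijackThis log in this thread (a subset).
SAMPLE_LOG = r'''
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5DDE5591-A8AB-4897-93EF-1E4E943F85A7} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpybotDeletingA9216] command /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\RunOnce: [SpybotDeletingD1221] cmd /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Aaron\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
'''

# "O2 - ...", "R1 - ...", "O23 - ...": section code, dash, free text.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# First drive-letter path; stops at a closing quote or the "(file missing)" tag.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?)(?:"|\s+\(file missing\)|\s*$)')
# A RunOnce value that deletes a file at next boot.
DEL_RE = re.compile(r"\b(?:cmd|command)\s+/c\s+del\b", re.IGNORECASE)
VALUE_RE = re.compile(r"\[([^\]]+)\]")


class Entry(NamedTuple):
    code: str
    text: str
    path: Optional[str]
    file_missing: bool

    @property
    def folder(self):
        # ntpath parses Windows paths on any OS; compare case-insensitively.
        return ntpath.dirname(self.path).lower() if self.path else None


def parse_entries(log_text):
    """Return the R/O/F entries of a log, skipping headers and process lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, text = m.groups()
        p = PATH_RE.search(text)
        entries.append(Entry(code, text, p.group(1) if p else None,
                             text.endswith("(file missing)")))
    return entries


def triage(log_text):
    """Sort entries into pending-reboot cleanup, remnants and plain orphans."""
    entries = parse_entries(log_text)
    pending = [e for e in entries
               if e.code == "O4" and "RunOnce:" in e.text and DEL_RE.search(e.text)]
    doomed = {e.folder for e in pending if e.folder}
    report = {"pending_reboot": [], "remnant": [], "orphan": []}
    for e in pending:
        name = VALUE_RE.search(e.text)
        report["pending_reboot"].append(name.group(1) if name else e.text)
    for e in entries:
        if not e.file_missing:
            continue
        label = ntpath.basename(e.path) if e.path else e.text
        key = "remnant" if e.folder in doomed else "orphan"
        report[key].append((e.code, label))
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, items)
```
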
      2721.

      Solve : ehjalrp.exe and quqnrtl.exe - Frustrating Viruses?

      Answer»

      OS: Windows XP (home and professional)
      Rest of the specs = various computers.

      Hey guys, I'm in a bit of a pickle with this one. Basically, it started off at school (this will be a bit of a long story). Every now and again, a flash drive would get a strange autorun.inf file created on it, and another inctvg.exe (or similar) created file. The combination of these would cause the flash drive to be inaccessible via the usual "double click" from my computer, instead only accessible through explore or auto-play. To fix the flash drives, all files had to be copied off, and the flash drive reformatted. Then it started spreading to home computers. I am one of the two students who has been appointed to find out more about this. So far, this is what I know, but I was wondering if anyone knew any more about this virus, because every Google result I get is in Chinese, and that would make sense, because no anti-virus software that I have yet found (and I've tried 5 of the best) can remove it. The main dilemma is - although the server can be reset and started again - it will just take one student with their flash drive still infected to bring the virus back. Anyhow, this is what we know:
      -It runs two files at startup which run in the processes (ehjalrp.exe and quqnrtl.exe)
      -You end one, and it will respawn the other, and vice versa, so the entire process tree has to be stopped in order for it to stop the virus
      -Its effects on the system include changing the file type association of folders to open every file folder as a new search window, it prevents hidden files from being viewed (both while the virus is there, and even after it is stopped - i.e. it just changes the folder options back to not viewing hidden files), any administrative windows apart from task manager are closed straight away (i.e. msconfig, system properties, etc), and safe mode is disabled. These are the only ones we have discovered, there may be more.
      -It downloads various other keyloggers and trojans, and possibly a virus called the "Like Virus"
      -To remove it, it has to have the process killed, and then we have used file-assassin to remove it, because Windows doesn't recognise its existence. Then it doesn't start up again, but it seems that maybe it has other processes or registry keys attached to it, because after a few days it recreates itself.

      So I was wondering the following:
      -Does anyone know how to get the viewing of hidden files re-enabled after the damage is done? (i.e. maybe a registry key preventing it or something)
      -Does anyone have a fix for this, or know the other associated processes with it?
      -Does anyone have a server wide fix or any suggestions? Because checking 600 odd flash drives for infection would be quite time consuming. We were thinking an immunity in the registry or something, but this would require knowing what registry keys it affects and modifies, and the knowledge of how to implement it. Thanks guys.

      Thanks in advance for any help that you guys might have to offer. Being a seemingly Asian virus, I don't know of anyone who's heard of it, so it makes it a bit hard. Thanks again

      -Phoenix910

      Please list the protection apps you have run...
      It sounds like a self-replicating trojan which most AV programs may not be able to deal with...
      Trojans are a different beast.

      It does sound like a trojan so maybe try superantispyware. It's free and really good. Also dl hijackthis and post a log for me and other members to review. The log may take more than one post.

      Most of the infected school computers run McAfee (not my favourite), but on the infected computers, I have run Trend-Micro Internet Security 2007, ClamWin, Spybot, Adaware, HijackThis, and Registry Mechanic. From memory I believe that was all. In terms of posting a HijackThis log, I will have to wait until I find another infected computer, so that will be perhaps about a day or two, but along with this virus, I seem to find about 150 different other keyloggers and trojans every time, so I am theorising perhaps it downloads a lot of other viruses itself? Anyhow, thanks for the help so far.

      -Phoenix910

      but try superantispyware dl it install it update it and then unplug the test computer (a random infected computer we will work on and try to fix first) from the network then scan

      Alrighty, I'll try that and let you know how it goes. If this works, any idea on immunities on a server level? I.e. what keys it affects so we can block it from occurring?

      ummm that's hard to tell but if sas finds it it will tell you what it did just make a log for me to look at
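
Checking some 600 flash drives by hand, as the original post fears, can be scripted. The following is an added Python example (not part of the original thread): it reads a drive's autorun.inf and reports each launch entry that points at an executable, which is the autorun.inf-plus-.exe pairing the post describes. The function names and the extension list are assumptions; the sample drive is constructed, using the inctvg.exe name from the post with placeholder file contents.

```python
import ntpath
import os
import tempfile

# Extensions treated as directly launchable (an assumption of this example).
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def parse_autorun(text):
    """Return [(key, command)] for launch entries in the [autorun] section.

    Hand-rolled on purpose: such files often carry junk lines that a strict
    INI parser would reject.
    """
    launches, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # open= and shellexecute= run on AutoPlay; shell\<verb>\command
        # entries define Explorer verbs for the drive.
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value.strip()))
    return launches


def command_target(command):
    """First token of a command line, honouring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def exists_on_drive(root, target):
    """Case-insensitive lookup of a Windows-style relative path under root."""
    here = root
    for part in target.replace("/", "\\").split("\\"):
        if not part:
            continue
        try:
            match = {n.lower(): n for n in os.listdir(here)}.get(part.lower())
        except OSError:
            return False
        if match is None:
            return False
        here = os.path.join(here, match)
    return os.path.isfile(here)


def scan_drive(root):
    """Inspect one mounted drive root; an empty list means nothing to report."""
    names = {n.lower(): n for n in os.listdir(root)}
    inf = names.get("autorun.inf")
    if inf is None or not os.path.isfile(os.path.join(root, inf)):
        return []  # absent, or not a regular file: nothing to parse
    with open(os.path.join(root, inf), "rb") as fh:
        text = fh.read().decode("latin-1")  # never fails on stray bytes
    findings = []
    for key, command in parse_autorun(text):
        target = command_target(command)
        if ntpath.splitext(target)[1].lower() not in EXEC_EXTS:
            continue
        findings.append({"key": key, "target": target,
                         "present": exists_on_drive(root, target)})
    return findings


def demo():
    """Constructed sample drive mirroring the symptoms in the post."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen=inctvg.exe\n"
                     "shell\\open\\command=inctvg.exe\nicon=drive.ico\n")
        with open(os.path.join(root, "INCTVG.EXE"), "wb") as fh:
            fh.write(b"placeholder bytes, not a program")
        return scan_drive(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
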

      2722.

      Solve : Email Bug?

      Answer»

      This computer and another one.

      What do you mean change the settings?

      So the problems occur on more than one computer. What are the similarities? Operating systems? Firewalls? Any recent changes that could have caused this?

      Well I thought "changing settings" would be self explanatory. It means changing what and how things happen...

      Have you tried logging into your router yet, by typing those addresses into an address bar.

      What happens if you type http://www.yahoo.com into your address bar & hit enter?

      It will go to that page
      I have fixed the problem I think
      I went to tools internet options and cleared my history, deleted my files and my cookies

      Glad to see your problem has been resolved.

      As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2723.

      Solve : I think some virus is using my internet connection.?

      Answer»

      I ran AVG free edition in safe mode, and there are the results:

      File            Result/infection    Path

      Kernel32.dll    Change              C:\WINDOWS\system32\kernell32.dll
      user32.dll      Change              C:\WINDOWS\system32\user32.dll
      shell32.dll     Change              C:\WINDOWS\system32\shell32.dll
      ntoskrnl.exe    Change              C:\WINDOWS\system32\ntoskrnl.exe

      Can anyone explain to me what ''Change'' means in that case?

      I also ran Adware pro in safe mode, it found 36 tracking cookies, which I deleted.

      Here's a HJT log:

      Logfile of HijackThis v1.99.1
      Scan saved at 22:22:52, on 2007-08-28
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\QuickTime\qttask.exe
      C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
      C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\MediaSource\Detector\CTDetect.exe
      C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\WINDOWS\system32\CTsvcCDA.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\WgaTray.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [ProgramChecker] C:\Program Files\Zenturi\ProgramChecker\pcheckp.exe
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [Creative Detector] C:\MediaSource\Detector\CTDetect.exe /R
      O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
      O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
      O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
      O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1069019580312
      O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
      O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
      O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
      O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin8USA.cab
      O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
      O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
      O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{85466DA8-AF7A-44D4-BF2D-6FA7A55A1D7A}: NameServer = 206.47.244.133 67.69.184.211
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
      O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

      Hope u guys can help me fix my problem. Losing my connection (atm light turns off and dsl one flashes red) isn't pretty funny. I called my internet provider and they told me I had a good signal. Thanks for the help in advance.

      Are there DSL filters on all the phone jacks in the house?

      Changed means they were changed by a program or an update.

      try superantispyware

      if your computer/internet is running slow

      read here and here

      I'm not seeing anything suspicious in your log.

      However, you don't appear to have an active firewall. You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo. They're all good free firewalls. Just be sure you only have one installed at a time! Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

      If something actually is accessing your internet, a firewall should detect it. But part of me thinks this might not be a malware problem.

      Yes there is a filter on all the phones. What I find weird is that when I disconnect from internet, it automatically tries to reconnect...

      I will download Comodo firewall and see if it can block anything..

      Lemme see how the firewall reacts.

      Well I downloaded Comodo Firewall and turned off Windows firewall. Then restarted my comp. When windows opened, tons of alerts about svchost.exe popped up. COMODO saw a suspicious behaviour for svchost.exe.... Some alerts saying svchost.exe is trustable, and others are saying svchost.exe is suspicious

      ''C:\WINDOWS\explorer.exe tried to use C:\WINDOWS\system32\svchost.exe via OLE Automation, which can be used to hijack other programs''

      Tell me what information u guys need to help me further more in my problems...cause I'm pretty sure I'm having a lot.

      Thx in advance for your patience

      svchost.exe is good, allow it

      The changes reported by AVG happen every time it scans...
      Perfectly normal and nothing to worry about.

      hmmm please do a hijack this log and post it here please upload any files please check for Missmurder.exe in your task manager because I've found it uses up most of usage on most things and has been commonly known on some other forums good day.

      Quote from: wefr0 on August 29, 2007, 07:27:19 PM

      hmmm please do a hijack this log and post it here please upload any files please check for Missmurder.exe in your task manager because I've found it uses up most of usage on most things and has been commonly known on some other forums good day.

      Stop it already...

      bennyman,
      You'll run into that a lot when getting situated with a new firewall. Although you don't have to allow the connection, both of those programs are trustworthy, and blocking them might prevent you from accessing FTP's and other similar connections. Just pay attention to the alerts and if there's anything you don't recognize, you can either perform a search on Google or ask for our opinion.

      Are you still having problems?
      2724.

      Solve : WinAntiVirus 2007 Pro wont go away!?

      Answer»

      I have tried everything from Spybot to vondu to hijackthis and nothing seems to help. I can see the files in the system32 folder but somehow my administrative privileges have been taken away. How can that happen? I am the only administrator! Now what? I have no credit card for other "expensive" cures. Please help. Thanks

      http://www.malwarebytes.org/rogueremover.php

      RogueRemover is free.

      If that doesn't help, try posting your HijackThis log here and we'll see what we can do.

      Topic moved to appropriate section.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2725.

      Solve : HiJackThis Saved Log?

      Answer»

      Hello,

      My wife's computer has been running ridiculously slow, especially with Internet Explorer. I have run SpySweeper, and Spybot Search & Destroy. The popups are pretty bad as well.

      Can someone help me diagnose this HiJackThis log that I saved?


      Thanks in advance!

      Logfile of HijackThis v1.99.1
      Scan saved at 3:56:29 PM, on 8/20/2007
      Platform: Windows 2000 SP4 (WinNT 5.00.2195)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINNT\System32\smss.exe
      C:\WINNT\system32\csrss.exe
      C:\WINNT\system32\winlogon.exe
      C:\WINNT\system32\services.exe
      C:\WINNT\system32\lsass.exe
      C:\WINNT\System32\WLTRYSVC.EXE
      C:\WINNT\System32\bcmwltry.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\system32\spoolsv.exe
      C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\system32\hidserv.exe
      c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
      C:\WINNT\system32\regsvc.exe
      C:\WINNT\system32\MSTask.exe
      C:\WINNT\System32\WBEM\WinMgmt.exe
      C:\WINNT\system32\mspmspsv.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\Explorer.EXE
      C:\WINNT\system32\WLTRAY.exe
      C:\Program Files\Common Files\AOL\1152241532\ee\AOLSoftware.exe
      C:\Program Files\America Online 9.0\waol.exe
      C:\WINNT\system32\wuauclt.exe
      C:\program files\common files\aol\1152241532\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
      c:\program files\common files\aol\1152241532\ee\aolsoftware.exe
      C:\Program Files\America Online 9.0\shellmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Documents and Settings\COMPUTER\Local Settings\Temporary Internet Files\Content.IE5\SZA72PYP\HijackThis[1].exe

      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {3f01145d-abe8-45eb-89ec-179a0550fb94} - C:\WINNT\system32\ppcvvku.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: (no name) - {5CF2F817-721F-4057-89C6-7883733BD2A1} - C:\WINNT\system32\xxywu.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
      O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\ebmubjxx.dll
      O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\opnnklj.dll
      O3 - Toolbar: @msdxmLC.dll,[emailprotected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
      O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\WLTRAY.exe
      O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1152241532\ee\AOLSoftware.exe"
      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
      O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
      O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
      O15 - Trusted Zone: *.imageservr.com
      O15 - Trusted Zone: *.imagesrvr.com
      O15 - Trusted Zone: *.amaena.com (HKLM)
      O15 - Trusted Zone: *.drivecleaner.com (HKLM)
      O15 - Trusted Zone: *.errorprotector.com (HKLM)
      O15 - Trusted Zone: *.errorsafe.com (HKLM)
      O15 - Trusted Zone: *.imageservr.com (HKLM)
      O15 - Trusted Zone: *.imagesrvr.com (HKLM)
      O15 - Trusted Zone: *.systemdoctor.com (HKLM)
      O15 - Trusted Zone: *.winantispyware.com (HKLM)
      O15 - Trusted Zone: *.winantivirus.com (HKLM)
      O15 - Trusted Zone: *.winfixer.com (HKLM)
      O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
      O18 - PROTOCOL: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O20 - Winlogon Notify: opnnklj - C:\WINNT\SYSTEM32\opnnklj.dll
      O20 - Winlogon Notify: xxywu - C:\WINNT\system32\xxywu.dll
      O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
      O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
      O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

      If your malware protection is up-to-date...try running full system scans in Safe Mode...

      Let them delete and/or quarantine what they find...boot normally and run the scans again.

      CBMatt, a Moderator here, can help you with your Hijack This log.

      First of all, this is in the wrong section, so I'm going to move your thread.

      Your HijackThis is in a temporary location. If you leave it there, it (along with its important backups) can and will eventually be deleted. Please download it again and save it to a new permanent folder at C:\Program Files\HJT.

      Also...you don't appear to have any sufficient anti-virus protection, which is a big no-no. If you surf the internet without a full arsenal, you will get infected. Until you get some protection, it would be pointless to go any further, as you will simply become infected again. Download AVG Free, install it, update it, and scan in Safe Mode.

      Once you have done that, you should run VundoFix...
      1. Download VundoFix and save it to your desktop.
      2. Run VundoFix and click on Scan For Vundo.
      3. Once it's done scanning, click on Remove Vundo.
      4. When it prompts you to remove the files, click on Yes.
      5. Your desktop will go blank as it's removing files. Don't worry, this is normal.
      6. It will prompt you to restart your computer, so click OK.
      7. When your computer is turned back on, your problem should be gone.
      8. The program normally produces a Vundofix.txt file. Please locate this file and paste the contents in your next post.



      Now, let's address your log... Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

      O2 - BHO: (no name) - {3f01145d-abe8-45eb-89ec-179a0550fb94} - C:\WINNT\system32\ppcvvku.dll
      O2 - BHO: (no name) - {5CF2F817-721F-4057-89C6-7883733BD2A1} - C:\WINNT\system32\xxywu.dll
      O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\ebmubjxx.dll
      O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\opnnklj.dll

      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

      O15 - Trusted Zone: *.imageservr.com
      O15 - Trusted Zone: *.imagesrvr.com
      O15 - Trusted Zone: *.amaena.com (HKLM)
      O15 - Trusted Zone: *.drivecleaner.com (HKLM)
      O15 - Trusted Zone: *.errorprotector.com (HKLM)
      O15 - Trusted Zone: *.errorsafe.com (HKLM)
      O15 - Trusted Zone: *.imageservr.com (HKLM)
      O15 - Trusted Zone: *.imagesrvr.com (HKLM)
      O15 - Trusted Zone: *.systemdoctor.com (HKLM)
      O15 - Trusted Zone: *.winantispyware.com (HKLM)
      O15 - Trusted Zone: *.winantivirus.com (HKLM)
      O15 - Trusted Zone: *.winfixer.com (HKLM)

      O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe

      O20 - Winlogon Notify: opnnklj - C:\WINNT\SYSTEM32\opnnklj.dll
      O20 - Winlogon Notify: xxywu - C:\WINNT\system32\xxywu.dll


      Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

      Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

      Alexa
      WinAntiVirus


      Please note any other programs that you don't recognize in that list in your next response.

      Navigate to and delete the following file(s) if present...

      C:\WINNT\system32\ebmubjxx.dll
      C:\WINNT\system32\opnnklj.dll
      C:\WINNT\system32\ppcvvku.dll
      C:\WINNT\system32\xxywu.dll
      C:\WINNT\web\related.htm


      Once you've done all of this, reboot into Normal Mode and post a new HijackThis log (along with your VundoFix log) so we can see if there's any other junk we need to clean up. Let me know how everything's running now and if you had any problems following my steps.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
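A rough triage pass over the HijackThis log posted in this thread, as an added example that is not part of the original thread and not HijackThis's own logic. The three rules (an unnamed BHO whose DLL sits directly in system32, any Trusted Zone entry, a Winlogon Notify DLL that is also registered as a BHO) and the rule names are assumptions of this example; the sample lines are copied from the log above.

```python
import ntpath
import re

# A subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3f01145d-abe8-45eb-89ec-179a0550fb94} - C:\WINNT\system32\ppcvvku.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CF2F817-721F-4057-89C6-7883733BD2A1} - C:\WINNT\system32\xxywu.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\opnnklj.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: opnnklj - C:\WINNT\SYSTEM32\opnnklj.dll
O20 - Winlogon Notify: xxywu - C:\WINNT\system32\xxywu.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "<section code> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[ORFN]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
ZONE_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)")


def parse_log(text):
    """Return (section_code, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def directly_in_system32(path):
    """True when the file sits directly in a directory named system32."""
    parent = ntpath.basename(ntpath.dirname(path))
    return parent.lower() == "system32"


def triage(text):
    """Return (rule, detail) findings; the rules are this example's heuristics."""
    entries = parse_log(text)

    # First pass: remember every DLL registered as a Browser Helper Object.
    bho_paths = set()
    for code, body in entries:
        m = BHO_RE.match(body) if code == "O2" else None
        if m:
            bho_paths.add(ntpath.normcase(m.group("path")))

    findings = []
    for code, body in entries:
        if code == "O2":
            m = BHO_RE.match(body)
            # Unnamed helper object loaded straight from the system directory.
            if m and m.group("name") == "(no name)" and directly_in_system32(m.group("path")):
                findings.append(("unnamed-bho-in-system32", m.group("path")))
        elif code == "O15":
            m = ZONE_RE.match(body)
            # Every Trusted Zone domain is listed so a person can review it.
            if m:
                findings.append(("trusted-zone-entry", m.group("domain")))
        elif code == "O20":
            m = NOTIFY_RE.match(body)
            # Same DLL hooked into both the browser and the logon process.
            if m and ntpath.normcase(m.group("path")) in bho_paths:
                findings.append(("bho-also-winlogon-notify", m.group("path")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

The output is a review list for a person to judge, not a verdict: on the sample it leaves the named Adobe helper and Spybot's SDHelper.dll (unnamed, but outside system32) unflagged.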

      2726.

      Solve : Trojan/Malware infected- Problem! Heeellllpppp!?

      Answer»

      Hi,

      McAfee has reported that I have a trojan/malware infection that could not be cleaned, so I quarantined it. The message continued to appear so I bought Stopzilla/spybot to remove the infection.

      However, my pc is still running extremely slowly and I am unable to access the control panel or the add/remove programs on XP Windows as a message appears saying - 'This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator'


      I am in the UK so I don't know when someone will come back, but the sooner the better - Please! Help!

      It sounds like you probably accidentally set those restrictions with Spybot. It's fairly common. Post a HijackThis log and I can tell you how to remove the restrictions, as well as anything else on your computer that shouldn't be there.

      It's entirely possible that McAfee is slowing down your computer; it's a bit of a resource hog. What are your RAM and CPU?

      Hi,

      I downloaded coyote Hijackthis and it did a scan of my c drive programs installed ie, the antivirus software I have etc. It then asked which ones I should keep or kill.
      Should I try and delete some?

      As I am unable to access 'my computer' I can't give you the RAM or CPU, the pc is a dell 3100, intel pentium 4 running xp.

      Quote from: Trevy3 on August 16, 2007, 12:19:04 PM

      Should I try and delete some?
      No, don't make any changes without being instructed to do so. Doing the wrong thing could cause some serious problems with your computer. Post the log here and you will be instructed further.

      Logfile of HijackThis v1.99.1
      Scan saved at 10:39:22, on 17/08/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16512)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      c:\program files\mcafee.com\agent\mcdetect.exe
      c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      C:\WINDOWS\Explorer.EXE
      C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      C:\WINDOWS\ehome\ehtray.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
      C:\WINDOWS\system32\DLA\tfswctrl.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
      C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      C:\Program Files\McAfee.com\VSO\oasclnt.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      C:\Program Files\Spyware Doctor\sdhelp.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      C:\Program Files\DellSupport\DSAgnt.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Spyware Doctor\swdoctor.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Program Files\SpywareBot\SpywareBot.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
      C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      C:\WINDOWS\ehome\mcrdsvc.exe
      C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      C:\Program Files\STOPzilla!\STOPzilla.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\eHome\ehmsas.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\Hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/dell
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
      O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
      O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
      O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
      O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
      O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
      O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
      O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
      O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
      O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
      O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
      O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
      O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
      O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
      O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
      O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
      O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe (file missing)
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
      O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
      O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      This is the rest of the Hijack this log.

      O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
      O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
      O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
      O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
      O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
      O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

      Well, your log looks relatively clean and I don't see anything that might be causing these restrictions, but we'll see what we can do here. Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

      O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe (file missing)

      O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt

      O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe

      (SpywareBot looks legit, but it's an insufficient and deceptive program. See here: http://www.fbmsoftware.com/spyware-net/Application/SpywareBot)

      Now, close all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

      Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

      bet365MPP
      SpywareBot


      Please note any other programs that you don't recognize in that list in your next response.

      Navigate to and delete the following folder(s) if present...

      C:\Program Files\bet365MPP
      C:\Program Files\SpywareBot


      Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up. Let me know how everything's running now and if you had any problems following my steps.



      Also...download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

      Hi,

      I checked the entries you mentioned and rebooted into safe mode, then enabled hidden files and folder.

      In safe mode when I went to my computer and there was no control panel so I couldn't do add/remove programs and remove anything.

      I instead deleted them from internet options.

      Anyway, I then rebooted back into normal mode and thankfully I now have access to My computer and Add/Remove programs. I have removed some files I don't need, but when I tried to delete SpywareBot from Add/Remove Program it says, 'Service 'AntiSpy Filter' could not be stopped, verify you have sufficient privileges to stop the system services.'

      Anyway, I will include the HJT log and the Combo log. Also, anytime I start up my pc Stopzilla, my AV pops up, saying I have 145 infections, do I want to remove them or not.



      [Saving disk space - old attachment deleted by admin]

      Combo Log

      [Saving disk space - old attachment deleted by admin]

      Did you remove those entries above with HijackThis? They're still showing up in your log.

      Try uninstalling SpywareBot in Safe Mode. Any difference?

      And if your anti-virus is detecting infections, then yes, you most likely want to remove them.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
      2727.

      Solve : adware/spyware?

      Answer»

      i recently tried to download a music file and immediately got a popup from my security suite that there was a VIRUS detected and asked what to do. I opted to delete and navigated away from the page. since then I have a yellow triangle with an exclamation point in it in my system tray that gives me a balloon when i hover over it that says "YOUR COMPUTER IS INFECTED! windows has detected spyware. windows will now download and install the most up-to-date antispyware for you. click here to protect your computer." If i click on it it takes me to an antispyware program. If I dont click on it i get a popup window about every five mins telling entiteled. Windows Security Alert. Warning! POTENTIAL spyware click here to download spyware remover. I can close the box out easy enough but it keeps coming back. Also when I go to Add/Remove programs it wont let me and says this operation has been cancelled due to restrictions on this computer. please CONTACT your system administrator.

      I have run my antivirus/spyware several times and deleted several spyware but this remains. Does anyone have any suggestions??

      compaq presario, windows xp

      This sort of activity is common with sites like FreeRealityMPEGs. Download SUPERAntiSpyware, update it, and scan with it in Safe Mode. Once that's done, reboot into Normal Mode, then scan with HijackThis and post the log here.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2728.

      Solve : win32/malum.ceqc?

      Answer»

      My EZ Antivirus keeps telling me about this infection but when I try to follow its link to an information page there are no results. Anyone know what this virus is and how to get rid?

      Download SUPERAntiSpyware, update it, and scan with it in Safe Mode. You should then scan with HijackThis and post a log here for us to look at.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2729.

      Solve : hijacker in my computer! help please!?

      Answer»

      i was using aim and i got a message from a friend that said, hey! can i put this picture of us on myspace? i downloaded the file being the complete idiot that i am and the next time i restarted my computer it was extremely slow and windows explorer wouldn't open. i don't have the money to fix this so i really need to know if there is a way i can get rid of the hijacker/virus in my computer! i've tried AVG spybot and all of those. i heard about a program called hijackthis and i'm going to try it. i really need this laptop fixed so please if anyone can help me, it would be appreciated. i use windows xp, amd sempron, ati radeon xpress 200M, in case that is needed..thanks tons!

      If it's a friend then i doubt it's a virus.

      Stop downloading random crap. Doing that will most likely install more malware/viruses.

      Go to www.avast.com and get the free home edition.

      When installing be sure to leave the box labeled "scan on next startup" checked.

      That should fix your problem + it's great software and the only protection I use.

      This sort of thing is fairly common. If you've maintained a copy of HijackThis, you should scan with it and post your log here so we can take a look at it.



      Quote from: lil_falco on August 12, 2007, 08:31:09 PM

      and the only protection I use.
      If that's true, then you're terribly underprotected.

      about a year or so ago, i got a message like that from my friend on AIM saying to "check out my new pics!". it was a virus that was going around, it'll probably be getting more common again since classes are starting for the fall.. even if it's from your friend, you should ask what it is..make sure you warn your friends to not click or download anything in a message that they get from you on AIM, by the way.

      check out these websites and see if you can find anything useful. my friend used them and it fixed her computer. i'm not sure how up to date it would be now, it's been around a year. good luck.

      http://www.jayloden.com/aimfix.htm
      http://www.computing.net/security/wwwboard/forum/17899.html
      http://forum.pcmech.com/showthread.php?t=153774

      i tried all of it, aim fix then reboot, trend micro housecall while in safe mode, spybot while in safe mode and regular, hijackthis.. nothing..

      You need to post the hijackthis log here.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
      2730.

      Solve : w32.spybot.worm?

      Answer»

      hey all,

      I help support a very large group of PC's (on a domain) and other PC's on separate workgroups.

      I have this worm turning up on both domain and workgroups PC's.

      I have located the file at the root of the problem c:\windows\system32\hp-1003.exe

      On the domain PC's, which have norton installed, norton has quarantined this file but keeps popping up messages every 20min or so and i'm unable to clear out the quarantined files.

      On the workgroup PC's, which have symantec installed, i have located and deleted the file in question but a few days later the messages start to pop up again, which by the way are from other pc's workgroup and domain in completely different parts of the country.

      All the network admin's have been scratching their heads over this for the last week or so.

      any ideas? (sorry about the spelling, been a long day and i've had a few!! )

      NOTE: all PC's run windows 2000 with latest updates.

      Disinfecting a network is always more difficult. Are you disconnecting the computers from the network and working on them separately? If not, they may continue to keep infecting each other, depending on how they're set up.

      Also, have you tried scanning with Norton in Safe Mode? When in Normal Mode, infections may still be active, making it harder to remove them. But in Safe Mode, they remain inactive and are much easier to remove. Give that a try and let us know how it goes.

      Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

      If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

      2731.

      Solve : can you tell me what this is?

      Answer»

      I don't believe it... i just download hotfix kB updates,
      they installed ok,tested keyboard and it was fine,
      started scan with AVG anti virus and these 2 items
      appeared, shell32.dll change c:\windows\system32\shell32 dll
      and ntoskml.exe change c:windows\system32\ntoskml.exe
      could someone please tell me what they mean please...
      thankyou for your time.........

      It's only a notice to tell you the updates have made a couple of changes, nothing to worry about.
      There is a way to get rid of the notices but I can't remember it at the moment.
      If I think of it I will post it for you or perhaps someone else can chime in.

      Thankyou so much Fed for quick reply
      i thought is vista going to have problems
      everytime KB hot fixes are released...like last time.
      wish i stayed with XP pro longer this
      vista does my head in(premium)
      cheers.p.....

      2732.

      Solve : Desktop Icons that will not delete????

      Answer»

      ...There are two of them on my Desktop one says "Windows Update" and the other "Help and Support Center" both link to a site called storageprotector.com
      Here are the links:
      http://storageprotector.com/clean/?p=61&gai=s3rk_8_p61&gli=desktop_shortcut_hscenter&gff=68089_6087541e+2C9F659070F740B3A9FE8DFF018427B8
      http://storageprotector.com/clean/?p=60&gai=s3rk_8_p60&gli=desktop_shortcut_wupdate&gff=68089_6087541e+2C9F659070F740B3A9FE8DFF018427B8

      OKay...So how do I delete them?

      Download and run HijackThis.
      HijackThis should be run in normal mode and from a folder such as C:\HJT, not the Temporary Folder.

      Post the HJT log here.
      Someone other than me will read your HJT log.

      Read post 1 and 2 and follow the directions in this thread

      Here is the log file.(I also did all this like a month ago...)
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 8:15:42 PM, on 12/19/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\WINDOWS\System32\atievxx.exe
      C:\Program Files\Comodo\Firewall\cmdagent.exe
      C:\WINDOWS\system32\dslsmynr.exe
      C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
      R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ibwhuxr.exe
      O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
      O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
      O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [608754b1] rundll32.exe "C:\WINDOWS\system32\eqnvwatc.dll",b
      O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
      O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
      O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{77765848-D713-4D0B-BFF8-9CF403173596}: NameServer = 208.180.42.68,208.180.42.100
      O18 - Filter hijack: text/html - (no CLSID) - (no file)
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
      O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
      O23 - Service: DomainService - - C:\WINDOWS\system32\dslsmynr.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
      O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

      --
      End of file - 5836 bytes
      Open HijackThis and select Do a system scan only then place a check mark next to:


      R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ibwhuxr.exe
      O18 - Filter hijack: text/html - (no CLSID) - (no file)


      Close all windows except for HijackThis and click Fix checked

      ---------

      Download SDFix.exe and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Please then reboot your computer in Safe Mode by doing the following:
      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, the Advanced Options Menu should appear;
      * Select the first option, to run Windows in Safe Mode, then press Enter.
      * Choose your usual account.
      * Open the extracted SDFix folder and double click RunThis.bat to start the script.
      * Type Y to begin the cleanup process.
      * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      * Press any Key and it will restart the PC.
      * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
      * Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

      i am having this same problem. any help would be great. here's my log:

      Logfile of Trend Micro HijackThis v2.0.0 (BETA)
      Scan saved at 2:03:11 PM, on 12/22/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\WINDOWS\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\DNA\btdna.exe
      C:\Program Files\Viewpoint\Common\ViewpointService.exe
      C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
      c:\program files\internet explorer\iexplore.exe
      C:\Documents and Settings\CK 1\My Documents\My Files\HiJackThis_v2.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
      O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
      O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ewpcezfm.dll
      O2 - BHO: {a5f8f860-47ab-9399-f0e4-33d1d0eb95ca} - {ac59be0d-1d33-4e0f-9939-ba74068f8f5a} - C:\WINDOWS\system32\eicqcefa.dll
      O2 - BHO: (no name) - {CCB0234B-B1C2-4808-B02D-AB34D06BC551} - C:\WINDOWS\system32\geede.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
      O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
      O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
      O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
      O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
      O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [686ff4bf] rundll32.exe "C:\WINDOWS\system32\qvyscayw.dll",b
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
      O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
      O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O20 - Winlogon Notify: ewpcezfm - C:\WINDOWS\SYSTEM32\ewpcezfm.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
      O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
      O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
      O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
      O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: SupportSoft SPROCKET Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

      --
      End of file - 8522 bytes
      shmoeco
      You need to start your own topic.
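
The three entries the first helper in this thread asks to have fixed (the R3 hook and the O18 filter marked "(no file)", and the F2 UserInit line with a second program after userinit.exe) can be picked out of a HijackThis log mechanically. The sketch below is an added example, not part of the original posts and not HijackThis's own logic; the function names are hypothetical and it assumes Windows is installed in C:\WINDOWS, as in the posted log.

```python
import re

# Lines copied from the first HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ibwhuxr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")

# Assumption: Windows lives in C:\WINDOWS, so this is the only program the
# UserInit value should name (the stock value ends with a trailing comma).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_entries(log_text):
    """Return (section_code, body) for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def userinit_extras(body):
    """List programs in a UserInit= value other than the expected userinit.exe."""
    match = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not match:
        return []
    parts = [p.strip().strip('"') for p in match.group(1).split(",")]
    return [p for p in parts if p and p.lower() != EXPECTED_USERINIT]


def triage(log_text):
    """Flag the same kinds of entries the helper selected; nothing more."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "F2":
            extras = userinit_extras(body)
            if extras:
                reason = "UserInit starts extra program(s): " + ", ".join(extras)
                findings.append((code, reason, body))
        elif code in ("R3", "O18") and body.endswith("(no file)"):
            findings.append((code, "registered handler has no file on disk", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {body}")
```

A match only marks an entry for a human to review; it says nothing about entries the rules do not cover.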

      2733.

      Solve : Laptop Audio quite choppy, itunes, winamp, youtube, streaming etc.?

      Answer»

      All sorts of audio on my laptop plays really choppily, at first it was mainly happening only when I had Internet Explorer windows open, so I switched to opera to try it out which helped a bit but I'm still having problems. I think I should be fine in the RAM department, and my CPU is performing fine, not overworked or anything. This will happen even if I only have a program or 2 open. Could this be a virus?


      Also, every once in a while, a blank window will pop up on my computer saying downloading updates, regardless of what programs I'm running, but it doesn't say what it is for or anything, I've attached a picture of what it looks like. Any help is greatly appreciated, I want to get back into producing music on my computer but I sure can't with this situation!

      - Matt

      [saving space - attachment deleted by admin]

      Let's check it out...

      1. Run FREE online scan at: http://housecall.trendmicro.com/
      The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\
      Post HouseCall log.

      2. Download and scan with SUPERAntiSpyware Free for Home Users:
      http://www.superantispyware.com/

      Print these instructions out.

      SUPERAntiSpyware should be run in Safe Mode.
      To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

      * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
      * An icon will be created on your desktop. Double-click that icon to launch the program.
      * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
      * Under "Configuration and Preferences", click the Preferences button.
      * Click the Scanning Control tab.
      * Under Scanner Options make sure the following are checked (leave all others unchecked):
      o Close browsers before scanning.
      o Scan for tracking cookies.
      o Terminate memory threats before quarantining.
      * Click the "Close" button to leave the control center screen.
      * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
      * On the left, make sure you check C:\Fixed Drive.
      * On the right, under "Complete Scan", choose Perform Complete Scan.
      * Click "Next" to start the scan. Please be patient while it scans your computer.
      * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
      * Make sure everything has a checkmark next to it and click "Next".
      * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
      * If asked if you want to reboot, click "Yes".
      * To retrieve the removal information after reboot, launch SUPERAntispyware again.
      o Click Preferences, then click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
      * Click Close to exit the program.
      Post SUPERAntiSpyware log.

      3. Download HijackThis:
      http://www.snapfiles.com/get/hijackthis.html
      Post HijackThis log.

      2734.

      Solve : Computer Virus Help?

      Answer»

      Hi,
      My computer once again is acting like it has a big problem. I have noticed when I start windows, and run just about any program anytime, the system is slower. Online browsing is delayed, and often has crashes.


      I.
      I have tried to resolve this problem by

      1) Running evilfantasy's guide of
      -CCleaner
      -SAS
      -ESET Online
      -Java
      -HiJack this

      2) I tried to as well run
      -Symantec Anti-Virus
      -Ad-Aware
      -Spybot Search and Destroy
      -eWido


      II.
      However, there are some problems.
      1) Symantec shows the same viruses nightly.
      2) Ad aware no longer works, it keeps freezing.
      3) Spybot search and destroy shows no problems in contrast to AVG spyware.
      4) eWido says errors.
      5) All of these were run BEFORE evilfantasy's guide


      III.
      I wanted to know why these problems are occurring.
      1) What is wrong with my computer.
      2) Why symantec shows the same viruses, why Ad-Aware is not working, why eWido is not working, and Spybot not detecting.
      3) If I should drop, remove, or redo some programs and simply keep ONLY what evilfantasyguide says to use.
      4) I have posted all logs, they would not attach.
      5) I did delete windows defender, which was on my add/remove programs (is that a bad program?)
      -I also notice PURE NETWORKS PORT MAGIC.
      -Should I delete this?
      6) I also have combo fix and fsbl if anything needs help in those areas.



      Thanks!

      SAS Log
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 12/21/2007 at 04:29 PM

      Application Version : 3.9.1008

      Core Rules Database Version : 3365
      Trace Rules Database Version: 1364

      Scan type : Complete Scan
      Total Scan Time : 01:12:04

      Memory items scanned : 395
      Memory threats detected : 0
      Registry items scanned : 5326
      Registry threats detected : 1
      File items scanned : 38722
      File threats detected : 28

      Adware.Tracking Cookie
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][2].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][1].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][2].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][1].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][1].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][2].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][1].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][2].txt
      C:\Documents and Settings\All Family\Cookies\all [emailprotected][2].txt
      C:\Documents and Settings\All Family\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\All Family\Cookies\[emailprotected][1].txt
      C:\Documents and Settings\Trent Berger\Cookies\[emailprotected][1].txt

      Adware.MyWay
      C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
      C:\Program Files\MyWay\SrchAstt\1.bin
      C:\Program Files\MyWay\SrchAstt\Cache\00048C7D
      C:\Program Files\MyWay\SrchAstt\Cache\0006A441
      C:\Program Files\MyWay\SrchAstt\Cache\0074A62E
      C:\Program Files\MyWay\SrchAstt\Cache\files.ini
      C:\Program Files\MyWay\SrchAstt\Cache
      C:\Program Files\MyWay\SrchAstt
      C:\Program Files\MyWay

      Trojan.WinAntiSpyware 2007
      HKU\S-1-5-21-484763869-630328440-725345543-1003\Software\WinAntiSpyware 2007



      ESET Log
      # version=4
      # OnlineScanner.ocx=1.0.0.56
      # OnlineScannerDLLA.dll=1, 0, 0, 51
      # OnlineScannerDLLW.dll=1, 0, 0, 51
      # OnlineScannerUninstaller.exe=1, 0, 0, 49
      # vers_standard_module=2741 (20071221)
      # vers_arch_module=1.059 (20071108)
      # vers_adv_heur_module=1.064 (20070717)
      # EOSSerial=6df5535ff4342e45bc0ad7ecdcc9370f
      # end=finished
      # remove_checked=true
      # unwanted_checked=true
      # utc_time=2007-12-21 10:51:40
      # local_time=2007-12-21 05:51:40 (-0500, Eastern Standard Time)
      # country="United States"
      # osver=5.1.2600 NT Service Pack 2
      # scanned=147690
      # found=3
      # scan_time=2449
      C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
      C:\AOL Instant Messenger\AIM.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
      C:\AOL Instant Messenger\AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

      HijackThis Log
      Logfile of HijackThis v1.99.1
      Scan saved at 5:58:59 PM, on 12/21/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16574)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\System32\wltrysvc.exe
      C:\WINDOWS\System32\bcmwltry.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Common Files\AOL\1154149194\ee\AOLSoftware.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\Program Files\Symantec AntiVirus\DefWatch.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      C:\Documents and Settings\Trent Berger\Desktop\HijackThis.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dell.com/
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154149194\ee\AOLSoftware.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
      O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
      O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      O23 - Service: Dell Wireless WLAN TRAY Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

      Your HJT log is fairly clean...

      1. Print this post out, since you won't have access to it at some point.

      2. Close all windows, except for HijackThis.

      3. Put a checkmark next to the following HijackThis entries:

      - O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

      - O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

      - O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

      4. Click on "Fix checked" button.

      ------------------------------------------------------------------------------------

      Quote

      Symantec shows the same viruses nightly.
      Can you write the names down, and post them back here?

      We also need your computer specs...
      - processor speed
      - hard drive size/how much free space
      - how much RAM?

      1) I ran a scan of Symantec.
      It came up with TWO different viruses this time.

      They are:


      Jvmusafe.jar-6ba32b3f-74e517da.zip
      Status: Still contains one infected item
      Action taken: Quarantined



      Scan type: Manual Scan
      Event: Threat Found!
      Threat: Downloader
      File: C:\Documents and Settings\Trent Berger\.jpi_cache\jar\1.0\jvmusafe.jar-6ba32b3f-74e517da.zip>>vmain.class
      Location: Quarantine
      Computer: TRENT-31A63E0D1
      User: Trent Berger
      Action taken: Quarantine succeeded
      Date found: Friday, December 21, 2007 10:37:42 PM


      -Are these now taken care of or is there more I have to do?


      2) How do I find out the computer specs?
      -Processor Speed
      -Hard drive/Free Space
      -RAM

      3) What should I do about
      -Ad Aware
      -Spybot
      -eWido
      -AVG

      -Should I delete and just use SAS, ESET?

      Thanks!
      1. Two messages from Symantec are about ONE file: Jvmusafe.jar-6ba32b3f-74e517da.zip
      It was taken care of (Quarantined), so you're done.

      2. Get BgInfo: http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx

      3. You may have only ONE firewall, and ONE antivirus, and this is exactly what you have: Norton, in both cases.
      As for other antimalware programs (Spybot, Ad-aware, etc.), and on-line antivirus scanners, you may have as many as you want.

      I downloaded it.
      Am I fine then?
      Your computer is clean. How is it now? Faster? Crashes?
      2735.

      Solve : Here's my plan?

      Answer»

      I have an assortment of viruses on my laptop, here's a few of them.

      Trojan Horse Downloader.Generic6.ZUK
      Trojan Horse Backdoor.Agent.PTA
      Obfusat.AAVD
      pmkji.dll
      CA7LPNME

      Plus SUPERAntiSpyware picked up 9 Trojan Horse viruses of unknown sources.

      I don't have a lot of stuff on here I need to save other than some pictures I'm going to burn on a CD so I'm planning on using the recovery disc set and start over. My question is after running them, will that get rid of these viruses or will I have a restored system "with" viruses?

      Thanks, Steve

      The recovery disk will take you back to Day One status for that machine and will eliminate any baddies...
      However I suggest scanning anything on the CD before opening it afterwards with a reputable AV program...

      Thanks Patio, that's kind of what I thought. And scanning the CD sounds like a good idea.

      Thanks again and Merry Christmas!!!

      Same to you and all your friends and family...and stop by anytime!!

      If you don't install some protection you will soon be back to square one.

      2736.

      Solve : cetihpz://errors/blank.htm?

      Answer»

      Please, anyone help me remove this blank window on my desktop, as it keeps on appearing every time my Windows starts: "cetihpz://errors/blank.htm". My OS is Windows XP Service Pack 2.

      If you have an HP printer, uninstall it, reboot, and reinstall the printer's software.

      Again, thank you very much for your help. Now my computer is working fine.

      Good job

      2737.

      Solve : hjt log files?

      Answer»

      Would it be possible for someone to take a look at my hijackthis log? I have no idea how to read these. My client was complaining of pop-ups and threat alerts from AVG stating that her personal information was being compromised. I rushed to her house this evening and immediately installed HijackThis and ran a scan, then saved the log. Next, I updated her AVG, and now I am running a scan. So far the scan has found 22 trojan/viruses.

      After the scan is complete, my plan of attack is to follow evilfantasy's step by step Guide to removing malware etc. so I can get rid of all that nasty stuff.

      Hopefully I am taking the correct steps.
      Attached is a copy of the hjt log.

      Thanks,
      Solotekk


      [saving space - attachment deleted by admin]

      You'll do better if you start with those steps from evilfantasy's guide.

      BTW...HJT log looks strange. Only O23 (services) entries listed.

      Quote from: Broni on December 18, 2007, 08:45:12 PM

      BTW...HJT log looks strange. Only O23 (services) entries listed.

      Ditto.

      There are some strange entries even though there are only a few.

      This may be a case for renaming HijackThis before running any more scans with it.


      Delete the HijackThis shortcut you have on the desktop.

      Enable Viewing Of Hidden System Files & Folders

      1. Click Start.
      2. Select Control Panel.
      3. Select the Tools menu and click Folder Options.
      4. Select the View Tab.
      5. Under the Hidden files and folders heading select Show hidden files and folders.
      6. Uncheck the Hide extensions for known file types option.
      7. Uncheck the Hide protected operating system files (recommended) option.
      8. Click Apply.
      9. Click OK.

      Now go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      Right click on the HijackThis.exe and select Rename.
      Rename it to chscan.exe and press enter.
      Now right click the chscan.exe and send it to the desktop as a shortcut.

      As Broni stated, you should run the other scans and post the logs. Run a new HijackThis scan last and post that also.

      Thanks. I will get started on that, and then post the logs.

      ttys
      here are the scan log files.

      let me know what you suggest.

      thanks,
      solotekk



      [saving space - attachment deleted by admin]

      Open HijackThis and select Do a system scan only, then place a check mark next to:


      O2 - BHO: (no name) - {5136B3A0-0856-4D2E-9BA8-C657448668D1} - (no file)
      O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
      O2 - BHO: (no name) - {973FBB2F-AB8C-4637-92A8-E55F83D64E45} - (no file)
      O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)
      O20 - Winlogon Notify: fccaxwu - fccaxwu.dll (file missing)
      O20 - Winlogon Notify: vtuurss - vtuurss.dll (file missing)


      Close all windows except for HijackThis and click Fix checked

      ----------

      Please download Combofix by sUBs from either here or here

      Save Combofix.exe to your Desktop.

      • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
      • When finished, it will produce a log for you.
      • Attach that log in your next reply.
      Do not mouseclick combofix's window while it's running. That may cause your computer to stall.


      Also add a new HijackThis log.

      Here are the logs.


      Oh yeah, there is a program that seems fishy to me. It's in the add/remove programs list and it says that in order for me to uninstall completely, I should go to the website.
      the website name is www.outerinfo.com
      my client has never heard of the program or the website.

      can you investigate this and let me know if it's legit?
      and is it in the logs?
      thx.


      [saving space - attachment deleted by admin]

      Open HijackThis and select Do a system scan only, then place a check mark next to:


      O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"


      Close all windows except for HijackThis and click Fix checked


      Then locate and delete this file/folder: QdrPack10.exe, found at C:\Program Files\QdrPack\QdrPack10.exe

      ----------

      Delete these files/folders, as follows:

      * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

      Quote
      File::
      C:\WINDOWS\QTFont.qfn
      C:\WINDOWS\QTFont.for
      C:\WINDOWS\system32\rstwa.ini2
      C:\WINDOWS\system32\rstwa.ini
      C:\WINDOWS\system32\kpdsrngl.exe
      C:\WINDOWS\io43mvuiw4kj.exe
      C:\windows\system32\kpdsrngl.exe

      Folder::
      C:\WINDOWS\system32\ineWc01
      C:\temp\tpBe12
      C:\WINDOWS\system32\mm6
      C:\WINDOWS\system32\hv2
      C:\WINDOWS\system32\dr1

      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{51-1E-ED-D1-ZN}]

      * Save this as CFScript on the desktop.
      * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

      ----------

      Repost a new HijackThis log and let me know how things are now.
      ok, so i had to leave my clients house...they were going christmas shopping...... which means i won't be able to make it back there untill sometime tomorrow. When I return, I will follow your instructions from your last post. Then I will send you the hjt scan log.

      Thank you for your help once again. I appreciate it.
      Have a good evening.

      No problem.

      Don't forget the Combofix.txt also.

      here are the log files from hjt and combofix.
      thx.


      [saving space - attachment deleted by admin]

      Please download, update and run a-squared free

      At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

      * If malware is found, click the button Remove Selected Malware
      * If malware is found, select all found and click Quarantine selected objects
      * Click Save Report. Save the report to somewhere convenient, such as your desktop
      * Add the report as an attachment in your next post.
      2738.

      Solve : PC Clogged...keeps re-starting. Need Help!?

      Answer»

      System keeps re-starting and re-starting ....
      It won't even start in Safe Mode.
      I only get to the Windows XP Logo screen, then PC keeps rebooting.
      Please see attached HJT Log prior to PC acting up and advise what to do to at least get to my desktop.

      Thanks





      [saving space - attachment deleted by admin]

      Please start by providing us with more information about the computer and the problem. It may not be a virus/malware related issue at all.
      Give us the specifications on the hardware in the computer or a computer brand name and model number.
      Tell us what version of Windows you are using.
      Tell us when the problem started and whether you noticed or did anything around that time. Like installing or removing software for example.

      This is a build-up computer running Windows XP Home.
      I cannot get to the specs as the PC keeps re-starting right up to the Windows XP logo.
      I can't even run in Safe Mode...
      However, I can get to the AMIBIOS.

      Please help getting into PC desktop, then I can get more info...than what's showing in HJT log

      Thanks so much.

      You still haven't answered this question.
      Quote from: Deerpark on December 27, 2007, 07:21:12 AM

      Tell us when the problem started and whether you noticed or did anything around that time. Like installing or removing software for example.

      You can disable the automatic reboot. This will allow you to see what error is causing the reboots. This error message is crucial.
      Start the computer in normal mode and let it crash and reboot.
      Tap F8 repeatedly during the bootup. This should bring you to the "Windows Advanced Options Menu".
      From this menu select "Disable automatic restart on system failure" and press enter.
      Select XP as the operating system to start and hit enter.
      Now Windows will try to load again.
      This time instead of restarting you should get a blue screen similar to this one.

      The red boxes on the picture show you what information from the blue screen you need to write down.
      Post the info here.
      Thanks for the reply help...
      *
      I got the blue screen with all the info you stated, except the cause of the problem, which is the first thing you circled in red.
      *
      As far as technical information, I got the following:
      ****STOP: 0x0000007F (0x00000008, 0x80042000, 0x00000000, 0x00000000)

      Appreciate all the help you can give me in getting my PC back to normal, fast-speed performance.

      Ouch... this stop code may indicate a hardware problem.
      I really hate repeating myself here... but it would help if you could tell me anything about when this problem started. Have you added or removed any software or hardware or noticed any strange noises or anything else out of the ordinary?
      Also, do you by chance have Symantec AntiVirus installed?

      I have SuperAntispyware installed as well as CA Internet Security Suite.

      I ran the Superantispyware and quarantined/deleted the checked boxes.
      I believe this problem started thereafter...

      If I could access past the Windows Logo screen to actually log into my system, that'll be fantastic.
      Again, your help is greatly appreciated and looking forward to your reply.

      I'll do it for you DeerPark...


      Quote from: Deerpark on December 27, 2007, 08:34:41 AM
      Ouch... this stop code may indicate a hardware problem.
      I really hate repeating myself here... but it would help if you could tell me anything about when this problem started. Have you added or removed any software or hardware or noticed any strange noises or anything else out of the ordinary?
      Also, do you by chance have Symantec AntiVirus installed?

      I was able to do a clean install of XP Home...which resolved lots of issues.
      *
      However, when I select to restart PC, it does not read my DVD Burner drive...Only reads floppy and cd rom drive.
      Occasional freezes occur as well.
      *
      Below is latest HJT Log to guide as to what need not be there to get optimum performance with PC:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 1:22:35 PM, on 12/28/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16574)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
      c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
      C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.28\QOELoader.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\DNA\btdna.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      O1 - Hosts: 75.67.92.226 paypal.com
      O1 - Hosts: 75.67.92.226 www.paypal.com
      O1 - Hosts: 75.67.92.226 http://paypal.com
      O1 - Hosts: 75.67.92.226 http://www.paypal.com
      O1 - Hosts: 75.67.92.226 paypal.co.uk
      O1 - Hosts: 75.67.92.226 www.paypal.co.uk
      O1 - Hosts: 75.67.92.226 http://paypal.co.uk
      O1 - Hosts: 75.67.92.226 http://www.paypal.co.uk
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
      O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
      O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.28\QOELoader.exe"
      O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
      O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
      O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
      O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

      --
      End of file - 5002 bytes
      _______________________________________ _______________________________________ ___________________________

      Thanks and looking forward to any additional guidance.
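
The HijackThis logs posted in the threads above can be triaged mechanically before a reviewer decides what to check. The following is an added example, not code from any poster or from the HijackThis project: it lists entries whose target is "(no file)" or "(file missing)", grouped by CLSID, and lists O1 hosts overrides that point a name at a non-loopback address. The sample lines are copied from the logs on this page; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the HijackThis logs posted on this page.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O1 - Hosts: 75.67.92.226 paypal.com
O1 - Hosts: 75.67.92.226 www.paypal.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "<section code> - <rest of line>", e.g. "O23 - Service: ..."
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")


def parse_entries(text):
    """Return (section_code, body) for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def orphaned_by_clsid(entries):
    """Group entries whose target file is gone, keyed by CLSID when present.

    Entries sharing a CLSID belong to the same leftover component, which is
    why they are usually reviewed and fixed together.
    """
    groups = defaultdict(list)
    for code, body in entries:
        if not ORPHAN_RE.search(body):
            continue
        clsid = CLSID_RE.search(body)
        key = clsid.group(0).upper() if clsid else "(no CLSID)"
        groups[key].append(f"{code} - {body}")
    return dict(groups)


def hosts_overrides(entries):
    """Return (ip, name) for O1 entries that map a name to a routable address.

    Loopback and 0.0.0.0 mappings are the usual block-list form and are
    skipped; anything else sends the named site to another machine and
    needs a human decision.
    """
    found = []
    for code, body in entries:
        if code != "O1":
            continue
        match = HOSTS_RE.match(body)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not an IP literal; leave for manual reading
        if addr.is_loopback or addr.is_unspecified:
            continue
        found.append((str(addr), match.group(2)))
    return found


def report(text):
    """Build a short review list; nothing is changed on the system."""
    entries = parse_entries(text)
    lines = []
    for key, items in orphaned_by_clsid(entries).items():
        lines.append(f"missing target, {key}: {len(items)} entr{'y' if len(items) == 1 else 'ies'}")
        lines.extend(f"    {item}" for item in items)
    for ip, name in hosts_overrides(entries):
        lines.append(f"hosts override: {name} -> {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The output is a review list only; which entries to tick before "Fix checked" remains a decision for whoever is reading the log.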
      2739.

      Solve : Free AVG Pro ???

      Answer»

      Came across a site that is offering AVG Pro for free.

      http://www.computeractive.co.uk/avg/index

      Was just wondering if anyone else has tried it and if it's legit. They also suggest doing a backup before installing...which is why I'm a bit unsure if it's OK.

      Any advice would be appreciated. Thanks.

      If you download it be sure to read all of the information closely. There is nothing free.

      AVG is indeed free but here is the official link....

      Other sites may try to sell you something in the process.

      Make sure to disconnect from the web after DLoading and un-install your current Anti-Virus program...

      P.S. That DLoad site will not connect and I could find no info on this offer at the Grisoft Forums...
      So it's up to you if you want to dive in.

      OK, after some digging.

      vnudownloads.org is similar to the give away a day site. They "give away" a wide variety of software.

      Free full versions of popular software, yes.
      Limited time REGISTRATION keys, yes.

      Like I said, nothing is truly free. Your email address will be sold and resold countless times. Spam is in the future.........Thanks for the advice...always have had the free version...KIND of figured there would be a catch to a free registered Pro version...I do like some of the custom features Pro offers...guess it'll be one of the things that's better paying for.

      Happy New Year!

      2740.

      Solve : task manager repeatedly locked out ???

      Answer»

      We still were not able to remove:
      - O2 - BHO: (no name) - {FDEA2C12-A476-A13C-2B4C-A3BD546315C2} - (no file)
      That's most likely, because your Spybot TeaTimer is running.
      To temporarily disable it:
      Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
      o TeaTimer closes.

      Open HJT, and put checkmark next to:
      - O2 - BHO: (no name) - {FDEA2C12-A476-A13C-2B4C-A3BD546315C2} - (no file)
      Click on "Fix checked" button.
      Close HJT.

      Re-enable TeaTimer:
      Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
      Double click TeaTimer.exe to start it.

      Restart computer.
      Open HJT. You don't have to post any new log. Just let me know, if:
      O2 - BHO: (no name) - {FDEA2C12-A476-A13C-2B4C-A3BD546315C2} - (no file)
      entry is gone.

      As for Windows firewall....does it say, it's ON, or OFF?

      it is gone now.

      and the fire wall is off and it appears i can not turn it back on
      Quote

      it is gone now.
      Cool...

      How is your Task Manager doing now?

      Download, and install free Comodo firewall: http://www.personalfirewall.comodo.com/

      I'll investigate your Windows firewall further, but I want you to be safe, and Comodo firewall is much better, anyway.

      As for your Windows firewall...
      Go Start>Run, type in:
      services.msc
      Hit Enter.
      Find Windows Firewall entry, and tell me what does it say under Status, and Startup type column.
      Don't change anything

      under status it says started

      under start up says automatic

      and didn't change anything

      Go Start>Run, type in:
      regedit
      Hit Enter.
      Navigate to:
      HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \
      If you have a folder:
      WindowsFirewall
      right click on it, and click Export. Save it to known location.
      Right click again, click Delete.
      Close regedit.
      Restart Windows. Check if firewall options are still greyed out.

      How about your Task Manager?

      after deleting that register key the windows firewall is no longer greyed out. and it was on when i pulled it up as well. thanks for all of your help with this problem i had. is there anything else i need to do at this point ?

      Good going

      Quote
      it was on when i pulled it up as well
      You turned it off? Did you install Comodo?

      Is your Task Manager working OK?

      Task manager is no longer a problem

      and thanks again for all of your help. not sure how much it would have cost me and to be with out my computer for a week or so if i would have taken it to a shop to fix.

      And thanks for helping me straighten out the fire wall as well

      if i could buy ya a six pack i would

      You're very welcome, but I'm still not clear about your firewall situation.
      Do you have Windows firewall turned off, and Comodo running?

      sorry if i was not clear before but i have them both on now. windows and Comodo

      Not good. It calls for some conflict.
      Turn Windows firewall off.

      OK will do that . is there anything else i should do ?

      That should do it.
      2741.

      Solve : how do I back up my computer without my desktop icons??

      Answer»

      O.k. I have been trying all day to get my icons back on my desktop and I was told that I could maybe back my computer up a few days. I just need to know how I can get there without my icons. Which program do I go into?

      What OS are you using?
      What protection do you have?
      How long have you been having this problem?
      Have you tried opening Task Manager (Ctrl + Alt + Del) and going to File > New Task and running explorer.exe?

      You're trying to use System Restore, correct? It's not guaranteed to work, but open Task Manager and go to File > New Task. When prompted, type in C:\WINDOWS\system32\restore\rstrui.exe and click OK.

      2742.

      Solve : i need help with viruses?

      Answer»

      My Avg has detected a couple viruses can some one help me?
      I loaded SUPERAntiSpyware and CCleaner i ran both but don't know what to do now
      Please Help

      Please read post 1 and 2 in this thread then supply the logs.

      I have done all the steps
      I run my AVG and keep getting C:\Documents and Settings\roger\Application Data\Yahoo!\Companion\Buttons\www.faceplace2002.com.ico & C:\Documents and Settings\roger\Application Data\Yahoo!\Companion\Buttons\www.whtmtnliving.net.ico
      i have done everything i could think of to get rid of them , but nothing has worked, please help

      [saving space - attachment deleted by admin]

      That is only one log when 3 were requested.

      There are at least two antivirus running on the computer. This is unnecessary and can cause problems. Uninstall one and keep the other.

      ----------

      Open HijackThis and select Do a system scan only then place a check mark next to:


      O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
      O2 - BHO: (no name) - {21B3F87D-304B-4B88-B58D-B3F493C9EFD7} - (no file)
      O2 - BHO: (no name) - {51F51E05-1BB6-41B5-9D5C-51892CB9510e} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: (no name) - {8070445D-CFE0-4FB1-BE1D-525ED851D607} - (no file)
      O2 - BHO: (no name) - {9ED6111B-2FB3-4CB9-BA2E-0C7EC3BEB43d} - (no file)
      O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
      O20 - Winlogon Notify: oppom - C:\WINDOWS\


      Close all windows except for HijackThis and click Fix checked

      ----------

      Please download DrWeb CureIt & save it to your desktop.

      Scan with DrWeb-CureIt as follows:

      • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
      • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
      • Once the short scan has finished, Click Options > Change settings
      • Choose the "Scan tab" and UNcheck "Heuristic analysis"
      • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
      • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
      • When done, a message will be displayed at the bottom advising if any viruses were found.
      • Click "Yes to all" if it asks if you want to cure/move the file.
      • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
        (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
      • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
      • Save the DrWeb.csv report to your desktop.
      • Exit Dr.Web Cureit when done.
        • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
      • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
      ----------

      Next post please attach
      DrWeb log
      New HijackThis log

      it seems that in my last post i attached 3 logs but you said you only got 1 so i'm doing this in 2 post this time to make sure you get each attachment.
      first one is drweb.csv log

      [saving space - attachment deleted by admin]

      here is my log for hijackthis after my drweb scan log

      [saving space - attachment deleted by admin]

      Open HijackThis and select Do a system scan only then place a check mark next to:

      O16 - DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} (SonySncMView Control) - http://65.196.226.166/SonySncMView.cab
      O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSaf eNewReleaseInstall.cab


      Close all windows except for HijackThis and click Fix checked


      How is the computer running now?

      it seems to be doing good now... thank you!
      after i'm done with everything what should I do with the stuff i loaded such as Drweb, hijackthis, CCleaner and superanti ?
      is superanti better than AVG?

      You can keep them as they are free to use whenever you may need them.


      To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


      Let us know if anything else comes up.
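
The fix lists in this thread come from reading HijackThis output entry by entry. The following Python sketch is an added example, not part of the original posts and not HijackThis's own code: it parses the `O<n> - <type>: <detail>` entry format and flags the kinds of entries the helper asked to have fixed (a BHO whose file is missing, a DPF entry with no source or a raw-IP source, a Winlogon Notify target that is not a DLL). The function names and the three heuristics are assumptions chosen for illustration; the sample lines are copied from the logs quoted on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Entries copied from the HijackThis excerpts quoted on this page.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O16 - DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} (SonySncMView Control) - http://65.196.226.166/SonySncMView.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: oppom - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O<n> - <type>: <detail>"; the type never contains a colon, the detail may.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+):\s?(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str          # e.g. "O2", "O16"
    kind: str             # e.g. "BHO", "DPF", "Winlogon Notify"
    detail: str           # everything after the colon
    clsid: Optional[str]  # first CLSID in the detail, if any


def parse_log(text: str) -> List[Entry]:
    """Return the O-section entries; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        section, kind, detail = match.groups()
        clsid = CLSID_RE.search(detail)
        entries.append(Entry(section, kind.strip(), detail.strip(),
                             clsid.group(0) if clsid else None))
    return entries


def _is_ip_literal(host: Optional[str]) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag entries for human review; a flag is a prompt to look, not a verdict."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.detail.endswith("(no file)"):
            findings.append((e, "BHO registered but its file is missing"))
        elif e.section == "O16":
            url = URL_RE.search(e.detail)
            if url is None:
                findings.append((e, "DPF entry has no download source"))
            elif _is_ip_literal(urlparse(url.group(0)).hostname):
                findings.append((e, "DPF source is a raw IP address"))
        elif e.section == "O20":
            # Notify packages are DLLs; anything else is truncated or odd.
            target = e.detail.rsplit(" - ", 1)[-1]
            if not target.lower().endswith(".dll"):
                findings.append((e, "Winlogon Notify target is not a DLL path"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<4}{entry.clsid or entry.kind:<40} {reason}")
```

Entries that are not flagged still need a reader's judgment; the sketch only narrows down where to look first.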
      2743.

      Solve : Some help would be highly appreciated.?

      Answer»

      Here's my problem:

      I have a laptop and a computer. Both are connected to the internet via wireless adapters. Whenever I turn on my desktop the Internet goes out, but when I only have my laptop on the internet's fine. When the internet does go out because of turning on the desktop I have to turn off the desktop, turn off the routers, wait 5 minutes, and then turn the routers back on. I have Panda Antivirus on the desktop and Norton Antivirus on the laptop. whenever I run the scan on Panda on the desktop it keeps saying there's a trojan/spammer and it always says it has been neutralized, but every time I scan it it's still there. I found the file that has it but I'm scared to manually delete it because it's in the Windows system 32 folder. It's called perfc000.BAT.

      -Laptop is Dell Inspiron 8100
      -Desktop is an HP
      -Wireless router is Netgear

      So the Desktop is also connecting wirelessly ? ?
      If so travel to Control Panel/System/Hardware/Device Manager...
      Right click the wireless adapter and select advanced...under power uncheck "allow Windows to shut this device down to save power"

      Re-boot.
      Then on the Desktop machine go to Start/Run and type cmd and hit Enter...in the Command window type in ipconfig /all and hit Enter.
      Save it to .txt and post it here...

      It's very unlikely, that you have any legit ".bat" file in system32 folder.

      Just to make sure...

      1. Run free online scan at: http://housecall.trendmicro.com/
      The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\
      Post HouseCall log.

      2. Download and scan with SUPERAntiSpyware Free for Home Users:
      http://www.superantispyware.com/

      Print these instructions out.

      SUPERAntiSpyware should be run in Safe Mode.
      To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

      * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
      * An icon will be created on your desktop. Double-click that icon to launch the program.
      * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
      * Under "Configuration and Preferences", click the Preferences button.
      * Click the Scanning Control tab.
      * Under Scanner Options make sure the following are checked (leave all others unchecked):
      o Close browsers before scanning.
      o Scan for tracking cookies.
      o Terminate memory threats before quarantining.
      * Click the "Close" button to leave the control center screen.
      * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
      * On the left, make sure you check C:\Fixed Drive.
      * On the right, under "Complete Scan", choose Perform Complete Scan.
      * Click "Next" to start the scan. Please be patient while it scans your computer.
      * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
      * Make sure everything has a checkmark next to it and click "Next".
      * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
      * If asked if you want to reboot, click "Yes".
      * To retrieve the removal information after reboot, launch SUPERAntispyware again.
      o Click Preferences, then click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
      * Click Close to exit the program.
      Post SUPERAntiSpyware log.

      3. Download HijackThis:
      http://www.snapfiles.com/get/hijackthis.html
      Post HijackThis log.

      2744.

      Solve : Analyse the attached notepad files and the hijack log?

      Answer»

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2:01:18 PM, on 12/30/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\Spyware Terminator\sp_rsser.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      C:\HP\KBD\KBD.EXE
      C:\WINDOWS\AGRSMMSG.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Documents and Settings\HP_Owner.YOUR-03667082DE\Desktop\HiJackThis.exe

      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
      O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
      O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
      O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

      --
      End of file - 4341 bytes


      [saving space - attachment deleted by admin]

      Your HJT log is clean, however...

      1. I don't see any firewall running, unless you're using Windows firewall.

      2. You need to update Java: http://www.java.com/en/download/index.jsp
      Uninstall ALL older Java versions through Add\Remove

      Any particular reason, you ran HJT?

      I was advised to run SUPERAntiSpyware, ESET Nod32 Online Scanner and post a Hijack log with the search.

      The only infected files are showing in the recycle Bin and Temp. folders.

      Please download ATF Cleaner by Atribune. ATF Cleaner.exe

      Make sure that all browser windows are closed.

      • Double-click ATF-Cleaner.exe to run the program.
      • Under Main choose: Select All and UNCHECK Cookies.
      • Click the Empty Selected button.
      If you use Firefox browser
      • Click Firefox at the top and choose: Select All and UNCHECK Cookies.
      • Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use Opera browser
      • Click Opera at the top and choose: Select All and UNCHECK Cookies.
      • Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main ATF Cleaner menu to close the program.

      Restart the computer.


      To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
      2745.

      Solve : why would spoolsv.exe be on task manager when printer is off?

      Answer»

      in fact not working so I never hit print. Could this be a spyware? I have antivirus of course & run spybot all the time too. I just noticed this and it seemed odd since I never print.
      and does 69,000k seem a lot for Firefox to be using w/one window open, according to task manager? can hardly load anything from the net, pc works like molasses in jan & I'm looking for anything that can be causing this, started about 2 wks ago. got cable modem.

      spoolsv.exe is the Printer Spool service. If you click Start, click on Run, type in services.msc and scroll down, you should see Print Spooler service.

      Please read this post by evilfantasy and supply the logs.

      Quote

      spoolsv.exe is the Printer Spool service
      It's on, no matter, if your printer is on, or not. It's ready, whenever you are ready for printing.

      Heck...it's on even if you don't have a printer ! !
      2746.

      Solve : error-language library?

      Answer»

      Hi...I have Windows xp and after logging in, I get error: "Language Library couldnt be Loaded" ...My Panda Security will not load. HELP!!!?? I ran Lavasoft Adware,,,didn't help.

      Will this error appear in Safe Mode?

      What websites have you been on recently?

      2747.

      Solve : Please Help Virus?

      Answer»

      Alright this is probably something stupid that's going on with my laptop which is probably easy to fix but I have no knowledge of how to fix it. I either have a virus or a virus that is trying to get on my computer which my anti-virus software is blocking. I have Norton AntiVirus. On my security history it shows that it has been detecting W32.Trats!inf, Trojan.adclicker, Trojan.Vundo and Trojan.dropper. And I keep getting all these pop-ups telling me that there has been "adult files" put on my computer and I need to scan my computer click here. Which I don't click cause I'm not that stupid. I don't know what to do, my knowledge of computers is only so much. Any help would be great. Thanks.

      You will need to see post 1 and follow the steps in post 2 from this thread and submit the logs so we can see what is going on.

      Thanks.
      2748.

      Solve : unable to use internet without turning off firewall?

      Answer»

      Originally I had installed McAfee on the computer. Then I un-installed it so that I could install Norton. Norton is ready to expire so I want to install AVG.

      Issue is that every time I turn on the computer I get an error
      An application component is missing. Please reinstall McAfee Privacy Service Error Code: (7.1.015).

      I guess McAfee never totally un-installed. So at this point I need to know how to get rid of this annoying error. Get rid of McAfee in completely uninstall Norton.

      My other issue is that I can not log on to the internet using Internet Explorer or Mozilla firefox because I have to go into run and stop the firewall for Mcafee.

      Please help.

      And Thank you in advance.

      -Fuzzy19

      Step 1 - Download and run the McAfee Removal tool

      Note: You should first attempt to remove your McAfee consumer products using Add/Remove Programs in the Windows Control Panel (Programs and Features, in Windows Vista). This is the best method. After uninstalling using Windows Add/Remove Programs, run the McAfee Consumer Removal Tool (MCPR.EXE) to ensure successful removal of all McAfee references.

      1. Download the removal tool from:

      http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

      2. Click Save and save the file to any folder on your computer.
      3. Navigate to the folder where the file is saved.
      4. Make sure all McAfee windows are closed.
      5. Double-click MCPR.EXE to run the removal tool.

      Note: Windows Vista users must right-click MCPR.EXE and select Run as Administrator.

      6. Restart your computer after receiving the message CleanUp Successful.

      Your McAfee product will not be fully removed until the system is restarted. When the message Cleanup Unsuccessful is displayed, you can view and save your MCPR log files for analysis by Technical Support.

      All McAfee products are now removed from your computer.

      ---------------

      Norton Removal Tool for Windows

      http://fileforum.betanews.com/detail/Norton_Removal_Tool_for_Windows_2000XPVista/1169144666/1

      perfect the error is gone and so is norton.

      Thanks for your help once again.

      Just wondering which anti virus I should install from AVG. I have already installed the anti spyware.

      Right here http://filehippo.com/download_avg_antivirus/

      No problem, safe surfing......

      2749.

      Solve : Why does my screen go black after the Windows screen when I boot??

      Answer»

      Why does my screen go black after the Windows screen logo appears when I boot?
      and when i try to log in using safe mode, it works fine in safe mode and i have tried to adjust using safe mode.
      Right click on the desktop and click Properties, and then on the Settings tab.

      Now click and drag the Screen Resolution slider to the far left ... you want the smallest settings that your screen will support. Typically that'll be 640x480, or 800x600.

      Also change the Color Quality dropdown to 256 colors, or whatever is lowest. (You probably don't need to go as low as 16 colors, if that's presented as an option.)
      click ok then i reboot it but still the problem is not solved?
      please help me, i have tried this for 2 weeks, but still the problem is there?
      thanks

      Main suspect would be your video card.
      When you boot to Safe Mode, your video card driver are NOT loaded, Windows uses its generic VGA driver.
      Do you have separate video card, or it's on-board?
      Try to update your video drivers, first.
      If that doesn't work, borrow video card from a friend, and see, if it works.

      2750.

      Solve : windows xp logon password virus?

      Answer»

      hi folks,
      when windows xp requests my password to enable me to logon a virus(?) takes over my keyboard. for instance when i type 'e' four dots appear in the password box. i am locked out of my computer but i can access safe mode etc but don't know what to do from there. would appreciate some help!!
      nerd.
      Using Safe Mode....

      1. Run free online scan at: http://housecall.trendmicro.com/
      The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\
      Post HouseCall log.

      2. Download SUPERAntiSpyware Free for Home Users:
      http://www.superantispyware.com/

      Print these instructions out.

      * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
      * An icon will be created on your desktop. Double-click that icon to launch the program.
      * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
      * Under "Configuration and Preferences", click the Preferences button.
      * Click the Scanning Control tab.
      * Under Scanner Options make sure the following are checked (leave all others unchecked):
      o Close browsers before scanning.
      o Scan for tracking cookies.
      o Terminate memory threats before quarantining.
      * Click the "Close" button to leave the control center screen.
      * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
      * On the left, make sure you check C:\Fixed Drive.
      * On the right, under "Complete Scan", choose Perform Complete Scan.
      * Click "Next" to start the scan. Please be patient while it scans your computer.
      * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
      * Make sure everything has a checkmark next to it and click "Next".
      * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
      * If asked if you want to reboot, click "Yes".
      * To retrieve the removal information after reboot, launch SUPERAntispyware again.
      o Click Preferences, then click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
      * Click Close to exit the program.
      Post SUPERAntiSpyware log.

      3. Download HijackThis:
      http://www.snapfiles.com/get/hijackthis.html
      Post HijackThis log.

      The dots in the text box are normal Windows behaviour...

      Since you can access safe mode, you can always change your password in the control panel. Double click users and accounts icon, and then click your user name, and then select change password. See if that works.