
2901.

Solve : I’m using a BT home hub and when surfing the web it seems to frequently crash?

Answer»

I'm using a BT Home Hub, and when surfing the web it seems to crash a lot. I have to unplug it at the mains and restart it to get back on the web (I did not have this problem with my old Voyager modem). I have found out that if I go into the settings and disable the hub's built-in firewall, everything is OK. Can anyone tell me if I need to run a software firewall as well as the hardware firewall, and if I'm compromising my security by turning it off? PS: I'm using ZoneAlarm. Any help will be welcome. Anna

Obviously the firewall shouldn't be making the modem crash, so it might be worth checking whether any firmware updates are available. A firmware update will upgrade the software in the modem.
If you got the modem from an ISP you should check with them.

You aren't compromising your security by disabling the hardware firewall, though, when you have a software firewall in place. But there's nothing wrong with having both a hardware and a software firewall between you and the big bad web.

2902.

Solve : AppInit_DLLs?

Answer»

Alright, I just scanned with AVG Anti-Spyware in normal mode. There's this very stubborn file on my system that doesn't delete when I delete it. AVG Anti-Spyware identified it as Not-A-Virus.Adware.BHO. Here's the log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:4:51:22 PM 2/02/2008

+ Scan result:



C:\Documents and Settings\John\Local Settings\Temp\{17480E83-7BAD-4E32-86EB-EC919C66535B}\_extra\objects\cmdline.dll -> Not-A-Virus.Adware.BHO : Ignored.
C:\Documents and Settings\\Local Settings\Temp\{4DD377A2-607A-4D53-AA1E-A67911D8A3E4}\_extra\objects\cmdline.dll -> Not-A-Virus.Adware.BHO : Ignored.


::Report end

2903.

Solve : Win.2k Pro popups.?

Answer»

Win2k Pro SP4 - AVG Free, ZoneAlarm Free, SpywareBlaster, Ad-Aware SE Pro, CCleaner, Spybot S&D.

Ever since a clean install I have been getting the attached popups at random intervals. I have scanned and nothing was found by any maintenance program, including online scanners. Msconfig > Startup shows nothing abnormal.

Apart from the annoying popups the system is running well.

Any ideas what is causing the popups please?

[file cleanup - saving space - attachment deleted by admin]

Download and run Shoot The Messenger: http://www.grc.com/stm/shootthemessenger.htm

Thank you Broni, I found the answer by disabling Messenger in Services. It took me a while to think of Googling for Messenger Services; I should have known better.

Sure thing.

2904.

Solve : MSN virus and general cleanup?

Answer»

My friend fell for the stupid MSN virus that sends itself to people and he had some viruses a few months ago. I ran through Broni's usual instructions, here are the logs.

ESET:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=Unknown
# vers_standard_module=2829 (20080128)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=a383a53b196cb94f92cb2eca6ec83c6c
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-01-29 12:39:11
# local_time=2008-01-28 07:39:11 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=407599
# found=0
# scan_time=4425


SUPERantispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/29/2008 at 00:35 AM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 04:40:42

Memory items scanned : 175
Memory threats detected : 0
Registry items scanned : 7122
Registry threats detected : 0
File items scanned : 171523
File threats detected : 44

Adware.Tracking Cookie
[24 cookie entries under C:\Documents and Settings\Dmitri Shatrov\Cookies\; the cookie file names are unreadable in this copy of the log because they were replaced with "[emailprotected]" by the page's e-mail obfuscation]

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Trace.Known Threat Sources
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\S5IJ4X6N\Chriss%20Angel%20Gets%20Hit%20By%20A%20Car_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\01234567\Crazy%20scateboard%20dude_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\4DYJCDEF\Chris%20Angel%20does%20aWood%20Chipper%20Illusion_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\05YZO16V\Chris%20Angel%20Can%20Fly_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\4DYJCDEF\Chris%20Angel%20predicts%20the%20future_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\05YZO16V\VG_zango_300x250_11[1].gif
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\4DYJCDEF\Bungee%20Jumping_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\05YZO16V\Break%20Dancing_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\4DYJCDEF\Bungee%20Jumping%20in%20Africa_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\01234567\30%20Second%20Rubik's%20Cube_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\S5IJ4X6N\Cyril%20Card%20Through%20Glass_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\01234567\Chris%20Angel%20Levitation_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\S5IJ4X6N\Chriss%20Angel%20Knives%20Stunt_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\05YZO16V\7%20Year%20Old%20Pool%20Shark_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\05YZO16V\Chris%20Angel%20walks%20through%20glass%20window%20without%20breaking%20it!_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\01234567\Chicken%20Dance_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\01234567\Cool%20DJ%20Battle_size_large[1].jpg
C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temporary Internet Files\Content.IE5\4DYJCDEF\JS_zango_300x250_3[1].gif

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:25 PM, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *Blocked Russian URL*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] zxpbkt.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\RunServices: [Microsoft Update Machine] zxpbkt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Microsoft Update Machine] zxpbkt.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63C17329-8E16-4ECC-9DCA-C0DEB8F9917D}: NameServer = 64.71.255.198
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7572 bytes

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.
----------

Next run a new Hijackthis scan and post that log also.

----------

Is ROGERS CABLE COMMUNICATIONS INC your ISP?


Next post please add
SDFix log
New Hijackthis log

Rogers is his ISP. Here are the logs:

SDFix:


SDFix: Version 1.134

Run by Dmitri Shatrov on 30/01/2008 at 09:47 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\WINDOWS\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Dmitri Shatrov\Local Settings\Temp\utt41C.tmp.exe - Deleted





Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 21:53:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:cb,43,30,8f,d7,2a,36,f4,0e,5c,b2,53,3f,23,cd,e6,6a,77,d6,bd,ee,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6a,f4,a0,f0,b3,7d,3e,76,be,a4,da,30,9a,ce,3f,a0,4c,..
"khjeh"=hex:af,8e,ab,4d,0a,20,f8,bf,31,5c,f0,d4,c3,e0,0a,03,97,dc,3d,f2,af,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f9,84,82,50,07,10,12,5a,b1,c5,70,fd,72,4b,76,af,da,87,15,aa,57,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:a7,87,79,1f,d1,0f,09,70,1e,df,5f,73,d4,af,14,38,05,83,65,62,64,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:7e,9c,cf,3c,1e,5c,b8,dd,34,ea,21,84,c5,17,da,1f,5f,39,a2,e2,8e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:cb,43,30,8f,d7,2a,36,f4,0e,5c,b2,53,3f,23,cd,e6,6a,77,d6,bd,ee,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6a,f4,a0,f0,b3,7d,3e,76,be,a4,da,30,9a,ce,3f,a0,4c,..
"khjeh"=hex:af,8e,ab,4d,0a,20,f8,bf,31,5c,f0,d4,c3,e0,0a,03,97,dc,3d,f2,af,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f9,84,82,50,07,10,12,5a,b1,c5,70,fd,72,4b,76,af,da,87,15,aa,57,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:a7,87,79,1f,d1,0f,09,70,1e,df,5f,73,d4,af,14,38,05,83,65,62,64,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:7e,9c,cf,3c,1e,5c,b8,dd,34,ea,21,84,c5,17,da,1f,5f,39,a2,e2,8e,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ \4C\4A\4A\4>\0041\48\4B\4 ]
"Order"=hex:08,00,00,00,02,00,00,00,68,01,00,00,01,00,00,00,02,00,00,00,b6,..

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Program Files\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\WINDOWS\\system32\\zxpbkt.exe"="C:\\WINDOWS\\system32\\zxpbkt.exe:*:Enabled:zxpbkt"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"="C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\WINDOWS\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 10 Jan 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 9 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT4.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT2.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT6.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT3.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT5.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT7.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT3.tmp"

Finished!


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:46 PM, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *Blocked Russian URL*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63C17329-8E16-4ECC-9DCA-C0DEB8F9917D}: NameServer = 64.71.255.198
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7173 bytes
The HijackThis log looks fine. How is the computer now?

It's good.

Use OTMoveIt2 to remove SDFix and its related files. Leaving them on the computer will likely result in your antivirus identifying the quarantine as a virus.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

This is a good time to clear your infected system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and click Next.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Next to System Restore click Clean up...
This will remove all restore points except the new one you just created.

Here are some great tools to help you keep from getting infected again.

Spybot Search & Destroy - A safe and effective spyware scanner.
* Official Spybot Tutorial
* Spybot FAQ

AVG Anti-Spyware Free EDITION - Very reliable with a high detection rate.
* AVG Anti-Spyware User Manual

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* SpywareBlaster Tutorial

Comodo BOClean - Stops trojans and many more malicious attacks.

Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
* Click here for a list of free firewalls.
* Why would I consider a third party firewall?

UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer.
* Help with Windows updates

Learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Let us know if anything else comes up.

Thanks, did all that.

Glad it worked.

Safe surfing.........
2905.

Solve : AVI files problem?

Answer»

Hi BRONI,

I did what "neljan" suggested (Post 59) and it seems to have sorted out my AVI problem - not sure how. Going to download a couple of AVI files, to see how I get on.

I would like to thank you for all your time and trouble.

Belvin

Hi neljan,

Went through your posting and suggested downloads. Seems to have sorted out my AVI problem. Not sure which programme sorted it, as I did the lot before checking.

I'd like to thank you though.

Belvin

Anytime Belvin, I'm very happy for you!

May I also say how pleasant it was talking to you, you were more than worthy of my time!

All the best...

Way to go, guys!!! What a team a Broni?

I didn't do anything....LOL

2906.

Solve : Msn Virus HELP?

Answer»

My msn automatically sends files to everyone online

like: Me says: heyyy are you on this picture??
Me says: (file name)

I fell for it and now I'm a carrier

Help Please!
HijackThis log part 1


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:45 PM, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\sbmsp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BITCOMET\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
HijackThis log part 2

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The ensfolr - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - C:\WINDOWS\ensfolr.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe"
O4 - HKLM\..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdateMgr.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] "c:\Program Files\Norton Internet Security\UrlLstCk.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [sbmsp] C:\WINDOWS\system32\sbmsp.exe
O4 - HKLM\..\Run: [jndx] C:\WINDOWS\system32\jndx.exe
O4 - HKLM\..\RunServices: [sbmsp] C:\WINDOWS\system32\sbmsp.exe
O4 - HKLM\..\RunServices: [jndx] C:\WINDOWS\system32\jndx.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /BACKGROUND
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /TRAY
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
HijackThis log part 3

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Print Spooler Service (mvzu2yo3k) - Unknown owner - C:\WINDOWS\system32\jndx.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

1. Run free ESET Online Scanner at: http://www.eset.com/onlinescan/
Note: This Scanner is for Internet Explorer Only
1. You will notice that the "Start" button is grayed out. Place a check mark at "Yes, I accept the Terms of use". The "Start" button will become visible. Click on it.
2. If it wants to install an ActiveX component allow it
3. You will be asked to install an ActiveX, click the "Install" button (Note: If you have a Firewall install you may have to approve the installation)
4. Once ActiveX control is installed click on the "Start" button to initialize the scanner
5. After initialization is complete uncheck\untick "Remove found threats"
6. Check\tick "Scan unwanted applications"
7. Click the "Scan" button
8. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt
Post ESET's log.

2. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

Print these instructions out.

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

3. Post new HijackThis log.

k all the logs
help

[file cleanup - saving space - attachment deleted by admin]

*** Go Start>Control Panel>Add\Remove, and uninstall SpyNoMore - worthless.

*** Disable TeaTimer, since it'll interfere with the cleaning process:
* Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
o TeaTimer closes.

*** Disable Windows Defender, as it'll interfere with cleaning process:
* Open Windows Defender
* Click Tools
* Click General Settings
* Scroll down to Real Time Protection Options
* Uncheck Turn on Real Time Protection
* After you uncheck this, click on the Save button
* Close Windows Defender


1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- *O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
- *O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
- *O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
- *O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- *O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
- *O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
(I recommend, you uninstall Adobe Acrobat Reader, which is an enormous hog, and install FoxIt Reader (http://www.foxitsoftware.com/pdf/rd_intro.php), which is much smaller, and faster.)
- O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
- O4 - HKLM\..\Run: [jndx] C:\WINDOWS\system32\jndx.exe
- *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
- *O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
- O4 - HKLM\..\RunServices: [jndx] C:\WINDOWS\system32\jndx.exe (2nd occurrence)
- *O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
- *O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
- *O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
- *O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
- *O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
- *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
- O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
- O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
- O15 - Trusted Zone: http://*.trymedia.com (HKLM) (If you did not add these pages to your trusted pages, they should be fixed)
- O23 - Service: Print Spooler Service (mvzu2yo3k) - Unknown owner - C:\WINDOWS\system32\jndx.exe (file missing)

4. Click on "Fix checked" button.

5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

7. Delete following files/folders (if present):

- SpyNoMore folder from C:\Program Files
- jndx.exe file from C:\WINDOWS\system32

8. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

9. Restart in Normal Mode.

10. Turn System Restore on.

11. Post new HijackThis log.

New HijackThis log
thanks for the help

[file cleanup - saving space - attachment deleted by admin]

It looks MUCH better. We're almost there....

If you uninstalled Adobe Acrobat Reader, as I suggested, open HJT one more time, checkmark this:
- O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
Click "Fix checked".
Close HJT.

Go Start>Run, type in:
regedit
Click OK.
Registry Editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions folder
In the above folder, you'll see (left pane) alphanumeric subfolders.
Find:
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
Right click on it, click Delete

Go Start>Run, type in:
services.msc
Click OK.
Services window will open.
Find:
Print Spooler Service
If it's listed as Running, right click on it, click Stop
Right click again, click Properties, and under Startup type, select Disable from drop-down menu.

Go Start>Run, type in:
sc delete mvzu2yo3k (<----watch for "spaces")
Click OK.

Restart computer.
Post new HJT log.

New log

[file cleanup - saving space - attachment deleted by admin]

The log is clean

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
2. Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

How is your computer doing?
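The triage in this thread rests on a few signals read straight from the HijackThis log: entries that point at a file that is no longer there ("(no file)", "(file missing)"), an autostart value that appears under both Run and RunServices, a Trusted Zone entry the user did not add, and an "Unknown owner" service whose binary is the same jndx.exe that an O4 entry launches. As an added example (not HijackThis's own code, and not anything posted in this thread), the Python below encodes those checks as a small parser so the same pattern can be applied to a pasted log. The sample lines are constructed from the log above; the rule names and the `triage` and `exe_of` functions are my own.

```python
"""Flag HijackThis log entries using the signals the thread above relied on.

Added example (not HijackThis's own code): it parses O4 autostart and O23 service
lines, then raises a finding when an entry references a missing file, when an
autostart value also lives under RunServices, when a Trusted Zone entry is present,
or when an "Unknown owner" service runs the same executable as an O4 autostart.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The ensfolr - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - C:\WINDOWS\ensfolr.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sbmsp] C:\WINDOWS\system32\sbmsp.exe
O4 - HKLM\..\Run: [jndx] C:\WINDOWS\system32\jndx.exe
O4 - HKLM\..\RunServices: [sbmsp] C:\WINDOWS\system32\sbmsp.exe
O4 - HKLM\..\RunServices: [jndx] C:\WINDOWS\system32\jndx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Print Spooler Service (mvzu2yo3k) - Unknown owner - C:\WINDOWS\system32\jndx.exe
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner> - <binary path>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First .exe in a command line, with or without a leading quote.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)
# Trailing status HijackThis appends when the referenced file does not exist.
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")


def exe_of(cmd):
    """Return the lowercase executable path from an O4 command line or O23 path."""
    cmd = STATUS_RE.sub("", cmd.strip())
    m = EXE_RE.match(cmd)
    return (m["exe"] if m else cmd).lower()


def triage(log_text):
    """Return (rule, evidence) pairs for entries worth a closer look."""
    findings = []
    keys_by_name = defaultdict(set)   # autostart value name -> Run-type keys it appears under
    autostart_exes = set()            # executables started by any O4 entry
    services = []                     # (owner, exe, line) for every O23 entry

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if STATUS_RE.search(line):
            # Entry points at a file that no longer exists: leftover of a removed
            # component, or of malware whose binary has already been deleted.
            findings.append(("orphaned", line))
        if line.startswith("O15 - Trusted Zone:"):
            # Trusted Zone sites get relaxed IE security; the user should recognise each one.
            findings.append(("trusted zone", line))
        m = O4_RE.match(line)
        if m:
            keys_by_name[m["name"].lower()].add(m["key"])
            autostart_exes.add(exe_of(m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m:
            services.append((m["owner"], exe_of(m["path"]), line))

    for name, keys in keys_by_name.items():
        # RunServices is a Windows 9x/ME key that NT-based Windows (XP included) does
        # not process, so a value written under both Run and RunServices deserves attention.
        if "RunServices" in keys and "Run" in keys:
            findings.append(("run+runservices", name))

    for owner, exe, line in services:
        # A service with no identifiable owner that launches the same binary an
        # autostart entry launches is persistence registered two ways.
        if owner == "Unknown owner" and exe in autostart_exes:
            findings.append(("unknown-owner service doubles an autostart", line))

    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

On the sample the known-good entries (ehtray, ctfmon, the ATI hotkey service) produce nothing, while the two orphaned entries, the trymedia Trusted Zone line, the sbmsp/jndx Run+RunServices pairs and the fake "Print Spooler Service" all surface, which is the set the helper asked to have fixed. An "Unknown owner" service on its own is deliberately not flagged, since the same log shows a benign one (ATI Smart).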

2907.

Solve : blue rectangular window in centre of screen?

Answer»

Can anyone help me with this problem? A blue rectangular window has appeared in the centre of my screen. It is about 4 inches (10 cm) wide by 3.5 inches tall. It floats on top of everything else, blocking out text beneath it. It has commands in it for screen settings: brightness, contrast, horizontal position, vertical position, etc. I cannot find any way of removing it or accessing it. It just seemed to appear for no apparent reason.
It appears at startup during the bootup process, before Windows loads.
I have loaded an updated driver for the display.

Operating system: Windows XP SP2, 1.7GB, 40GB hard disk
Screen: Neovo LCD 19inch
RAM: 512

This sounds like the controls for your monitor.
The monitor should have buttons that let you move through the controls and some way of closing it. There's usually arrow or +/- buttons and an ok/MENU button.

Thanks deerpark
It definitely seems to be the monitor menu. The control buttons on the front of the monitor are inactive - must be something wrong with them. They don't respond when they are pushed.

It sounds like a defective monitor to be honest.
If you can, connect it to another computer just to rule out the possibility of it being a defect in the computer that's causing this.

2908.

Solve : AVG Trojan Generic9.AVLZ?

Answer»

Quote

see HJT log
Where?....LOL

Quote
What was it? Is Generic9 an actual malicious infection?
I believe, it was false positive.

Quote
I know one of you folks made a comment somewhere to their dissatisfaction with Tea Timer before.
Personally, I don't use it.

Quote
As soon as I am re-employed, I OWE you guys--no bull I'll do it.
Ahhhh...free beer

I tried to 'modify' and add the log. Here it is.

[file cleanup - saving space - attachment deleted by admin]

It looks good
You may remove a couple of unnecessary startups. Open HJT, and checkmark these:
- O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- O4 - HKCU\..\Run: [SUPERANTISPYWARE] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Click "Fix checked".

Run CCleaner, afterwards.
2909.

Solve : Trojan.packed.nsanti still here?

Answer»

Hi!

I'm still getting notifications from Symantec about Trojan.Packed.NsAnti that look like this:

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: Trojan.Packed.NsAnti
File: C:\Users\kittymaroon\AppData\Local\Temp\DWH1167.tmp
Location: Quarantine
Computer: KITTYMAROON-PC
User: Victoria Chao
Action taken: Quarantine succeeded : Access denied
Date found: Monday, April 27, 2009 4:09:22 PM

My Symantec antivirus should be up-to-date (Version: 6/1/2009 rev. 3). Sometimes I'll go a few days without getting any virus warnings--other days, I'll get over 50 in a half hour.

If it's at all helpful, I have a Dell Inspiron 1420 running Windows Vista. I have SP1 installed on it. I've also attached my logs, though I'd be happy to post them as well. Thanks so much for your help--I look forward to your reply!


[attachment deleted by admin]

Download DDS by sUBs and save it to your desktop. Alternate DDS download link

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

2910.

Solve : Trojan horse agent 2.JCS discovered today?

Answer»

I was so grateful to find this site, and have followed all the steps and created the logs, which I will try to attach. Any help you can give me would be very much appreciated.

I have Windows XP and run AVG 3 times a week. The scan on 5/31/09 was fine, but today (6/2/09) I found three files infected with Trojan Horse Agent 2.JCS. AVG would not remove them because "the moved object is bigger than the archive size limit". All three infected files are in old computer files from my previous computer (copied to this one's hard drive) and are in My Pictures/Sample Pictures. I am sure I don't need those files, so could I just delete them? Would that solve the problem? I wasn't sure, so I didn't do anything.

Following your steps, I removed Viewpoint Manager (remove only) and Viewpoint Media Player. I ran the CCleaner, the superantispyware, and mbam. I had a very old Java, which I updated.

I had not been updating Windows, and the day before I found the infection I went through the process of getting SP3 and also downloaded 2 or 3 optional updates. I wondered if that had anything to do with getting the Trojan Horse.

I am going to attach the mbam log and hijink log.

Superantispyware is at

http://www.filedropper.com/superantispywarescanlog-06-02-2009-19-03-08

Thanks so much! I have to go to bed, but I will check back in the morning.

Alta Price
Bettendorf, Iowa




[attachment deleted by admin]

Interesting! Concerned that the Trojan might be spreading (I don't even know if they spread), I scanned my computer this morning and it didn't find any infection.

Does that mean the steps I followed yesterday took care of it?

Maybe I am done?

Thanks!

Alta

Hi again.

I read on the other thread that this trojan is a false positive.

I did try to do the hijack this self help thing last night, and there were 2 things that came up it said I should correct. However, I have no idea how to correct those things, so if you wouldn't mind looking at that for me I would really appreciate it!

No hurry, though. I am not sure if I have "bumped" my thread by posting replies. I didn't understand that part of your directions, and apologize if I am not following them. Even if it puts me to the end of the line, I suspect my problems aren't as severe as others anyway.

Thanks again.

Alta

Re: trojan hoarse agent2.jcs
Posted by: sevcikp - AVG Team (IP Logged)
Date: June 1, 2009 09:53PM

Hello,

no need to send the file to AVG Tech. We can confirm that this detection really is a false alarm. An update fixing this false positive is currently being prepared and should be released soon.

Everything looks OK.

You can have HijackThis fix this:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

Use the Secunia Software Inspector to check for out of date software.

  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
2911.

Solve : Help needed with infection......please!?

Answer»

Before answering your question about how my computer is running now (it seems to be fine), I ran a complete scan of the whole computer with my AVG 8.5 and learned that AVG just this morning found and successfully moved to the virus vault 11 infections and a bunch of tracking cookies. See list below.

I have just changed my IE settings to block all cookies and accept only those I have allowed by exception. Maybe that will take care of the tracking cookie problem but is there something I can do to prevent picking up these infections? AVG says everything is up to date and working.

I will wait for your response before doing anything else and I've not yet followed your last instruction to uninstall ComboFix. Let me know if you still want me to do that uninstall right now.

Thanks a lot, I appreciate it. wildbjk.

INFECTIONS:

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001001.sys";"Trojan horse Pakes.DPC";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001002.dll";"Trojan horse Rootkit-Pakes.A";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001003.dll";"Trojan horse Generic13.ATOC";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001004.dll";"Trojan horse Generic13.ATOB";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001026.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001027.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001029.exe";"Trojan horse SHeur2.AGJH";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001030.exe";"Trojan horse Agent2.IBG";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001031.exe";"Trojan horse Small.BKI";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP17\A0001228.exe";"Trojan horse Small.BKI";"Moved to Virus Vault"

"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP17\A0001229.dll";"Trojan horse Downloader.Generic8.AOLC";"Moved to Virus Vault"

TRACKING COOKIES:


Nothing found by AVG is actually a threat.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide.
----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Evilfantasy,

Sorry about the long delay in my reply but I just wanted to be sure my system was running properly before getting back to you. Good news! Everything seems to be fine with no signs of infection... fantastic! I appreciate all your suggestions for keeping my system safe in the future.


Thank you very much for all your help and staying with it until the effort was successful. I can't begin to tell you how much I appreciate what you've done. Thank you, thank you, thank you!!!!!

Regards,
wildbjk
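One way to make the triage in the reply above repeatable, as an added example (my own Python, not AVG's or the helper's): parse an AVG 8 export in the "path";"threat";"action" shape shown above and sort each hit by whether it sits in a System Restore snapshot, is a tracking cookie, or is on a live file. The sample records are constructed; the restore-point and cookie lines mirror the ones posted, the two live-file lines are made up.

```python
"""Triage an AVG 8 scan export: separate hits archived inside System Restore points
from hits on live files and from tracking cookies."""
import csv
import re
from io import StringIO

# Files under \System Volume Information\_restore{GUID}\RPnn\ are snapshot copies kept
# by System Restore. They are not running code, and they disappear when the old restore
# points are purged (the Clean Up step in the reply above).
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE
)

# Constructed sample in the same "path";"threat";"action" shape as the AVG export above.
# The first five records mirror entries from the thread; the last two are made up to show
# hits outside a restore point (one of them not quarantined).
SAMPLE_AVG_EXPORT = r'''"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001001.sys";"Trojan horse Pakes.DPC";"Moved to Virus Vault"
"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0001002.dll";"Trojan horse Rootkit-Pakes.A";"Moved to Virus Vault"
"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP17\A0001228.exe";"Trojan horse Small.BKI";"Moved to Virus Vault"
"C:\Documents and Settings\Jim\Cookies\jim@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\Jim\Cookies\jim@doubleclick[1].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\WINDOWS\system32\constructed_example.dll";"Trojan horse Generic13.ATOC";"Moved to Virus Vault"
"C:\Documents and Settings\Jim\Local Settings\Temp\constructed_example.exe";"Trojan horse Small.BKI";"Infected"
'''


def parse_avg_export(text):
    """Yield (path, threat, action) for each record; AVG quotes every field and uses ';'."""
    reader = csv.reader(StringIO(text), delimiter=";", quotechar='"')
    for row in reader:
        if len(row) == 3:
            yield row[0], row[1], row[2]


def classify(path, threat):
    """Return (kind, restore_point); kind is 'restore_point', 'tracking_cookie' or 'live'."""
    m = RESTORE_POINT_RE.search(path)
    if m:
        return "restore_point", m.group(1).upper()
    if threat.lower().startswith("found tracking cookie") or "\\cookies\\" in path.lower():
        return "tracking_cookie", None
    return "live", None


def triage(text):
    """Bucket every record by kind and collect the restore points that hold archived hits."""
    summary = {"restore_point": [], "tracking_cookie": [], "live": [], "restore_points": set()}
    for path, threat, action in parse_avg_export(text):
        kind, rp = classify(path, threat)
        summary[kind].append((path, threat, action))
        if rp:
            summary["restore_points"].add(rp)
    return summary


def needs_attention(text):
    """Hits a responder should still look at: anything on a live file, plus any record
    of whatever kind that AVG did not manage to move to the Virus Vault."""
    s = triage(text)
    pending = [r for r in s["restore_point"] + s["tracking_cookie"] if r[2] != "Moved to Virus Vault"]
    return s["live"] + pending


if __name__ == "__main__":
    result = triage(SAMPLE_AVG_EXPORT)
    print(f"archived in restore points {sorted(result['restore_points'])}: {len(result['restore_point'])}")
    print(f"tracking cookies: {len(result['tracking_cookie'])}")
    for path, threat, action in needs_attention(SAMPLE_AVG_EXPORT):
        print(f"REVIEW  {threat:35} {action:22} {path}")
```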
2912.

Solve : Virus Warnings?

Answer»

Hi,
I am getting multiple virus warnings from McAfee. They all refer to different infected files, so I have listed a couple below:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B4B794D-8560-419A-B57D-EB3E8743B493}\RP166\A0045805.EXE
W32/Trats

C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B4B794D-8560-419A-B57D-EB3E8743B493}\RP166\A0045811.EXE\A0045811.EXE
Downloader-AWM.gen

I have attached the requested scan logs - any help would be appreciated.

Thanks

Nick


[file cleanup - saving space - attachment deleted by admin]

Thanks for following the guide before posting. It looks like it got rid of a lot. There is still some cleaning to do.

Open HJT and select Do a system scan only and then place a check mark next to:


O2 - BHO: (no name) - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - (no file)
O2 - BHO: (no name) - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - (no file)
O20 - Winlogon Notify: agvfqnaa - agvfqnaa.dll (file missing)
O20 - Winlogon Notify: efcyyyy - efcyyyy.dll (file missing)
O20 - Winlogon Notify: winaqc32 - winaqc32.dll (file missing)


Close all windows except for Hijackthis and click Fix checked.

Exit Hijackthis.

----------

Download Vundofix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish; sometimes it can take multiple passes.

----------

Do you know what this is? HQ.AUTOCAB.COM

----------

Next post please add
Vundofix log
New Hijackthis log

Thanks for your help - the PC appears to be running OK now, and all the virus warning messages have stopped.

I have attached the 2 new log files.

hq.autocab.com is the domain that the PC was on.

[file cleanup - saving space - attachment deleted by admin]

Quote

hq.autocab.com is the domain that the PC was on.

You say was on? If it is no longer on the domain then you can have HJT fix those four O17 entries also. If it is needed then don't fix them.

Open HJT and select Do a system scan only and then place a check mark next to:

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)

Close all windows except for Hijackthis and click Fix checked.

Exit Hijackthis.

----------

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click Options...
  • Make sure the arrow is set to Standard CleanUp!
  • Uncheck the following: (if checked)
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  • Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

----------

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished, exit out of OTMoveIt2.

UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer.
* Help with Windows updates

Learn more about how to protect yourself while on the internet: read this article by Tony Klein: So how did I get infected in the first place?

Let us know if anything else comes up.

Almost forgot something.


Toggle System Restore to clear infected restore points

1. Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer

3. Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

Thanks for all your help, it seems to have done the job.

Nick

Glad it worked.

Safe surfing..............
2913.

Solve : Need Anti virus for WIndows XP with 128 Mb of RAM?

Answer»

I have Windows XP service pack 2 and need anti-virus. My microprocessor (Celeron) has 996 Hz and I have 128 MB of RAM and I have 2.72 GB of free space. I previously had Norton Internet Security. I have a free cd of Norton Anti-virus, but it says I have to have 256 MB of Ram. If I had Norton Internet Security 2007 and I believe it requires 256MB of RAM too, then can I use my cd of Norton Anti-Virus? If not, any recommendations?

Honestly Norton will slow down your computer and there are much better free alternatives.

Antivirus Click here
Suggested options are either Avast, AVG or Avira.

Firewall Click here
Suggestions are Comodo, Sunbelt or Zone Alarm. (zone alarm can be heavy on resources so keep that in mind)

Note: If you choose Comodo it must be run in Advanced Mode to provide full protection. Basic mode is strongly NOT suggested.

Straight to AVG's site is: http://free.grisoft.com


From here, http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0
I see:

Minimum system requirements

* CPU Intel 486 133 MHz
* 30 MB free hard drive space (for installation)
* 32 MB RAM



RAM is pretty inexpensive these days...if you add another 512Mg. you, XP and your machine will be a lot happier.

Quote

RAM is pretty inexpensive these days...if you add another 512Mg

Not that patio is any Norton supporter. He's far from it. Go with evil's advice.

Due to conditions I'd rather not discuss I can no longer comment on Norton's until after it has been successfully un-installed...
2914.

Solve : Virus make all folders invisible?

Answer»

My flash was infected by virus that create each folder with .exe extension, and make all folders hidden.

After cleaning with antivirus (kaspersky 6), all folders are still disappeared. But when I create those folders again, it shows the message folder are already exists. So, I try to tick "show hidden files and folders" in explorer but folders still invisible.

Is there anyway to make them visible?

Thanks.

It sounds like there is still something that wasn't removed.

Download HijackThis.exe

* Double-click on the installer you just downloaded.
* Click on the Install button to install.
* It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
* Please do not change the default install location.
* Upon install, HijackThis should open for you.

* Next click on the Do a system scan and save a log file button.
* HijackThis will scan and then a log will open in notepad.
* Copy and then paste the log in your next reply.

Urgently using it, I have formatted it. Sorry and thanks for your help.

Quote from: khmerguy on February 01, 2008, 02:41:03 AM

Urgently using it, I have formatted it. Sorry and thanks for your help.

The flash drive more than likely infected your machine as well...I'd follow EF's suggestions.
2915.

Solve : Trojan Horse Agent 2JCS cannot be removed--please help!?

Answer»

I did all t his. Should I keep going? What's next?

Thanks

Dr. d'Elia

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:13 PM, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
E:\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
E:\reza\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TBPanel] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "E:\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\reza\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Innerpass] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] E:\reza\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199258053546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFCF1F9A-D083-495F-868C-0F6558AD7FE5}: NameServer = 85.15.1.13 85.15.1.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9667 bytes
This entry.

Quote

O4 - HKCU\..\Run: [Innerpass] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe

Appears to be from Skype and is labeled as adware. See here http://www.prevx.com/filenames/X1987307338720066266-X1/INNERPASSFILESHARING.EXE.html

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Wow! I downloaded that thing myself. It was supposed to be a real time conference and document sharing. It seemed to work okay for me, but the person who was trying to join me in the "room" said that her browser crashed when she tried to use this program. I guess that should have been a sign....
Now, I will go and do what you said.

Thanks again.

In peace
Dr. D.

P.S. should I tell the skype people that the program they are offering as an option has adware?

ComboFix 09-05-31.06 - Irani 06/02/2009 0:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.1.1033.18.3582.2901 [GMT 4.5:30]
Running from: c:\documents and settings\Irani\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
D:\Autorun.inf
E:\Autorun.inf
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 17:30 . 2009-06-01 17:30  3371383  ----a-w-  c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-01 15:54 . 2009-06-01 15:54  --------d-----w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-01 15:54 . 2009-06-01 15:54  --------d-----w-  c:\program files\SUPERAntiSpyware
2009-06-01 15:54 . 2009-06-01 15:54  --------d-----w-  c:\documents and settings\Irani\Application Data\SUPERAntiSpyware.com
2009-06-01 14:49 . 2009-06-01 14:49  --------d-----w-  c:\program files\Common Files\Wise Installation Wizard
2009-06-01 02:15 . 2009-06-01 02:15  --------d-----w-  c:\windows\system32\config\systemprofile\Application Data\PC Suite
2009-05-21 14:43 . 2009-05-21 14:43  69632  ----a-w-  c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\zInnerPassUninstall.exe
2009-05-21 14:43 . 2009-05-21 14:43  258048  ----a-w-  c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe
2009-05-21 14:43 . 2009-05-21 14:43  242496  ----a-w-  c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\tssCPopupNotify.dll
2009-05-21 14:43 . 2009-05-21 14:43  1828176  ----a-w-  c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\Skype4COM.dll
2009-05-20 04:28 . 2009-05-03 07:49  2051864  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-20 04:28 . 2009-05-03 07:48  354584  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-20 04:28 . 2009-05-03 07:48  424472  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-20 04:28 . 2009-05-03 07:48  177432  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-20 04:28 . 2009-05-03 07:49  486168  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-20 04:28 . 2009-05-03 07:49  3288344  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-20 04:28 . 2009-05-03 07:48  312088  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-20 04:27 . 2009-05-03 07:45  1437464  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-20 04:27 . 2009-05-03 07:45  755992  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-16 10:48 . 2009-05-03 07:49  2302232  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-16 10:48 . 2009-05-03 07:49  3399960  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-16 02:18 . 2009-06-01 17:43  --------d-----w-  c:\documents and settings\Irani\Application Data\skypePM
2009-05-16 02:18 . 2009-05-16 02:18  56  ---ha-w-  c:\windows\system32\ezsidmv.dat
2009-05-16 02:16 . 2009-06-01 19:43  --------d-----w-  c:\documents and settings\Irani\Application Data\Skype
2009-05-16 02:15 . 2009-05-16 02:15  --------d-----w-  c:\program files\Common Files\Skype
2009-05-16 02:15 . 2009-05-16 02:15  --------d-----r-  c:\program files\Skype
2009-05-16 02:15 . 2009-05-16 02:15  --------d-----w-  c:\documents and settings\All Users\Application Data\Skype
2009-05-15 05:57 . 2009-05-15 05:57  --------d-----w-  c:\documents and settings\All Users\Application Data\CyberLink
2009-05-05 18:41 . 2009-05-05 18:41  --------d-----w-  c:\documents and settings\Irani\Local Settings\Application Data\WinZip
2009-05-05 18:40 . 2009-05-05 18:41  --------d-----w-  c:\documents and settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 18:54 . 2009-02-09 23:07  410984  ----a-w-  c:\windows\system32\deploytk.dll
2009-06-01 17:32 . 2008-09-19 00:00  --------d-----w-  c:\program files\Malwarebytes' Anti-Malware
2009-05-31 10:48 . 2008-01-01 08:07  --------d--h--w-  c:\program files\InstallShield Installation Information
2009-05-31 03:21 . 2009-02-04 15:54  4330  ----a-w-  c:\documents and settings\Irani\Application Data\wklnhst.dat
2009-05-26 08:50 . 2008-09-19 00:00  40160  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 08:49 . 2008-09-19 00:00  19096  ----a-w-  c:\windows\system32\drivers\mbam.sys
2009-05-22 19:19 . 2008-01-02 02:17  --------d-----w-  c:\documents and settings\Irani\Application Data\Canon
2009-05-20 03:11 . 2008-10-27 19:08  --------d-----w-  c:\program files\MSECache
2009-05-09 16:16 . 2009-02-06 12:32  --------d-----w-  c:\documents and settings\Irani\Application Data\AVGTOOLBAR
2009-05-03 07:49 . 2009-02-05 19:58  11952  ----a-w-  c:\windows\system32\avgrsstx.dll
2009-05-03 07:49 . 2008-09-17 19:46  325896  ----a-w-  c:\windows\system32\drivers\avgldx86.sys
2009-05-03 07:49 . 2008-09-17 19:46  27784  ----a-w-  c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 07:49 . 2009-02-06 12:32  108552  ----a-w-  c:\windows\system32\drivers\avgtdix.sys
2009-05-01 18:41 . 2009-05-01 18:41  50  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\6172\track.dll
2009-05-01 18:41 . 2009-05-01 18:41  2562  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\6172\hitcounter.dll
2009-05-01 18:41 . 2009-05-01 18:41  2020  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\6172\externalredirect.dll
2009-05-01 18:41 . 2009-05-01 18:41  50  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4902\track.dll
2009-05-01 18:41 . 2009-05-01 18:41  2562  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4902\hitcounter.dll
2009-05-01 18:41 . 2009-05-01 18:41  2020  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4902\externalredirect.dll
2009-05-01 13:00 . 2009-05-01 13:00  --------d-----w-  c:\documents and settings\All Users\Application Data\Elaborate Bytes
2009-05-01 13:00 . 2009-05-01 12:55  48  --sh--w-  c:\windows\S6E389119.tmp
2009-05-01 12:55 . 2009-05-01 12:55  --------d-----w-  c:\program files\Elaborate Bytes
2009-04-30 07:22 . 2009-04-30 07:22  --------d-----w-  c:\documents and settings\Irani\Application Data\CyberLink
2009-04-28 02:16 . 2008-09-19 10:58  4  ----a-w-  C:\timeStmp.tmp
2009-04-22 07:08 . 2009-04-22 07:08  --------d-----w-  c:\documents and settings\Irani\Application Data\Apple Computer
2009-04-21 21:18 . 2009-04-21 21:18  9676  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4370\prscript.dll
2009-04-21 21:18 . 2009-04-21 21:17  9676  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\15718\prscript.dll
2009-04-21 21:16 . 2009-04-21 21:16  1895  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4370\adsadclient31.dll
2009-04-20 22:06 . 2008-09-17 14:03  --------d-----w-  c:\program files\Common Files\Adobe
2009-04-17 19:10 . 2009-04-17 19:10  8523  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\7930\prscript.dll
2009-04-17 19:10 . 2009-04-17 19:10  8523  ----a-w-  c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\48\prscript.dll
2009-04-10 00:21 . 2009-04-07 15:36  60744  ----a-w-  c:\documents and settings\Irani\g2mdlhlpx.exe
2009-03-11 18:53 . 2009-03-11 18:53  9728  ----a-w-  c:\documents and settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Installations\CommonCustomActions\UninstPCS.exe
2009-03-11 18:53 . 2009-03-11 18:53  8192  ----a-w-  c:\documents and settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Installations\CommonCustomActions\UninstCCD.exe
2009-03-11 18:53 . 2009-03-11 18:53  15360  ----a-w-  c:\documents and settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
2009-03-06 14:22 . 2004-08-04 01:56  284160  ----a-w-  c:\windows\system32\pdh.dll
2001-10-22 08:33 . 2001-10-22 08:33  425984  ----a-w-  c:\program files\nokcvtr.exe
2001-09-29 15:16 . 2001-09-29 15:16  961  ----a-w-  c:\program files\menu.dat
2001-08-23 20:17 . 2001-08-23 20:17  1314719  ----a-w-  c:\program files\nokhelp.hlp
2001-08-23 20:16 . 2001-08-23 20:16  304  ----a-w-  c:\program files\nokhelp.cnt
2001-07-29 15:29 . 2009-03-12 08:43  96256  ----a-w-  c:\program files\UnGins.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]
"Innerpass"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe" [2009-05-21 258048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="c:\program files\XpertVision\TBPanel.exe" [2008-01-29 2157064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="E:\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"PCSuiteTrayApplication"="e:\reza\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-03 1626112]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="e:\reza\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 06:35  356352  ----a-w-  c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 07:49  11952  ----a-w-  c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Irani\\My Documents\\reza p\\BlueSoleil.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/18/2008 12:16 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2009 5:02 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/6/2009 5:02 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/6/2009 12:28 AM 298776]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [9/19/2008 4:54 AM 33752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:04]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {BFCF1F9A-D083-495F-868C-0F6558AD7FE5} = 85.15.1.13 85.15.1.10
FF - ProfilePath - c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 00:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=HEX:c8,28,51,af,b0,29,a3,98,7b,56,9d,92,f4,
b7,bf,04,e2,63,26,f1,3f,c8,ff,68,04,0f,49,10,65,c9,a0,b2,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,d6,b0,36,72,91,
6d,b3,0b,6a,9c,d6,61,af,45,84,18,80,59,6f,cc,97,4f,f6,73,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,f3,9d,89,01,e9,
30,39,d3,ff,7c,85,e0,43,d4,0e,fe,a0,a7,9d,cf,05,0f,f6,b6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,58,7a,68,ea,29,
0e,66,d0,86,8c,21,01,be,91,eb,e7,83,13,05,42,88,ca,19,5e,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,63,0f,12,69,b6,
36,9c,04,f5,1d,4d,73,a8,13,5c,05,fd,51,fb,05,f1,e1,03,48,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,d2,af,95,b3,6b,
68,a0,62,df,20,58,62,78,6b,cf,c8,d5,aa,a9,bb,39,07,ab,0e,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,29,16,4e,27,3a,
1d,c4,7f,fb,a7,78,e6,12,2f,9a,ea,df,53,fe,94,ae,4c,32,c9,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,81,4d,1b,af,18,
18,bc,35,01,3a,48,fc,e8,04,4a,f1,69,ce,41,e8,23,6f,f4,8d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,07,eb,58,9c,46,
8d,b4,2c,f6,0f,4e,58,98,5b,89,c9,2b,ad,e3,be,4b,66,1c,dc,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,6c,3f,29,8c,5e,
e1,64,2f,3d,ce,ea,26,2d,45,aa,78,08,aa,00,e1,9f,cb,b0,48,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,ff,5a,43,90,b9,
f6,94,9e,2a,b7,cc,b5,b9,7f,41,e7,73,94,d8,8f,32,d8,46,31,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,df,35,f4,ba,d6,
1f,61,40,6c,43,2d,1e,aa,22,2f,9c,ae,0a,ee,6a,ae,8c,7b,24,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-01 0:17
ComboFix-quarantined-files.txt 2009-06-01 19:47

Pre-Run: 2,489,245,696 bytes free
Post-Run: 2,482,802,688 bytes free

256--- E O F ---2009-05-16 16:32

Quote from: Drd on June 01, 2009, 01:36:43 PM

P.S. should I tell the skype people that the program they are offering as an option has adware?

Actually Skype doesn't have anything to do with it. It's third party software from https://www.innerpass.com/?

Can you give me the file path of the trojan AVG is finding? I don't see anything.

Quote from: Drd on June 01, 2009, 01:55:33 AM
Hello: Last night I received a warning from my AVG Anti-Virus Free security that the computer was being attacked. I did a scan and found that there were two infections:
Both were Trojan Horse Agent 2JCS. One was lodged here:
C:\\Windows\System32\dllcache\logagent.exe That was "removed and healed"
Another was lodged here:
C:\\Windows\system32\logagent.exe This is listed in the AVG as "not healed" . When I click on the "infections" tab in the scan report, it says, "Object is white listed critical system file that should not be removed.

So what happens next? How do I get rid of the infection? Is it safe to keep using the computer when the infection hasn't been dealt with?

I'm using XP professional, version 5, service pack 3. I usually use a Firefox browser, although I also have IE on the system.

Thanks for your help.
In peace
Dr. D.

I am using XP Professional. This evening AVG warned about this file "C:\\Windows\system32\logagent.exe " infected.

I RESTARTED in safe mode.
Deleted the file manually.
Inserted the Windows CD to recover the original file.

And it worked for me. No more Trojan warnings.

This is where they were. But I think that the Superspyware may have deleted the file. I couldn't delete it from the AVG because it was "white listed" and there was no choice offered to delete it.
C:\\Windows\System32\dllcache\logagent.exe That was "removed and healed"
Another was lodged here:
C:\\Windows\system32\logagent.exe This is listed in the AVG as "not healed" . When I click on the "infections" tab in the scan report, it says, "Object is white listed critical system file that should not be removed.

Is this cleared up now? Should I run another AVG scan or what?

Thanks

Dr. D
Whitelisted means it is not a threat. Is there a way to add it to the ignore list?

logagent.exe - Windows Media Player Log Agent http://www.fileresearchcenter.com/L/LOGAGENT.EXE-3321.html

Hi there people. Just got a warning for this myself on an AVG scan so I googled it, hitting this very thread and then also this one:

http://freeforum.avg.com/read.php?4,188951,188987

Seems its a false positive.

Cheers,

Ted.

I'm a little confused here. Did I have a problem with my computer? Do I have one now or am I safe?

Thank you

In peace
Dr D

It's a FP, so no, there is not a problem.

Go here to report it to AVG so they will remove it from their blacklist. You suspect a file to be a false positive

OK. So thanks for all your help. I'm outta here.

In peace

Dr. D'Elia

Re: trojan hoarse agent2.jcs
Posted by: sevcikp - AVG Team (IP Logged)
Date: June 1, 2009 09:53PM

Hello,

no need to send the file to AVG Tech. We can confirm that this detection really is a false alarm. An update fixing this false positive is currently being prepared and should be released soon.
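Earlier in this thread the responder singled out the O4 / Run entry for InnerPassFileSharing.exe because it starts from a folder under Application Data rather than from Program Files or Windows, which is the usual first-pass triage question for any autorun. The Python script below is an added example, not code from ComboFix, HijackThis or anyone in the thread: it parses the Run-key listing in the format of ComboFix's "Reg Loading Points" section (the sample lines are copied from the log posted above) and flags entries whose executable lives in a user-writable profile directory. The trusted-prefix and marker lists are my own assumption, not a rule from either tool, and a flag means "look closer", not "malicious".

```python
import re

# Constructed sample: entries copied from the ComboFix "Reg Loading Points"
# section posted in this thread, trimmed to a handful of lines.
SAMPLE_REG_SECTION = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]
"Innerpass"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe" [2009-05-21 258048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"""

# A registry key header such as [HKEY_CURRENT_USER\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')

# "Name"="value" [YYYY-MM-DD size], optionally with " - resolved\path" when
# ComboFix resolved a bare file name to the file it actually found on disk.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r'(?: - (?P<resolved>.+?))?'
    r' \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Heuristic (my assumption, not a ComboFix rule): autoruns normally live under
# the Windows or Program Files trees; a Run entry pointing into a user-writable
# profile directory deserves a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_run_entries(text):
    """Return one dict per Run entry: key, name, path, date, size."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            # Prefer the path ComboFix resolved over the bare value.
            path = m.group("resolved") or m.group("value")
            entries.append({
                "key": key,
                "name": m.group("name"),
                "path": path,
                "date": m.group("date"),
                "size": int(m.group("size")),
            })
    return entries


def classify(path):
    """'user-writable', 'system' or 'other' for an autorun's executable path."""
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    if p.startswith(TRUSTED_PREFIXES):
        return "system"
    return "other"


def suspicious_autoruns(text):
    """Run entries that do not start from the Windows or Program Files trees."""
    return [e for e in parse_run_entries(text) if classify(e["path"]) != "system"]


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_REG_SECTION):
        print(f"{classify(e['path']):13} {e['name']:12} {e['path']}")
    print("Flagged:", [e["name"] for e in suspicious_autoruns(SAMPLE_REG_SECTION)])
```

On the sample the only entry flagged is Innerpass, which is exactly the one the responder picked out; the size and date fields are kept so a flagged entry can be matched against the "Files Created" section of the same log.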
2916.

Solve : Should my computer make pop noises??

Answer»

Thank you for looking at this thread.

I have just changed to a new(ish) computer. It is a Celeron 2.8 Ghz with 1/2 gig ram, running Windows XP SP3. It has an 80 Gig SATA hard drive.

Being new, I would have thought it was a clean machine.
The drive was brand new and hardly used, except on the net for finding the drivers for the sound card and a few odd bits that didn't work properly.

Now when I go to web sites I hear a pop noise when I open some web pages.

Should my computer make such a noise?

Is this pop something that Windows has as a default?


I swapped from the other computer for just exactly the same reason. I lost faith in the fact that these noises came too frequently, thinking it may have a virus or infection somewhere.
The computer doesn't make these pops all the time or from each web page I open.

If someone could give me some guidance I would very much like to hear from you.

Thank you for your help. ImnoGuru

Go to control panel>sounds and audio>sounds>select windows default sound scheme in the dropdown box ....see if that helps....you can make sound changes from here also....could also be a pop up blocker......TOOLS>popup blocker...toggle on/off ...see if it helps

Thanks Karnac, for your help.
I'll try that now then.

I know Windows has a default sound section, and what I'm thinking is that if it were switched on there would be multiple sounds, say during several different operations, ie: opening/closing windows, saving data, restore up/down and so on.
I used to play with these things in my early years on computers, but long since found them distracting and annoying and thus forgot where I used to find them. (a bit like clipart stuff always loading new clipart that just took lots of space and never got used.)

If anything perhaps the popup blocker. That has better cred to me. Ok lets find out then.
Thanks again ImnoGuru.

Ok then, I went through the section you outlined Karnac.

I found the sound was Windows XP Balloon.wav, under the Windows default sound scheme, system notification.
However I can't find how to delete just that one sound.

If I can delete just that sound, I can save that then as a new sound scheme.

I can set up a new scheme and name that, but I can't just delete the one notification or a group of sounds, nor can I do any other variation of sounds from it (it being the Windows default sounds).
I was trying to find out if it was indeed just that sound that I'm hearing. (Well it is that sound, it just freaks me out that it is the only sound that occurs.) I would have thought I'd hear all of them but I don't.

So am I on the right track then, or should I run something like the HJT, SAS, MBAM or some other program to check the system?

Thank you ImnoGuru.

I don't know if you've been down this path....

Control panel>Sounds and Audio>Program events>system notification>use the Sounds dropdown box to change the sound to NONE>click apply>click OK...This should turn off the balloon.wav pop

If this doesn't work, then consider a malware problem......there are instances where this file corrupts.

Thanks Karnac, I'll give that a go, test it out for a day and see if that makes any difference.

I would think that the drive is clean really...
I haven't used it for some time and since it was new, as in brand new in the packet and sat idle for the most part, I can't really see how it would have become contaminated. (but there's always a way I suppose)

I should put AVG or some virus protection on it before doing anything else.
Many thanks Karnac ImnoGuru.

Ah I see the drop down box now....
I didn't realise there was another box in there to use.
I've set it to none now. so I'll test it for a day and let you know.
Thanks again. ImnoGuru.

2917.

Solve : malwarebytes "Disabled.Security" message HELP!!?

Answer»

Hello, recently a message on my Malwarebytes scan is stating that my antivirus and firewall were
disabled...........WHEN I DIDN'T!!
I'm afraid to quarantine and delete the file/data because it says that the data is registry data. If I delete it, my security might not work at all!
Also, there's an infection that says something about my internet access.
PLEASE HELP!!!!!!
Below is the log of my recent scan. You will see some other infections, but I think I deleted the trojan fake alert one.
Malwarebytes' Anti-Malware 1.37
Database version: 2211
Windows 5.1.2600 Service Pack 3

6/2/2009 4:47:23 PM
mbam-log-2009-06-02 (16-47-23).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 295265
Time elapsed: 2 hour(s), 59 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\online services\PeoplePC\ISP5900\utilities\AtlBrowser.exe (Dialer) -> Not selected for removal.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Can you zip up a copy of this file and add it to your next reply please.

c:\program files\online services\PeoplePC\ISP5900\utilities\AtlBrowser.exe

----------

You need to let MBAM fix everything else. I will do some investigating on the People PC file once I have it. Is that your ISP?

Also are you on Dial-up?
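The two "Disabled.SecurityCenter" lines that worried the poster are registry data items, and the names say what they actually do: AntiVirusDisableNotify and FirewallDisableNotify control whether Windows Security Center warns that antivirus or the firewall is off, not whether the protection itself is on. A value of 1 silences that warning (which is why malware commonly sets it), 0 is the default, and MBAM's "Good: (0)" is simply the value it will restore. The Python script below is an added example, not Malwarebytes' or the thread's code: it parses the detection lines of an MBAM log (the sample is copied from the log posted above), lists what was left in place because it was "Not selected for removal", and picks out Security Center notification values found set to 1. The helper names and the set of DisableNotify value names are mine.

```python
import re

# Constructed sample: the detection lines copied from the Malwarebytes log
# posted in this thread (summary header omitted).
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\online services\PeoplePC\ISP5900\utilities\AtlBrowser.exe (Dialer) -> Not selected for removal.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Section headers such as "Files Infected:" (the summary lines with a count
# after the colon deliberately do not match).
SECTION_RE = re.compile(r'^(?P<section>[A-Za-z ]+) Infected:$')

# Registry data items carry the observed (Bad) and expected (Good) value.
DATA_ITEM_RE = re.compile(
    r'^(?P<path>.+?) \((?P<family>[^)]+)\) -> '
    r'Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$'
)
# Files, folders, keys and values: path (family) -> action
ITEM_RE = re.compile(r'^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$')


def parse_mbam_log(text):
    """One dict per detection: section, path, family, action (+ bad/good for data items)."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            continue
        # Try the more specific data-item form first; ITEM_RE would also
        # match it, with the Bad/Good text swallowed into the action.
        m = DATA_ITEM_RE.match(line) or ITEM_RE.match(line)
        if m:
            finding = m.groupdict()
            finding["section"] = section
            findings.append(finding)
    return findings


def unresolved(findings):
    """Detections MBAM listed but did not quarantine or delete."""
    return [f for f in findings if not f["action"].startswith("Quarantined")]


# Security Center values that only control whether Windows *warns* that
# antivirus, firewall or updates are off. Malware sets them to 1 to silence
# the warning; 0 is the default (the "Good" value in the log).
SECURITY_CENTER_NOTIFY_VALUES = {
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
}


def silenced_security_center_alerts(findings):
    """Names of DisableNotify values MBAM found set to 1 (warning suppressed)."""
    silenced = []
    for f in findings:
        name = f["path"].rsplit("\\", 1)[-1]
        if name in SECURITY_CENTER_NOTIFY_VALUES and f.get("bad") == "1":
            silenced.append(name)
    return silenced


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    for f in found:
        print(f"[{f['section']}] {f['family']}: {f['path']} -> {f['action']}")
    print("Left in place:", [f["path"] for f in unresolved(found)])
    print("Security Center warnings silenced:", silenced_security_center_alerts(found))
```

Run against the posted log, the script reports three items left in place (the two notification values and the PeoplePC dialer) and both Security Center warnings silenced, which is the picture the responder is acting on when they say to let MBAM fix the rest: restoring the two values to 0 re-enables the warnings and removes nothing from the antivirus or firewall themselves.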
2918.

Solve : Panda Security: Basic Virus Course?

Answer»

This is a two-hour basic course, through which you will acquire a basic knowledge of viruses and of how to be protected against them.

You can read it at your own pace. You can stop and start again where you left off, repeat it completely, or just those chapters you liked the most. If you think this course is useful, recommend it to your friends.

Panda Security: Basic Virus Course

Note: You'll need to register to take the course...

This will work well for school

Thanks, I'll check it out.

thx

2919.

Solve : Internet explorer redirected?

Answer»

Sorry forgot the report.

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : AMD Athlon(tm) 64 Processor 3500+ )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : User ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus 8.5 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:87 Go (Free:25 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)
F:\ (USB)
G:\ (USB)
H:\ (Local Disk) - NTFS - Total:98 Go (Free:85 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( 01/06/2009|21:02 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[06/04/2007|17:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft

[09/04/2009|17:42] C:\DOCUME~1\ADMINI~1.BAS\APPLIC~1\Microsoft
[04/11/2008|21:12] C:\DOCUME~1\ADMINI~1.BAS\APPLIC~1\Spearit
[04/10/2008|13:18] C:\DOCUME~1\ADMINI~1.BAS\APPLIC~1\WinCare2008


[12/05/2007|16:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\4p-r9-67-55-p3-26
[18/08/2007|09:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\55-66-54-16-s6-0o
[12/05/2007|20:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\96-05-46-2p-3p-r9
[16/05/2007|19:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ACD Systems
[14/05/2009|18:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[06/04/2007|10:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
[21/04/2008|20:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
[11/05/2007|17:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[28/03/2009|22:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avanquest
[30/05/2009|14:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
[22/06/2008|17:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
[28/03/2009|22:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
[22/04/2007|07:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[21/10/2008|06:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Documents
[29/02/2008|20:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
[11/11/2008|17:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD X Studios
[15/01/2008|19:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
[31/10/2008|21:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[02/09/2008|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
[31/10/2008|10:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[31/10/2008|10:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP Product Assistant
[31/10/2008|09:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HPSSUPPLY
[10/05/2007|21:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
[01/06/2009|21:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kontiki
[30/05/2009|16:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
[27/07/2007|05:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft(2)
[30/05/2009|21:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[09/01/2009|22:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Memory-Map-License
[04/11/2008|18:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[21/04/2008|20:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[07/03/2009|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller
[14/05/2009|18:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[05/04/2007|20:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
[12/04/2007|20:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Quest
[12/06/2008|19:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\RoboForm
[10/12/2007|19:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Softdisk LLC
[04/11/2008|21:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spearit
[03/04/2009|19:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[14/02/2009|10:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[08/04/2008|19:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TreeCardGames
[22/06/2008|10:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\UDL
[22/06/2008|19:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
[02/09/2008|19:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WEBREG
[14/04/2007|07:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[17/12/2008|19:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
[19/09/2008|18:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[11/11/2008|22:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\XOOM

[16/05/2009|18:51] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Macromedia
[22/04/2008|19:03] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[04/11/2008|21:12] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Spearit

[07/06/2008|21:02] C:\DOCUME~1\LOCALS~1\APPLIC~1\Acronis
[02/04/2008|05:53] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[30/05/2009|05:51] C:\DOCUME~1\LOCALS~1\APPLIC~1\Macromedia
[09/04/2009|17:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[09/04/2009|17:42] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

[11/05/2007|17:34] C:\DOCUME~1\User\APPLIC~1\ACD Systems
[14/05/2009|18:38] C:\DOCUME~1\User\APPLIC~1\Adobe
[16/08/2007|17:34] C:\DOCUME~1\User\APPLIC~1\AdobeUM
[07/04/2007|08:48] C:\DOCUME~1\User\APPLIC~1\Ahead
[18/11/2007|15:38] C:\DOCUME~1\User\APPLIC~1\Alien Skin
[15/08/2007|16:45] C:\DOCUME~1\User\APPLIC~1\Andrex Puppy
[25/05/2007|07:03] C:\DOCUME~1\User\APPLIC~1\Apple Computer
[28/03/2009|22:02] C:\DOCUME~1\User\APPLIC~1\Avanquest
[22/06/2008|17:16] C:\DOCUME~1\User\APPLIC~1\AVS4YOU
[22/06/2008|18:07] C:\DOCUME~1\User\APPLIC~1\AVSMedia
[22/04/2007|07:56] C:\DOCUME~1\User\APPLIC~1\CyberLink
[19/08/2007|08:47] C:\DOCUME~1\User\APPLIC~1\DMCache
[13/05/2007|17:50] C:\DOCUME~1\User\APPLIC~1\EPSON
[29/03/2009|08:15] C:\DOCUME~1\User\APPLIC~1\EurekaLog
[21/04/2007|09:05] C:\DOCUME~1\User\APPLIC~1\fltk.org
[29/11/2007|18:19] C:\DOCUME~1\User\APPLIC~1\FontHit
[29/03/2008|16:22] C:\DOCUME~1\User\APPLIC~1\GetRightToGo
[05/04/2007|19:48] C:\DOCUME~1\User\APPLIC~1\Google
[07/04/2007|18:33] C:\DOCUME~1\User\APPLIC~1\Help
[06/03/2009|21:11] C:\DOCUME~1\User\APPLIC~1\HideIP
[08/09/2008|17:23] C:\DOCUME~1\User\APPLIC~1\HP
[02/09/2008|17:34] C:\DOCUME~1\User\APPLIC~1\HPAppData
[02/04/2007|11:59] C:\DOCUME~1\User\APPLIC~1\Identities
[07/04/2007|18:16] C:\DOCUME~1\User\APPLIC~1\ieSpell
[31/08/2007|18:06] C:\DOCUME~1\User\APPLIC~1\InterTrust
[06/04/2007|11:04] C:\DOCUME~1\User\APPLIC~1\IsolatedStorage
[25/07/2007|18:26] C:\DOCUME~1\User\APPLIC~1\Lavasoft
[06/01/2008|20:31] C:\DOCUME~1\User\APPLIC~1\LimeWire
[12/08/2007|07:40] C:\DOCUME~1\User\APPLIC~1\LogicWeave Software
[14/04/2007|18:43] C:\DOCUME~1\User\APPLIC~1\Macromedia
[08/04/2008|19:40] C:\DOCUME~1\User\APPLIC~1\MahJong Suite
[30/05/2009|21:10] C:\DOCUME~1\User\APPLIC~1\Malwarebytes
[02/05/2009|21:38] C:\DOCUME~1\User\APPLIC~1\Microsoft
[31/07/2007|21:08] C:\DOCUME~1\User\APPLIC~1\Mozilla
[14/12/2007|23:26] C:\DOCUME~1\User\APPLIC~1\Nero
[21/04/2007|21:32] C:\DOCUME~1\User\APPLIC~1\Opera
[26/12/2007|13:14] C:\DOCUME~1\User\APPLIC~1\SecuROM
[13/02/2009|19:08] C:\DOCUME~1\User\APPLIC~1\Simply Super Software
[04/11/2008|21:12] C:\DOCUME~1\User\APPLIC~1\Spearit
[02/08/2007|17:21] C:\DOCUME~1\User\APPLIC~1\Sun
[10/05/2008|16:39] C:\DOCUME~1\User\APPLIC~1\SUPERAntiSpyware.com
[03/04/2009|19:04] C:\DOCUME~1\User\APPLIC~1\Symantec
[17/01/2009|17:53] C:\DOCUME~1\User\APPLIC~1\U3
[25/06/2008|20:58] C:\DOCUME~1\User\APPLIC~1\Vso
[27/07/2008|10:46] C:\DOCUME~1\User\APPLIC~1\WinCare2008
[05/04/2007|19:28] C:\DOCUME~1\User\APPLIC~1\WinRAR

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/06/2009 11:01][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[01/06/2009 11:01][--ah-----] C:\WINDOWS\tasks\SA.DAT
[28/02/2006 13:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/02/2009|11:21] C:\Program Files\1 Click PC Fix
[30/05/2009|07:31] C:\Program Files\A1Click Ultra PC Cleaner
[14/05/2009|18:39] C:\Program Files\Adobe
[01/06/2009|18:22] C:\Program Files\Advanced Diary
[25/02/2009|18:53] C:\Program Files\AgataSoft
[21/04/2008|21:00] C:\Program Files\Ahead
[18/11/2007|15:25] C:\Program Files\Alien Skin
[15/08/2007|16:44] C:\Program Files\Andrex Puppy
[14/11/2007|22:28] C:\Program Files\Astro Gemini Software
[02/02/2009|07:44] C:\Program Files\Atomic Clock Sync
[18/02/2009|18:11] C:\Program Files\audiograbber
[28/03/2009|21:56] C:\Program Files\Avanquest
[31/08/2007|17:07] C:\Program Files\AvantGo Connect
[23/11/2008|08:01] C:\Program Files\AVG
[22/06/2008|18:40] C:\Program Files\AVSMedia
[24/04/2007|07:36] C:\Program Files\Backup
[27/07/2007|05:53] C:\Program Files\BearSharePro
[01/05/2007|20:40] C:\Program Files\Bodrag
[10/11/2007|23:21] C:\Program Files\Bonjour
[30/05/2009|17:17] C:\Program Files\CCleaner
[31/01/2009|08:36] C:\Program Files\Christmas Time 3D Screensaver
[24/04/2007|07:49] C:\Program Files\cm2gpx
[24/04/2007|07:49] C:\Program Files\CmConvert
[14/05/2009|18:38] C:\Program Files\Common Files
[02/04/2007|11:49] C:\Program Files\ComPlus Applications
[24/04/2007|07:54] C:\Program Files\data
[08/12/2008|19:13] C:\Program Files\Driver Checker
[01/02/2009|21:33] C:\Program Files\Driver-Soft
[04/08/2007|19:08] C:\Program Files\DVD Shrink
[11/11/2008|17:54] C:\Program Files\DVD X Studios
[04/04/2009|20:33] C:\Program Files\EASEUS
[30/05/2009|17:14] C:\Program Files\Enigma Software Group
[11/11/2007|22:05] C:\Program Files\Fantasy Moon 3D Screensaver
[22/05/2009|21:20] C:\Program Files\File Renamer
[29/11/2007|18:19] C:\Program Files\FontHit Software
[12/05/2007|16:21] C:\Program Files\GameHouse
[31/05/2009|15:19] C:\Program Files\GASK
[19/04/2008|07:02] C:\Program Files\GetRight
[31/05/2009|19:39] C:\Program Files\Google
[17/08/2007|17:59] C:\Program Files\Grisoft
[26/12/2007|13:14] C:\Program Files\Hasbro
[31/10/2008|10:04] C:\Program Files\Hewlett-Packard
[31/10/2008|09:35] C:\Program Files\HP
[06/04/2007|18:11] C:\Program Files\ieSpell
[09/01/2008|18:07] C:\Program Files\images
[28/03/2009|21:57] C:\Program Files\InstallShield Installation Information
[15/04/2009|22:06] C:\Program Files\Internet Explorer
[19/10/2007|18:29] C:\Program Files\iPAQ Download Agent
[19/10/2007|18:36] C:\Program Files\iTRIS
[31/05/2009|06:50] C:\Program Files\Java
[19/10/2007|18:38] C:\Program Files\JewelMine
[18/04/2009|07:19] C:\Program Files\Jigsaw Puzzle Platinum Edition
[19/10/2007|18:50] C:\Program Files\Kakuro
[14/10/2008|20:54] C:\Program Files\Kontiki
[27/11/2008|21:10] C:\Program Files\Lavalys
[05/05/2008|21:32] C:\Program Files\LogicWeave
[16/04/2009|20:03] C:\Program Files\LSoft Technologies
[07/03/2008|18:31] C:\Program Files\Mahjong Fortuna 2 Deluxe
[08/04/2008|19:39] C:\Program Files\MahJong Suite
[30/05/2009|21:10] C:\Program Files\Malwarebytes' Anti-Malware
[29/05/2008|17:00] C:\Program Files\Memory-Map
[12/01/2008|17:46] C:\Program Files\Messenger
[30/05/2009|17:13] C:\Program Files\Microsoft ActiveSync
[28/03/2009|07:45] C:\Program Files\Microsoft AutoRoute
[19/09/2008|21:59] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[06/04/2007|07:35] C:\Program Files\microsoft frontpage
[22/05/2007|17:16] C:\Program Files\Microsoft IntelliPoint
[22/05/2007|17:15] C:\Program Files\Microsoft IntelliPoint 5.5
[02/02/2009|07:15] C:\Program Files\Microsoft IntelliType Pro
[01/11/2008|21:10] C:\Program Files\Microsoft IntelliType Pro 5.2
[26/04/2009|17:41] C:\Program Files\Microsoft Office
[26/10/2008|11:54] C:\Program Files\Microsoft Works
[26/04/2009|17:41] C:\Program Files\Microsoft.NET
[15/10/2007|17:29] C:\Program Files\MobiMate
[23/04/2009|18:04] C:\Program Files\Moffsoft Calculator 2
[26/04/2007|18:07] C:\Program Files\Motorola
[02/04/2007|11:49] C:\Program Files\Movie Maker
[07/12/2007|18:31] C:\Program Files\MSI
[02/04/2007|11:48] C:\Program Files\MSN
[02/04/2007|11:48] C:\Program Files\MSN Gaming Zone
[27/04/2007|06:58] C:\Program Files\MSXML 4.0
[02/02/2009|07:14] C:\Program Files\MSXML 6.0
[14/12/2007|23:24] C:\Program Files\Nero
[02/04/2007|11:49] C:\Program Files\NetMeeting
[14/05/2009|18:29] C:\Program Files\NOS
[02/04/2007|14:39] C:\Program Files\NVIDIA Corporation
[30/04/2009|21:14] C:\Program Files\Outlook Express
[19/10/2007|18:52] C:\Program Files\PAQmanP
[14/06/2007|19:03] C:\Program Files\Paragon Software
[18/01/2009|08:34] C:\Program Files\PCNetSoftware
[09/11/2007|18:20] C:\Program Files\Picasa2
[08/12/2007|09:15] C:\Program Files\Plus!
[27/10/2007|18:02] C:\Program Files\PopCap Games
[09/01/2008|18:07] C:\Program Files\QSort2000
[27/07/2007|05:54] C:\Program Files\QSort2000(2)
[12/04/2007|20:12] C:\Program Files\Quest
[11/05/2007|17:31] C:\Program Files\QuickTime
[17/01/2009|23:00] C:\Program Files\RCLogon
[01/02/2009|22:35] C:\Program Files\Realtek AC97
[10/05/2007|22:19] C:\Program Files\ReflexiveArcade
[21/01/2009|22:41] C:\Program Files\RegistryFix
[01/06/2009|18:49] C:\Program Files\RegVac Registry Cleaner
[26/05/2009|19:00] C:\Program Files\ReNamer
[05/04/2007|18:34] C:\Program Files\SAGEM
[10/12/2007|21:20] C:\Program Files\Santas Workshop
[07/04/2007|20:53] C:\Program Files\ScanSoft
[08/12/2007|09:18] C:\Program Files\Setup Files
[05/04/2007|19:35] C:\Program Files\Siber Systems
[09/12/2008|21:50] C:\Program Files\SIW -Technicians v1.71 (Build 636) +Businness License
[01/02/2009|11:21] C:\Program Files\Spotmau WinCare 2008
[30/05/2009|17:14] C:\Program Files\SpywareBlaster
[19/10/2007|18:54] C:\Program Files\SuDokuV2
[31/05/2009|22:01] C:\Program Files\SUPERAntiSpyware
[06/01/2008|20:32] C:\Program Files\temp
[18/04/2008|19:15] C:\Program Files\Tetris 5000
[05/04/2007|18:26] C:\Program Files\Tiscali Broadband
[02/05/2009|18:41] C:\Program Files\Top Password
[31/05/2009|08:28] C:\Program Files\Trend Micro
[14/02/2009|15:41] C:\Program Files\Trojan Remover
[02/04/2007|11:59] C:\Program Files\Uninstall Information
[07/04/2007|18:32] C:\Program Files\UserImages
[11/07/2008|20:10] C:\Program Files\VideoLAN
[22/06/2008|19:01] C:\Program Files\VSO
[19/09/2008|18:41] C:\Program Files\Windows Live
[09/01/2008|18:07] C:\Program Files\Windows Media Connect 2
[22/02/2008|23:17] C:\Program Files\Windows Media Player
[02/04/2007|11:48] C:\Program Files\Windows NT
[02/04/2007|11:50] C:\Program Files\WindowsUpdate
[24/11/2008|19:23] C:\Program Files\WinRar
[17/12/2008|19:16] C:\Program Files\WinZip
[30/05/2009|15:20] C:\Program Files\ww
[02/04/2007|11:51] C:\Program Files\xerox
[11/11/2008|22:01] C:\Program Files\XOOM

--------------------\\ Listing Folders in C:\Program Files\Common Files

[16/11/2008|09:45] C:\Program Files\Common Files\Adobe
[14/05/2009|18:38] C:\Program Files\Common Files\Adobe AIR
[31/12/2007|09:11] C:\Program Files\Common Files\Adobe Systems Shared
[21/04/2008|20:50] C:\Program Files\Common Files\Ahead
[28/03/2009|22:40] C:\Program Files\Common Files\AntiVirus
[22/06/2008|18:40] C:\Program Files\Common Files\AVSMedia
[26/04/2009|17:42] C:\Program Files\Common Files\DESIGNER
[05/04/2007|20:05] C:\Program Files\Common Files\EPSON
[02/09/2008|17:31] C:\Program Files\Common Files\Hewlett-Packard
[02/09/2008|17:31] C:\Program Files\Common Files\HP
[13/05/2007|17:05] C:\Program Files\Common Files\InstallShield
[02/08/2007|17:24] C:\Program Files\Common Files\Java
[10/11/2007|23:16] C:\Program Files\Common Files\Macrovision Shared
[27/04/2009|07:00] C:\Program Files\Common Files\Microsoft Shared
[26/04/2007|18:07] C:\Program Files\Common Files\Motorola Shared
[02/04/2007|11:49] C:\Program Files\Common Files\MSSoap
[04/05/2008|15:35] C:\Program Files\Common Files\Nero
[02/04/2007|14:39] C:\Program Files\Common Files\NVIDIA Shared
[02/04/2007|12:17] C:\Program Files\Common Files\ODBC
[12/04/2007|20:12] C:\Program Files\Common Files\Quest
[02/04/2007|11:49] C:\Program Files\Common Files\Services
[02/04/2007|12:17] C:\Program Files\Common Files\SpeechEngines
[03/04/2009|19:46] C:\Program Files\Common Files\Symantec Shared
[26/04/2009|17:41] C:\Program Files\Common Files\System
[19/09/2008|18:41] C:\Program Files\Common Files\WindowsLiveInstaller
[31/05/2009|22:01] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 50 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 21:03:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: C:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections


No other infections found !

[F:26][D:1]-> C:\DOCUME~1\User\LOCALS~1\Temp
[F:2][D:0]-> C:\DOCUME~1\User\Cookies
[F:7][D:6]-> C:\DOCUME~1\User\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 01/06/2009|19:53 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 01/06/2009|20:45 - Option : [1]
3 - "C:\Lop SD\LopR_3.txt" - 01/06/2009|21:00 - Option : [1]
4 - "C:\Lop SD\LopR_4.txt" - 01/06/2009|21:03 - Option : [2]

--------------------\\ Scan completed at 21:03:56
Did you run Option 2 with Lop S&D?

Right click on ComboFix and choose Rename. Rename it to Combo-Fix and then try running it again.

I manually deleted the files before using option 2 the last time.
Renaming has no effect on ComboFix or HijackThis.
Kevin.

Try this.

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

I think you may have done it.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=783d5aced2f9e143b9fd733630d2c369
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-01 09:14:37
# local_time=2009-06-01 10:14:37 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1027 21 83 59 2955140781250
# scanned=84235
# found=2
# cleaned=2
# scan_time=1842
C:\Program Files\AgataSoft\AgataSoft ShutDown Pro\AgataSoft_ShutDown_Pro.exe  probably unknown NewHeur_PE virus  (deleted - quarantined)  00000000000000000000000000000000
H:\RECYCLER\S-4-6-13-100016428-100020748-100010818-9216.com  a variant of Win32/Kryptik.QY trojan  (cleaned by deleting - quarantined)  00000000000000000000000000000000

ComboFix now works, see log.

ComboFix 09-05-31.06 - User 01/06/2009 22:23.23 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.647 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\EurekaLog
c:\documents and settings\User\Application Data\EurekaLog\EurekaLog.ini
c:\windows\system32\drivers\gxvxcrvamexmyxvnpskbfxmhfulnkffxmkiex.sys
c:\windows\system32\gxvxcrqrdyyudpmxxtobaawmwkqbuwgwviaii.dll
c:\windows\system32\gxvxcufytiteomnrxoppxqpjcfpwnswqwkpvm.dll
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 20:41 . 2009-06-01 20:41  --------  d-----w-  c:\program files\ESET
2009-06-01 18:51 . 2009-06-01 20:03  --------  d-----w-  C:\Lop SD
2009-05-31 19:34 . 2009-05-31 19:34  --------  d-----w-  C:\_OTMoveIt
2009-05-31 05:50 . 2009-05-31 05:50  --------  d-----w-  c:\program files\Java
2009-05-30 20:51 . 2009-05-31 07:28  --------  d-----w-  c:\program files\Trend Micro
2009-05-30 20:10 . 2009-05-30 20:10  --------  d-----w-  c:\documents and settings\User\Application Data\Malwarebytes
2009-05-30 20:07 . 2009-05-26 12:20  40160  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 20:07 . 2009-05-30 20:10  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2009-05-30 20:07 . 2009-05-30 20:07  --------  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 20:07 . 2009-05-26 12:19  19096  ----a-w-  c:\windows\system32\drivers\mbam.sys
2009-05-30 16:26 . 2009-05-31 05:50  410984  ----a-w-  c:\windows\system32\deploytk.dll
2009-05-30 16:26 . 2009-05-30 16:26  152576  ----a-w-  c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-30 15:41 . 2009-05-30 15:41  698  ---ha-w-  C:\aaw7boot.cmd
2009-05-30 14:20 . 2009-05-30 14:20  --------  d-----w-  c:\program files\ww
2009-05-30 04:51 . 2009-05-30 04:51  --------  d-----w-  c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-05-14 17:38 . 2009-05-14 17:38  --------  d-----w-  c:\program files\Common Files\Adobe AIR
2009-05-14 17:29 . 2009-05-14 17:29  --------  d-----w-  c:\documents and settings\All Users\Application Data\NOS
2009-05-14 17:29 . 2009-05-14 17:29  --------  d-----w-  c:\program files\NOS
2009-05-13 10:04 . 2009-05-13 10:04  2051864  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-13 10:04 . 2009-05-13 10:04  3288856  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-13 10:04 . 2009-05-13 10:04  423424  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-13 10:04 . 2009-05-13 10:04  1262880  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-05-13 10:04 . 2009-05-13 10:04  177432  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-13 10:03 . 2009-05-13 10:03  755992  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-13 10:03 . 2009-05-13 10:03  1085208  ----a-w-  c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 21:23 . 2008-10-14 19:12  --------  d-----w-  c:\documents and settings\All Users\Application Data\Kontiki
2009-06-01 19:02 . 2007-04-02 15:17  33488  ----a-w-  c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-01 17:49 . 2007-11-28 06:32  --------  d-----w-  c:\program files\RegVac Registry Cleaner
2009-06-01 17:22 . 2008-09-07 15:39  --------  d-----w-  c:\program files\Advanced Diary
2009-05-31 21:01 . 2007-11-30 22:50  --------  d-----w-  c:\program files\SUPERAntiSpyware
2009-05-31 21:01 . 2007-10-12 21:30  --------  d-----w-  c:\program files\Common Files\Wise Installation Wizard
2009-05-31 18:39 . 2007-04-05 18:46  --------  d-----w-  c:\program files\Google
2009-05-31 14:19 . 2008-01-10 20:41  --------  d-----w-  c:\program files\GASK
2009-05-30 19:01 . 2007-04-26 19:02  29  ----a-w-  c:\windows\popcinfo.dat
2009-05-30 16:17 . 2008-04-19 05:55  --------  d-----w-  c:\program files\CCleaner
2009-05-30 16:14 . 2007-09-17 17:52  --------  d-----w-  c:\program files\SpywareBlaster
2009-05-30 16:14 . 2007-05-08 15:50  --------  d-----w-  c:\program files\Enigma Software Group
2009-05-30 16:13 . 2007-04-20 18:40  --------  d-----w-  c:\program files\Microsoft ActiveSync
2009-05-30 15:49 . 2008-04-23 16:31  --------  d-----w-  c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-30 13:29 . 2009-04-08 18:49  --------  d-----w-  c:\documents and settings\All Users\Application Data\avg8
2009-05-30 06:37 . 2008-02-29 20:35  10697  ----a-w-  c:\documents and settings\All Users\Application Data\DVD X Studios\DVD X Player 4.1 Professional\DVDXPlayer.dll
2009-05-30 06:31 . 2008-01-06 19:23  --------  d-----w-  c:\program files\A1Click Ultra PC Cleaner
2009-05-26 18:00 . 2009-02-19 19:50  --------  d-----w-  c:\program files\ReNamer
2009-05-26 17:57 . 2007-12-08 13:42  249856  ------w-  c:\windows\Setup1.exe
2009-05-26 17:57 . 2007-12-08 13:42  73216  ----a-w-  c:\windows\ST6UNST.EXE
2009-05-22 20:20 . 2008-10-01 18:58  --------  d-----w-  c:\program files\File Renamer
2009-05-02 17:41 . 2009-05-02 17:40  --------  d-----w-  c:\program files\Top Password
2009-04-30 10:19 . 2009-04-08 18:50  11952  ----a-w-  c:\windows\system32\avgrsstx.dll
2009-04-30 10:19 . 2009-04-08 18:50  325896  ----a-w-  c:\windows\system32\drivers\avgldx86.sys
2009-04-30 10:19 . 2009-04-08 18:50  27784  ----a-w-  c:\windows\system32\drivers\avgmfx86.sys
2009-04-30 10:19 . 2009-04-08 18:50  108552  ----a-w-  c:\windows\system32\drivers\avgtdix.sys
2009-04-26 16:41 . 2008-05-30 16:45  --------  d-----w-  c:\program files\Microsoft.NET
2009-04-23 17:04 . 2009-04-23 17:04  --------  d-----w-  c:\program files\Moffsoft Calculator 2
2009-04-18 06:19 . 2007-12-27 11:15  --------  d-----w-  c:\program files\Jigsaw Puzzle Platinum Edition
2009-04-16 19:03 . 2009-04-16 19:03  --------  d-----w-  c:\program files\LSoft Technologies
2009-04-04 19:33 . 2009-04-04 19:33  --------  d-----w-  c:\program files\EASEUS
2009-04-03 18:47 . 2009-04-03 17:50  --------  d-----w-  c:\documents and settings\All Users\Application Data\Symantec
2009-04-03 18:46 . 2007-04-05 17:15  --------  d-----w-  c:\program files\Common Files\Symantec Shared
2009-04-03 18:04 . 2009-04-03 18:04  --------  d-----w-  c:\documents and settings\User\Application Data\Symantec
2009-03-19 13:03 . 2009-04-04 19:33  1907712  ----a-w-  c:\windows\system32\BootMan.exe
2009-03-13 15:03 . 2008-11-11 21:02  9110  ----a-w-  c:\documents and settings\All Users\Application Data\XOOM\X-OOM DVD Player 4 Deluxe\BlazeDVD.dll
2009-03-06 14:44 . 2006-02-28 12:00  283648  ----a-w-  c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 16:05  348160  ----a-w-  c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 16:05  348160  ----a-w-  c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MICROS~2\wcescomm.exe" [2006-06-26 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-11 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-30 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-31 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"AgataSoft ShutDown Pro"="" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-24 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05  356352  ----a-w-  c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-30 10:19  11952  ----a-w-  c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\SECURITY center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/04/2009 19:50 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/04/2009 19:50 108552]
R1 FolderProtectDriver;FolderProtectDriver;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [27/07/2008 10:46 15616]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/04/2009 17:39 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/04/2009 19:49 298776]
R2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [27/07/2008 10:46 10240]
S1 SASKUTIL;SASKUTIL;


S2 gupdate1c9a98e341b062a;Google Update Service (gupdate1c9a98e341b062a);c:\program files\Google\Update\GoogleUpdate.exe [20/03/2009 20:00 133104]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [04/04/2009 20:33 3072]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [14/05/2009 18:29 33176]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [26/04/2007 18:07 40832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12  REG_MULTI_SZ  Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt  REG_MULTI_SZ  hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-20 19:00]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys
SafeBoot-aawservice


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tiscali.co.uk/
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = socks=
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1454471165-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F434468-0101-F776-A200-8A65B4C5E746}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"kaiedlmggadfepemjnkjjh"=hex:67,61,67,65,6e,6f,6c,69,6b,6a,64,6f,6c,61,00,00
"kaiedlmggadfepemjnkjeh"=hex:66,61,67,6e,65,66,70,67,66,69,6a,62,00,69

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="1D5ECA62741A2F4B50337E24301E42D5872E3F9 7E3EB811AE9F7B749ACCC95F54848B0083E5D09 B77A5C3A5105A27B794532EE1BD5F0EB4BD69AB E6733250B32D21B4E2921B127F16B9DE67702EE 1BAD8AEE76908ECADECE10111634D5BD934818D DB1C05193B21E59F2B3AD85853CC00A7542CBB4 210640E0A08C5D24008C431DA9ACF8E9D4D8D19 EEA13BB533CFBF815E988D2D6ED10B1B4A2B848 15ADD49E06ADD233E9984C19BC2A39A1143CFD0 DA5053E5EE4FE32279C84708C80D8514E1C2BFE 05B2D8C2725467A20E5284E7A956929EDEB2782 4FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E 127BECC74CFEBC9E127BECC74CFEBC9E127BECC 74CFEBC9E127BECC74CA6A0AC4980AC79335D57 5E7D6A3B9808A2D97226D213B5558EDD5E5BE2F 6E6673071632AFE4DDEDA355E9290F7451F39E7 450CFC03A9F9BF16F64F24E21120F2D9204F310 BC33E3ABA7875BE2B2FA5E11B7CEEEAFEE74036 72B4CC6FF439DCA7DC12F959A24DC600F05AF43 C08DB2D2C7421E388246CDF9253CFF5EADDAC4E 74EF4391B3AF4CEC6ABAF754DAB376D2E725BF6 78D774F3754550E9A4B9C8A3A2B3F545A17CD88 7BBBF1E9ECB2898F83E8D18A03EF2F88FB008CD 9998AE555B8A16806AA1E51AE8FBB616C2A9F19 1D820515D45A6B37F5349D7DC06CE42272B5B27 F406E27BECC9B33495D8BC0A2F5E5987A992281 2FD93CBAA1F51C5CEEAD733A0C0DA3534E55E37 2DDC128F79ED51A0483732376EA57C4E8E7CCC5 361C34859A871D600AEE22054CC6C2256D365F5 C2BA425BBD0F0F8503B33C09D7A2E98543A6142 C8F4C1ECE916212AC00C491640F448135C5DFE2 CB6CAD770E8765ED21F81FDF11A011DD5D52AFA E9CA0369E1AC4D4BC50A2E01C3A535A01D823D1 83BF3DD32C9236189DFDDE95A9327C4DC0F5C23 FCE85F949D721A19CB2B58217D913942CB07478 C4471EBB4B5614E0A9FCE5D6B24CF882B2CD3E9 1D8BA66C3E60F62724070DFDBC3F593FF37A2E4 D4D5EB4939CF86E464C3663BBE805BCD46ECBF3 4A7C986251EE2143670F0879C2CC7D39B433A95 D6F98FC058BA952BDBCD5FAEF8449A63262E6C1 444B78B1E6E40D91B9CB2F54DA6C74F3FA2A8F8 2A262585F3C090CCD4BE22930D3A4A0414079D3 E675389212C53A8841F1B94F1703979E1D89E0C A1AA19901AB4C80FDF0EFDFADFA12ABE668A3EA BFC17533A1869D42960CEE6A8F914A64FC2D6F4 20D710606E70096AE36569DA2CB0477E1433A54 DC713AE5D4E6AA01316DDA5D1E49E6B6F1185EE F1A914C029B1F4D4DE5748F2E7724664E26E14F A58269149F9E3869DA3A14AEEF1E8BAEBE24F29 
3AF327A5952B0E786693519DE3970CCE92221DF 05EB8BF6BF48BC3CD76B1BC302BC8F1EDE10423 9C1DE30A22C6426B2A133584B390B271F15144C 40143F77D0F8F51AABD7"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-01 22:36
ComboFix-quarantined-files.txt 2009-06-01 21:36
ComboFix2.txt 2009-02-10 06:45
ComboFix3.txt 2009-02-04 06:41
ComboFix4.txt 2009-01-31 06:27
ComboFix5.txt 2009-06-01 21:18

Pre-Run: 27,784,314,880 bytes free
Post-Run: 27,791,364,096 bytes free

214--- E O F ---2009-05-13 06:03
All seems fine now.
Many thanks Kevin.

Finally!

Still a few things to do.

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about ADDING the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
.
.
The above procedure will:
  • Delete: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
.
----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Hi
Reg entry was OK.
Secunia Software Inspector said that java was not on this computer.
Went to the Java site and confirmed Java is up to date but not working; checked out the settings suggested and everything is as it should be.
Thanks Kevin.

I should like to thank evilfantasy for his help with this topic.
Without his help I do not know what I would have done. Thanks for your time and understanding,
you are a star.
Many thanks Kevin.

You're welcome.

Safe surfing...
2920.

Solve : virus makes my micro sd folder invisible and damaged volume D?

Answer»

HELLO AGAIN !!

Sorry, but the link to Dr.Web CureIt! that you gave me is broken. I downloaded it from download.com but the licence key has expired.
Could you give me a valid link please?

PS: now I have lost Windows Media Player on my PC; this virus keeps destroying my PC.

2921.

Solve : Virus preventing me downloading?

Answer»

Ran this this morning.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:40:15, on 01/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\aol\1206988110\ee\aolsoftware.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\EPC\Toolbar\EPSIBar.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\System32\GRVSA.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easyspace.com/webmail_login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206988110\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=041508 serial=DR12CEl-3361936-xty lang=EN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: EPSI ToolBar.lnk = C:\EPC\Toolbar\EPSIBar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll,
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11972 bytes
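The helper's reply below zeroes in on one line of the log above: an O23 service entry whose binary is gone ("(file missing)") but whose registration survives. The following is an added example by the editor, not code from this thread or from Trend Micro: a small parser for HijackThis v2 log lines that pulls O23 service entries apart into name, owner and path, flags the ones a helper would look at first, and lists the O20 AppInit_DLLs. The sample lines are constructed from the log posted above (shortened), and the "Unknown owner" rule is deliberately shown to be weak on its own: Sony's PACSPTISVR trips it too, so a missing file plus an orphaned registration is the stronger signal. Removal of such a leftover service is done as the helper describes (services.msc or the sc commands from earlier in the thread), not by this script.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the HijackThis
# v2.0.2 log posted in this thread (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easyspace.com/webmail_login.php
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll,
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

# Every HJT entry starts with a section code ("R0", "O2", "O23", ...) followed by " - ".
_LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
_MISSING = " (file missing)"


@dataclass
class HjtEntry:
    section: str          # e.g. "O23"
    body: str             # everything after "O23 - "
    service_name: str = ""  # O23 only: display name plus "(short name)"
    owner: str = ""         # O23 only: vendor string HJT prints
    path: str = ""          # O23 only: image path
    file_missing: bool = False


def parse_hjt(text):
    """Return the list of HJT entries in a log; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = HjtEntry(m["section"], m["body"])
        if entry.section == "O23" and entry.body.startswith("Service: "):
            rest = entry.body[len("Service: "):]
            if rest.endswith(_MISSING):
                entry.file_missing = True
                rest = rest[: -len(_MISSING)]
            # Assumption: name and owner never contain " - ", while the path may
            # (e.g. "Spybot - Search & Destroy"), so split at most twice and keep
            # the remainder as the path.
            parts = rest.split(" - ", 2)
            if len(parts) == 3:
                entry.service_name, entry.owner, entry.path = parts
        entries.append(entry)
    return entries


def suspicious_services(entries):
    """O23 entries worth a second look: binary gone, or HJT could not attribute a vendor."""
    return [
        e for e in entries
        if e.section == "O23" and (e.file_missing or e.owner == "Unknown owner")
    ]


def appinit_dlls(entries):
    """DLLs listed in the O20 AppInit_DLLs line (loaded into every process that uses user32)."""
    for e in entries:
        if e.section == "O20" and e.body.startswith("AppInit_DLLs: "):
            raw = e.body[len("AppInit_DLLs: "):]
            return [d.strip() for d in raw.split(",") if d.strip()]
    return []


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for svc in suspicious_services(parsed):
        why = "file missing" if svc.file_missing else "unknown owner"
        print(f"O23 {svc.service_name}: {why} -> {svc.path}")
    print("AppInit_DLLs:", appinit_dlls(parsed))
```

Run it against a full saved log by replacing SAMPLE_LOG with the file contents; the file-missing flag is the line to act on, whereas "Unknown owner" entries need checking against the vendor's install before anything is removed.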
It's still there.

Go back to my post #41, and run those commands one more time...
I'm not sure if I understand your post #42:
Quote

SC open service FAILED 5
Access denied

message?
I tried it again from the
c:\users\derek prompt. I then got

The specified service does not exist as an installed service

I then ran the delete my,,,,,,,etc
and got the same - the specified service does not exist as an installed service

Go Start>Run, type in:
services.msc
Click OK.

Services window will open. Check the list, and see if there is MyWebSearchService, or something similar, present. If something similar, post back its exact name.

One or two come up, all listed as inside the

Microsoft common console document

the folders are
1. x_86 microsoft-windows-s..cessnapin.resources_31bf3856ad364e35_6.0.6000.16386_en.us_e208...

2. x_86,,,same except after,,,,,, 6000.16386_none_cd2d20a848c...

The other two look "normal" and are
system32 (c:\windows)
en.us (C:\windows\system32)
I'm not sure if I understand your answer.
What are the names of the services you found in the "services.msc" window?

I don't know what that list must have been. I ran it again now and did find a listing

My Web Search Service. I opened the properties and attempted to disable it, as I cannot seem to delete it?

Quote
I opened the properties and attempted to disable it
...and? Did it let you?
If so, post a new HJT log.

It did appear to let me disable it, but not delete it. I searched in the cmd box but it cannot be found.
Here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:00:06, on 05/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\aol\1206988110\ee\aolsoftware.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\EPC\Toolbar\EPSIBar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Windows\System32\GRVSA.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easyspace.com/webmail_login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206988110\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=041508 serial=DR12CEl-3361936-xty lang=EN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: EPSI ToolBar.lnk = C:\EPC\Toolbar\EPSIBar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll,
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11847 bytes

Well done

Your computer is clean

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. (optional) Download, and install free version of ThreatFire: http://www.threatfire.com/. It'll give you extra protection against malware. It won't interfere with your antivirus program.

6. Read "So how did I get infected in the first place?": http://www.castlecops.com/postlite7736-.html

7. Let me know, how your computer is doing.
2922.

Solve : AVG to Kaspersky????

Answer»

I am using AVG 8 AV but I am attempting to change from AVG to Kaspersky 7.
If I already have an antivirus on my computer and I want to change it, do I need to uninstall the existing AV and then install another AV?

Please instruct me on this. Thanks

Yes, you will need to uninstall AVG first, and probably reboot, before installing Kaspersky.

Hope this helps.

How about the viruses in the virus vault? I'm afraid that all the viruses there will become active after I uninstall AVG.

Open AVG, and go to the virus vault, then remove all the items from it.
However I very much doubt that they will be "set free" by uninstalling AVG.

I'm not sure but I think there is an option during uninstall that asks you if you want to clear the vault.

2923.

Solve : AVG Free vs AVG Internet Security Suite?

Answer»

I notice that AVG offers "Trial Pay" for their AVG Internet Security Suite. This basically makes it free, if you remember to cancel the trial you sign up for with an advertising partner.

My question is do I want this? I use AVG Free, PC Tools Spyware Doctor. I don't seem to get infected. I only use webmail so spam protection is not needed. The spyware and rootkit protection would be a good added bonus but I had problems with the free version of the webshield crashing Firefox so I uninstalled it.

What would you do?

Quote from: thesecdude on July 04, 2008, 08:43:03 AM

What would you do?

I would get rid of AVG and use Avast! and run any appropriate Avast! 'shields.' Spyware Doctor is a good anti-spyware program and I would keep it as long as there was no incompatibility with Avast! and the combination didn't slow down my computer.

Just my opinion - good luck.

EDIT: Avast! has: a) anti-virus, b) anti-spyware, c) anti-rootkit protections.
2924.

Solve : Bad codec install??

Answer»

Hey there. A day or so ago, I was surfing the internet, when I came to a page that asked me to install a file to view a movie. I, not thinking, installed it. Usually I'm very good about avoiding that sort of thing, but I guess I was tired. As a result, I earned my first virus (or something) that visually did something to my laptop.

I'm trying hard to remember what it did, exactly, but a lot happened, and even more of it was brief. My background changed itself to a blue screen with a yellow box that said something along the lines of, "Warning! There is Spyware on your computer. Install an antivirus program immediately." Or something. I'd post a screenshot, but after following the "Read this before requesting malware removal help" forum, it went away. Let's see... My computer slowed down immensely, it would occasionally show the Blue Screen of Death, and the error would always be something different and weird. I can't remember any of them, but they all seemed like something that wouldn't even be on the computer. Every now and then, the blue screen would cause my computer to reboot, and when it loaded back up, I would get a pop-up error saying something about a script error, and MS-DOS would run through something quickly (said it was a system32 file?), and I would usually get a BSoD after that too.

I really can't remember anything else. Like I said, everything that happened was quick, so I didn't get much time to ponder or write it all down. I know that all this has caused Firefox to quit working, and for a while, IE would close itself down after loading the homepage. I was able to get Firefox to work once or twice (I don't know how) but now it just shows a Close Firefox error that says Firefox is already running. Task Manager claims that it is not.

I had run a couple other programs before following "Read this before requesting malware removal help." Spybot and a-squared a couple times. Both found different things. Spybot found zlob.downloader.vcd, but every time I'd reboot, it'd find it again. A-squared usually found small adware programs that it claimed weren't dangerous.

Other than that, I followed "Read this before requesting malware removal help" to a T, but neither Super Anti-Spyware or MalwareBytes found anything. I'm not sure if I still have the virus, or if it was removed by Spybot or a-squared, and the remaining problems (Firefox still won't boot, computer is very slow, occasional freezes) are just left-overs.

If anything, I would like help getting Firefox to work. It's my main browser, and I feel weird using IE. Besides, one of the times Firefox -did- open, I noticed that my bookmarks had been deleted and I would like to work on getting those back as soon as possible.

And now, the HijackThis log. Thanks for any help you can give me.

[recovering disk space -- attachment deleted by admin]

Open Hijackthis and select Do a system scan only then place a check mark next to:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all windows except for Hijackthis then click Fix checked.

Exit Hijackthis and run CCleaner.

----------

Download Combofix by sUBs from one of the below links.

Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick Combofix's window while it is running. That may cause it to stall
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix.

----------

Next post add
Combofix log
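The O2 line the helper asks to fix above is the classic orphaned-BHO pattern: a browser helper object still registered in the browser but whose DLL is gone. The script below is an added example written for this page, not part of the thread and not HijackThis code. It parses O2, O4 and O23 lines the way a helper reads them by eye and flags three things: BHOs with no file behind them, Run entries that launch from a temp folder or from a bare file name, and services that carry no publisher string. The sample lines are copied from the logs posted in these threads, except the Temp-folder Run entry, which is constructed; the directory list and the severity labels are my own heuristics, not a verdict on anyone's machine.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "fix": remove the entry; "review": verify the binary before trusting it
    line: str
    reason: str


# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> (<short name>) - <company> - <image path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
# First token ending in an executable extension, for unquoted command lines with spaces.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|,|$)", re.IGNORECASE)

# Heuristic (my choice, not from the page): no legitimate autostart should live here.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\appdata\\local\\temp\\", "\\recycler\\")


def command_path(cmd: str) -> str:
    """Return the program an O4 command line actually runs.

    Handles quoted paths ("C:\\Program Files\\x.exe" -flag), unquoted paths that
    contain spaces, and rundll32 hosts, where the DLL after rundll32 is what counts.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        m = EXE_RE.match(cmd)
        path = m.group(1) if m else (cmd.split() or [cmd])[0]
        rest = cmd[len(path):]
    if path.lower().endswith("rundll32.exe"):
        path = rest.strip().split(",")[0].strip().strip('"')
    return path


def triage(lines):
    """Apply the three checks to an iterable of log lines; findings come back in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("fix", line, "BHO registered but its DLL is gone: dead entry, remove it"))
            continue
        m = O4_RE.match(line)
        if m:
            path = command_path(m["cmd"])
            low = path.lower()
            if any(d in low for d in SUSPECT_DIRS):
                findings.append(Finding("fix", line, f"autostart launches from a temp directory: {path}"))
            elif "\\" not in path:
                findings.append(Finding("review", line, f"bare file name {path!r}: resolved through PATH, confirm where it lives"))
            continue
        m = O23_RE.match(line)
        if m and m["company"].strip().lower() == "unknown owner":
            findings.append(Finding("review", line, "service carries no publisher string: check the binary's signature"))
    return findings


# Sample lines: copied from the logs in these threads, plus one constructed Temp-folder entry.
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    "O4 - HKLM\\..\\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe",
    'O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"',
    # constructed for this example: an autostart living in a temp folder
    "O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe",
    "O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\\Program Files\\CyberLink\\Shared Files\\RichVideo.exe",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The "(no file)" check is the only one that is a safe automatic fix; the other two only tell you where to look, which is why the RichVideo service (a known CyberLink component with an empty publisher field) comes back as "review" rather than "fix".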
I hope I did that right.. The tutorial said to download the Windows Recovery thing, but Combofix didn't start installing it (like it said it would) until after it'd been running for a few minutes. But I think it all came out to the same result.

[recovering disk space -- attachment deleted by admin]

Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
  • Temporary Files
  • Temporary Internet Files
  • RecycleBin
Agree to the prompt to perform the action...

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally copy and paste the contents of the results file Report.txt in your next reply.
----------

Let me know how things are now.
Hm.. Everything seems to be okay now. I was able to open Firefox, which makes me very happy. I don't see anything wrong now..

[recovering disk space -- attachment deleted by admin]

Looks good.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

----------

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

----------

Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

----------

Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

To prevent unknown applications from being installed on your computer install WinPatrol 2008
Using Winpatrol to protect your computer from malicious software

Another thing I would suggest is installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*Using SpywareBlaster to protect your computer from Spyware and Malware
*If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Thank you very much. You were a lot of help. I'll remember to come back here next time I screw something up. =P Thanks

No problem.

Safe surfing.....
2925.

Solve : Please help - Virus - i open internet, virus scan, restore computer shuts down?

Answer»

Hello all, and please help me!
I bought a new Acer laptop a little over a week ago, and I have already managed to put a virus on it.
I have managed to remove the virus I think... after reading over forums I installed malware antivirus, alongside my Norton. I started Windows in safe mode and ran a scan, then deleted 'trojan tracker'. However when I started the laptop in normal mode I got the same problem, internet will not connect (wireless) and when I click on anything that uses the internet; MSN or update for software the computer shows a blue screen with black writing which says 'windows has shut down for your safety...... dumping physical memory'
If I run a virus scan in normal mode when it hits on the file it comes up with the blue screen.
I deleted all the files that I have downloaded using torrent, Limewire etc, but still no luck. Please help!
Oh, and it will not system restore, it goes through the whole process and when it turns back on it says unable to restore to point. What's wrong? Have I deleted the file but changed settings, not allowing it on internet programs?? Operating system is Vista.

Since it's a new laptop, I assume, you don't have much personal data on it, yet. Use Recovery DVD to restore it to day one condition.

It didn't come with any reformat CD, I made a restore point onto some CDs but when I got into the BIOS and try and format from the disks it doesn't work, any ideas on how to reformat harddrive etc..?
thanks

It's come up with the error code;
stop 0x0000008c (0xc0000005, 0x00000000, 0x8a08ca48, 0x00000000)
can someone please help!
thanks

Quote

i got into the bios and try and format from the disks

What disks?

Quote

how to reformat harddrive etc..?

Every Vista computer comes with EITHER Recovery DVDs (sometimes you receive instructions how to make them by yourself), or Recovery partition.
Some manufacturers will send you set of Recovery DVDs for free.
You need to contact Acer, since your laptop is under warranty. Monkeying with it may void warranty.

Thanks, I made the CDs when I bought the laptop, using system restore and saving everything to disk, it took 7 of them. My problem is that it will not boot from the disk, don't know why?
thanks

OK, we have some terminology issues here.
What do you mean by: "when i got into the bios and try and format"?
Why would you go to BIOS to format anything?
You may want to make sure in BIOS, that in boot order CD/DVD drive is listed first, and then you restart computer with Recovery DVD in, and it should boot to Recovery DVD.

Yeah Broni, I changed the order, and put CD first and HDD 2nd, then restarted and it wouldn't boot from the disks I made in system restore, are the disks right? thanks for the info

I assume, you put DVD in before you started computer, right?
If so, when your computer starts, you should briefly see at the top of black screen this message:
Press any key to boot from CD
You must press any key at that very moment.
2926.

Solve : Re: Norton email scan turned off?

Answer»

Hey Gents, I too got a similar problem,

The log file looks like below

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Norton SECURITY Scan\Nss.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
    O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
    O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194142966984
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe



Can somebody help me please jayaprakashgopal

Next time, you need to start your own topic, when posting about your computer problem. This time, I'll create new topic for you.

Please, repost HJT log, including its missing header.

2927.

Solve : Possible spyware?

Answer»

Quote from: Broni on June 30, 2008, 09:28:50 PM

Yes, I'd definitely reinstall it. Your computer is clean now, but all those infections might have messed up Norton.

It's not working after a reinstall :/ - couldn't start scanner engine error. Reinstalled, then error, tried ccleaner, then error.

Uninstall Norton, using Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Then, reinstall.

It's just Symantec Antivirus from my school, and not Norton - but I'm following the steps - setup told me to add/remove Symantec Antivirus 9, and then run it, so will do that and post back.

Still doesn't work :[

I tell you what...Since you got it for free, uninstall that crappy tool, which is really poor antivirus program, and install one of two free antivirus programs:
- Avast! free antivirus: http://filehippo.com/download_avast_antivirus/
- Avira free antivirus: http://www.free-av.com/en/download/index.html

Quote from: Broni on July 01, 2008, 10:25:28 PM
I tell you what...Since you got it for free, uninstall that crappy tool, which is really poor antivirus program, and install one of two free antivirus programs:
- Avast! free antivirus: http://filehippo.com/download_avast_antivirus/
- Avira free antivirus: http://www.free-av.com/en/download/index.html

Installed Avira - it's working fine. It detected another Vundo trojan in a dll file which I deleted.

Thanks again & God Bless

I'm glad, we have one less computer "infected" with Norton.
I suggest, you run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 to remove Norton's leftovers. I assure you, they're there.

Quote from: Broni on July 04, 2008, 07:54:15 PM
I'm glad, we have one less computer "infected" with Norton.
I suggest, you run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 to remove Norton's leftovers. I assure you, they're there.

Roger that, will do.

Any suggestions on which one to download? As this just said Symantec.

Thanks again, and God Bless

If you don't know which type of Norton it was, first download should do.
2928.

Solve : comp hanged n restart by itself after firefox prob?

Answer»

Hey guys
the people over at MS XP directed me over here
below is what I posted over there

I was surfing on the net (bird-x.com if I am not wrong to be exact) using Firefox when the browser stopped responding..and the comp froze
restarted the comp and tried to open Firefox again..
as usual a "start new session" / "go back to last session" (can't remember the exact phrase) pop up...
when I tried to go back to last session the comp hung again
I tried starting a new session but the same thing happened

I have since run an AVG anti virus scan that can't complete (comp restarts by itself before the scan could finish)
and Ad-Aware + Spybot which found nothing malicious..
also tried Kaspersky online and again comp restarts before it could finish
also tried deleting Firefox but doesn't work...

I am running on Win XP SP2
my update runs on auto so it shouldn't be too outdated

thanks a lot for the help

I have since run ccleaner but as I was trying to clear Firefox under application the comp hung

I will post a HijackThis log later

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:42:35 PM, on 7/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\jiajun\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\WINDOWS\TEMP\E_S162.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm CLIENT] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\jiajun\LOCALS~1\Temp\IXP000.TMP\"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189093044453
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

    --
    End of file - 8261 bytes
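A mechanical first pass over a HijackThis log like the one above, as an added example (my code, not part of the original thread): it parses the O2/O3 and O4 entries and flags the two things a helper checks first, a registration that points at a file that no longer exists (the `(no file)` BHO in the log) and an autostart entry launched from a Temp folder. The sample lines are copied from the log above except the `[updater]` line, which is constructed so the Temp-folder check has a positive case; the function and pattern names are mine.

```python
import re

# Entries copied from the HijackThis log posted above, plus one constructed O4
# line (the "[updater]" entry) so the Temp-folder check has a positive case.
# Added example; not part of the original thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# O2 (BHO) and O3 (toolbar) lines: section, display name, CLSID, target file.
O2_O3_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# O4 autostart lines: hive, Run/RunOnce key, value label, command line.
O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# First quoted path, otherwise the first token that ends in .exe.
EXE_RE = re.compile(r'"([^"]+)"|(\S+\.exe)', re.IGNORECASE)
# Folders a legitimate autostart entry almost never runs from (lower-cased).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp", "\\windows\\temp")


def exe_path(command):
    """Extract the executable from an O4 command line, dropping arguments."""
    m = EXE_RE.search(command)
    return (m.group(1) or m.group(2)) if m else command


def triage_hjt(log_text):
    """Return (kind, section, identifier, note) tuples.

    'orphan'     - O2/O3 registration whose file is gone: housekeeping, not a live threat.
    'suspicious' - O4 entry that autostarts from a Temp folder: needs a human look.
    """
    findings = []
    for line in log_text.splitlines():
        m = O2_O3_RE.match(line)
        if m:
            section, _name, clsid, target = m.groups()
            if target.strip() == "(no file)":
                findings.append((
                    "orphan", section, clsid,
                    "registration points at a file that no longer exists; safe to fix"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, label, command = m.groups()
            path = exe_path(command).lower()
            if any(marker in path for marker in TEMP_MARKERS):
                findings.append((
                    "suspicious", "O4", label,
                    f"{hive} {key} entry starts from a Temp folder: {path}"))
    return findings


if __name__ == "__main__":
    for kind, section, ident, note in triage_hjt(SAMPLE_HJT):
        print(f"[{kind}] {section} {ident}: {note}")
```

On the real log only the `(no file)` orphan fires, which matches the helper's verdict that it shows no infection: a CLSID left behind by an uninstall is housekeeping, not something that explains a machine rebooting mid-scan.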
    I see no infection. Did you try System Restore?

    Nope, I have not done that,
    but I have tried Crap Cleaner.
    It always hangs when it's clearing one file in Firefox.
    Will do a system scan in safe mode later.

    Alright,
    just tried to scan with AVG in safe mode.
    The computer restarts itself before the scan could complete.
    Any more advice?

    Quote
    Did you try System Restore?

    Er,
    how do I activate System Restore?

    Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2929.

    Solve : Lots of viruses?

    Answer»

    In what ways is it running slow?

    I suggest Defragmenting your Hard Drive and downloading CCleaner.
    With CCleaner, tick System (and anything else you would like to remove) and run the cleaner. Then run a scan through the Registry a couple of times.

    Now, go to Start --> Run --> msconfig and press Enter
    Head over to the Startup tab and untick anything you don't need on startup.
    Note: if you untick something like iTunes, it will still work with no problems.

    My computer was running slow after I logged in, but after adjusting some things in msconfig that is fixed. After analyzing, a message comes up saying that I do not have to defragment at this time.

    My computer is runing alot faster than before.

    Thank you

    Quote

    Now, go to Start --> Run --> msconfig and press Enter
    Head over to the Startup tab and untick anything you don't need on startup
    This was taken care of while working with the HJT log.

    TRID3NT,
    What are the computer specs: processor speed, amount of RAM, hard drive size/free space?

    My processor speed is 1.73GHz

    504MB of RAM

    My hard drive is 74.5 GB
    Used: 41.6
    Free: 32.8

    Looks OK. Another 512MB of RAM for a few bucks would help.

    Quote from: Broni on July 03, 2008, 07:41:08 PM
    Quote
    Now, go to Start --> Run --> msconfig and press Enter
    Head over to the Startup tab and untick anything you don't need on startup
    This was taken care of while working with HJT log.
    Good Point.

    Quote from: TRID3NT on July 03, 2008, 02:37:24 PM
    After analyzing a message comes up saying that i do not have to defragment at this time.
    Do it anyway. I do it every day when the computer is idle.

    Thank you guys for helping me out,

    computer seems to work just fine.

    Cool
    2930.

    Solve : online scan to get rid of "packed.generic.200"??

    Answer»

    Many things have happened. After MoveIt ran and I rebooted, the Avenger log came up:

    Avenger log-

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.

    Hidden driver "UACd.sys" found!
    ImagePath: \systemroot\system32\drivers\UACrhbyyetusiutewx.sys
    Start Type: 1 (System)

    Rootkit scan completed.


    Completed script processing.

    *******************

    Finished! Terminate.

    Then the MoveIt log came up:

    MoveIt log-
    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== SERVICES/DRIVERS ==========
    Service\Driver UACd not found.
    Service\Driver UACd not found.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules\\ not found.
    Unable to delete registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules\\ .
    ========== FILES ==========
    File/Folder \\?\globalroot\systemroot\system32\uacnmsfijuybienyic.dll not found.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    Windows Temp folder emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05202009_222711

    Files moved on Reboot...

    Then AVG came up and said that there were infections and asked if I wanted to move them to the vault. I clicked yes but it said access denied and asked if I wanted to delete them. I clicked yes and they were deleted. I checked the vault to be sure, and they were there. I deleted the contents of the vault.

    And finally Norton 360 popped up and said that Backdoor.Tidserv was detected and that a restart was needed. I did that but the Norton 360 alert came up again.

    I checked the info that Norton had and it shows the affected areas as: 2 services, 15 files, 6 registry entries, 3 system actions and 1 browser cache.

    A lot of progress, but it looks like new problems are appearing.

    On a whim I clicked on the Malwarebytes setup and it opened up and ran through the install with no problems. It is scanning now... got my fingers crossed.

    Whew, almost an hour scanning and Malwarebytes found 9 things, and they were removed. I rebooted and so far nothing has popped up again. Below is the log:

    Malwarebytes' Anti-Malware 1.36
    Database version: 1945
    Windows 5.1.2600 Service Pack 3

    5/21/2009 1:24:12 AM
    mbam-log-2009-05-21 (01-24-12).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 142272
    Time elapsed: 54 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP0\A0000007.exe (Adware.Cinmus) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.

    Success? I certainly hope so. Thanks for all the help.

    Woke up at 4:30 and the Norton 360 scan was done. There were only tracking cookies and those were deleted easily. I will be running the scans on all of the accounts on the laptop, but it looks good for the infections to be gone.

    I will let you know if anything bad is found again, but for now


    THANK YOU EVILFANTASY!!

    Glad it finally worked.

    Let's run another scan just to double-check.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.
    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

    Here is the ComboFix log

    ComboFix 09-05-19.08 - Joe 05/21/2009 13:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.413 [GMT -4:00]
    Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
    FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\setup.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
    .

    2009-05-21 17:14 . 2009-05-21 17:14  6736  ----a-w  c:\windows\system32\drivers\PROCEXP90.SYS
    2009-05-21 04:25 . 2009-05-21 04:25  --------  d-----w  c:\documents and settings\kevin\Application Data\Malwarebytes
    2009-05-21 04:25 . 2009-04-06 19:32  15504  ----a-w  c:\windows\system32\drivers\mbam.sys
    2009-05-21 04:25 . 2009-04-06 19:32  38496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-21 04:25 . 2009-05-21 04:25  --------  d-----w  c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-21 04:25 . 2009-05-21 04:25  --------  d-----w  c:\program files\Malwarebytes' Anti-Malware
    2009-05-21 02:27 . 2009-05-21 02:27  --------  d-----w  C:\_OTMoveIt
    2009-05-18 19:19 . 2009-05-18 19:19  --------  d-----w  c:\program files\Driver Magician Lite
    2009-05-17 18:59 . 2009-05-17 19:00  --------  d-----w  c:\documents and settings\kevin
    2009-05-17 17:06 . 2009-05-17 17:54  --------  d-----w  c:\documents and settings\Joe\.housecall6.6
    2009-05-17 16:00 . 2009-05-17 15:36  15688  ----a-w  c:\windows\system32\lsdelete.exe
    2009-05-17 15:36 . 2009-05-17 15:35  64160  ----a-w  c:\windows\system32\drivers\Lbd.sys
    2009-05-17 15:35 . 2009-05-21 12:24  --------  d-----w  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-05-17 15:35 . 2009-05-21 17:21  --------  d-----w  c:\program files\Spybot - Search & Destroy
    2009-05-17 15:34 . 2009-05-17 15:34  --------  dc-h--w  c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-17 15:34 . 2009-05-17 15:34  --------  d-----w  c:\program files\Lavasoft
    2009-05-17 15:34 . 2009-05-17 15:36  --------  d-----w  c:\documents and settings\All Users\Application Data\Lavasoft
    2009-05-17 15:28 . 2009-05-17 15:28  --------  d-----w  c:\program files\Windows Media Connect 2
    2009-05-17 15:26 . 2009-05-17 15:27  --------  d-----w  c:\windows\system32\drivers\UMDF
    2009-05-17 15:26 . 2009-05-17 15:26  --------  d-----w  c:\windows\system32\LogFiles
    2009-05-15 02:17 . 2009-05-21 04:55  --------  d--h--w  C:\$AVG8.VAULT$
    2009-05-15 02:13 . 2009-05-15 02:13  11952  ----a-w  c:\windows\system32\avgrsstx.dll
    2009-05-15 02:13 . 2009-05-15 02:13  108552  ----a-w  c:\windows\system32\drivers\avgtdix.sys
    2009-05-15 02:13 . 2009-05-15 02:13  325896  ----a-w  c:\windows\system32\drivers\avgldx86.sys
    2009-05-15 02:13 . 2009-05-17 16:24  --------  d-----w  c:\windows\system32\drivers\Avg
    2009-05-15 02:12 . 2009-05-15 02:12  --------  d-----w  c:\program files\AVG
    2009-05-15 02:12 . 2009-05-15 02:12  --------  d-----w  c:\documents and settings\All Users\Application Data\avg8
    2009-05-14 23:16 . 2009-05-14 23:16  53248  ----a-w  c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-21 17:25 . 2005-12-16 08:32  --------  d-----w  c:\program files\Common Files\Symantec Shared
    2009-05-21 05:24 . 2008-10-24 20:38  --------  d-----w  c:\program files\Common
    2009-05-17 15:25 . 2005-12-16 05:28  --------  d-----w  c:\program files\Windows Media Connect
    2009-05-17 15:25 . 2007-01-14 14:47  126  ----a-w  c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
    2009-05-16 01:39 . 2005-12-16 08:28  --------  d-----w  c:\program files\Quicken
    2009-04-18 14:36 . 2008-10-26 18:36  --------  d-----w  c:\program files\Norton 360
    2009-04-04 19:49 . 2008-04-06 14:24  20  ---h--w  c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    2009-04-04 19:48 . 2008-04-06 14:21  20  ---h--w  c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    2009-03-06 14:22 . 2005-12-16 02:51  284160  ----a-w  c:\windows\system32\pdh.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-25 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
    "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
    "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]

    c:\documents and settings\Joe\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-15 02:13  11952  ----a-w  c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2005-05-21 01:42  73728  ----a-w  c:\windows\system32\VESWinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2009 11:36 AM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 10:13 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 10:13 PM 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 10:13 PM 298776]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 7:26 PM 101936]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 10:52 PM 28800]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 10:52 PM 217472]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:35]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-WgaLogon - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = proxy:8002
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-21 13:23
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1300)
    c:\windows\system32\VESWinlogon.dll

    - - - - - - - > 'explorer.exe'(4928)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
    c:\program files\Sony\VAIO Event Service\VESMgr.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\igfxext.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Apoint\ApntEx.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-21 13:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-21 17:29

    Pre-Run: 78,696,206,336 bytes free
    Post-Run: 78,620,049,408 bytes free

    198  --- E O F ---  2009-05-17 19:11

    Is this good news?
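Reading a ComboFix log like the one above for the indicators a helper acts on, as an added example (my code, not part of the original thread): it pulls file paths out of the Files Created section, tracks the current registry key in the loading-points section, and reports a driver or DLL named like the UAC rootkit components that appear in this thread's Avenger, MBAM and ComboFix logs as a "strong" finding, while Security Center monitoring switched off, the Windows Firewall standard profile disabled and a user-level proxy are reported as "review", because legitimate suites (Norton 360 here) also set those. It also emits the strong hits in the `KillAll::`/`File::` layout a CFScript uses. The sample lines are copied from the log above; the `uac…` naming pattern is derived only from the file names in this thread, and the function names are mine.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the ComboFix log posted above (the UAC* driver is the one
# ComboFix listed), plus a benign Run entry so the checks have something to
# pass over. Added example; not part of the original thread.
SAMPLE_LOG = r"""
2009-05-21 04:25 . 2009-04-06 19:32  15504  ----a-w  c:\windows\system32\drivers\mbam.sys
2009-05-14 23:16 . 2009-05-14 23:16  53248  ----a-w  c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = proxy:8002
"""

# A Windows path anywhere on the line. ComboFix separates columns with tabs,
# but copies pasted into forums (like the one above) run them together, so the
# path is located by its drive letter rather than by column position.
PATH_RE = re.compile(r"([A-Za-z]:\\\S.*?)\s*$")
# Naming pattern of the rootkit components seen in this thread only:
# UAC<random letters>.sys drivers and uac<random letters>.dll files.
UAC_NAME_RE = re.compile(r"^uac[a-z]{4,}\.(sys|dll)$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def triage(log_text):
    """Return (severity, message, evidence) tuples.

    'strong' - worth removing outright.
    'review' - explained by legitimate software often enough to need a human decision.
    """
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, data = m.group(1).lower(), m.group(2).strip()
            if current_key.endswith(r"security center\monitoring") and \
                    name == "disablemonitoring" and data.endswith("00000001"):
                findings.append(("review",
                    "Security Center monitoring disabled (Symantec/Norton set this too)", line))
            elif r"firewallpolicy\standardprofile" in current_key and \
                    name == "enablefirewall" and data.startswith("0"):
                findings.append(("review",
                    "Windows Firewall standard profile off; fine only if another firewall is on", line))
            continue
        if line.lower().startswith("uinternet settings,proxyserver"):
            findings.append(("review", "User-level proxy configured; confirm it is intentional", line))
            continue
        m = PATH_RE.search(line)
        if m:
            path = PureWindowsPath(m.group(1))
            if UAC_NAME_RE.match(path.name):
                findings.append(("strong",
                    "File named like the UAC rootkit components in this thread", str(path)))
    return findings


def cfscript(findings):
    """Lay out the 'strong' file hits as a ComboFix CFScript (KillAll:: then File::)."""
    files = [evidence for severity, _, evidence in findings if severity == "strong"]
    return "KillAll::\n\nFile::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for severity, message, evidence in hits:
        print(f"[{severity}] {message}\n    {evidence}")
    print(cfscript(hits))
```

The one "strong" hit on the log above is the same file the helper singles out in the next reply; the three "review" items are each explained by Norton 360 owning the firewall and Security Center reporting on this machine, which is why they are not dropped into the CFScript automatically.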
    Yes, there is still one left.

    You need to uninstall either Norton or AVG. Two antivirus programs actually offer less protection because they "argue" with each other.

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::

    File::
    c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

    Here is the latest ComboFix log

    ComboFix 09-05-19.08 - Joe 05/21/2009 14:51.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.443 [GMT -4:00]
    Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
    FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
    .

    2009-05-21 17:14 . 2009-05-21 17:29  6736  ----a-w  c:\windows\system32\drivers\PROCEXP90.SYS
    2009-05-21 04:25 . 2009-05-21 04:25  --------  d-----w  c:\documents and settings\kevin\Application Data\Malwarebytes
    2009-05-21 04:25 . 2009-04-06 19:32  15504  ----a-w  c:\windows\system32\drivers\mbam.sys
    2009-05-21 04:25 . 2009-04-06 19:32  38496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-21 04:25 . 2009-05-21 04:25  --------  d-----w  c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-21 04:25 . 2009-05-21 04:25  --------  d-----w  c:\program files\Malwarebytes' Anti-Malware
    2009-05-21 02:27 . 2009-05-21 02:27  --------  d-----w  C:\_OTMoveIt
    2009-05-18 19:19 . 2009-05-18 19:19  --------  d-----w  c:\program files\Driver Magician Lite
    2009-05-17 18:59 . 2009-05-17 19:00  --------  d-----w  c:\documents and settings\kevin
    2009-05-17 17:06 . 2009-05-17 17:54  --------  d-----w  c:\documents and settings\Joe\.housecall6.6
    2009-05-17 16:00 . 2009-05-17 15:36  15688  ----a-w  c:\windows\system32\lsdelete.exe
    2009-05-17 15:36 . 2009-05-17 15:35  64160  ----a-w  c:\windows\system32\drivers\Lbd.sys
    2009-05-17 15:35 . 2009-05-21 12:24  --------  d-----w  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-05-17 15:35 . 2009-05-21 17:21  --------  d-----w  c:\program files\Spybot - Search & Destroy
    2009-05-17 15:34 . 2009-05-17 15:34  --------  dc-h--w  c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-17 15:34 . 2009-05-17 15:34  --------  d-----w  c:\program files\Lavasoft
    2009-05-17 15:34 . 2009-05-17 15:36  --------  d-----w  c:\documents and settings\All Users\Application Data\Lavasoft
    2009-05-17 15:28 . 2009-05-17 15:28  --------  d-----w  c:\program files\Windows Media Connect 2
    2009-05-17 15:26 . 2009-05-17 15:27  --------  d-----w  c:\windows\system32\drivers\UMDF
    2009-05-17 15:26 . 2009-05-17 15:26  --------  d-----w  c:\windows\system32\LogFiles
    2009-05-15 02:17 . 2009-05-21 04:55  --------  d--h--w  C:\$AVG8.VAULT$
    2009-05-15 02:13 . 2009-05-15 02:13  11952  ----a-w  c:\windows\system32\avgrsstx.dll
    2009-05-15 02:13 . 2009-05-15 02:13  108552  ----a-w  c:\windows\system32\drivers\avgtdix.sys
    2009-05-15 02:13 . 2009-05-15 02:13  325896  ----a-w  c:\windows\system32\drivers\avgldx86.sys
    2009-05-15 02:13 . 2009-05-17 16:24  --------  d-----w  c:\windows\system32\drivers\Avg
    2009-05-15 02:12 . 2009-05-15 02:12  --------  d-----w  c:\program files\AVG
    2009-05-15 02:12 . 2009-05-15 02:12  --------  d-----w  c:\documents and settings\All Users\Application Data\avg8

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-21 18:54 . 2005-12-16 08:32  --------  d-----w  c:\program files\Common Files\Symantec Shared
    2009-05-21 05:24 . 2008-10-24 20:38  --------  d-----w  c:\program files\Common
    2009-05-17 15:25 . 2005-12-16 05:28  --------  d-----w  c:\program files\Windows Media Connect
    2009-05-17 15:25 . 2007-01-14 14:47  126  ----a-w  c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
    2009-05-16 01:39 . 2005-12-16 08:28  --------  d-----w  c:\program files\Quicken
    2009-04-18 14:36 . 2008-10-26 18:36  --------  d-----w  c:\program files\Norton 360
    2009-04-04 19:49 . 2008-04-06 14:24  20  ---h--w  c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    2009-04-04 19:48 . 2008-04-06 14:21  20  ---h--w  c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    2009-03-06 14:22 . 2005-12-16 02:51  284160  ----a-w  c:\windows\system32\pdh.dll
    .

    ((((((((((((((((((((((((((((( [emailprotected]_17.25.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-05-21 18:55 . 2009-05-21 18:55  16384  c:\windows\Temp\Perflib_Perfdata_4f4.dat
    + 2009-05-21 18:54 . 2009-05-21 18:54  16384  c:\windows\Temp\Perflib_Perfdata_2a8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-25 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
    "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
    "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]

    c:\documents and settings\Joe\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-15 02:13  11952  ----a-w  c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2005-05-21 01:42  73728  ----a-w  c:\windows\system32\VESWinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2009 11:36 AM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 10:13 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 10:13 PM 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 10:13 PM 298776]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 7:26 PM 101936]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 10:52 PM 28800]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 10:52 PM 217472]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = proxy:8002
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-21 14:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1300)
    c:\windows\system32\VESWinlogon.dll

    - - - - - - - > 'explorer.exe'(3512)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
    c:\program files\Sony\VAIO Event Service\VESMgr.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\igfxext.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Apoint\ApntEx.exe
    c:\windows\ehome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-21 15:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-21 19:02
    ComboFix2.txt 2009-05-21 17:29

    Pre-Run: 78,615,195,648 bytes free
    Post-Run: 78,597,533,696 bytes free

    201 --- E O F --- 2009-05-17 19:11


    >crosses his fingers

    And I am uninstalling AVG, I think the owner has actually paid for Norton
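    The checks the helper made by eye on the ComboFix log above (two AV products listed in the header, Windows Firewall off with Norton covering, Security Center monitoring keys set to DisableMonitoring, and the driver removed under "Other Deletions") can be scripted. The triage script below is an added example, not a tool from this thread; its SAMPLE_LOG is a trimmed copy of the log posted above, and the names `triage`, `Triage` and `Product` are mine.

```python
"""Triage a ComboFix log: security products, firewall state, suppressed monitoring, deletions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
ComboFix 09-05-19.08 - Joe 05/21/2009 14:51.2 - NTFSx86
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*")  # header lines
SECTION_RE = re.compile(r"^\({5,}\s*(?P<title>.+?)\s*\){5,}$")  # ((((( Title )))))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")  # [HKEY_...] registry key line
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')  # "Name"=value
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # a Windows path


@dataclass
class Product:
    kind: str   # "AV" or "FW"
    name: str
    state: str  # text between the asterisks, as it was when ComboFix ran


@dataclass
class Triage:
    antivirus: List[Product] = field(default_factory=list)
    firewalls: List[Product] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    windows_firewall_enabled: Optional[bool] = None  # None when the log does not say
    monitoring_disabled: List[str] = field(default_factory=list)  # lower-cased keys
    findings: List[str] = field(default_factory=list)


def triage(text: str) -> Triage:
    """Parse the header, section markers and registry dump of a ComboFix log."""
    result = Triage()
    section = key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PRODUCT_RE.match(line):
            product = Product(m["kind"], m["name"], m["state"])
            (result.antivirus if m["kind"] == "AV" else result.firewalls).append(product)
        elif m := SECTION_RE.match(line):
            section = m["title"].lower()
        elif m := KEY_RE.match(line):
            key = m["key"].lower()  # values that follow belong to this key
        elif m := VALUE_RE.match(line):
            name, value = m["name"], m["value"].lower()
            if name == "DisableMonitoring" and "security center" in key and value.endswith("1"):
                result.monitoring_disabled.append(key)
            elif name == "EnableFirewall" and "standardprofile" in key:
                result.windows_firewall_enabled = value.split()[0] != "0"
        elif section == "other deletions" and PATH_RE.match(line):
            result.deleted.append(line)  # what the CFScript removed
    # Findings mirror what the helper in the thread checked by hand.
    names = [p.name for p in result.antivirus]
    if len(names) > 1:
        result.findings.append(f"{len(names)} antivirus products installed ({', '.join(names)}); keep one")
    if result.windows_firewall_enabled is False:
        cover = ", ".join(p.name for p in result.firewalls if p.state == "enabled")
        result.findings.append("Windows Firewall off; " + (f"covered by {cover}" if cover else "no third-party firewall enabled"))
    for k in result.monitoring_disabled:
        result.findings.append(f"Security Center monitoring suppressed under {k}")
    for path in result.deleted:
        result.findings.append(f"removed by the script: {path}")
    return result


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).findings:
        print("-", finding)
```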

      OK we can finish up now.

      This should remove all of the tools we used.

      • Click START then RUN
      • Now type Combofix /u in the runbox
      • Make sure there's a space between Combofix and /u
      • Then hit Enter.

      The above procedure will:
      • Delete the following: ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.

      ----------

      Download ATF Cleaner by Atribune to your Desktop.

    Alternate download link

    Note: Vista users must use Run As Administrator
    • Under Main: Select Files to Delete choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • Click Exit on the Main menu to close the program.
    .
    Note that your system will run slower for a reboot or two after having used this tool so don't panic.

    ----------

    Download OTCleanIt.exe and save it to your Desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it yourself.
    .

    WHEW again! Ok, deleted ComboFix, downloaded and ran the other two programs, is that it?

    I don't want to go through this again, but if I do I have all of these new programs to make use of.

    Thanks again.

    You should be good to go.

    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

    Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

    Well, all of my computers are safe and uninfected, this whole episode was for a teacher at the school where I work. Now she knows not to click on a little box that promises to clean up her computer for a small fee. 8-)

    I learned the hard way long ago. Sometimes a hard lesson is the best lesson.

    Let us know if anything else comes up.

    EvilFantasy!!!!!

    I........ LOVE YOU VERY MUCH DUDE~! XD

    THX DUDE! YOU'RE MY COMPUTER SAVIOUR XD

    2931.

    Solve : Please deliberate carefully on these 'Suspicious Files'!?

    Answer»

    Hi Security Guys!

    I have just tried the 'Sophos Free Standalone Antivirus' product (its buzz has started to grow, with "Klingon" as its name). On running a 'Full System Scan', it quarantined 3 'Suspicious Files', for which I would request your careful deliberation!

    Please find the attached screenshot and guide me on whether these are just a hoax (false positives) or whether it's better to get rid of them!

    Thanks in advance...!

    Please find a "better" 2nd screenshot (detailed description).

    [attachment deleted by admin]

    Wopti Utilities woptiinfo.dll http://www.threatexpert.com/files/woptiinfo.dll.html

    The other two appear to be from iObit Advanced System Care.

    Hi Guys!

    Well, I took this matter to the house of Sophos. I submitted the samples of the 'Suspicious Files' and they came out to be hoax detections (false positives) from their product!


    Read what these Guys have to say:

    Hi,

    Thanks for the samples.

    I have spoken to the Labs and the files that you submitted are not malicious.
    The warnings that we have GENERATED for these can be ignored.

    If you were running the full Anti-virus product you would be able to
    authorise these files so that they are not detected again. As these were the
    only threats detected by the Threat detection test, I am happy to give your
    machine a clean bill of health.

    Please let me know if I can be of further assistance.

    Regards,

    James Barker
    Sophos Technical Support

    2932.

    Solve : Unable to access internet?

    Answer»

    I've got the 3 logs... what do I do next?

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/19/2008 at 05:57 PM

    Application Version : 4.15.1000

    Core Rules Database Version : 3469
    Trace Rules Database Version: 1460

    Scan type : Complete Scan
    Total Scan Time : 01:45:05

    Memory items scanned : 398
    Memory threats detected : 1
    Registry items scanned : 5480
    Registry threats detected : 52
    File items scanned : 181901
    File threats detected : 14

    Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\OPNKLJCY.DLL
    C:\WINDOWS\SYSTEM32\OPNKLJCY.DLL

    Adware.webHancer
    HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32#ThreadingModel
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\ProgID
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\Programmable
    HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\VersionIndependentProgID
    C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
    HKCR\WhIeHelperObj.WhIeHelperObj
    HKCR\WhIeHelperObj.WhIeHelperObj\CurVer
    HKCR\WhIeHelperObj.WhIeHelperObj.1
    HKCR\WhIeHelperObj.WhIeHelperObj.1\CLSID
    HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
    HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
    HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
    HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
    HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib#Version
    HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
    HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
    HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
    HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
    HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
    HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
    HKLM\Software\WebHancer
    HKLM\Software\WebHancer#BaseDir
    HKLM\Software\WebHancer\CC
    HKLM\Software\WebHancer\CC#DistTag
    HKLM\Software\WebHancer\CC#DWLLTM
    HKLM\Software\WebHancer\CC#SLNTIND
    HKLM\Software\WebHancer\CC#ACCPTPS
    HKLM\Software\WebHancer\ESO
    HKLM\Software\WebHancer\ESO#aa
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent#DisplayName
    C:\Program Files\WEBHANCER\Programs\license.txt
    C:\Program Files\WEBHANCER\Programs\readme.txt
    C:\Program Files\WEBHANCER\Programs\sporder.dll
    C:\Program Files\WEBHANCER\Programs\whagent.ini
    C:\Program Files\WEBHANCER\Programs
    C:\Program Files\WEBHANCER
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{6B5957BF-BA84-49A1-A324-D5FF8FFCC687}\RP241\A0118724.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{6B5957BF-BA84-49A1-A324-D5FF8FFCC687}\RP241\A0118734.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{6B5957BF-BA84-49A1-A324-D5FF8FFCC687}\RP241\A0118735.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{6B5957BF-BA84-49A1-A324-D5FF8FFCC687}\RP241\A0118736.EXE

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
    HKCR\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
    HKCR\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
    HKCR\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32
    HKCR\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32#ThreadingModel
    HKCR\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\ProgID
    HKCR\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\TypeLib
    SOCKINS32.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}

    Trojan.Vundo-Variant/Small
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67D33942-8B34-4F8E-99B0-4A8C2B989C30}
    HKCR\CLSID\{67D33942-8B34-4F8E-99B0-4A8C2B989C30}
    HKCR\CLSID\{67D33942-8B34-4F8E-99B0-4A8C2B989C30}\InprocServer32
    HKCR\CLSID\{67D33942-8B34-4F8E-99B0-4A8C2B989C30}\InprocServer32#ThreadingModel

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\aoprndtws
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKLM\SOFTWARE\Microsoft\RemoveRP
    HKU\S-1-5-21-1220945662-2052111302-725345543-1004\Software\Microsoft\rdfa

    Adware.Tracking Cookie
    www.googleadservices.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    shop.winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    shop.winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    shop.winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    shop.winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    shop.winanonymous.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]
    .adnetserver.com [ C:\Documents and Settings\Ste\Application Data\Mozilla\Firefox\Profiles\arm6k7ow.default\cookies.txt ]

    Trojan.Downloader-Gen
    C:\WINDOWS\SYSTEM32\SFT.RES

    Number 2:

    Malwarebytes' Anti-Malware 1.17

    Database version: 846

    8:38:27 PM 19/06/2008
    mbam-log-6-19-2008 (20-38-27).txt

    Scan type: Full Scan (C:\|I:\|)
    Objects scanned: 230726
    Time elapsed: 57 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 8
    Registry Values Infected: 4
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\ftyfgmmu.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\opnklJcY.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d97396f-ead1-4144-a594-b35c497add05} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{5d97396f-ead1-4144-a594-b35c497add05} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4e5b160 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMc7d682fc (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnkljcy -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnkljcy -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\ftyfgmmu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ummgfytf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ummgfytf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\opnklJcY.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\YcJlknpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YcJlknpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6B5957BF-BA84-49A1-A324-D5FF8FFCC687}\RP240\A0117677.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{6B5957BF-BA84-49A1-A324-D5FF8FFCC687}\RP241\A0118743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wbacnvtt.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

    and the hijack this log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:44:51 PM, on 19/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00B0AFA.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Symantec

    Am I broken much?

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Now then reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
    • Finally copy and paste the contents of the results file Report.txt with a new HijackThis log in your next reply.
    If SDFix won't run or you get errors, follow the link for instructions on running SDFix: How to use SDFix

    That was quick.

    I'll get on it ASAP.

    Post back later today.

    Thanks a lot.

    SDFix: Version 1.194
    Run by Ste on Fri 20/06/2008 at 07:06 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\index.html - Deleted

    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-20 19:16:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D58D1DA8-8627-E12A-CDEE-90E322F20B12}]
    "abcldaggfohelnlbeoijeomdnhdcicbdle"=hex:66,62,63,6c,69,70,64,6d,6d,68,6d,61,65,6d,6d,70,61,63,6d,6a,6c,..
    "bbcldaggfohelnlbeonjnahngndalhjicfkn"=hex:61,62,68,69,68,63,66,64,66,6d,63,66,6d,68,66,6d,68,63,6b,66,67,..

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\EA Games\\Battlefield 1942\\BF1942.exe"="C:\\Program Files\\EA Games\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
    "C:\\Program Files\\EA Games\\Battlefield Vietnam\\BfVietnam.exe"="C:\\Program Files\\EA Games\\Battlefield Vietnam\\BfVietnam.exe:*:Enabled:BfVietnam"
    "C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat:*:Enabled:The Battle for Middle-earth(tm) II"
    "C:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"="C:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat:*:Enabled:The Lord of the Rings, The Rise of the Witch-king"
    "C:\\Program Files\\Team17 Software Ltd\\Worms Forts Under Siege\\WF.exe"="C:\\Program Files\\Team17 Software Ltd\\Worms Forts Under Siege\\WF.exe:*:Enabled:WF"
    "C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"="C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
    "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
    "C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"="C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe:*:Enabled:Rome: Total War"
    "C:\\Program Files\\Port Royale\\PortRoyale.exe"="C:\\Program Files\\Port Royale\\PortRoyale.exe:*:Enabled:Port Royale"
    "C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
    "C:\\Program Files\\EA Games\\MOHAA\\Mohaa.exe"="C:\\Program Files\\EA Games\\MOHAA\\Mohaa.exe:*:Enabled:Medal of Honor Allied Assault(tm)"
    "C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
    "C:\\Program Files\\The Creative Assembly\\Rome - Total War\\rometw-alx.exe"="C:\\Program Files\\The Creative Assembly\\Rome - Total War\\rometw-alx.exe:*:Enabled:Rome: Total War - Alexander"
    "C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
    "C:\\Program Files\\BitComet\\plugin_emule\\plugin_eMule.exe"="C:\\Program Files\\BitComet\\plugin_emule\\plugin_eMule.exe:*:Enabled:eMule plugin host for BitComet"
    "C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
    "C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe:*:Enabled:D-Link AirPlus Utility"
    "C:\\Program Files\\Paradox Interactive\\Europa Universalis III\\eu3game.exe"="C:\\Program Files\\Paradox Interactive\\Europa Universalis III\\eu3game.exe:*:Enabled:Europa Universalis III"
    "C:\\Program Files\\Vietcong2\\vietcong2.exe"="C:\\Program Files\\Vietcong2\\vietcong2.exe:*:Enabled:Vietcong 2"
    "C:\\Documents and Settings\\Ste\\My Documents\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Ste\\My Documents\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
    "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
    "C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Flying Lab Software\\Pirates of the Burning Sea\\PlayPOTBS.exe"="C:\\Program Files\\Flying Lab Software\\Pirates of the Burning Sea\\PlayPOTBS.exe:*:Enabled:Pirates of the Burning Sea"
    "C:\\Program Files\\Flying Lab Software\\Pirates of the Burning Sea\\PotBS.exe"="C:\\Program Files\\Flying Lab Software\\Pirates of the Burning Sea\\PotBS.exe:*:Enabled:PotBS"
    "C:\\Program Files\\Westwood Chat\\WCHAT.DAT"="C:\\Program Files\\Westwood Chat\\WCHAT.DAT:*:Enabled:Westwood Online for Windows"
    "C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm)\\RA95.EXE"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm)\\RA95.EXE:*:Enabled:RA95"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\SSI\\Close Combat Invasion Normandy\\CC5.exe"="C:\\Program Files\\SSI\\Close Combat Invasion Normandy\\CC5.exe:*:Enabled:Close Combat(tm)V: Invasion Normandy"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
    "C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sun 15 Jun 2008 1,580,208 ..SH. --- "C:\WINDOWS\system32\ummgfytf.tmp"
    Sat 29 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Fri 6 Aug 2004 1,949,696 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\launcher.exe"
    Fri 6 Aug 2004 53,760 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\mnyinsta.dll"
    Sat 12 Jun 2004 94,208 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RmvSuite.exe"
    Sat 3 Jul 2004 35,328 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\setuplng.dll"
    Sat 22 Nov 2003 20,480 A..HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\unregwtr.exe"
    Mon 1 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
    Sat 3 Sep 2005 4,348 A..H. --- "C:\Documents and Settings\Ste\My Documents\My Music\License Backup\drmv1key.bak"
    Sat 3 Sep 2005 20 A..H. --- "C:\Documents and Settings\Ste\My Documents\My Music\License Backup\drmv1lic.bak"
    Sat 3 Sep 2005 400 A..H. --- "C:\Documents and Settings\Ste\My Documents\My Music\License Backup\drmv2key.bak"
    Sat 3 Sep 2005 1,536 A..H. --- "C:\Documents and Settings\Ste\My Documents\My Music\License Backup\drmv2lic.bak"

    Finished!

    and the Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:23:10 PM, on 20/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00B0AFA.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 7222 bytes


    Done and done, next?

    Open Hijackthis and select Do a system scan only then place a check mark next to:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Close all windows and click Fix checked.

    Exit Hijackthis and then run CCleaner.

    ----------

    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

    • Please download LSPFix
    • Run the LSPFix.exe that you have just finished downloading.
    • Check the I know what I'm doing box.
    • In the Keep box you should see one or more instances of wsock3.dll.
    • Select every instance of webhdll.dll and move each one to the Remove box by clicking the >> button.
    • When you are done click Finish>>.
    Restart the computer.

    If needed see Using LSP-Fix to remove Spyware & Hijackers for more detailed instructions.

    ----------

    I'm pretty sure there is a rootkit involved as well so we need to have a closer look.

    Download Combofix by SUBS from one of the below links.

    Important! Combofix.exe MUST be saved to and ran from the Desktop.
    • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
    • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
      • Click this link to see a list of security programs that should be disabled and how to disable them.
      • If yours is not listed and you don't know how to disable it, please ask.
    • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
    • Double click combofix.exe & follow the prompts.
      • Choose Yes to accept the Disclaimers.
    • When finished, it will produce a log for you.
    • Post that log in your next reply.
    Warning: Do not mouseclick Combofix's window while it is running. That may cause it to stall
    • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
    If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix.

    ----------

    Next post add
    Combofix log
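As an added example (not from this thread, and not part of HijackThis or any of the tools named above), a small Python triage script that reads a HijackThis log and flags the entry classes the helper acts on in the SDFix and fix-list posts: an O2 BHO with "(no file)", the O10 broken LSP provider, and the O20 AppInit_DLLs value. The sample lines are constructed from the log posted earlier in the thread, and the "generated-looking name" heuristic is this script's own assumption, not a HijackThis rule.

```python
"""Triage a HijackThis log for the entry types dealt with in this thread.

Added example: not HijackThis code and not the helper's tooling. The severity
rules are this script's own reading of the thread, not an official list.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the log posted in the thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\\program files\\webhancer\\programs\\webhdll.dll' missing
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\__c00B0AFA.dat
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code such as "O20"
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str      # the log line that triggered the finding


def parse_entries(log_text):
    """Yield (section, body, line) for every 'Onn - ...' line; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def looks_random(filename):
    """Heuristic (this example's own): an optional underscore/letter prefix
    followed by a run of six or more hex digits, e.g. '__c00B0AFA'."""
    stem = filename.rsplit(".", 1)[0]
    return re.fullmatch(r"_*[A-Za-z]?[0-9A-Fa-f]{6,}", stem) is not None


def triage(log_text):
    """Return the findings a helper would act on, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "medium",
                "BHO registration whose DLL no longer exists: orphaned entry, fix it in HijackThis", line))
        elif section == "O10" and "LSP provider" in body and body.endswith("missing"):
            findings.append(Finding(section, "high",
                "Winsock LSP chain points at a missing DLL; repair the chain (LSPFix) rather than deleting the key", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            path = body.split(":", 1)[1].strip()
            name = path.rsplit("\\", 1)[-1]
            odd = not name.lower().endswith(".dll") or looks_random(name)
            findings.append(Finding(section, "high" if odd else "medium",
                "AppInit_DLLs is loaded into every process that maps user32.dll"
                + ("; non-DLL extension or generated-looking name" if odd else "; verify the publisher"), line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(section, "info",
                "Winlogon Notify package runs inside winlogon.exe; confirm it belongs to software you installed", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "info",
                "Service binary carries no company name; check its publisher before trusting it", line))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count} for a quick glance."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Feed it a full log (`triage(open("hijackthis.log").read())`) and it stays quiet on ordinary entries such as the Java BHO and the NVIDIA service while surfacing the three items the helper singled out.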
    I want to learn about this problem because I also run into it when I try to call a computer technician.


    _________________
    Thermostat
    2933.

    Solve : What are some good tools??

    Answer»

    What are some good tools to remove viruses, trojans, spyware etc.? Not looking for the actual protection but the removal.

    How can you have removal without protection?

    Is there something you want to remove now?

    Are you looking for free antivirus?

    I have a lot of computers I'm working on that have viruses, worms etc. on them; I first wanted to remove them before I put the protection on. So I was wondering what were some good removal tools for that kind of stuff?

    If you go ahead and install a free antivirus (AVG Free is highly recommended in the forums), it will scan your computer, find all the malware and it should get rid of them.

    However, you can follow these instructions but you will have to do it for every computer.
    Avast is also a good one to use; I personally like it better than AVG. But that's for you to decide.

    Quote
    I first wanted to remove them before I put the protection on
    It's the other way around.

    Quote from: Broni on June 30, 2008, 10:37:30 PM
    Quote
    I first wanted to remove them before I put the protection on
    It's the other way around.
    Yeah. That's what I meant. *Argh Jet Lag*

    Exactly
    2934.

    Solve : Downloaded something bad from Isohunt...?

    Answer»

    Good, but we're not done here, yet.
    At least, you're able to work in Normal Mode, now.
    However, some infections won't show in Safe Mode, so we have to re-run a couple of programs.
    Re-run Malwarebytes. Post its log.
    When done, re-run HijackThis, and post its log.

    First log:

    Malwarebytes' Anti-Malware 1.18
    Database version: 895

    2:57:25 PM 6/28/2008
    mbam-log-6-28-2008 (14-57-21).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 95198
Time elapsed: 35 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> No action taken.
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP99\A0028502.dll (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP99\A0028503.dll (Trojan.Vundo) -> No action taken.
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP99\A0028504.dll (Trojan.Vundo) -> No action taken.
HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:01:41 PM, on 6/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IBM ThinkVantage\Common\SCHEDULER\tvtsched.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.asu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: (no name) - {A40C8CFE-B3A1-4431-B096-B8845A9BC573} - C:\WINDOWS\system32\yayyvuUn.dll (file missing)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\ThinkVantage Fingerprint Software\ctlcntr.exe" /startup
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks\osCheck.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206561896640
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

    --
    End of file - 14176 bytes
Bump

Your Malwarebytes log shows "No action taken" after each line. You either posted the log from before the scan, or you did something wrong.
Please, repost.

No reason for "bump". We're all volunteers here. We have to work, eat, sleep, take care of kids, and kiss girlfriend/wife, once in a while.

Quote from: Broni on June 28, 2008, 09:01:51 PM

    Your Malwarebytes log shows "No action taken" after each line. You either posted the log from before the scan, or you did something wrong.
    Please, repost.

    No reason for "bump". We're all volunteers here. We have to work, eat, sleep, take care of kids, and kiss girlfriend/wife, once in a while.

I fixed the problems after I copied the log, I'll re-run it and post it.

Sounds good.
...and after you post the new Malwarebytes log, I'll need a fresh HJT log.

Malware log:
    Said no malicious files found

    Malwarebytes' Anti-Malware 1.18
    Database version: 895

    8:57:05 PM 6/28/2008
    mbam-log-6-28-2008 (20-57-05).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 95408
    Time elapsed: 30 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    HJT LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:58:22 PM, on 6/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.asu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: (no name) - {A40C8CFE-B3A1-4431-B096-B8845A9BC573} - C:\WINDOWS\system32\yayyvuUn.dll (file missing)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\ThinkVantage Fingerprint Software\ctlcntr.exe" /startup
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks\osCheck.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206561896640
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

    --
    End of file - 14408 bytes
    Is your Norton subscription current, and is it up to date? It seems like it's only partially running.

    Yes, it's up to date and I don't know about the partially running. But I've been reading on here that y'all suggest using another antivirus like AVT8 or something along those lines. Did the logs look ok? Is the computer still infected?

    *** You need to update Java:
    http://java.sun.com/javase/downloads/index.jsp
    Java Runtime Environment (JRE) 6 Update 6
    Uninstall all previous versions of Java through Add\Remove.

    1. Print this post out, since you won't have an access to it, at some point.

    2. Close all windows, except for HijackThis.

    3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

    - O2 - BHO: (no name) - {A40C8CFE-B3A1-4431-B096-B8845A9BC573} - C:\WINDOWS\system32\yayyvuUn.dll (file missing)
    - *O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    - *O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    - *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    - *O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    - *O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    - *O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    - *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    - *O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    - O4 - Global Startup: Bluetooth.lnk = ?
    - O4 - Global Startup: Digital Line Detect.lnk = ?
    - *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (checkmark this entry if you did not activate the 'Lock homepage from changes' option in some kind of anti-spyware tool)
    - *O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    4. Click on Fix checked button.

    5. Restart computer.

    6. Post new HijackThis log.

    Got the new Java and here's the HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:14:25 PM, on 6/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.asu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\ThinkVantage Fingerprint Software\ctlcntr.exe" /startup
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks\osCheck.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206561896640
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

    --
    End of file - 13209 bytes

    Your computer is clean.

    1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
    Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
    Run CCleaner.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. (optional) Download, and install free version of ThreatFire: http://www.threatfire.com/. It'll give you extra protection against malware. It won't interfere with your antivirus program.

    6. Read "So how did I get infected in the first place?": http://www.castlecops.com/postlite7736-.html

    7. Let me know, how your computer is doing.
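The helper in this thread picked out the O2 BHO with a random-looking name and "(file missing)", and later confirmed that the remaining "(file missing)" and "Unknown owner" entries were harmless leftovers. The script below is an added example (not code from the thread, not HijackThis's own logic) that applies those same reading rules to a log automatically. The rules are the author's heuristics; the sample log is assembled from entries that appear in this thread's logs.

```python
"""Triage a HijackThis log: surface the entries a malware-removal helper looks at
first. Added example with the author's own heuristics, not part of the forum
thread and not HijackThis code."""
import re
from dataclasses import dataclass

# Sample assembled from entries that appear in the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A40C8CFE-B3A1-4431-B096-B8845A9BC573} - C:\WINDOWS\system32\yayyvuUn.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+")
# Target path no longer exists: leftover from an uninstall, or a half-removed infection.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# Browser add-ons that register without a display name.
NONAME_RE = re.compile(r"^O[23]\s+-\s+(?:BHO|Toolbar):\s+\(no name\)")
# Services whose binary carries no publisher (no version-info company string).
UNKNOWN_OWNER_RE = re.compile(r"^O23\s+-\s+Service:.*\s-\sUnknown owner\s-")
# Vundo-family droppers used 8-letter pseudo-random mixed-case DLL names in system32.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.dll\b", re.IGNORECASE)
# Policy restriction on the IE Control Panel: used to lock a hijacked homepage in place.
POLICY_RE = re.compile(r"^O6\s+-\s+HK")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(basename: str) -> bool:
    """Heuristic: capitals inside the name mixed with lowercase (yayyvuUn),
    unlike all-caps (SASWINLO) or all-lowercase (ctfmon) vendor names."""
    inner = basename[1:]
    return any(c.isupper() for c in inner) and any(c.islower() for c in inner)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (entry, rule) hit. Process lists and headers are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section = m.group(1)
        if ORPHAN_RE.search(line):
            findings.append(Finding(section, "orphaned entry: target file is gone", line))
        if NONAME_RE.match(line):
            findings.append(Finding(section, "unnamed browser add-on", line))
        if UNKNOWN_OWNER_RE.match(line):
            findings.append(Finding(section, "service binary has no publisher", line))
        dll = SYSTEM32_DLL_RE.search(line)
        if dll and looks_random(dll.group(1)):
            findings.append(Finding(section, "pseudo-random DLL name in system32", line))
        if POLICY_RE.match(line):
            findings.append(Finding(section, "IE policy restriction present", line))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Distinct log lines that hit at least one rule, in log order."""
    seen: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:40} {f.line[:70]}")
```

Run against the sample, four of the eight entries are flagged: the Vundo-style BHO hits three rules at once, while the Adobe BHO, ccApp, ctfmon and LiveUpdate lines pass clean. The orphan rule also fires on PsaSrv, which the thread's helper treated as a benign leftover, so treat the output as a reading order rather than a verdict: confirm each hit against the file on disk and its signer before fixing anything.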
    2935.

    Solve : Computer Hang?

    Answer»

    Let's do some cleanup and also let me know how the computer is now.

    Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.
    The above procedure will:
    • Delete:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.
      ----------

      Download OTMoveIt2 (OTMoveIt2.exe) by OldTimer and place it on your desktop (unless you already have it installed).

      1. Double click OTMoveIt2.exe to launch it.
      Vista users right click and choose Run As Administrator
      2. Click on the CleanUp! button.
      3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
      4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
      5. Once complete exit out of OTMoveIt2

      ----------

      Use the Secunia Software Inspector to check for out of date software.
      • Click Start Now
      • Check the box next to Enable thorough system inspection.
      • Click Start
      • Allow the scan to finish and scroll down to see if any updates are needed.
      • Update anything listed.
      ----------

      Go to Microsoft Windows Update and get all critical updates.



      How is everything now?


      Hi evilfantasy,

      I have done all the action as instructed by you.
      Now my PC is back to normal.
      Once again, thanks a lot for your expert help.

      Glad it's back to normal. Let us know if anything else comes up.....
      2936.

      Solve : How do I report a possible virus hosting website??

      Answer»

      Okay, I came across this by complete accident.
      Here is the link, but I don't think many people will want to click on it:
      http://www.subculture.com/backdoor.html
      You can't actually get a virus just by clicking on it, but adult material came up on it also.
      It keeps reloading the page and I think it's connected to the LOVE-LETTER.TXT.vbs virus.

      I was wondering how to report a website like this.

      Thanks.

      Link edited

      If you got the URL via e-mail, report it to http://www.antiphishing.org/report_phishing.html, but you may want to report it anyway even if you didn't get it from e-mail.
      If you use something like trustwatch you can report to them: http://www.trustwatch.com/index.html
      You can report to the FBI at the Internet Crime Center http://www.ic3.gov/complaint/


      thesecdude -www.security-tech-reviews.com

      2937.

      Solve : I WOULD LIKE TO ASK A QUESTION ONLY A VIRUS WOULD EXPECT?

      Answer»

      I took a test on this site. I did pretty good, actually excellent, you wouldn't know it, but
      one of the questions was could you get a virus through a scanner. I know from the med field that a virus needs a host (a live host) that is specific for it to survive. I chose no and the choice was correct.
      I have a question though and the reason why is
      I used to never use my D drive for anything
      I used to never use a USB mem slap stick either (long ago in college)
      Recently I have been babbling the satanic verses of the underground computer programs of Windows with my mouse (my goal is to start using the keyboard and some commands). During that time I have managed to lose contact with my computer on several occasions. I also use the mem stick the same way.
      Now the question: I got a virus, trojan, a flea, a worm, a roach, in my computer. I had downloaded Limewire, new Explorer, Mozilla, Foxfire, in a short period of time. I noticed if I used Explorer the pops happened; if I used Foxfire it didn't. Then it started happening with both. I tried to fight it with my bare hands for a few days, no avail (almost).
      Before I deleted the C drive to start over I used the mem stick to save the Windows program because I wanted to study these invaders. So now I have them quarantined in two folders and some other programs.
      Could I freely tear them a new DNA without affecting my computer?
      How would you, and could you, explain how to open one of those programs?
      I can open the ones that look like Notepad and it tells you everything it did and how it found you and what it was looking, waiting, and expecting.
      I am as confused as a virus in a sterile file.
      I am as confused as a trojan at the front door.
      If you have any idea what I might be trying to ask, can you give an attempt to answer? Then we might be able to narrow down a pattern.
      Thank you so much
      Ruby


      2938.

      Solve : Trojan.ZipCodec.dsc?

      Answer»

      hello,
      While doing "disc cleanup" the above (subject) appeared. I googled it and arrived at "bleepingcomputer.com".
      He said that strange things were happening on his computer. The answer to his post was to reboot in safe mode then double-click SmitfraudFix.exe - #2 clean - enter. A registry cleaning prompt will appear - do you want to clean? - yes - enter - in order to remove the desktop background and clean registry keys associated with the infection. Then the tool would check to see if wininet.dll is infected. Then restart.

      Although the kinds of things that were happening to him weren't happening to me, just the fact that it showed up in my "disc cleanup" makes me question it. Should I follow the posted directions, too?

      I'm a neophyte and anything I can do to help save my PC, I'll do.

      thank you.

      Following directions in other help threads can potentially damage your PC.

      Start HERE

      Once complete post the logs in this thread and a Malware Removal Specialist will be along to help.

      Dear evilfantasy,
      thank you so much for the detailed info.
      Before I start to follow your directions I did an "IPC" search of my PC. I was going to scan/send it to you, but I received a message that the file was too big. That is because the search was superimposed on my desktop and I don't know how to remove the desktop background and just send the search info.
      I will give it to you in this reply and (if you will) you can tell me if I need to proceed with your directions, please.
      These were in my "search - all files/folders":
      Trojan.Zipcodec.dsc, Trojan.ZipCodec.prf, Zipclix.dsc, Zipclix.prf, ipcfg.xml, ipconf.tsp, ipconfig.exe, wmipcima.dll, wmipcima.mfl, wmipcima.mof, SNIPCI.HTM, SNIPCI.TXT.

      These are repeated three times on the search page.

      Thank you

      You need to follow my instructions. I know how to read the logs from the scans and am not sure what I would do with the IPC Search results.

      Ok, how do I do the scans?

      Quote from: evilfantasy on June 24, 2008, 07:09:20 PM

      Start HERE


      dear evilfantasy,

      mea culpa! incorrect word. how do i get a "log"?

      thnx.

      All of the directions are in the link I gave. Read them and it will explain everything.

      Is English your first language?

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 06/29/2008 at 00:47 AM

      Application Version : 4.15.1000

      Core Rules Database Version : 3493
      Trace Rules Database Version: 1484

      Scan type : Complete Scan
      Total Scan Time : 00:36:19

      Memory items scanned : 367
      Memory threats detected : 0
      Registry items scanned : 5417
      Registry threats detected : 0
      File items scanned : 50086
      File threats detected : 0

      Malwarebytes' Anti-Malware 1.19
      Database version: 901
      Windows 5.1.2600 Service Pack 3

      1:32:58 AM 6/29/2008
      mbam-log-6-29-2008 (01-32-58).txt

      Scan type: Quick Scan
      Objects scanned: 40902
      Time elapsed: 4 minute(s), 7 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2:35:34 AM, on 6/29/2008
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
      C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
      C:\WINDOWS\System32\DLA\DLACTRLW.EXE
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\WINDOWS\stsystra.exe
      C:\Program Files\Lexmark 3300 Series\lxccmon.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
      C:\Program Files\Dell Support\DSAgnt.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\Digital Line Detect\DLG.exe
      C:\Program Files\Google\Google Updater\GoogleUpdater.exe
      C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
      C:\WINDOWS\system32\lxcccoms.exe
      C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

      http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

      Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

      C:\WINDOWS\System32\DLA\DLASHX_W.DLL
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

      Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,[emailprotected]
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132223658171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132223807796
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37440.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BCCA856-D6C9-4042-9F69-556AA6C6A331}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      O24 - Desktop Component 0: (no name) - http://static.dropline.net/cats/images/zoom-zoom.jpg
      O24 - Desktop Component 1: (no name) - http://www.japanspecial.com/w-hagoromo-d21.jpg

      --
      End of file - 9758 bytes
      Open hijackthis and select do a system scan only then place a check mark next to the following entries.

      O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - (no file)
      O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
      O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

      Now close all windows and click Fix checked.

      Exit Hijackthis and run CCleaner.

      ---------

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.

      • Avast! Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
      • AVG Free Edition - Free edition of the AVG anti-virus program for Windows.
      • AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
      It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

      ----------

      What problems are you having with the PC?
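The fix list above rests on one rule a reviewer applies by eye: an entry whose target reads "(no file)" or "(file missing)" is a dead registry pointer, safe to remove but not itself malware. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that applies that rule to a log and also pulls out the two things a reviewer checks next: early-load hooks (O20 Winlogon Notify / AppInit_DLLs) and the DNS servers in O17. The sample lines are copied from the logs posted on this page; the bucket names ("orphan", "persistence", "dns") are this example's own, not HijackThis terminology.

```python
"""Triage a HijackThis log: orphaned entries, early-load hooks, DNS servers.

Added example (not code from the forum thread or from HijackThis). The
sample log is a handful of lines copied from the logs posted on this page.
"""
import re
from collections import defaultdict

# Leading section tag of a HijackThis entry, e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(O\d+|R[0-3]|F\d) - (.*)$")

# Markers HijackThis prints when the referenced file is gone. Such entries
# are dead pointers: fixing them is cleanup, not malware removal.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Sections that load code at logon or into every process; anything
# unexpected here deserves a look even when the file exists.
PERSISTENCE_SECTIONS = {
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_entries(log_text):
    """Yield (section, body) pairs for every recognised HijackThis entry."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Bucket entries into orphans, persistence hooks and DNS server IPs."""
    report = defaultdict(list)
    for section, body in parse_entries(log_text):
        if any(marker in body for marker in ORPHAN_MARKERS):
            report["orphan"].append(f"{section} - {body}")
        if section in PERSISTENCE_SECTIONS:
            report["persistence"].append(f"{section} - {body}")
        if section == "O17" and "nameserver" in body.lower():
            # Extract the resolver IPs so they can be checked against the
            # ISP's published resolvers (a hijacked resolver is a classic sign).
            report["dns"].extend(IPV4_RE.findall(body))
    return dict(report)


# Lines copied from the HijackThis logs posted on this page.
SAMPLE_LOG = """\
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{4BCCA856-D6C9-4042-9F69-556AA6C6A331}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKSrvr.exe (file missing)
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ==")
        for item in items:
            print("  ", item)
```

Run against the sample, the orphan bucket holds exactly the three entries a helper would put on a fix list, the persistence bucket holds the two O20 hooks (both belonging to known security products here, which is the point: the section is worth reading, not automatically bad), and the DNS bucket holds the two resolver addresses to compare with the ISP's. Orphans tidy the registry but remove no malware, which is why the reply above pairs the fix with a CCleaner run and an anti-virus recommendation rather than declaring the machine infected.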
Dear evilfantasy,

As I stated principally, I'm a neophyte, and when something new/odd turns up someplace I don't expect it, I have a tendency to panic.
I can't afford a new PC, but with your stellar assistance I don't have to worry about it.

Thank you. I am truly appreciative!!!

AND

Also, English is my first language.

Use the Secunia Software Inspector to check for out-of-date software.
      • Click Start Now
      • Check the box next to Enable thorough system inspection.
      • Click Start
      • Allow the scan to finish and scroll down to see if any updates are needed.
      • Update anything listed.
      -----

Important: You need to update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

      -----

      Learn more about how to protect yourself while on the internet.

      So how did I get infected in the first place? by Tony Klien.

      How to prevent Malware by Miekiemoes.
      2939.

      Solve : Actually this is an old Topic-Windows Security Center?

      Answer»

I don't understand what you mean. What are you doing when it says this?

I am running the Secunia Online Software Inspector. This is what I mean:

Secunia: Online Software Inspector
The Secunia Online Software Inspector will inspect your operating system and software for insecure versions and missing security updates. A default inspection normally lasts 5-40 seconds, while a thorough inspection may take several minutes. Note: If you have anti-virus software or similar enabled, an inspection may increase significantly in duration.

Detection Statistics:
0 Applications Detected in Total
0 Insecure Versions Detected
0 Secure Versions Detected

Running For:
0 minutes, 0 seconds

Errors Detected:
0 Errors Detected

Enable thorough system inspection
Enable the Secunia Online Software Inspector to search for software installed in non-default locations.

Did you find this scan useful?
Then you might find it even more useful to run our powerful installable programs, capable of conducting very thorough and in-depth scans.
Personal Edition (free) | Business Edition

Status / Currently Processing:
There might be problems loading the Java Applet in your browser.

Applications / Result Version Detected Status

ME AGAIN: It is the page where the Start and Stop buttons are at. It looks the same after I hit Start as it did before I hit Start. There are NO Detection Statistics, NO Running For time, and NO Applications/Results etc. I don't know if anything even happened when I clicked the Start button, except I now have a Java icon on the task bar.



Are you using Internet Explorer?

Yes, I am using Internet Explorer.

Try using the personal PSI. https://psi.secunia.com/

NO GO.
I got an Internet Explorer message, when 30% of the download was completed, that said:

'Internet Explorer cannot download PSISetup.exe from psi.secunia.com.
The server returned an invalid or unrecognized response.'

You can skip that step. Just be sure to visit Windows Update.

OK

THANK YOU, EVIL!!!!! I think you got it fixed. Things are running very nicely. And thank you for taking the time to help others. I wish I was smart enough to do the same. You've saved my sanity (what's left anyway).
Thank you again,
Bluerose14

      2940.

      Solve : Here we go again..possible virtumonde?

      Answer»

      I have had this problem before and fixed it but this time I'm beat!
      Here's the problem....
Missing icons, task bar, and unable to update Microsoft.
We had a friend borrow our PC when he came over to our house this past weekend, and he goes to MySpace and Facebook.
My computer was fine except the updates were disabled and I could not start them up again, so I researched and tried to fix it. The PC started downloading something strange and my AntiVir went nuts. The PC froze and I had to reboot. When it rebooted the icons and task bar were missing. The only thing showing on my desktop was the wallpaper. I checked Safe Mode and it was the same there as well.
I could not restore because it had mysteriously been turned off.
I ran Spybot Search and Destroy and it got rid of some things. I reran Spybot and it got rid of a lot of things. I ran Lavasoft anti-spyware and it found nothing. I ran AntiVir and it found nothing. I downloaded Spyware Doctor and it found Virtumonde. It could not eliminate it, so I downloaded Trojan Remover and it got rid of some things, but still no icons etc. I ran SDFix... nothing.
I did the sfc /scannow... nothing.
I ran the Kelly's Corner fixes... nothing.
I ran VundoFix... it found nothing.
I checked msconfig... nothing.
Ran a-squared... nothing.
Repaired Windows XP... now I cannot see my hidden files and I can only access things with Ctrl-Alt-Delete (Task Manager).
OK... I am guessing you will advise me to reformat, but I am hoping to avoid this because it is a pain to re-set up AT&T DSL.
I have not run ComboFix because the PC will give me an error message and not allow it.
I keep getting corrupt file error messages every time I run anything that scans it for spyware or virusware....

      Ok I'm out of ideas...need help please..

      Also I am on my work pc so I will not be able to post a hijack log til this evening

      Thanks..
      ~Bettina~

      Try renaming Combofix and then running it.

      Download and rename Combofix by sUBs from one of the below links.
      (Try all three if necessary)

      Link #1
      Link #2

      Combofix MUST be saved to the desktop.

      STOP all of your antivirus, antispyware, and other protection monitoring programs
      Click this link to see a list of security programs that should be disabled and how to disable them.

      Close all other BROWSER windows.

      Now right click on the combofix.exe icon on your Desktop and select Rename. Rename it to cf.exe This may help Combofix to run where certain malware attempts to block the original file name from running.

Open Task Manager and copy the below text into the New Task window.

"%userprofile%\desktop\cf.exe" /killall

Click the OK button and Combofix will begin to run and do the following.

- It will terminate some running processes.
- It will set your clock to a 24-hour setting (will be restored to normal when finished running properly).
- It will disconnect your PC from the internet. The connection is automatically restored before Combofix completes its run. If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
- If malware is found, Combofix will reboot your PC automatically when finished with the scan. When your PC restarts and after you log back in, Combofix will finish running and create a log. Do not interrupt this process.

      - Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall.

      - Do not attempt to use the internet or run anything else while it is running as you will most likely interfere with what it needs to do.

      When finished, it will produce a log (C:\combofix.txt) for you.

      Post the contents of that log in your next reply.
      Update:

The PC got so bad that I had to reformat and wipe it clean.
My browser got hijacked by an Antivirus Pro 2008 and it would not even let me go to any other site. So, after thinking a bit, I reformatted. I have done lots of virus/spyware scans since reformatting and the PC is clean. I have not reinstalled all my other programs yet but plan on doing it soon. It is running on basic programs right now.
Can the virus still be in my PC? I did not have restore on.

Thanks for all your help...

A reformat should have wiped everything nasty off of the PC.

Thanks for letting us know.

      2941.

      Solve : Error message when starting the computer!?

      Answer»

      Hi guys,

I have been talking to one of the specialists in the Microsoft Windows forums and they have recommended that I talk to a malware removal specialist; they are almost certain that I have some bugs on my computer.

Each time I start my computer it is asking me to restart so that updates can be installed, so I restart my computer and I still get the same message. I went into the Control Panel and checked my Automatic Updates and everything seems fine, only now I get that same message and also another message:

error loading C:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL

I have read through the list of requirements that is needed before I attempt to remove any infections on my computer and I am unsure about a few things. I am currently running Windows XP, Service Pack 2, Home Edition, and I also have Norton Internet Security.

Do I need to install AVG anti-virus, and if I do, will it run alright with Norton still on my machine?

It also tells me that I must have SP1a or higher. Do I need to install SP1a when I already have SP2?

I would really appreciate any help you could give me on this issue.

      Thanks
Yeah, MyWebSearch is malware...

Quote
Do I need to install AVG anti virus and if I do will it run alright with Norton still on my machine?

No. You can't run two antivirus programs.

Quote
Do I need to install SP1a when I already have SP2?

No.

      Print these instructions out.

      1. Download SUPERAntiSpyware Free for Home Users:
      http://www.superantispyware.com/

      * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
      * An icon will be created on your desktop. Double-click that icon to launch the program.
      * If asked to update the program definitions, click "YES". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
      * Close SUPERAntiSpyware.

      PHYSICALLY DISCONNECT FROM THE INTERNET

      Restart computer in Safe Mode.
      To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

      * Open SUPERAntiSpyware.
      * Under "Configuration and Preferences", click the Preferences button.
      * Click the Scanning Control tab.
      * Under Scanner Options make sure the following are checked (leave all others unchecked):
      o Close browsers before scanning.
      o Scan for tracking cookies.
      o Terminate memory threats before quarantining.
      * Click the "Close" button to leave the control center screen.
      * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
      * On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
      * Click "Next" to start the scan. Please be patient while it scans your computer.
      * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
      * Make sure everything has a checkmark next to it and click "Next".
      * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
      * If asked if you want to reboot, click "Yes".
      * To retrieve the removal information after reboot, launch SUPERAntispyware again.
      o Click Preferences, then click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      o Please copy and paste the Scan Log results in your next reply.
      * Click Close to exit the program.
      Post SUPERAntiSpyware log.

      RECONNECT TO THE INTERNET

      RESTART COMPUTER!

      2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

      * Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
      * If an update is found, it will download and install the latest version.
      * Once the program has loaded, select Perform full scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
      * Be sure that everything is checked, and click Remove Selected.
      * When completed, a log will open in Notepad.
      * Post the log back here.

      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
      Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

      RESTART COMPUTER!

      3. Download HijackThis:
      http://www.snapfiles.com/get/hijackthis.html
      Post HijackThis log.
      2942.

      Solve : how to find antivirus updates ip address??

      Answer»

Hello,

I am using McAfee Total Protection for Small Business as antivirus software for the server and clients. Once in a while I do manual updates. My question is, how can I find the IP address of the sites that McAfee uses to connect for updates?

I don't know, but why?
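The thread ends without an answer. As an added example, not from the thread and not from McAfee, here is one way to get the addresses empirically on the Windows machine itself: run `netstat -ano` and `tasklist` while the manual update is in progress, then join the two outputs on PID so only the updater's connections are listed. The netstat and tasklist text below are constructed samples in the layout those commands print, and `mcupdate.exe` is a placeholder image name, not a verified McAfee process; read the real one from Task Manager during an update.

```python
"""Join "netstat -ano" with "tasklist" to list the peers one process talks to.

Added example (not from the forum thread or from McAfee). Both outputs
below are constructed samples; "mcupdate.exe" is a placeholder image name.
"""
import re

# A data line of "netstat -ano": proto, local, remote, optional state, pid.
# UDP lines have no state column, hence the optional group.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# A data line of "tasklist": image name, then PID; remaining columns ignored.
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s", re.IGNORECASE)


def pids_for_image(tasklist_text, image_name):
    """Return the set of PIDs whose image name matches (case-insensitive)."""
    wanted = image_name.lower()
    pids = set()
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line)
        if m and m.group(1).lower() == wanted:
            pids.add(int(m.group(2)))
    return pids


def remote_endpoints(netstat_text, pids):
    """Return sorted (ip, port) pairs of ESTABLISHED connections owned by pids."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _proto, _local, remote, state, pid = m.groups()
        # TIME_WAIT / LISTENING rows carry no live peer; only ESTABLISHED counts.
        if int(pid) not in pids or state != "ESTABLISHED":
            continue
        host, _, port = remote.rpartition(":")
        if host in ("0.0.0.0", "*", "[::]"):
            continue
        found.add((host, int(port)))
    return sorted(found)


def update_servers(netstat_text, tasklist_text, image_name):
    """Peers of every process named image_name: the update servers, if captured mid-update."""
    return remote_endpoints(netstat_text, pids_for_image(tasklist_text, image_name))


# Constructed sample in the column layout "tasklist" prints.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    988 Services                   0     12,432 K
mcupdate.exe                  2316 Console                    1     18,204 K
firefox.exe                   3112 Console                    1    102,556 K
"""

# Constructed sample in the column layout "netstat -ano" prints (documentation
# address ranges used for the peers).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    192.168.1.10:49213     198.51.100.7:80        ESTABLISHED     2316
  TCP    192.168.1.10:49214     198.51.100.7:443       ESTABLISHED     2316
  TCP    192.168.1.10:49215     203.0.113.25:443       TIME_WAIT       2316
  TCP    192.168.1.10:49216     192.0.2.44:443         ESTABLISHED     3112
  UDP    0.0.0.0:500            *:*                                    988
"""

if __name__ == "__main__":
    for host, port in update_servers(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "mcupdate.exe"):
        print(f"{host}:{port}")
```

Two caveats before turning the result into a firewall rule: a single capture only shows the servers used during that one update, so repeat it a few times, and vendor update hosts are commonly behind load-balanced or CDN names whose IP addresses change, so a rule keyed on these addresses will go stale. Where the firewall supports hostname or FQDN rules, prefer those.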

      2943.

      Solve : GOT cssrss.exe & winlogon.exe viruses?

      Answer»

      Computer : ZOOMSTORM
      PRO Intel (R) Celeron (R) CPU 430 1.80 GHZ
      1.00 GB
      System Type : 32 BIT operating system
      WINDOWS VISTA

Hi, I have had this computer now for about 2 months. I have AVG and Avira AntiVir Personal. I have just downloaded Spyware Doctor, but for some reason none of the anti-virus software finds this virus. The way I found out was looking at my Task Manager and seeing cssrss.exe, so I looked this up on Google and it said it was very harmful to the computer and it normally has winlogon.exe with it, which I have found.

I have tried scanning the computer with everything but no joy. You have helped me out before with my sister's computer, which had some bad virus on it, SO THE ONLY PLACE I TRUST IN THIS MATTER IS HERE, because everything you have told me has worked.

SO PLEASE CAN YOU HELP ME OUT AGAIN BEFORE THIS VIRUS TAKES OVER MY COMPUTER

      THANK YOU SO MUCH

      JENZO

      Malwarebytes' Anti-Malware 1.19
Database version: 899
      Windows 6.0.6001 Service Pack 1

      22:21:15 28/06/2008
      mbam-log-6-28-2008 (22-21-15).txt

      Scan type: Quick Scan
      Objects scanned: 34526
      Time elapsed: 7 minute(s), 51 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
      HERE IS A SYSTEM LOG

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 11:20:53, on 28/06/2008
      Platform: Windows Vista SP1 (WinNT 6.00.1905)
      MSIE: Internet Explorer v7.00 (7.00.6001.18000)
      Boot mode: Normal

      Running processes:
      C:\Windows\System32\smss.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\wininit.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\winlogon.exe
      C:\Windows\system32\services.exe
      C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\SLsvc.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\System32\spoolsv.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
      C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      C:\Windows\system32\IoctlSvc.exe
      C:\Windows\system32\svchost.exe
      c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
      C:\Windows\system32\taskeng.exe
      c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Windows\system32\taskeng.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Windows\RtHDVCpl.exe
      C:\Windows\System32\hkcmd.exe
      C:\Windows\System32\igfxpers.exe
      C:\Program Files\AVG\AVG8\avgtray.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
      C:\Program Files\Windows Sidebar\sidebar.exe
      C:\Users\JENZO\Program Files\DNA\btdna.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Program Files\Windows Media Player\wmpnetwk.exe
      C:\Program Files\BBC Alerts\BBC_Alerts.exe
      C:\Windows\system32\igfxsrvc.exe
      C:\Program Files\Spyware Doctor\pctsAuxs.exe
      C:\Program Files\Spyware Doctor\pctsSvc.exe
      C:\Program Files\Spyware Doctor\pctsTray.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\Windows\system32\wbem\wmiprvse.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
      O4 - HKLM\..\Run: [Skytel] Skytel.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
      O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\JENZO\Program Files\DNA\btdna.exe"
      O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O13 - Gopher Prefix:
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
      O20 - AppInit_DLLs: avgrsstx.dll
      O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
      O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
      O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

      --
      End of file - 7661 bytes
      The log is clean.
      I can see csrss.exe running, not cssrss.exe.
      csrss.exe is a legit Windows file.

      But when I run my Task Manager it has cssrss.exe & winlogon.exe running. When I try to stop them it just doubles up, so two are running then.

      BUT I take your word for it, everything is OK. This site has always sorted out my other viruses.

      THANK YOU SO MUCH

      JENZO
      winlogon.exe is also a legit Windows file, unless it's not located in C:\Windows\System32.
      Search your computer for it, and see where it's located.
      Can you post a screenshot showing Task Manager with cssrss.exe running? There is only one "s" difference between the legit and bad file.
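The two checks above (a process name one letter away from a real system binary, and a real name running from somewhere other than C:\Windows\System32) can be applied mechanically. The following is an added example, not from this thread; the table of expected directories and the sample process list are assumptions constructed for it.

```python
"""Flag Windows system-process lookalikes and out-of-place copies.

Added example (not from the thread): cssrss.exe (two s's) is a lookalike
of the legitimate csrss.exe, and winlogon.exe is only trustworthy when it
runs from C:\\Windows\\System32. Both rules are applied to a process list.
"""
from __future__ import annotations

import ntpath

# Core Windows binaries and the directory each is expected to run from.
# Assumed baseline for this example; extend it for your own environment.
EXPECTED_DIR = {
    "smss.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "wininit.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(path: str) -> str | None:
    """Return a finding for one full process path, or None if it looks normal."""
    directory, name = ntpath.split(path)
    name_l = name.lower()
    if name_l in EXPECTED_DIR:
        # Known name: it must come from its expected directory (case-insensitive).
        if ntpath.normcase(directory) != ntpath.normcase(EXPECTED_DIR[name_l]):
            return f"{name} running from unexpected location {directory}"
        return None
    # Unknown name: flag it if it is one edit away from a known system binary.
    for legit in EXPECTED_DIR:
        if edit_distance(name_l, legit) == 1:
            return f"{name} looks like {legit} (one-character difference)"
    return None


def check_process_list(paths: list[str]) -> list[str]:
    """Run check_process over a list of paths and keep only the findings."""
    return [f for f in (check_process(p) for p in paths) if f]


# Constructed sample in the shape of a HijackThis "Running processes" section.
SAMPLE = [
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\system32\csrss.exe",
    r"C:\Windows\system32\cssrss.exe",      # lookalike name
    r"C:\Windows\system32\winlogon.exe",
    r"C:\Windows\system32\svchost.exe",
    r"C:\Users\Public\winlogon.exe",         # legit name, wrong directory
    r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
]

if __name__ == "__main__":
    for finding in check_process_list(SAMPLE):
        print("FLAG:", finding)
```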

      2944.

      Solve : Malware Protector 2008 Attacked my PC...remnants remain?

      Answer»

      Hello, this is my first post so excuse me if I don't include everything needed for a proper assessment.

      I was attacked by this Malware Protector Virus and I think I removed most of it, but I still get that blue screen background when my computer reboots. It's got a yellow box in the middle that reads "Warning! Spyware Detected on you computer...etc."

      I'm not sure if there are any other issues at work silently that I'm not aware of, so I just wanted the experts to take a look. I read and followed this post "Read this before requesting malware removal help "

      Here are my logs in this order

      SuperAntispyware log
      Malwarebytes' log
      Hijackthis log


      [recovering disk space -- attachment deleted by admin]

      You're running two antiviruses: Avast, and Norton. One has to go.
      If you decide to uninstall Norton, use this: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
      If you remove Norton, you have to turn Windows firewall on. Let me know.

      OK, sorry I took so long to reply. I removed Norton by following your link, and turned on my Windows firewall.

      I'm gonna need a fresh HJT log.

      OK, here it is. Thank you

      [recovering disk space -- attachment deleted by admin]

      1. Print this post out, since you won't have access to it at some point.

      2. Close all windows, except for HijackThis.

      3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

      - O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
      - *O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      - *O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      - *O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
      - *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      - *O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      - O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
      - O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
      - *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      - O4 - HKCU\..\Policies\Explorer\Run: [aigxz] C:\WINDOWS\system32\aigxz.exe
      - O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
      - O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
      - O4 - Startup: gameutil.exe.lnk = ?
      - O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
      - *O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


      4. Click on Fix checked button.

      5. Restart computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears)

      6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

      7. DELETE following files/folders (if present):

      - aigxz.exe file from C:\WINDOWS\system32
      - Symantec Shared folder from C:\Program Files\Common Files

      8. Restart in Normal Mode.

      9. Post new HijackThis log.






      WOW holy crap, ok after I restarted the first time from safe to normal mode I got a very serious looking blue screen that talked about a physical memory dump taking place and that it was successful. There was a technical issue number that read something like this

      ***Stop: 0x00000050 {and etc}

      and something about BIOS

      I guess I should have written down what I saw for a better explanation, but I got really nervous and turned off my computer for fear of something HORRIBLE.

      But alas, it started up no problem this time and here is another HJT log.

      Invisible, I assume?...LOL

      Invisible haha, I don't know this language!?!?

      Quote

      here is another HJT log

      Where?

      Oops, here it is.

      [recovering disk space -- attachment deleted by admin]

      Your computer is clean

      1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
      Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
      Run CCleaner.

      2. Turn off System Restore:

      - Windows XP:
      1. Click Start.
      2. Right-click the My Computer icon, and then click Properties.
      3. Click the System Restore tab.
      4. Check "Turn off System Restore".
      5. Click Apply.
      6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
      7. Click OK.
      - Windows Vista:
      1. Click Start.
      2. Right-click the Computer icon, and then click Properties.
      3. Click on System Protection under the Tasks column on the left side
      4. Click on Continue on the "User Account Control" window that pops up
      5. Under the System Protection tab, FIND Available Disks
      6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
      7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
      8. Click OK

      3. Restart computer.

      4. Turn System Restore on.

      5. (optional) Download, and install free version of ThreatFire: http://www.threatfire.com/. It'll give you extra protection against malware. It won't interfere with your antivirus program

      6. Read "So how did I get infected in the first place?": http://www.castlecops.com/postlite7736-.html

      7. Let me know, how your computer is doing.

      THANK YOU SOOO MUCH, you guys are amazing!!

      You're very welcome
      Computer doing OK, I assume...?

      2945.

      Solve : Entry in Hijack log?

      Answer»

      That's how I got rid of them.
      Deckard's System Scanner v20071014.68
      Run by Dave on 2008-06-26 22:53:55
      Computer is in Normal Mode.
      --------------------------------------------------------------------------------



      -- HijackThis (run as Dave.exe) ------------------------------------------------

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 10:53:58 PM, on 26/06/2008
      Platform: Windows Vista SP1 (WinNT 6.00.1905)
      MSIE: Internet Explorer v7.00 (7.00.6001.18000)
      Boot mode: Normal

      Running processes:
      C:\Windows\System32\smss.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\wininit.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\services.exe
      C:\Windows\system32\winlogon.exe
      C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\Ati2evxx.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\SLsvc.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\Ati2evxx.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Windows\RtHDVCpl.exe
      C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
      C:\Program Files\Synaptics\SynTP\SynTPStart.exe
      C:\Program Files\ltmoh\ltmoh.exe
      C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
      C:\Program Files\Toshiba\SmoothView\SmoothView.exe
      C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
      C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
      C:\Program Files\ThreatFire\TFTray.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Alwil Software\Avast4\ashDisp.exe
      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
      C:\Program Files\Java\jre6\bin\jusched.exe
      C:\Windows\System32\spoolsv.exe
      C:\Program Files\Windows Sidebar\sidebar.exe
      C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
      C:\Windows\ehome\ehtray.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\taskeng.exe
      C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      C:\Program Files\Synaptics\SynTP\SynToshiba.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\agrsmsvc.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
      C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
      C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\rpcnet.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\ThreatFire\TFService.exe
      C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
      C:\Windows\system32\TODDSrv.exe
      C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
      C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
      C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\SearchIndexer.exe
      C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
      C:\Program Files\Windows Sidebar\sidebar.exe
      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
      C:\Windows\system32\conime.exe
      C:\Windows\system32\wuauclt.exe
      C:\Windows\system32\taskeng.exe
      C:\Users\Dave\Desktop\dss.exe
      C:\DOWNLO~1\Dave.exe
      C:\Windows\system32\wbem\wmiprvse.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://exclusive.aliant.net/home.jsp
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
      O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
      O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
      O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
      O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
      O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
      O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
      O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
      O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
      O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
      O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
      O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
      O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
      O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
      O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
      O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
      O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
      O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
      O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      End of file - 9819 bytes

      -- Files created between 2008-05-26 and 2008-06-26 -----------------------------

      2008-06-22 20:33:44 0 d-------- C:\Program Files\PSCS2
      2008-06-09 00:31:20 0 d-------- C:\Midi Files
      2008-06-08 16:18:21 0 d-------- C:\Program Files\Alwil Software
      2008-05-29 11:51:25 0 --a------ C:\Program Files\gditst
      2008-05-29 11:50:20 306688 --a------ C:\Windows\IsUninst.exe
      2008-05-26 13:26:31 0 d-------- C:\Program Files\SpeedFan


      -- Find3M Report ---------------------------------------------------------------

      2008-06-26 22:35:48 17408 --a------ C:\Windows\system32\rpcnetp.exe
      2008-06-26 22:35:45 47104 --a------ C:\Windows\system32\rpcnet.dll
      2008-06-26 22:32:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
      2008-06-25 17:50:04 0 d-------- C:\Program Files\Java
      2008-06-25 17:46:25 0 d-------- C:\Program Files\Common Files
      2008-06-12 03:07:21 0 d-------- C:\Program Files\Windows Mail
      2008-06-11 20:44:13 0 d-------- C:\Program Files\NCH Swift Sound
      2008-06-03 12:20:03 17408 --a------ C:\Windows\system32\rpcnetp.dll
      2008-05-25 11:53:35 0 d-------- C:\Program Files\coolpro2
      2008-05-23 16:11:15 0 d-------- C:\Program Files\Apple Software Update
      2008-05-23 16:07:18 0 d-------- C:\Program Files\iTunes
      2008-05-23 16:07:12 0 d-------- C:\Program Files\iPod
      2008-05-12 22:27:48 0 d-------- C:\Program Files\QuickTime
      2008-05-12 22:05:52 0 d-------- C:\Users\Dave\AppData\Roaming\Apple Computer
      2008-05-12 22:04:32 0 d-------- C:\Program Files\Bonjour
      2008-05-12 22:02:07 0 d-------- C:\Program Files\Common Files\Apple
      2008-05-11 19:57:07 0 d-------- C:\Users\Dave\AppData\Roaming\Media Player Classic
      2008-05-11 11:48:20 0 d-------- C:\Program Files\Microsoft Silverlight
      2008-04-30 11:42:01 0 d-------- C:\Program Files\ThreatFire
      2008-04-17 14:14:53 31007 --a------ C:\Users\Dave\AppData\Roaming\UserTile.png
      2008-04-05 14:13:53 174 --ahs---- C:\Program Files\desktop.ini
      2008-04-01 00:49:06 47104 --a------ C:\Windows\system32\rpcnet.exe


      -- Registry Dump ---------------------------------------------------------------

      *Note* empty entries & legit default entries are not shown


      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
      25/06/2008 05:50 PM  34816  --a------  C:\Program Files\Java\jre6\bin\jp2ssv.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 04:38 AM]
      "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 04:35 PM]
      "RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 08:26 AM C:\Windows\RtHDVCpl.exe]
      "NDSTray.exe"="NDSTray.exe" []
      "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/08/2007 04:31 AM]
      "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [09/01/2007 03:23 AM]
      "TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [29/03/2007 10:39 AM]
      "HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 04:49 PM]
      "SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [15/06/2007 09:01 PM]
      "00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [22/05/2007 04:32 PM]
      "Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [22/05/2007 10:50 AM]
      "ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [24/04/2008 07:52 PM]
      "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/12/2007 09:12 AM]
      "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
      "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
      "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
      "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [15/05/2008 08:19 PM]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [25/06/2008 05:50 PM]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 04:33 AM]
      "TOSCDSPD"="TOSCDSPD.EXE" []
      "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 04:33 AM]
      "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]

      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
      Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "ConsentPromptBehaviorAdmin"=2 (0x2)
      "EnableLUA"=0 (0x0)
      "EnableUIADesktopToggle"=0 (0x0)

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
      @="Volume shadow copy"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
      @="IEEE 1394 Bus host controllers"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
      @="SBP2 IEEE 1394 Devices"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
      @="SecurityDevices"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      LocalService  nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
      LocalSystemNetworkRestricted  hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad7b7f86-0bc7-11dd-a878-00a0d198404c}]
      AutoRun\command- F:\LaunchU3.exe


      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
      C:\Windows\system32\unregmp2.exe /ShowWMP

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
      %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



      -- End of Deckard's System Scanner: finished at 2008-06-26 22:54:38 ------------

      Everything looks OK. Don't know why HJT is disappearing.

      * Puzzled...I'm going to load it again and see what happens overnight.

      It's been 24 hrs. and Hijack is still on my laptop. It must have been the remnants of Norton that was messing things up. Another knock against Norton.

      Strange, but it may have been Norton.

      Is everything OK now?

      Yup, purring right along. Thanks

      2946.

      Solve : Not again...?

      Answer»

      AVG Free 8.0 just did a full system scan on my computer. After reading the total number of warnings, I'm worried. It says it found 24528 warnings, most of them are Adware.CoolWebSearch infections and tracking cookies, but I found one result called "Trojan.Zapchast".

      So my question to my heroes at CH: Do I need to get help from a malware removal specialist?

      I don't want to have to wait another 3 hours to do a scan, so I'm going to remove all the unhealed infections, but I've got a list of infections AVG found.

      OS: Windows XP Home Edition SP2
      Antivirus: AVG Free 8.0
      Antispyware: AVG Free 8.0
      Firewall: COMODO Firewall PRO 3
      Browser: Mozilla Firefox 3

      Thanks!

      You can't rely on just AVG. Download update and use SuperAntiSpyware as well as MalwareBytes.

      Quote from: evilfantasy on June 22, 2008, 10:46:52 AM

      You can't rely on just AVG. Download update and use SuperAntiSpyware as well as MalwareBytes.

      OK. Although AVG 8.0 has its own anti-spyware scanner now.

      But I'll still download SuperAntiSpyware and MalwareBytes.

      I've downloaded, installed and scanned with those two applications. Nothing was found.

      Dairyman...

      Visit Trend Micro's HouseCall...

      Run an online scan...this will take a while. This online scan will find and DISINFECT any "nasties" it finds on your PC.

      Afterwards...download and run HijackThis...and post the log here, so the Malware Specialists can take a look.

      Personally, I think AVG 8.0 is still having serious problems. In this case, being oversensitive, but...

      Download HijackThis:
      http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
      Click on Download HijackThis Installer
      Post HijackThis log.

      Thank you both for your replies.

      I will run the Trend Micro HouseCall and post a HJT log.

      ~~ dairyman

      Is it okay if I skip the Trend Micro HouseCall? I started it at something like 4:30 PM and it went on till 7:30 PM, so I canceled it because it was taking too long.

      Here's a HijackThis log.



      [recovering disk space -- attachment deleted by admin]

      Fix this entry.

      O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

      Were the "threats" actual files or were they just cookies?

      You mean AVG or the Trend Micro HouseCall?

      Trend Micro HouseCall mostly found updates that were not installed. I'll install them ASAP.

      Just for a double check, run this.

      Download Dr.Web CureIt! & save it to your desktop.
      • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
      • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
      • Once the short scan has finished, Click Options > Change settings
      • Choose the "Scan tab" and UNcheck "Heuristic analysis"
      • Back at the main window, click "Custom Scan", then "Select drives" (a red dot will show which drives have been chosen).
      • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
      • When done, a message will be displayed at the bottom advising if any viruses were found.
      • Click "Yes to all" if it asks if you want to cure/move the file.
      • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
        (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
      • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
      • Save the DrWeb.csv report to your desktop.
      • Exit Dr.Web Cureit when done.
      • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
      You can use Notepad to open the DrWeb.csv report by right clicking it and selecting Open with > Notepad

      2947.

      Solve : ShieldsUP!?

      Answer»

      I just ran some of the scans there http://www.grc.com/x/ne.dll?rh1dkyd2 and for the common ports it passed when I first visited the site, then I ran it again and it failed, so I closed it and decided to run it again and I passed all 3 times I ran it. It's the same way with the all service ports, and I passed the file sharing one every time. What does this mean? I think it failed those times because my computer tried to respond to the packets or something like that

      Hiccup?

      hmm maybe

      2948.

      Solve : Suspected Antivirus XP 2008 Infection?

      Answer»

      From the Combofix log.

      Quote

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c8512ae-954c-11db-8c23-00032511a4c7}]
      \Shell\AutoRun\command - E:\system\viewer\Viewer.exe
      \Shell\View your videos\command - E:\system\viewer\Viewer.exe

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c05356c-b427-11dc-8e73-00032511a4c7}]
      \Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e748df1-8696-11dc-8e36-00032511a4c7}]
      \shell\autorun\command - E:\LaunchU3.exe -a

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad9bb44-db12-11dc-8ead-00032511a4c7}]
      \Shell\AutoRun\command - E:\LaunchU3.exe -a
      Got it! - from the U3 references, I would guess that he had a flash drive attached. I'll have him scan it.

      Thank you for all of your help!

      Anything else to do? Computer seems to be back to normal!

      Yes, makes sense that it is a flash drive.

      Final steps.

      Let's clear out the programs we've been using to clean up your computer. They are not suitable for
      general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
      .
      • Click START then RUN
      • Now type Combofix /u in the runbox
      • Make sure there's a space between Combofix and /u
      • Then hit Enter.
      .
      .
      The above procedure will:
      • Delete:
        • ComboFix and its associated files and folders.
        • VundoFix backups, if present
        • The C:\Deckard folder, if present
        • The C:_OtMoveIt folder, if present
        • Reset the clock settings.
        • Hide file extensions, if required.
        • Hide System/Hidden files, if required.
        • Set a new, clean Restore Point.
        .
        ----------

        Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

        1. Double click OTMoveIt2.exe to launch it.
        Vista users right click and choose Run As Administrator
        2. Click on the CleanUp! button.
        3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
        4. Click YES at the next prompt (list DOWNLOADED, Do you want to begin cleanup process?)
        5. Once complete exit out of OTMoveIt2

        ----------

        Set a New Restore Point to prevent possible reinfection from an old one
        Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
        • Go to Start > Programs > Accessories > System Tools and click System Restore
        • Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
        • The new restore point will be stamped with the CURRENT date and time. Keep a log of this so you can find it easily should you need to use System Restore.
        • Next go to Start > Run and type Cleanmgr
        • Click OK
        • Click the More Options Tab.
        • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
        You can find instructions on how to enable and re-enable system restore here:

        Windows XP System Restore Guide or Windows Vista System Restore Guide
        .
        ----------

        Use the Secunia Software Inspector to check for out of date software.
        • Click Start Now
        • Check the box next to Enable thorough system inspection.
        • Click Start
        • Allow the scan to finish and scroll down to see if any updates are needed.
        • Update anything listed.
        .
        ----------

        Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

        If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

        ----------

        Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.

        Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

        To prevent unknown applications from being installed on your computer install WinPatrol 2008
        Using Winpatrol to protect your computer from MALICIOUS software

        Another thing I would suggest installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

        SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based BROWSERS like Firefox.
        *Using SpywareBlaster to protect your computer from Spyware and Malware
        *If you don't know what ActiveX controls are, see here

        Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

        Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

        @Evilfantasy - Thank you for all of your help!

        No problem.

        Safe surfing.....
        2949.

        Solve : Checkup?

        Answer»

        Heya Malware Specialists. I have a pretty interesting task here.

        One of my old 'experimental' laptops has been pretty much screwing around for the past few days (keyboard not working, CD drive not coming out, slowness, not starting up, not booting into Windows, etc...).
        It's like it's on strike....
        Strange thing is, I just hit the thing twice and the keyboard is working now...

        Anyways, I would really appreciate it if you could have a look at my experimental antivirus-less computer. I got a HijackThis log here:
        (excuse the time and date....the laptop is pretty old... )


        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 12:13:07 AM, on 02-Jan-01
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\System32\Atievxx.exe
        C:\Program Files\Executive Software\Diskeeper\DkService.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
        O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
        O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
        O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
        O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
        O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
        O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
        O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094074807773
        O17 - HKLM\System\CCS\Services\Tcpip\..\{F1E957A9-0D06-4CB5-AFBA-659202D5154B}: NameServer = 64.60.0.18,64.60.0.17
        O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
        O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
        O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

        --
        End of file - 3806 bytes


        Ha, I still use a Win98 fairly often. That's ancient!!

        Looks fine besides the few harmless fixes. You do have a Symantec service running. If you would like to get rid of it do this:

        Start > Run > type:

        sc stop SymWSC

        Then click OK.

        Next Start > Run > type:

        sc delete SymWSC

        Then click OK.

        Open Hijackthis and select Do a system scan only.

        Place a check mark next to the following entries: (if there)

        O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
        O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
        O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML


        Important: Close all windows except for Hijackthis and then click Fix checked.

        Exit Hijackthis.

        Will do, Thanks EF!

        Yeah, thanks again. Now the PF Usage when the computer Starts Up is 77mb

        That will go well with the (very) low amount of RAM it has.

        It was probably the Norton service running.

        Forgot to add to also delete the Symantec folder.

        C:\Program Files\Common Files\Symantec Shared

        Sure thing.

        2950.

        Solve : Computer running like a three legged dog.?

        Answer»

        Hi All

        I am running a 3GHz computer, with 1Gb of RAM, and an Nvidia GeForce 6600. I am running Windows XP Pro version 2002 Service Pack 2.

        In the last few months I have noticed that it is slowing down. It first started with taking ages to shut down. We are talking 5 mins, which is longer than my computer at work. It also takes about 3 mins to start up. I have always hibernated my computer because it's faster starting up, but now even that takes about 3 mins to decide it's awake.

        The final straw is now when I go to go into a program it spends 30 seconds making loud data noises and blinking a red light. Now that's normal and good, but I remember when it used to think for about 2 seconds before complying with a command. The response times are getting longer and longer and I want to fix it.

        The problem is I am not sure why my computer has gone from being a lightning bolt to a grandmother. Does anyone know why computers get slower, and how to fix it? I have tried defrags, disk optimizers, RAM optimizers, all the programs that are supposed to keep the computer running fast, but it doesn't work.

        Also when Norton Antivirus does its once weekly virus scan of all drives that's it - I can't do much else besides using Word because it slows the system down majorly.

        Any help will be greatly appreciated.

        Thanks
        Razor

        Have you checked your startup list to get rid of all unnecessary programs running in the background?

        The best thing you can do is get rid of Norton anti-virus which is a resource hog (see here.) Install AVG 8 (the free version is probably all you need). Run CCleaner to clear out temp & other unnecessary files, also to cleanup the registry.

        Good luck

        have you done a fresh restart of your computer within the last week?

        if you use hibernate (as i do for my laptop) you need to do a complete shutdown or restart so that the computer can clear its memory.

        Dusty: Thank you. I am considering getting rid of Norton. Just one question: Why do I have to go through all those steps to remove it? Won't the uninstall do the job?

        Programming_pat: Yes I have to restart my computer simply to keep it from stalling completely. I sometimes restart 3 times in a row to get it to run semi-smoothly. It gets a complete shutdown at least once a week. (Takes forever too)

        Quote

        Dusty: Why do I have to go through all those steps to remove it? Won't the uninstall do the job?

        The Norton uninstaller is not a very efficient tool, it will leave file(s) and registry entries behind. These may come under the names of Norton or Symantec, that's why you should search on both names.

        D.

        Norton is a real bear to remove. AVG is a very good replacement.

        Removing Norton is like removing a leech from one's nether regions - also it might have missed some malware that another anti-virus might see clearly. (AVG....)

        You may also...

        Download HijackThis:
        http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
        Click on Download HijackThis Installer
        Post HijackTHis log.

        We'll see what's running there.

        Thanks. Ok, here's the log. It's kinda gibberish to me, but if you can help it'd be great.

        Also I have used msconfig on the run command to take out any 'non essential' startup programs that might slow things down, and have also done registry scans and fixes. After I did this I found that if I shrank a program to the taskbar I couldn't tell it to go to the system tray, which I could before I started the clean up. I think I may have removed something that allows the taskbar to do this. Anyone know what it is?



        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 9:54:27 p.m., on 21/06/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
        C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        C:\WINDOWS\system32\brsvc01a.exe
        C:\WINDOWS\system32\brss01a.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
        C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
        C:\WINDOWS\System32\GEARSec.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
        C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
        C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
        C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
        C:\WINDOWS\system32\nvsvc32.exe
        C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
        C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
        C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
        C:\WINDOWS\system32\taskswitch.exe
        C:\WINDOWS\system32\RUNDLL32.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
        C:\Program Files\Customizer XP\RAMIdle.exe
        C:\WINDOWS\system32\Rundll32.exe
        C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
        E:\Hive Cleanup\uphclean.exe
        C:\WINDOWS\system32\WFXSVC.EXE
        C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
        C:\WINDOWS\system32\Fast.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
        C:\Program Files\Microsoft IntelliType Pro\itype.exe
        C:\Program Files\Microsoft IntelliPoint\ipoint.exe
        C:\WINDOWS\system32\fast.exe
        C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
        C:\Program Files\interMute\AdSubtract\AdSub.exe
        C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
        C:\WINDOWS\explorer.exe
        C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
        C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
        C:\Program Files\Avant Browser\avant.exe
        C:\WINDOWS\system32\wuauclt.exe
        E:\Hijackthis\HiJackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www1.web3000.com/redir/iepage.asp?sku=872
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www1.web3000.com/redir/iepage.asp?sku=872
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
        R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
        O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
        O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.25\SmrtShpr.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O2 - BHO: SurfingEnhancer - {57636FBF-8C24-0D22-E203-3D4DFA59E2A4} - C:\Program Files\SurfingEnhancer\SurfingEnhancer-1.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
        O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O2 - BHO: SmartEnhancer - {F608C2D0-846D-4F0E-E47A-88367C887707} - C:\Program Files\SmartEnhancer\SmartEnhancer-1.dll
        O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
        O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll
        O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
        O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
        O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
        O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
        O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe"
        O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
        O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
        O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
        O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
        O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
        O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
        O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\Registery booster\RegistryBooster 2\RegistryBooster.exe /S
        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
        O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
        O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
        O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm025YYNZ
        O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
        O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
        O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
        O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
        O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\COMPONENTS\en-nz\msntabres.dll.mui/229?a2943e292dd54475837fa350d01564b7
        O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?a2943e292dd54475837fa350d01564b7
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.0.25\SmrtShpr.dll
        O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
        O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
        O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
        O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
        O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
        O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
        O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
        O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
        O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
        O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
        O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
        O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
        O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
        O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
        O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
        O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
        O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
        O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
        O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
        O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
        O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Ulead Systems, Inc. - (no file)
        O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

        --
        End of file - 15218 bytes

        There's a 3-legged stray dog that lives on my street. He runs pretty well actually. I'm not kidding either. Whew, I think the malware experts are going to have a heyday with this one. I normally don't get involved in the malware cases, but I believe I see signs that you've got your browser and your system in general badly junked up with malware. Standby until one of the malware experts here gets back to you.

        In the mean time, look at the lines in your HijackThis report that start with "O2 - BHO:". That's where I noticed some junk, starting with MyWebSearch Search Assistant. Here's some info to digest while you're waiting:
        http://www.pchell.com/support/mywebsearch.shtml
        http://spywaredlls.prevx.com/RRDFCA44688083/SURFINGENHANCER-2.DLL.html
        http://www.castlecops.com/tk44492-SmartEnhancer.html

        First of all, never use any registry cleaners, if you're not sure what you're doing.
        What program did you use to play with registry? That's what we need to start with.

        Secondly, as soybean noticed, your computer has severe infections. That's another proof, how "good" Norton is.
        We'll deal with infections in a moment, but you need to answer my primary question, first.

        Ok, looks like I may be in some trouble. I actually used three programs, trying to see which one was best.
        One was Registry First Aid, which after getting it to fix about 400 entries I decided was not as good as Registry Repair 2005, which I ran beforehand and which fixed around 1100 entries. I also downloaded and used a trial registry cleaner named Registry Booster. As it was only a trial it fixed only 15 entries.

        I have also noticed that when I run Norton's One Button Checkup, it does a registry scan, which I have not paid much attention to in the past. This checkup runs about once a week.

        If you have Windows XP CD, go Start>Run, type in:
        sfc /scannow
        Click OK.

        Ok, I have done that. It ran this screen that said it was scanning for Windows components or something. Nothing happened though, no message after it finished. It didn't ask for any further commands. Does this mean that part's alright?
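The two HijackThis logs in this thread get read the same way by the helpers: "(no file)" and "(file missing)" items are orphans that are safe to fix, the MyWebSearch / SurfingEnhancer / SmartEnhancer entries are the junk soybean links to, and a Winsock LSP (O10) that appears over and over is a broken or hijacked provider chain. Here is a first-pass triage script that applies those same checks to a log. It is an added example, not code from the thread or from HijackThis; the sample lines are lifted from the two logs above, and the watch-list is constructed from the names the replies call out (it is a review aid, not a verdict on any entry).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample: a selection of lines from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1035
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SurfingEnhancer - {57636FBF-8C24-0D22-E203-3D4DFA59E2A4} - C:\Program Files\SurfingEnhancer\SurfingEnhancer-1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsonic\netsonic.dll
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Constructed watch-list: the unwanted-software names the replies in this thread point at.
WATCHLIST = ("mywebsearch", "surfingenhancer", "smartenhancer", "smartshopper", "funwebproducts")

# Every HijackThis item starts with its section code (R0-R3, O1-O24), then " - ".
LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """First-pass triage: orphaned items, watch-listed names, duplicated LSPs, proxy settings."""
    findings: List[Finding] = []
    lsp_counts: Counter = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, running-process list, "End of file", blank lines
        section, body = m.group(1), m.group(2)
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding(section, "orphaned entry: target file is gone", line))
        elif any(name in low for name in WATCHLIST):
            findings.append(Finding(section, "matches unwanted-software watch-list", line))
        if section == "O10" and "lsp:" in low:
            lsp_counts[low.split("lsp:", 1)[1].strip()] += 1
        if section == "R1" and "proxyserver" in low:
            findings.append(Finding(section, "browser proxy is set: confirm it belongs to software you installed", line))
    # A provider registered several times in the Winsock chain points at a broken or hijacked LSP stack.
    for dll, n in lsp_counts.items():
        if n > 1:
            findings.append(Finding("O10", f"LSP registered {n} times: duplicated Winsock provider", dll))
    return findings


def count_by_reason(findings: List[Finding]) -> Counter:
    """How many findings of each kind, keyed by the text before the first colon."""
    return Counter(f.reason.split(":")[0] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(count_by_reason(results))
```

Run against the full logs, the script leaves legitimate items such as the Java ssv.dll helper and the Diskeeper service alone and surfaces exactly the lines the helpers asked to be checked; the proxy finding is deliberately phrased as something to confirm, since local filtering software (AdSubtract, in this thread) also routes the browser through localhost.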