Explore topic-wise InterviewSolutions in .

The other day I opened an email from a friend. There was one word in the body of the email and it was "bitten". Since then, I have had close to 10,000 emails come into my inbox, all with the word "bitten" in the body of the letter. The subject line simply says; FWD;FWD;FWD all the way across the subject line. Can someone help me get rid of this mess? Thank you so much.Print these instructions out.

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until MENU appears; select Safe Mode; you'll see "Safe Mode" in all FOUR corners of your screen

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the END, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.Thank you. I'm printing out the instructions now and will begin to follow them. I'll let you know if this works. I truly appreciate your help.You're welcome Here is my log printed out .... the problem has not been fixed though. I followed all of your instructions .. any other suggestions?









SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 05:02 PM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 00:55:50

Memory items scanned : 179
Memory threats detected : 0
Registry items scanned : 4274
Registry threats detected : 5
File items scanned : 44965
File threats detected : 64

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][6].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][4].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][7].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][8].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][5].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][9].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version
does incredimail have a filter/spam system? You could filter out the messages with the word "bitten" in it for the time being while searching for an answer to why this happened?Good IDEA, but I've already tried to do that to no avail. It's not paying any attention to the command ... or at least that's the way it appears. Let me tell you something else. Earlier today I sent myself an email from another email address. I just simply wrote "testing" in the subject line. When it came into the inbox I'm trying to fix .... it had my FULL name in CAPITOL LETTERS as the person it was coming from, but then the next 6 or 7 emails after that had the word "testing" in it followed by the letters FWD: Every email that came in after that added another FWD: to the subject line, and the time on each email is exactly one minute apart from one another. Does any of that make sense??I need two other logs.
Don't expect anything being fixed, since we barely started.

mcxeb52!
Please, don't interrupt.I'll be patient .... I'm sorry, I didn't realize that last post was from someone else.Also, I meant to send you the log from the Malware that I downloaded.

Malwarebytes' Anti-Malware 1.11
Database version: 687

Scan type: Full Scan (C:\|)
Objects scanned: 80111
Time elapsed: 47 minute(s), 16 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
c:\program files\the weather channel fw\desktop weather\desktopweather.exe (Adware.Hotbar) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\the weather channel fw\framework\wxfw.dll (Adware.Hotbar) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DW4 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update loader (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\the weather channel fw\desktop weather\desktopweather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\program files\the weather channel fw\framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Did you INSTALL it? HJT doesn't show, it's installed.

I cannot install. Error on C drive.

Is there any way of getting RID of the infection(s) FIRST? I mean before installing the SP.Possible.
Quote

Error on C drive.

I had originally posted this in another thread, but as it wasn't totally relevant. I wasn't sure where to put it, so I guess here will do

I bought my computer brand new about 5 MONTHS ago, and I've noticed it has severely slowed down. It's taking about 10 MINTUES to start up, 5 minutes to shut down, and general applications take a long time to load - and even when they load, they are extremely slow/jumpy.

Here's a quick run-down of my computer's stats:


Acer Aspire M5630

Processor: Intel Core 2 Quad CPU @ 2.40GHz 2.40GHz
RAM: 2GB
Hard Drive: 250GB
O/S: Windows Vista Home Premium
Antivirus: AVG Free, Trend and Spybot


It's even struggling to keep up with my typing!! It wasn't like this when I got it, but it seems to be deteriorating very quickly... Also, I've noticed the computer tower is making that 'chugging' noise it makes on startup, only it just keeps on going.

Any ideas how to fix this? Is it likely to be a virus?

Thanks in advanceQuote

AVG Free, Trend

Quote

resident came up with a lot of registry changes from YAHOO Pager, MSN messenger and some other, I denied them all for the moment

But if antivir, spybot etc can't stop those, who/what can?

Also, I hope you dont mind if I put a link to this forum on my website:
www.darwinnewsblog.com ?

You're welcome Quote from: kimiisme

So, when I'm done installing those, I WOULD have (for EXAMPLE) :
Avast, Zone Alarm, AND Spyware Blaster all INSTALLED?

I have done a search of this virus on the internet and the only thing I can get is in other languages. I have tried quarantining the virus and it is locked. I have used multiple anti-virus programs in normal and safe mode. I am lost at this point and don't know what to do. I am also getting a winlogin.exe error message sometimes. Also over the weekend my computer caught something really funny and blocked it. It was called a port scan that my firewall detected. I am not sure if all these issues are related but I was wondering if I could get some HELP!! THANKSAntiVir PersonalEdition Classic
Report file date: Monday, March 31, 2008 16:56

Scanning for 1172454 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
USERNAME: SYSTEM
Computer name: BW1026

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 21:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 20:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 23:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 20:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 22:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 18:05:18
ANTIVIR2.VDF : 7.0.3.85 434176 Bytes 3/27/2008 18:06:54
ANTIVIR3.VDF : 7.0.3.98 60416 Bytes 3/31/2008 18:02:30
AVEWIN32.DLL : 7.6.0.78 3408384 Bytes 3/28/2008 18:07:16
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 18:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 15:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 21:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/25/2008 18:05:18
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 15:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 20:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 15:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 19:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 20:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 20:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 17:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+PCK,+SPR,

Start of the scan: Monday, March 31, 2008 16:56

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'qbupdate.exe' - '1' Module(s) have been scanned
Scan process 'wben.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'pctsTray.exe' - '1' Module(s) have been scanned
Scan process 'OpenXpAuto.exe' - '1' Module(s) have been scanned
Scan process 'ps2.EXE' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MXTask.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'wltrysvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MXTask.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'pctsSvc.exe' - '1' Module(s) have been scanned
Scan process 'pctsAuxs.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '38' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\cdosysh.dll.bak
[DETECTION] Is the Trojan horse TR/Agent.AGWX
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\mvpfufx.bak
[DETECTION] Is the Trojan horse TR/Agent.AGWX
[INFO] The file was moved to '48625198.qua'!
C:\WINDOWS\system32\ndjwi.bak
[DETECTION] Is the Trojan horse TR/Agent.AGWX
[INFO] The file was deleted!
Begin scan in 'D:\'


End of the scan: Tuesday, April 01, 2008 08:41
Used time: 15:44:31 min

The scan has been done completely.

4493 Scanning directories
653709 Files were scanned
3 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
1 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
653706 Files not concerned
13482 Archives were scanned
3 Warnings
0 Notes


Download and rename HijackThis (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• Upon install, HijackThis should open for you.
• Close HijackThis and rename it.
  
• Go to C:\Program Files\Trend Micro\HijackThis.exe
  
• Right click on HijackThis.exe and select Rename.
  
• Type in sniper.exe and press Enter.
  
• Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  
• From the desktop open Hijackthis.
• If using Windows Vista, Right-click and Run As Administrator.
  
• Click on the Do a system scan and save a log file button
  
• Hijackthis will scan and then a log will open in notepad.
• Copy and then PASTE the entire contents of the log in your post.
  
  • Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

• Virustotal
  
• Jotti's malware scan
  
• VirSCAN.org

• At the upload site, click once inside the window next to Browse.
  
• Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  
• Next click Send File/Submit/Upload (depending on the site)
  • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
• This will perform a scan across multiple different virus scanning engines.
• Please wait for all of the scanning engines to complete.
• Copy and then Paste the results in the next reply.

• Link 1
  
• Link 2

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad.
• Please copy and paste the log into your next reply

• Launch Malwarebytes' Anti-Malware.
• Click the Logs tab.
  
• Double-click log-mm.dd.yyyy [xxxxxx].txt

• Under the Main tab, put a check next to Select All.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Firefox browser:
  Click on Firefox at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Opera browser:
  Click on Opera at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Hello everyone

I have a serious problem with my laptop at the moment.

Bluntly it won't start properly lights on but no diskdrive light flashing or screen output

I decided it was time for a spyware check so started an AOL spyware scan and left it for about 2 HOURS closed (screen down). After returning to it the lights were on but the screen will not show anything after TRYING most of the buttons I tryed restarting only to find it unable to boot properly the light on the keyboard will show but nothing is responsive.

On power button it BOOTS up I can hear the sound of it booting up then suddenly it stops and dies down...but with lights still on with no screen output

If anyone could help me with this matter I would be very gratefull

~system

Can you boot into safe mode?Quote from: evilfantasy on April 01, 2008, 12:08:06 PM

Can you boot into safe mode?

Not sure what is going on. HD failure?

Might be time for a repair shop diagnosis. You might try posting in the Computer Hardware forum. They will probably know a few things to try.

Can anybody help with a solution for the removal of the above TROJAN thanksPrint these instructions out.

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the RIGHT, under "Complete Scan", choose PERFORM Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you WANT to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\DOCUMENTS and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.

Hi Every one! my XP SP2 is really slow me down it takes like more than 5minutes to restart and SHUTDOWN. I have done uninstall last program, cleaned registry, scanned spyware, disable some starup progs still have no luck. any other idea to cut down this slower startup and shutdown? Please! Thanks You so MUCH.

Firewall: COMODO Pro >Freeware
Anti Virus:NOD32 DISK defrag? Scandisk? Yes I have done that. Also I unplug all the removable device out of USB.How much Memory (ram) do you have? Plus, processor speed, hard drive size/free space.I have:
CPU 2.6+
Ram 2G
2HD 120GB Each
Some interesting things to read here http://www.windows-help-central.com/windows-xp-shutdown.html and here http://www.windows-help-central.com/windows-xp-slow-shutdown.html

Read through it and it may answer your question. It talks about possible causes to slow shutdown and some work a rounds.Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Click on Download HijackThis Installer
Post HijackTHis log.

I'd like to see what's running there.Quote from: Broni on March 30, 2008, 08:47:30 AM

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Click on Download HijackThis Installer
Post HijackTHis log.

I'd like to see what's running there.

Just noticed this with the new update.

Quote

March 29, 2008 avast! now contains a built-in anti-rootkit PROTECTION, built-in anti-spyware protection and new self-defense function to prevent active MALWARE from terminating avast! processes as well as corrupting avast! files and registry items

You're WELCOME

Avira AntiVir PersonalEdition Classic is a reliable FREE antivirus solution, that constantly and rapidly scans your COMPUTER for malicious programs (such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc.), .... this software is helpful for your computer, you can read more and DOWNLOAD in this link: http://www.dotqn.com/software.php?software=Avira%20AntiVir%20PersonalEdition%20Classic%207.06.00.268I RECOMMEND you get it directly from Avira instead.
http://www.free-av.com/en/download/index.html

here goes

[recovering space - ATTACHMENT deleted by admin]that was easy.
Sorry to SAY,it's my fault,that I did'nt do it this way,before.
Ichecked my back correspondance,and EVIL fantasy had explained how to do it,some time ago.
FrankHello
I posted the logfile,as requested.

So FAR,no response.Do I need to do more?
Frank

I inserted a REMOVABLE disk to my pc, when i scanned it with my nod32 antivirus, no virus was detected. However, when double clicked the icon a dialog box opened showing "Winzip Password". When i checked my ADDRESS bar it was already disabled. Spybot then asked for allow change of value or deny. I chose deny and the log showed this msg.

3/31/2008 12:34:02 PM Denied (based on USER decision) value "AutoRun" (NEW data: "C:\WINDOWS\pc-off.bat") added in Command processor!
3/31/2008 12:34:03 PM Denied (based on user decision) value "UserInit" (new data: "userinit.exe,bar311.exe") changed in Winlogon!

I think this is a new virus. I am hoping for your advice regarding this. Please help me. ThanksStart HERE

One of the malware specialists will be along to help once the LOGS are posted.

can anybody tell me what "zfe3.exe" is,.. it's turned up on my computer trying to change registry values. any and all help WELCOMED. thanks Your PC is infected. The file called ZFE3.EXE is considered unsafe and there may be other infections on your PC.

Please go to this thread and read the instructions for posting the required logs.

Once the logs are posted a member of the malware team will be along to assist you in further removal instructions.can anyone help me answering these question...

iNSTALLING A pc____________/eide HARD DRIVE
2.other equipment the same type as SATA and PATA
3.____________ commonly communicates on PORTS 137,138 and 139
4.A________ is used to refer to the system administrator and a Unix/Linux network and is an individual who has COMPLETE access to a netwotk.
5.wahat is the TERM also known as the net or the web

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20\PAR
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86\par
Copyright (c) Microsoft Corporation. All rights reserved.\par
\par
\par
Loading Dump File [C:\\Documents and Settings\\Owner\\Desktop\\Mini033008-02.dmp]\par
Mini Kernel Dump File: Only registers and stack trace are available\par
\par
Symbol search path is: *** Invalid ***\par
****************************************************************************\par
* Symbol loading may be unreliable without a symbol search path. *\par
* Use .symfix to have the debugger choose a symbol path. *\par
* After setting your symbol path, use .reload to refresh symbol locations. *\par
****************************************************************************\par
Executable search path is: \par
*********************************************************************\par
* Symbols can not be loaded because symbol path is not initialized. *\par
* *\par
* The Symbol Path can be set by: *\par
* using the _NT_SYMBOL_PATH environment variable. *\par
* using the -y argument when starting the debugger. *\par
* using .sympath and .sympath+ *\par
*********************************************************************\par
Unable to load image ntoskrnl.exe, Win32 error 0n2\par
*** WARNING: Unable to verify timestamp for ntoskrnl.exe\par
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe\par
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible\par
Product: WinNt, suite: TerminalServer SingleUserTS Personal\par
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700\par
Debug session time: SUN Mar 30 21:38:09.343 2008 (GMT+1)\par
System Uptime: 0 days 0:47:30.073\par
*********************************************************************\par
* Symbols can not be loaded because symbol path is not initialized. *\par
* *\par
* The Symbol Path can be set by: *\par
* using the _NT_SYMBOL_PATH environment variable. *\par
* using the -y argument when starting the debugger. *\par
* using .sympath and .sympath+ *\par
*********************************************************************\par
Unable to load image ntoskrnl.exe, Win32 error 0n2\par
*** WARNING: Unable to verify timestamp for ntoskrnl.exe\par
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe\par
Loading Kernel Symbols\par
...\par
Loading User Symbols\par
Loading unloaded module list\par
.................\par
*** WARNING: Unable to verify timestamp for hal.dll\par
*** ERROR: Module load completed but symbols could not be loaded for hal.dll\par
*******************************************************************************\par
* *\par
* Bugcheck Analysis *\par
* *\par
*******************************************************************************\par
\par
Use !analyze -v to get detailed debugging information.\par
\par
BugCheck 1000000A, \{80076e90, 2, 1, 806e4a16\}\par
\par
***** Kernel symbols are WRONG. Please fix symbols to do analysis.\par
\par
*************************************************************************\par
*** ***\par
*** ***\par
*** Your debugger is not using the correct symbols ***\par
*** ***\par
*** In order for this command to work properly, your symbol path ***\par
*** must point to .pdb files that have full type information. ***\par
*** ***\par
*** Certain .pdb files (such as the public OS symbols) do not ***\par
*** contain the required information. CONTACT the group that ***\par
*** provided you with these symbols if you need this command to ***\par
*** work. ***\par
*** ***\par
*** Type referenced: nt!_KPRCB ***\par
*** ***\par
*************************************************************************\par
*************************************************************************\par
*** ***\par
*** ***\par
*** Your debugger is not using the correct symbols ***\par
*** ***\par
*** In order for this command to work properly, your symbol path ***\par
*** must point to .pdb files that have full type information. ***\par
*** ***\par
*** Certain .pdb files (such as the public OS symbols) do not ***\par
*** contain the required information. Contact the group that ***\par
*** provided you with these symbols if you need this command to ***\par
*** work. ***\par
*** ***\par
*** Type referenced: nt!_KPRCB ***\par
*** ***\par
*************************************************************************\par
*********************************************************************\par
* Symbols can not be loaded because symbol path is not initialized. *\par
* *\par
* The Symbol Path can be set by: *\par
* using the _NT_SYMBOL_PATH environment variable. *\par
* using the -y argument when starting the debugger. *\par
* using .sympath and .sympath+ *\par
*********************************************************************\par
*********************************************************************\par
* Symbols can not be loaded because symbol path is not initialized. *\par
* *\par
* The Symbol Path can be set by: *\par
* using the _NT_SYMBOL_PATH environment variable. *\par
* using the -y argument when starting the debugger. *\par
* using .sympath and .sympath+ *\par
*********************************************************************\par
Probably caused by : ntoskrnl.exe ( nt+1528a9 )\par
\par
Followup: MachineOwner\par
---------\par
\par
}


I keep getting bsod's thats the memory dump ( please help.Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:17:10, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Debugging Tools for Windows\windbg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Keiran
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6881 bytes
Thats my hijack this log.I don't think it is malware.

You can have Hijackthis fix this one entry.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You may want to make a post in the Windows forum describing the problem.

I have some probem with my OS.
I have folder option in Tools menu, But whn I choose to show a FILES and press 'Apply+Ok' it doesnt work.
Hidden fies are not going to show. They remains hidden still.
Pls hep me how to recover this problem......
Do you have administrator privileges?

Post a Hijackthis log so we can see if anything is blocking access.
.
Download and rename HijackThis (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• UPON install, HijackThis should open for you.
• Close HijackThis and rename it.
  
• GO to C:\Program Files\Trend Micro\HijackThis.exe
  
• Right click on HijackThis.exe and select Rename.
  
• TYPE in sniper.exe and press Enter.
  
• Right-click on sniper.exe and select Send To > Desktop (create shortcut)

• From the desktop open Hijackthis.
• If using Windows Vista, Right-click and Run As Administrator.
  
• Click on the Do a SYSTEM scan and save a log file button
  
• Hijackthis will scan and then a log will open in notepad.
• Copy and then paste the entire contents of the log in your post.
  • Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Hello Again.

Well for some reason it came back with a vengence

I performed all the scans and here are the logs.

Any help would be appreciated.

Thanks in Advance
Mike

[recovering space - attachment deleted by admin]That was quick....I may wonder what web sites you visit, but I won't ask....hehehe

1. Close all windows, except for HijackThis.

2. PUT a checkmark next to the following HijackThis entry:

- F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,

3. Click on "Fix checked" button.

4. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

5. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

6. Delete following files/folders (if present):

- sbwltbxa.exe file from C:\WINDOWS\system32

7. Restart in Normal Mode.

8. Post new HijackThis log.Ebaumsworld Thats waht it was. I wasn't sue the first time, now I am.

[recovering space - attachment deleted by admin]HJT log is clean.

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the LEFT side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, FIND Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on. Create new Restore Point.

4. Download, and install CCLEANER: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

6. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malwares.
It won't interfere with your antivirus, nor firewall.

7. Let me know, how your computer is doing.
everythings cool again.

It just annoys me. Ebaums has been OK for years and all of a sudden it gives me headache after headache.

I guess I'm done there.Very well, then.

If you keep all your security up, and up to date, you should be able to visit any site.

here is hijack log part one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:09, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

part 2 of hijack log :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: SpoofBHO Class - {385066e0-23f3-11db-a98b-0800200c9a66} - C:\WINDOWS\se_spoof.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - C:\Program Files\IDA\idabar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\IRENE TOWNHILL\Application Data\Mozilla\Firefox\Profiles\pdfqk5km.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\IRENE TOWNHILL\Application Data\Mozilla\Firefox\Profiles/pdfqk5km.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

part 3 of hijack log :

O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://atlantis8.bigfishgames.com/Reef/en_DinerDash2/online/DinerDash2.1.0.0.48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097593749703
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150619473359
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=416f2d8e3983e6fe2c207fc01c08fa34/aff=t_25oa_ukca_wg/p/release/popcap/wg_bejeweled2/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories CACHE daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple COMPUTER, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - (no file)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 18283 bytesQuote

Topic: computer crashing and rebooting

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Click on the Save list button and specify where you would like to save this file and click Save.
  • When you press Save button a notepad will open with the contents of that file.
• Copy and paste that list in your reply.

Following a problem with a ROGUE website the other day, I installed Spybot SEARCH and Destroy which effectively dealt with that problem. HOWEVER I now keep getting messages from Spybot
"Search and Destroy has detected an important registry entry that has been changed.
Category: User-specific browser tool bar
Change: Value added
entry: (F O D 4 B 239-D A 4 B-4 D A F-81 E 4-D F E E 4931 A 4 A)
New data: hex: 39, B2, D 4, F 0, 4 B, D A, AF, 4 D, 81, E 4, D F, E E,)
Clicking on"?" Brings up:
Event TeaTimer [/i]
Spybot - Search & Destroy has detected a change to an Internet Explorer toolbar........

User interactions TeaTimer
Did you just try to install some Internet Explorer plugin? If it is not shown as a BAD one, you should proceed. If this happens out of the blue sky while surfing the web, you should get cautious."


How can I tell if this is GOOD or bad? I cannot find the answer in the Spybot tutorial.
I have always opted to deny the change elected for Spybot to remember that. Was that the correct decision ?
You may want to ask about that at the Spybot forums. http://forums.spybot.info/index.php

Are you 100% positive the malware is gone?Thanks, I will do that. Spybot reports no problems and Adaware also shows nothing. Is there anything else I should be doing to search for malaware?Work through this guide to check for malware.

As you may gather I am not too switched on in the COMPUTER business.
Perhaps someone can put me right in relation to Firewalls. I am running Vista Home Premium.
On my XP machine I used to run a Firewall (disabled Windows Firewall first), but am unsure with Vista whether I should run a firewall or just depend on Windows Defender? If I should run an additional firewall, should I disable Defender first?
I am twitchy about getting malware etc.
Cheers
Henry (Please ignore the AUSTRALIAN spelling Windows Defender won't interfere with a firewall.

Good third party firewalls include:
Comodo (in ADVANCED mode)
Zone Alarm
PC Tools FREE FirewallThanks mate, I have run Zone Alarm before and have a handle on how it works, so will give it a whirl.
Thanks again.
H

Not sure what it is about.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labled Restrictive Policies
• On the main window, check the box in section 4, labled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
• Check all boxes in Section 5, labled Registration Center.
• Click Go
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done

I was having some COMPUTER issues lately... some programs refuse to start up... UNLESS you try to OPEN it enough times... Firefox sometimes randomly starts up (it happened twice) then it gets real slow when starting up.

So I scanned with spybot, avast!, super anti spyware, and Kaspersky online SCANNER (I think I SPELT it wrong)
it found nothing.

So I ran Hijackthis... the log is in the next post.I deleted the 2 & 3rd posts and I uploaded the log file to this post.



[recovering space - attachment deleted by admin]

Hi,

I'm manged to run Combofix from the start/run way and it has rebooted my pc but seems to be taking a long time to prepare the log. Not sure how long i should wait or what to do next as it seems to have stalled.

SteveIf it goes too long then reboot again. The log can be found in C:\combofix.txtHi,

I can't seem to find the log file but when i rebooted the icon came up that i had no anti virus installed which i've not seen before. Also i was able to install AVG wihout anything blocking me. I think you may have finaly nailed the Bagle from *censored*.
Do you need me to do anything else or am i clean for now.

Cheers

SteveIf the log isn't in C:\combofix.txt then run Combofix again and post the log. It is important.Hi..

I ran combofix again and here's the log.
Let me know what you think.
Cheers
Steve



[recovering space - attachment deleted by admin]Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally and will help secure the work you have done.
.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

• Once you are on the Panda SITE click the Scan your PC button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Click the big Scan Now button
  
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan
• Note: It may take a couple of minutes

• When download is complete, click on My Computer to start the scan
  
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  
• Post the contents of the ActiveScan report in the next reply.

• Go to Start > All Programs > ACCESSORIES > System Tools > System Restore
  
• Select Create a restore point, and click Next.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Next to System Restore click Clean up...

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

PC Guard FOUND this on our machine but cannot delete it.

Any suggestions?Welcome to the COMPUTER Hope Computer Viruses and Spyware Forum.

In order to help you clean any malware on the computer we will need some more information from you and about the computer. Please GO to this thread and read the INSTRUCTIONS for posting the required logs.

Once the logs are posted a member of the malware TEAM will be along to assist you in further removal instructions.

I have recently discovered the Achilles' Heel of all Viruses, and I wish to share it with you. Since I have a Pentium III Computer, it is not practical for me to use a Firewall which makes my Computer unacceptably slow. The problem with Viruses is getting worse since last summer. I recently had a Virus download itself onto my system, and then replicate itself hundreds of times over!!! An unbelievable horror for the average person, but being Computer savvy I managed well. Using Shell, it only took me a few hours to find and DELETE all copies of the Virus. In case you're unaware, the detestable spammers who send out these Viruses use random IP numbers which means that they find you -- you don't have to download or open the Virus (as an attachment) yourself. Be aware that those irritating E-Mails you get telling you to forward it on to others can contain the instructions for downloading a Virus onto your Computer. So, DON'T OPEN THOSE E-MAILS! Also be aware that those "Windows Messenger Service" pop-up messages don't necessarily mean that your Computer has a Virus. They can come via your IP Address. You can disable the Messenger Service by entering the following Command in Shell: net stop "messenger".

Now, what is the Achilles' Heel of a Virus? Very simply, it is the DATE. A Virus downloaded onto your Computer will be given the current Date. All Windows System Files will have the original Date from Microsoft, or the Date you formatted the Hard Drive or you downloaded a Service Pack. This makes it easy to identify Viruses since they end in ".exe", ".com" or ".bat". Now, it is much much easier to find Viruses using Shell (Command Prompt) instead of the Windows File Manager. Attached are a couple Batch Commands I've written to make it easy to find Viruses in the System Directories, and to help protect your Hard Drive from being infected while logged onto the Internet. You will need to FAMILIARIZE yourself with using Shell if you aren't familiar with it -- check Windows Help.

The attached Batch Commands, for use in Shell, are as follows (you need to remove the ".txt" from the Filename):
virus_check -- which LISTS the contents of Windows Directories (Hidden and non-Hidden) beginning with the newest dates. This makes it quick and easy to find any new Virus. To find all potential Viruses on your Hard Drive, enter the following Command in Shell under the Root Directory : dir /a /o:-d /p /s. This will list all Files beginning with the newest dates.

virus_protect -- read its contents or use it with "?" to get a full description. This can only provide a small amount of protection to your system. You're still at risk while on the Internet.

logon.admin.bat -- backs up personal Files for the Administrator from "My Documents" to c:\backup. You can add other Users as desired. It also backs up c:\personal which I use for my personal Files. Rather than storing personal Files in Software-specific Directory Folders which makes it hard to backup your Files, I use this central personal Directory. I recommend that you do the same.

autoexec.bat -- This Command will add "c:\cmds" to your Computer's Command Path. I would suggest saving these four Commands to a new Directory "c:\cmds". The "autoexec.bat" Command is normally placed under the Root "c:\" Directory. If the "autoexec.bat" Command Name doesn't presently EXIST under c:\, you can copy this there. If "autoexec.bat" already exists, you can add the one line in this Command File to your existing "autoexec.bat" File using Notepad or Wordpad.

NOTE: If a Virus File has given itself the "Hidden", "System" or "Read Only" Attribute, you must remove these Attributes in order to delete the Virus File. In Shell use: attrib VIRUS -h -s -r. In the Windows Properties Box, you can only remove H and R.
This manual technique has worked for me. You do need to regularly LOG OFF of the Internet whenever you aren't using it. This is the best way to stop spammers. Also, when accessing the Internet, Log onto your Computer as a regular "User" instead of "Administrator". This will provide some additional protection. Good luck in removing your Viruses.

Mr. Terry Mester

[recovering space - attachment deleted by admin]

Not sure these came out the way they should...Long Scans...

[recovering space - attachment deleted by admin]New HJT...

[recovering space - attachment deleted by admin]Yea, the bdscan results are in html format so I just have to save it to my PC as html and then view the results online.... But the BitDefender online scan is again my favorite now they have upgraded it.

I am baffled that you are still stuck in Safe mode. Have you gone into MSCONFIG under BOOT.INI and checked that it is not set to boot in safe mode? Also click check boot paths.

HJT looks MUCH better then when we started. There is one entry that needs to be examined.

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - c:\windows\$ntservicepackuninstall$\svchost.exe (file missing)

This is running from the system32 folder so "could" be malicious.

Try to scan that file path with www.virustotal.com and see what results are given please.



Wakeup EF...i have managed to get this beast back into normal mode.....
There was a reference in startup called Windows\driver.bat......
Thinking an unknown batch file was conspicious i disabled it. This is because even with hidden files and folders on Search found nothing...
In normal mode i'm now getting rid of any unneeded apps and doing a general cleaning.
One hangupi'm having though isthere are still some Admin functions that are acting up...
Once again THANX a TON and let me know what's next.

patio.Nice find!!!!

Since we are now booting normal then we should take a look at a new HJT log. Could be some new nasties in the startups.Almost forgot. I ran across this not long ago researching another fix. It won't do anything for the malware but might fix the admin SETTINGS and give you some more control.

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

• Double-click FixPolicies.exe
  
• Click the Install button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies
  
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
  
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
• Delete the FixPolicies files and folders.

• Choose Yes to create a Restore Point
  
• Click Check For Updates > Yes
  
• Choose the Options tab > Heuristics and check Disable Heuristics
  
• Now choose Home > Scan System
  • Once The Cleaner is finished click Scan Report
    
  • Click Select All
    
  • Click Save Report as HTML
    
  • Name the report The Cleaner
    
  • Save it where it can easily be found like the Desktop and click Save
• Next click Repair Selected and choose Yes to accept the changes.
  • Now in The Cleaners Toolbar cilck File > Report
    
  • Once the report is generated, in Notepad click File > Save As
    
  • Name it TCReport and save it to the desktop.
  
  
• This log will be huge and MUST be added as an attachment in the next post
  
• Exit The Cleaner.
  
• Restart the Computer.

• When finished exit out of OTMoveIt2

Well, then we're stuck. I think, some of your system files got corrupted, so we need that CD. Can you borrow it from a friend?yes i will notice U when i get the cd
thanks OK.hi
i did find a way to fix the problem with a program called PRT
thank you for all
What the heck is PRT ? ?

here is a link to the program
http://www.download.com/PRT-Perlovga-Removal-Tool-/3000-2239_4-10668817.html?tag=lst-1
it did fix the problem
thx$9.95 is pretty STEEP price for a program, which claims to be good for removing just ONE PARTICULAR virus, especially when there are programs, which will do it for free.i KNOW but i did try it for free ...

hi, i need help how to remove this monaronadona spyware from my computer...can anyone please give me some instructions...Download and rename HIJACKTHIS (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• Upon install, HijackThis should open for you.
• Close HijackThis and rename it.
  
• Go to C:\Program Files\Trend Micro\HijackThis.exe
  
• Right click on HijackThis.exe and select Rename.
  
• Type in sniper.exe and press Enter.
  
• Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  
• From the desktop open Hijackthis.
• If using Windows Vista, Right-click and Run As Administrator.
  
• Click on the Do a system scan and save a log file button
  
• Hijackthis will scan and then a log will open in notepad.
• Copy and then paste the ENTIRE contents of the log in your post.
  
  • Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or EVEN required.
    
  .
  Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.
  
  Post the HJT log back here.

Hello,

I'll try to make this short and sweet without leaving out details. Basically, a few days ago, I would turn my computer on... a laptop running vista, and it would start to become very sluggish. After using the laptop for a while, it would completely freeze up, mouse wouldnt move, nothing. After I give it about a minute of being froze, it will all of the sudden come to... but when it does, my anti-virus software automatically disables itself, the notification pops up stating that I dont have any anti-virus software running, and then mcAfee restarts itself and the message goes away, and everything goes back to normal. Soon after everything is up and running again, superfetch crashes, and my whole computer slows down completely.. and then we start the cycle all over again. If I open any program on my computer, even pictures, music, etc... the computer freezes, anti-virus disables, then enables, and superfetch crashes.

I'm not sure if this is a virus? possibly a problem with McAfee, or something completely different which lead me to post this topic =)

Thanks!Go HERE and scroll down to the Hijackthis instructions. Post that log so we can take a look.Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:38 PM, on 3/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\COMPAQ Connections\3572475\Program\Compaq Connections.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=PRESARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://albertsons.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9057 bytes
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". See Viewpoint to Plunge Into Adware

It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  
• Viewpoint Experience Technology

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
  
• Copy everything in the Code box below, and paste it into the Input script here window:

• Now click the Execute button.
  
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will POPUP for you to view when you login after reboot.

• Please add the Avenger log in your next post.

• Link #1
  
• Link #2
  
• Link #3

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time PROTECTION before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• 
  
  • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
  Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
  
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
  ----------
  
  Next post
  Avenger log
  Combofix log
  

• Under the Main tab, put a check next to Select All.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Firefox browser:
  Click on Firefox at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Opera browser:
  Click on Opera at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

• Link 1
  
• Link 2

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad.
• Please copy and paste the log into your next reply

• Launch Malwarebytes' Anti-Malware.
• Click the Logs tab.
  
• Double-click log-mm.dd.yyyy [xxxxxx].txt

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hello-

My brother-in-law, was telling me that his computer is RUNNING slow. I told him about you GREAT people. They can't use word as WELL. Is Winword.exe a virus?

I ran AVG, Super Anti-spyware and Hijack this. Attached is the hijack this. For some reason I can't get the superspyware log. Thanks for the help.

[recovering space - attachment deleted by ADMIN]There is no indication of any malware.

Computer info, please.

Winword.exe is NOT a virus. It's part Of Micro$oft Word.

can u pls tell me wot this is my zone alarm say it is RUNNING but i have 2 close that 2 get on 2 google & use AVG

my curser keeps shooting all over the place sometimes

here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:12, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\APPLE\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Conquer 2.0\Conquer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Conquer 2.0\Conquer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

the rest of the log to big sorry

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone LABS\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PDUiP6220DMon] C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Registry Helper] "C:\Program Files\Registry Helper\RegistryHelper.Exe" /boot
O4 - HKCU\..\Run: [Disk Cleaner] "C:\Program Files\Disk Cleaner\DiskCleaner.Exe" /boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1197919246171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196690537421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - UNKNOWN owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10261 bytes
thank you 4 the help agin if poss If ZA is blocking your internet then you need to adjust the settings to allow it.

Or try a different firewall.

Comodo in advanced mode has been getting great reviews.

If you don't use it I would go to add/remove programs and uninstall the Ask Toolbar.thank you once again 4 helping me out

An active xp trojan got downloaded into my LAPTOP and when I tried to run spybot ,I get a blue screen error and win xp reboots.. It only does this under my admin acct, but my other acct has limited access,so I really cant do a virus scan .. I tried rebooting into safemode and I still get blue screen error message, even if I chose to run antivirus or spybot with run as in my limited acct..I don,t have my original boot disk that CAME with my pc... I am clueless how to get my limit acct to rid my pc of this trojan,without logging into or using run as with my admin acct... please help =/

the virus was called virus heat or something ..


also I tried running super antivirus,it crashed again, and crashed even running the ccleaner I did manage to get hijack to not crash , but it said was unable to locate host files



[recovering space - attachment deleted by admin]Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O18 - Protocol: bw10s - {10700710-7EF7-470F-AE6D-E4DC2905F961} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll <-- FIX ALL OF THE 018 - Protocal: ENTRIES!

IMPORTANT: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.


We will NEED some more information from you and about the computer. Please go to this thread and read the instructions for posting the required logs.

Post the logs back here when FINISHED, including a new Hijackthis log.

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0.1
Adobe® Photoshop® Album Starter Edition 3.2
Apple Software Update
Athlon 64 Processor Driver
Avanquest update
avast! Antivirus
Battlefield 2142
BitSpirit v3.3.2.100 Stable
CA Yahoo! Anti-Spy (remove only)
CABAL Online v3.3
GG E-Sports Platform
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Internet Download Manager
Java(TM) 6 Update 2
Java(TM) 6 Update 3
K-Lite Codec Pack 2.50 Full
LimeWire 4.16.4
Malwarebytes' Anti-Malware
Megaupload Toolbar
Messenger Plus! Live & Sponsor (CiD)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office PUBLISHER MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
Nero 7 Premium
NVIDIA ForceWare Network Access Manager
QuickTime
Realtek AC'97 Audio
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sony Ericsson PC Suite 3.102.00
TeamSpeak 2 RC2
Ulead Straight-to-Disc SDK
Update for Outlook 2007 Junk Email Filter (kb947945)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
WavePad Uninstall
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinFast PVR
WinFast(R) Display Driver
WinFox Setup
WinRAR archiver
Xfire (remove only)
XP Codec Pack
Yahoo! Toolbar
Yahoo! Toolbar

My pc is better now,at least it didn't call me to download anymore anti-virus since the trojans are remove using Malwarebytes.But,there is still one of the pop-ups still up.Hearte.exeDid you update java and uninstall the old versions?

Go to add/remove programs and uninstall:

Messenger Plus! Live & Sponsor (CiD) <- This program is not trusted. It contains adware (popups) and also trojans.

----------

PLEASE download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• 
  
  • From the keyboard select 1 and press Enter[/COLOR]
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
  Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
  
  • If Combofix RUNS into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
  .
  ----------
  
  Next post
  Combofix log
  

• Save it to your desktop.
  
• Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

• Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
  IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you.
  Right-click and choose Paste.
  
• Click the red Moveit! button.
  

hi guys,
recently my pc has been very slow by which i mean UTTERLY unusable. i have a lot of programs and stuff on it, most of which i dont KNOW what theyre for. i got a virus through msn but after several unsuccesful attempts to GET rid of it i left it because it only affected msn a bit. the pc was very slow BEFORE i got the virus. anyway it was very slow so i turned it off last night and, now my pc wont start up, when i switch it on, before the home screen comes on this message is displayed:
windows could not start because following file is missing or corrupt:
/windows/system32/config/system
you can attempt to repair this file by starting windows setup using the original setup CD-rom. select "r" to attempt to repair it.

i dont know what cd theyre talking about, i was going to do a RECOVERY but it means that id lose all my files. some of which i REALLY dont want to get rid of if possible. i can go into setup but i dont know what to do from there. i pressed r and nothing happened.
any advice or anything is greatly appreciated Lets try to remove the virus and the damage it has done then see if a repair is still needed.

Start HERE

Hi

Compaq presario C350EA
Windows XP media edition
SP2

I installed an unsigned driver for a webcam (Logitech) & I think it has caused some problems as my son started complaining of random shutdowns.

I noticed some KIND of error message upon restart along the lines of checksum error & advising me to check time/date (it was quite QUICK so I didn't have time to write the full message down).

The time & date had indeed been changed to February 2006.

I ran scans with Superantispyware, McAfee, Spybot & MalwareBytes with only the latter finding anything (which it managed to clean). I rescanned with MalwareBytes just make sure & it found no problems.

I have attached a HJT log if someone would be so kind as to check it for me, to see if there is any concerns I should have.

Thanks guys...



[recovering space - attachment deleted by admin]Don't see any malware.

An unsigned driver isn't a;ways a bad thing. It just means it is unsigned by Microsoft.

Try this.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

RUNDLL "error loading c:\WINDOWS\system32\tlilvaym.dll" "access is denied" I get this error message everytime my windows xp service 2 starts. please, someone guide me solve this problem.. Print these instructions out.

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close BROWSERS before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will APPEAR with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the PROMPTS to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.Scan Log Result:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/13/2008 at 01:35 AM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1409

Scan type : Complete Scan
Total Scan Time : 01:34:39

Memory items scanned : 164
Memory threats detected : 2
Registry items scanned : 5556
Registry threats detected : 98
File items scanned : 59265
File threats detected : 6

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\XXYABCC.DLL
C:\WINDOWS\SYSTEM32\XXYABCC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27A82D47-9A2A-4B39-B4EC-792BBDFD03FA}
HKCR\CLSID\{27A82D47-9A2A-4B39-B4EC-792BBDFD03FA}
HKCR\CLSID\{27A82D47-9A2A-4B39-B4EC-792BBDFD03FA}\InprocServer32
HKCR\CLSID\{27A82D47-9A2A-4B39-B4EC-792BBDFD03FA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{27A82D47-9A2A-4B39-B4EC-792BBDFD03FA}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\xxyabcc
C:\WINDOWS\SYSTEM32\NNNLMNK.DLL
C:\WINDOWS\SYSTEM32\GEBBCYA.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\AWTSQ.DLL
C:\WINDOWS\SYSTEM32\AWTSQ.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{EE9E2BDA-112A-45D1-881F-9BF5C85229AA}
HKCR\CLSID\{EE9E2BDA-112A-45D1-881F-9BF5C85229AA}
HKCR\CLSID\{EE9E2BDA-112A-45D1-881F-9BF5C85229AA}\InprocServer32
HKCR\CLSID\{EE9E2BDA-112A-45D1-881F-9BF5C85229AA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE9E2BDA-112A-45D1-881F-9BF5C85229AA}

Trojan.Smitfraud Variant/IE Anti-Spyware
HKLM\Software\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}

Adware.Tracking Cookie
C:\Documents and Settings\HENRY\Cookies\[emailprotected][2].txt

Malware.VirusProtect
HKCR\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}
HKCR\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}\1.0
HKCR\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}\1.0\0
HKCR\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}\1.0\0\win32
HKCR\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}\1.0\FLAGS
HKCR\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}\1.0\HELPDIR
HKCR\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}
HKCR\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}\ProxyStubClsid
HKCR\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}\ProxyStubClsid32
HKCR\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}\TypeLib
HKCR\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}\TypeLib#Version
HKCR\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}
HKCR\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}\ProxyStubClsid
HKCR\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}\ProxyStubClsid32
HKCR\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}\TypeLib
HKCR\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}\TypeLib#Version
HKCR\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}
HKCR\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}\ProxyStubClsid
HKCR\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}\ProxyStubClsid32
HKCR\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}\TypeLib
HKCR\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}\TypeLib#Version
HKCR\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}
HKCR\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}\ProxyStubClsid
HKCR\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}\ProxyStubClsid32
HKCR\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}\TypeLib
HKCR\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}\TypeLib#Version
HKCR\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}
HKCR\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}\ProxyStubClsid
HKCR\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}\ProxyStubClsid32
HKCR\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}\TypeLib
HKCR\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}\TypeLib#Version
HKCR\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}
HKCR\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}\ProxyStubClsid
HKCR\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}\ProxyStubClsid32
HKCR\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}\TypeLib
HKCR\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}\TypeLib#Version
HKCR\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}
HKCR\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}\ProxyStubClsid
HKCR\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}\ProxyStubClsid32
HKCR\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}\TypeLib
HKCR\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}\TypeLib#Version
HKCR\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}
HKCR\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}\ProxyStubClsid
HKCR\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}\ProxyStubClsid32
HKCR\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}\TypeLib
HKCR\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}\TypeLib#Version
HKCR\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}
HKCR\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}\ProxyStubClsid
HKCR\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}\ProxyStubClsid32
HKCR\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}\TypeLib
HKCR\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}\TypeLib#Version
HKCR\Interface\{A1922071-390C-418D-916D-91209E95D286}
HKCR\Interface\{A1922071-390C-418D-916D-91209E95D286}\ProxyStubClsid
HKCR\Interface\{A1922071-390C-418D-916D-91209E95D286}\ProxyStubClsid32
HKCR\Interface\{A1922071-390C-418D-916D-91209E95D286}\TypeLib
HKCR\Interface\{A1922071-390C-418D-916D-91209E95D286}\TypeLib#Version
HKCR\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}
HKCR\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}\ProxyStubClsid
HKCR\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}\ProxyStubClsid32
HKCR\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}\TypeLib
HKCR\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}\TypeLib#Version
HKCR\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}
HKCR\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}\ProxyStubClsid
HKCR\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}\ProxyStubClsid32
HKCR\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}\TypeLib
HKCR\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}\TypeLib#Version
HKCR\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}
HKCR\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}\ProxyStubClsid
HKCR\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}\ProxyStubClsid32
HKCR\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}\TypeLib
HKCR\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}\TypeLib#Version
HKCR\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}
HKCR\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}\ProxyStubClsid
HKCR\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}\ProxyStubClsid32
HKCR\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}\TypeLib
HKCR\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}\TypeLib#Version
HKCR\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}
HKCR\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}\ProxyStubClsid
HKCR\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}\ProxyStubClsid32
HKCR\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}\TypeLib
HKCR\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}\TypeLib#Version
HKCR\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}
HKCR\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}\ProxyStubClsid
HKCR\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}\ProxyStubClsid32
HKCR\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}\TypeLib
HKCR\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}\TypeLib#Version

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\HENRY\FAVORITES\ONLINE SECURITY TEST.URL


[recovering space - attachment DELETED by admin]Scan Log Result:

Malwarebytes' Anti-Malware 1.08
Database version: 483

Scan type: Full Scan (A:\|C:\|E:\|)
Objects scanned: 84006
Time elapsed: 33 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Helper (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{0ACA77E4-5B1A-4279-8FB8-B1F3D723CF32}\RP76\A0018429.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0ACA77E4-5B1A-4279-8FB8-B1F3D723CF32}\RP76\A0018430.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0ACA77E4-5B1A-4279-8FB8-B1F3D723CF32}\RP76\A0018432.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.


[recovering space - attachment deleted by admin]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:11:35 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Fujifilm FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {490db18e-a2c9-b71a-a514-9a80db15e9b7} - {7b9e51bd-08a9-415a-a17b-9c2ae81bd094} - C:\WINDOWS\system32\nexuhart.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [245a084b] rundll32.exe "C:\WINDOWS\system32\tlilvaym.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM27693bd7] Rundll32.exe "C:\WINDOWS\system32\owwjtsfc.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8120 bytes


[recovering space - attachment deleted by admin]*** Is Windows firewall ON?

*** You need to update your Java:
http://java.sun.com/javase/downloads/index.jsp
#4 - Java Runtime Environment (JRE) 6 Update 5
Uninstall all previous versions of Java through Add\Remove.

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

- O2 - BHO: {490db18e-a2c9-b71a-a514-9a80db15e9b7} - {7b9e51bd-08a9-415a-a17b-9c2ae81bd094} - C:\WINDOWS\system32\nexuhart.dll (file missing)
- *O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
- *O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
- *O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
- *O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- *O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
- *O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
- *O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
- *O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
- O4 - HKLM\..\Run: [245a084b] rundll32.exe "C:\WINDOWS\system32\tlilvaym.dll",b
- O4 - HKLM\..\Run: [BM27693bd7] Rundll32.exe "C:\WINDOWS\system32\owwjtsfc.dll",s
- *O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
- *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
- *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
- *O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
- O4 - Global Startup: Exif Launcher.lnk = ?


4. Click on "Fix checked" button.

5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

7. Delete following files/folders (if present):

- owwjtsfc.dll, tlilvaym.dll, nexuhart.dll files from C:\WINDOWS\system32

8. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

9. Restart in Normal Mode.

10. Turn System Restore on.

11. Post new HijackThis log.Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:55 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6006 bytes


[recovering space - attachment deleted by admin]Nice, and clean

Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

Let me know afterwards, how your computer is doing.hey, thanks again for your help.. really, i do appreciate your help.. now my computer is working fine. just an info, this last 3 days, i find it hard to view this website. is there any problem or just my computer?I'm glad, your computer is doing fine...
Nothing wrong with this web site, as far, as I know. What exactly HAPPENS, and in what browser?" the page cannot displayed" im using yahoo browser. but now its working just fine.. is there any problem with it?With Yahoo browser? I don't know...never used it.You can set your homepage to open in any browser...you don't need to use Yahoo's for all the same features...it's just a butchered version of IE anyways...which was butchered enough before Yahoo started using it.

I guess this question is for the hardcore MALWARE removal SPECIALISTS. What are the most common directories/places in an operating SYSTEM that viruses like Zlob, VIRTUMONDE, hotbar hide??

Where are the places I could MANUALLY search in C: to see if there were abnormalities?The most common areas.

Zlob - http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=2

Virtumonde - http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=2

Hotbar - http://www.symantec.com/security_response/writeup.jsp?docid=2003-080410-3847-99&tabid=2

What brought me here is a problem reinstalling my adobe CS1 - I had problems with acrobat and had to uninstall the entire suite. I was unable to reinstall...it got just so far and then just 'hung'. I spoke the the DELL cust. svc person who insisted I had to reinstall windows (which is a last resort). I thought I may have an intruder on my computer so I followed all the directions or what to do BEFORE I post my question...all the downloads, scans and logs. I am currenly running windows xp professional on a dell laptop. I am posting my logs and hope someone can HELP ME!!

[recovering space - ATTACHMENT deleted by admin]Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

I don't see anything malicious, have you tried to do any repairs to windows?

Here are a few methods to try.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue PROGRESS bar goes away

I am now downloading Smitfraudfix. I should mention though that otmoveit.exe seems to be a dead link, taking me only to "Problem loading page..." plus the same for "Spybot Searchand Destroy"All links fixed.
Uh - as far as I can tell, they are all dead links. TRIED 'em all - I remain in idle.

Bill By the way, I downloaded SmitFraudFix and can't seem to open it. The icon is there but it doesn't go anywhere. It toes to a "message" stating "Process exe file missing."

Bill.I just now opened each link.

Lets try this instead of smitfraudfix Bill, I'm Kevin.

Please download MALWAREBYTES' Anti-Malware (MBAM) to your desktop from either of these two links.

• Link 1
  
• Link 2

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Click Finish.
  
• If an update is found, it will download and install the latest VERSION.
• Once the program has loaded, select Perform full scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad.
• Please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

ok.. Did as you said here is fresh HJT log. seemed to be faster already!

[recovering space - attachment deleted by admin]Open HJT, and checkmark following line:
- O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
Click "Fix checked".

Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

When you're done, install extra RAM, and let me know, how your machine is doing.Ok.. did as you said and is running like a champ now! extra ram helped alot! Still don't have the full 512mb but have 480mb and is alot better than the 223mb it had before. Thank you so much?
Now that all being said. I still cannot change the background? When I go to> display properties > desktop, I can change the color and that is all, the wallpaper in the window is all grayed out and won't let me change anything?
So I was thinking it was due to a virus, but hasn't been fixed? So do you think I need to start a new TOPIC on this problem?
Any suggestions is greatly appreciated!
Again thanks so much for the help!I'm glad, computer is running fine

Quote

Still don't have the full 512mb but have 480mb

Ok DIFFERENT computer this time. My computer is running really slow...I ran a hijack this log which i will post for you to look at. I have windows 2000 professional on this one and I dont know much about anything else because i got it off my dad from his work place. It was free. I have AVG anti virus on here and spybot. I ran those and AVG picked up kernell.dll and user32.dll,ntoskrnl.exe,shell32.dll. I dont know if thats any concern but it just says changed and it comes up everytime i scan for viruses.
I am also running this off belkin wireless.



[recovering space - attachment deleted by admin]*** You need to update your Java:
http://java.sun.com/javase/downloads/index.jsp
#4 - Java Runtime Environment (JRE) 6 Update 5
Uninstall all previous versions of Java through Add\Remove.

*** Post computer specs: processor speed, amount of RAM, hard drive size/free space.

Print these instructions out.

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be CREATED on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful ITEMS that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Post NEW HijackThis log.

Hi evilfantasy

I've been AWAY with work but I'm back to see if we can sort this thing out!!

I have no idea how to disable my antivirus / anti spyware protection... I've looked through the list of gides provided via the link but I'm not sure it covers the programs that run on my computer.

I've got:

SUPERAntiSpyware Free Edition
Hijack This
AVG 7.5
CCleanerJust turn off AVG. Click here to see how.OK i've run the Combo scanner - the log is attached here:

[recovering space - attachment deleted by admin]Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

• Click Start , then Run
  
• Type notepad.exe in the Run Box.
  

The HJT log looks fine. TRY this.

Please download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labled Restrictive Policies
• On the main window, check the box in section 4, labled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
• Check all boxes in Section 5, labled Registration Center.
• Click Go
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done

• First go here to Download IE 7 to the desktop. (Don't install it yet)

• Uninstall the version of IE you have installed now, to do so follow these steps:
• Click Start
  
• Click Control Panel
  
• Double click Add or Remove PROGRAMS
  
• Scroll down until you find Internet Explore
  
• Then click Change/Remove, and follow the prompts.

• Note: If you are UNABLE to see IE7 in Add or Remove Programs follow these steps:

• Click Start
  
• Click Run
  
• Type or copy and paste, into the text box:

• %windir%\ie7\spuninst\spuninst.exe

• Then Press Enter
  
• Restart your computer.
  • Install the fresh version of Internet Explorer 7.

I was going to suggest making a new thread after the malware was gone. You may just need to reinstall the drivers.

Time to do some cleanup and secure the work you have done.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to BEGIN cleanup process?)
5. Once complete exit out of OTMoveIt2

This is a good time to clear your infected system restore points and establish a new clean restore point:

• Go to Start > All Programs > Accessories > System Tools > System Restore
  
• Select Create a restore point, and click Next.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Next to System Restore click Clean up...

I was going to suggest making a new thread after the malware was gone. You may just need to reinstall the drivers.

Time to do some cleanup and secure the work you have done.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

This is a good time to clear your infected system restore points and establish a new clean restore point:

• Go to Start > All Programs > Accessories > System Tools > System Restore
  
• Select Create a restore point, and click Next.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Next to System Restore click Clean up...

This will remove all restore points except the new one you just created.

Here are some great tools to help you keep from getting infected again.

Spybot Search & Destroy - A safe and effective spyware scanner.
* Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
* AVG Anti-Spyware User Manual

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware

Comodo BOClean - Stops trojans and many more malicious attacks.

Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
* Click here for a list of free firewalls.
* Why would I consider a third party firewall?
* Understanding and Using Firewalls

UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer.
* Help with Windows updates

Learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Let us know if anything else comes up.

Part 2

[1].txt
C:\Documents and Settings\Owner\COOKIES\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
[1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt

[2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][4].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][5].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\INSTALL.DAT
C:\DOCUMENTS AND SETTINGS\TEMP\APPLICATION DATA\INSTALL.DAT

Adware.OneStepSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0449909.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450905.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450906.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450907.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450912.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450927.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450928.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450929.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0479739.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0480729.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0480730.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0480731.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487820.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487824.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487825.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487826.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503147.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503149.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503150.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503151.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517594.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517835.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517836.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517837.EXE

Adware.eZula
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP974\A0526011.EXE

Trojan.Downloader-CREW
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP974\A0526525.DLL

Adware.Unknown Origin
C:\WINDOWS\SHOPPING.ICO

Adware.TrustInCash
C:\WINDOWS\SPYWAREREMOVAL.ICO

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HGJLM.BAK2
C:\WINDOWS\SYSTEM32\HGJLM.INI
C:\WINDOWS\SYSTEM32\LNNMP.INI2
C:\WINDOWS\SYSTEM32\PQTSS.BAK1
C:\WINDOWS\SYSTEM32\PQTSS.BAK2
C:\WINDOWS\SYSTEM32\PQTSS.INI

Trace.Known THREAT Sources
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7ERMBC7\upgrade[3].cab


On an aditional note the Anti-Virus program I downloaded was Avira AntiVir and it kept finding many copies of viruses in a directory called C:\System Volume Information\_restore(then some .dll or exe file) Antivir most were called "Dldr.ConHook.Gen

Thanks again for the helpLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:52 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Quote

it kept finding many copies of viruses in a directory called C:\System Volume Information\_restore

• Go to Start > All Programs > Accessories > System Tools > System Restore
  
• Select Create a restore point, and click Next.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Next to System Restore click Clean up...

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

Great place to find answers, read it every day.

I run a Dell Dimension 8400, Windows XP with all the latest UPDATES, and i
run Norton Internet Security 2008 version, with all updates turned on automatically.

I SEE a lot in the forums about MALWARE and different things to download, and just
wondered do i need malware protection or is Norton doing this as well.

From what i read about malware it seems as if Norton protects me, but i'm a novice and very curious.

Thanks in ADVANCE for any answers, not a hot priority, not having any problems jsut trying to learn about these things. I have both a antivirus and adware/malware program. I think to fully protect you, you have to have both...And I had norton before and didn't like it at all. SLOWS down the computer alot...I have norton and spy sweeper

AVG-http://free.grisoft.com/

Avast-http://www.avast.com/

and for firewall

Comodo http://www.personalfirewall.comodo.com/#



I would say keep norton if you want to feel safe but those 3 working together might do good Also I use the almighty
Firefox ---> http://www.mozilla.com/en-US/firefox/

Its faster, safer and very customizable you can choose from tons of add ons and skins....
Internet explorer can be filled with viruses
You should never have more than anti-virus program running at the same time.

Having more than one installed and running can create conflicts that at worst will leave your Windows installation unbootable.
Thanks for all the info, really a great forum.

Dear Experts,

Kindly really need your help to fix my problem, every time I turn on my computer, when first windows desktop open, there is a message box as follow:

16 Bit Ms-DOS Subsystem

C:\WINDOWS\system32\logcomd.exe
The NTVDM CPU has encountered an ILLEGAL instruction.
CS: 056a IP: 8100 OP: 63 74 6c 79 2E Choose 'Close' to terminate the application.

Kindly please ADVICE how to fix this problem...Thank you very much for your kind help Smiley

Regards,

JessieDo you KNOW what that file is?

If not then start HERE