slow, very slow to start up and won't open......
Author
Message
Posted 5/12/2008 9:54 AM
Associate Member
Group: Forum Members
Last Login: 8/5/2008 3:45 AM
Posts: 465, Visits: 490
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:25 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\fqwypvme\wvfxmypw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3942531886-1256799619-874574627-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3942531886-1256799619-874574627-500\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - HKUS\S-1-5-21-3942531886-1256799619-874574627-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-21-3942531886-1256799619-874574627-500 Startup: AutoPlay.exe (User '?')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: AutoPlay.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4744F88E-20A6-4B2F-9494-9D385F78C7A5}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\..\{A897ABF5-A8FD-4A27-9311-48287DE45314}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6975 bytes

  Post #239308
 
Posted 5/12/2008 2:44 PM


Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 35,658, Visits: 54,734
Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch; if it doesn't, launch it manually.
Please click Scan, and checkmark the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4744F88E-20A6-4B2F-9494-9D385F78C7A5}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\..\{A897ABF5-A8FD-4A27-9311-48287DE45314}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157


Click 'Fix Checked'.
Close HijackThis, and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt into your next reply.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, then restart your computer.



Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

* You might want to print/copy the following as you need to be in Safe Mode from here on.

* Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop


Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.



  Post #239319
 
Posted 5/12/2008 7:12 PM
Associate Member
Group: Forum Members
Last Login: 8/5/2008 3:45 AM
Posts: 465, Visits: 490
Whew...takes a long time to go through all those scans, etc....

Here is C:\fixwareout\report.txt:

Username "Administrator" - 05/12/2008 18:49:14 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdnlt.ren 73784 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MoneyStartUp"="C:\\Program Files\\Microsoft Money\\System\\Money Startup.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Here is sdfix report:


SDFix: Version 1.182
Run by Administrator on Mon 05/12/2008 at 07:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049161.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049162.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049163.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049164.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049165.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049166.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049167.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049168.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049169.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049170.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049171.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049172.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049173.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049174.DLL - Deleted
C:\Program Files\MediaVideoCodec\install.ico - Deleted
C:\Program Files\MediaVideoCodec\MediaVideoCodec.ocx - Deleted
C:\Program Files\MediaVideoCodec\Uninstall.exe - Deleted
C:\svchost.exe  - Deleted
C:\svchost2.exe  - Deleted
C:\WINDOWS\binret.exe  - Deleted
C:\WINDOWS\hjoqor.dll  - Deleted
C:\WINDOWS\sys.log  - Deleted
C:\WINDOWS\system32\drivers\atmapi.sys  - Deleted
C:\WINDOWS\system32\rc.dat  - Deleted
C:\WINDOWS\system32\rozmchild.dll  - Deleted
C:\WINDOWS\trayicons.exe  - Deleted
C:\WINDOWS\xcvwer.dll  - Deleted
C:\WINDOWS\system32\wowfx.dll  - Deleted

Folder C:\Program Files\MediaVideoCodec - Removed
Folder C:\Program Files\SystemDefender - Removed


Removing Temp Files

ADS Check :
 


Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 19:27:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AMERIC~1.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\trant.exe"="C:\\Documents and Settings\\Owner\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\trant.exe"="C:\\Documents and Settings\\Owner\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Jul 2001        94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Mon 30 Aug 2004        54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Mon 30 Aug 2004       156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Mon 30 Aug 2004        31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Thu  9 Aug 2001        64,512 A..H. --- "C:\WINDOWS\SYSTEM32\PackethSvc.exe"
Sun 16 Dec 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

and combofix report:

ComboFix 08-05-11.1 - Administrator 2008-05-12 19:40:33.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Administrator\Desktop\spyware stuff\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\ShoppingReport
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Owner\Start Menu\XP Antivirus 2008
C:\Documents and Settings\Owner\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
C:\Documents and Settings\Owner\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpantivirus.exe
C:\Program Files\XP Antivirus\xpantivirus.exe.tmp
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\Config.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\windisk.dll

.
(((((((((((((((((((((((((   Files Created from 2008-04-12 to 2008-05-12  )))))))))))))))))))))))))))))))
.

2008-05-12 19:07 . 2008-05-12 19:08 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 19:06 . 2008-05-12 19:36 <DIR> d----c--- C:\SDFix
2008-05-12 17:52 . 2008-05-12 18:53 <DIR> d----c--- C:\fixwareout
2008-05-12 14:44 . 2008-05-12 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 14:44 . 2008-05-12 14:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 10:22 . 2008-05-12 10:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-11 22:19 . 2008-05-11 22:22 <DIR> d-------- C:\Program Files\Wise Registry Cleaner 3
2008-05-11 21:33 . 2008-05-11 21:33 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-05-11 21:31 . 2008-05-12 11:08 <DIR> d-------- C:\Program Files\AVG
2008-05-11 20:37 . 2008-05-11 20:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-11 20:37 . 2008-05-11 22:02 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 20:35 . 2008-05-11 21:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 20:29 . 2007-11-20 14:57 <DIR> d----c--- C:\Documents and Settings\Administrator\WINDOWS
2008-05-11 20:29 . 2007-11-20 14:56 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-11 20:29 . 2008-05-11 20:29 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-05-11 20:29 . 2008-05-12 19:42 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 19:24 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-12 18:52 --------- d-----w C:\Program Files\fqwypvme
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-14 16:27 171448]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 16:52:06 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ    scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 19:43:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-05-12 19:49:22 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt  2008-05-12 23:49:18

Pre-Run: 68,808,192,000 bytes free
Post-Run: 68,262,584,320 bytes free

107 --- E O F --- 2007-12-17 12:07:39

Lastly, I tried to do the HijackThis scan but it keeps getting hung up and doesn't finish. I was able (I think) to delete the O17 lines though...

I have been booting in safe mode as it doesn't open to the user selection page as yet, and I am using another computer to post results of your directions... the sick one isn't ready for internet yet.. I need to load that

What would you like next, please.  And ty for all so far...

  Post #239349
 
Posted 5/13/2008 2:34 AM


Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 35,658, Visits: 54,734
Find and delete:
C:\Program Files\fqwypvme

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.



  Post #239357
 
Posted 5/13/2008 9:46 AM
Associate Member
Group: Forum Members
Last Login: 8/5/2008 3:45 AM
Posts: 465, Visits: 490
OK, I found the file to delete and did so... then I downloaded the scan prog and did a scan. I did it in safe mode. Here is the result:

main.txt...

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-13 10:19:47
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 10:28:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
F:\dss.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutoPlay.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe


--
End of file - 4892 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080512-183744-878 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
2 FWService - c:\program files\eacceleration\firewall\fwservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-12 21:21:01         0 d---s--c- C:\Documents and Settings\Guest\Cookies
2008-05-12 21:21:01         0 dr-h---c- C:\Documents and Settings\Guest\Application Data
2008-05-12 21:21:01         0 d---s--c- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-05-12 21:21:01         0 d------c- C:\Documents and Settings\Guest\Application Data\InterTrust
2008-05-12 21:21:01         0 d------c- C:\Documents and Settings\Guest\Application Data\Identities
2008-05-12 21:21:01         0 d------c- C:\Documents and Settings\Guest\Application Data\Adobe
2008-05-12 21:21:00         0 d------c- C:\Documents and Settings\Guest\WINDOWS
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\Templates
2008-05-12 21:21:00         0 dr-----c- C:\Documents and Settings\Guest\Start Menu
2008-05-12 21:21:00         0 dr-h---c- C:\Documents and Settings\Guest\SendTo
2008-05-12 21:21:00         0 dr-h---c- C:\Documents and Settings\Guest\Recent
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\PrintHood
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\NetHood
2008-05-12 21:21:00         0 dr-----c- C:\Documents and Settings\Guest\My Documents
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\Local Settings
2008-05-12 21:21:00         0 dr-----c- C:\Documents and Settings\Guest\Favorites
2008-05-12 21:21:00         0 d------c- C:\Documents and Settings\Guest\Desktop
2008-05-12 21:20:59    786432 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-05-12 19:38:09     68096 --a------ C:\WINDOWS\zip.exe
2008-05-12 19:38:09     49152 --a------ C:\WINDOWS\VFind.exe
2008-05-12 19:38:09    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-12 19:38:09    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-12 19:38:09    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-12 19:38:09     98816 --a------ C:\WINDOWS\sed.exe
2008-05-12 19:38:09     80412 --a------ C:\WINDOWS\grep.exe
2008-05-12 19:38:09     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 19:07:58         0 d-------- C:\WINDOWS\ERUNT
2008-05-12 14:44:54         0 d-------- C:\Program Files\Lavasoft
2008-05-12 14:44:54         0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 10:22:32         0 d-------- C:\Program Files\Trend Micro
2008-05-11 22:19:57         0 d-------- C:\Program Files\Wise Registry Cleaner 3
2008-05-11 21:33:55         0 d------c- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-05-11 21:31:04         0 d-------- C:\Program Files\AVG
2008-05-11 20:37:22         0 d-a----c- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 20:37:07         0 d-------- C:\Program Files\SpywareBlaster
2008-05-11 20:35:13         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 20:29:32         0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-11 20:29:32         0 d------c- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-11 20:29:31         0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2008-05-11 20:29:31         0 d------c- C:\Documents and Settings\Administrator\Desktop
2008-05-11 20:29:31         0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2008-05-11 20:29:31         0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2008-05-11 20:29:31         0 d------c- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-11 20:29:30         0 d------c- C:\Documents and Settings\Administrator\WINDOWS
2008-05-11 20:29:30         0 d--h---c- C:\Documents and Settings\Administrator\Templates
2008-05-11 20:29:30         0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2008-05-11 20:29:30         0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2008-05-11 20:29:30         0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2008-05-11 20:29:30         0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2008-05-11 20:29:30         0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2008-05-11 20:29:30         0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2008-05-11 20:29:30         0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2008-05-11 20:29:29   1572864 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-05-12 17:27:56      1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-11 20:35:13         0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"MoneyStartUp"="C:\Program Files\Microsoft Money\System\Money Startup.exe" [2000-07-19 12:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 16:52:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


-- End of Deckard's System Scanner: finished at 2008-05-13 10:43:37 ------------

extra txt;

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 27%
Physical Memory (total/avail): 511.53 MiB / 372.59 MiB
Pagefile Memory (total/avail): 1247.88 MiB / 1153.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.65 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 71.9 GiB total, 64.01 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (FAT)
G: is Removable (FAT)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-ZE8CXVR8TT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\YOUR-ZE8CXVR8TT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=YOUR-ZE8CXVR8TT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\eAcceleration\Station\station.exe" /UnRegister
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Atomic Pop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93AC2663-6946-490E-B4A4-FD126F318084}\setup.exe"
BlasterBall Wild --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42450D0B-8F0B-4EA2-90F6-6047F634ACC7}\setup.exe"
DarkOrbit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A6FF26C-34A4-11D5-A8E0-00A0CC663B7C}\setup.exe"
Detto Migration Kit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA9F6EF5-E48A-4E45-BC57-AA16193763B7}\Setup.exe"
Easy Internet Sign-up --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe"
GemMaster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B40514BB-56EC-11D5-A8E1-00A0CC663B7C}\setup.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Inactive HP ScanJet Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 sjunin.inf
InterVideo WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe"  REMOVEALL
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
KazooStudio --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Kazoo3D\KazooStudio\Uninst.isu" -c"C:\Program Files\Kazoo3D\KazooStudio\UnInst.dll"
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2001 --> MsiExec.exe /I{D085A1B6-90A4-11D3-82B7-00C04FA309DE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works and Money 2001 Setup Launcher --> C:\Program Files\Microsoft Works and Money 2001\Setup\Launcher.exe d:\
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MusicMatch\MusicMatch Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
My Photo Center --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\My Photo Center\Uninst.isu"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows --> C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
PigPen --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F20ADFD-5679-11D5-A8E1-00A0CC663B7C}\setup.exe"
Protect Your PC Presentation --> MsiExec.exe /I{64E86030-2A6F-4A59-8C44-3060C9A86393}
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
Python 1.5 combined Win32 extensions --> C:\PROGRA~1\Python\UNWISE~1.EXE C:\PROGRA~1\Python\W32INST.LOG
Python 1.5.2 (final) --> C:\PROGRA~1\Python\UNWISE.EXE C:\PROGRA~1\Python\INSTALL.LOG
Quicken Financial Center --> C:\PROGRA~1\QUICKE~1\rem\UNWISE.EXE /s C:\PROGRA~1\QUICKE~1\rem\INSTALL.LOG
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
S3 Gamma --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3 Gamma'
S3 Savage4 Family Display Switch2 Utility --> S3Uninst.exe -reg 5 HKLM\SOFTWARE\S3\S3Uninst\S3Switch2
SabreWing 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FD84C01-F268-4E99-A7D5-533D04722C4B}\setup.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Speedway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42977380-5628-11D5-A8E1-00A0CC53785B}\setup.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
StopSign by eAcceleration --> C:\PROGRA~1\COMMON~1\EACCEL~1\INSTAL~1\eaccelsetup.exe -AddRemove
Studio --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Pinnacle\Studio\Studio7.isu" -a -cC:\WINDOWS\Studio7.dll
Tcl 8.0.5 for Windows --> C:\PROGRA~1\Tcl\UNWISE.EXE C:\PROGRA~1\Tcl\INSTALL.LOG
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
War Games Virtual Warfare Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0413C01D-638A-496B-AD24-56309C8775D7}\setup.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type453 / Error
Event Submitted/Written: 05/12/2008 08:56:35 PM
Event ID/Source: 1803 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to load instances of FirewallProduct from WMI.

Event Record #/Type452 / Warning
Event Submitted/Written: 05/12/2008 08:55:44 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type451 / Warning
Event Submitted/Written: 05/12/2008 08:55:38 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type448 / Warning
Event Submitted/Written: 05/12/2008 08:34:04 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type444 / Error
Event Submitted/Written: 05/12/2008 08:27:09 PM
Event ID/Source: 1803 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to load instances of FirewallProduct from WMI.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14440 / Error
Event Submitted/Written: 05/13/2008 10:43:16 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Event Record #/Type14439 / Error
Event Submitted/Written: 05/13/2008 10:41:15 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Event Record #/Type14438 / Error
Event Submitted/Written: 05/13/2008 10:38:55 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Event Record #/Type14437 / Error
Event Submitted/Written: 05/13/2008 10:36:55 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Event Record #/Type14436 / Error
Event Submitted/Written: 05/13/2008 10:34:55 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

-- End of Deckard's System Scanner: finished at 2008-05-13 10:43:37 ------------

ty...will wait for your reply...ty again.

  Post #239380
 
Posted 5/13/2008 10:44 AM


Senior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 35,658, Visits: 54,734
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - Startup: AutoPlay.exe
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)



Download and scan with CCleaner:
http://www.ccleaner.com/downloadbuilds.asp
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
* Clean all entries in the "Internet Explorer" section except Cookies.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.

In the Applications Tab:
* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.


Please download/install Avira AntiVir Personal - FREE Antivirus:
http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double-click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u6'.
3. Click the "Download" button to the right.
4. Select the Platform and Language for your download, then check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language - jre-6u6-windows-i586-p.exe' [15.21 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Click Start and choose Control Panel:
- In Control Panel double click on the "Programs and Features" icon.
- Here you can find all the programs and items which are installed in Windows Vista.
- Now remove all older versions of Sun Java.
9. Click on any item with Java Runtime Environment (JRE or J2SE) in the name to uninstall/remove it.
10. Repeat as many times as necessary to remove each Java version.
11. Reboot your computer once all Java components are removed.
12. Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.


Restart your PC normally, and let me know what's happening now.



  Post #239381
 
Posted 5/13/2008 12:23 PM
Associate Member

Group: Forum Members
Last Login: 8/5/2008 3:45 AM
Posts: 465, Visits: 490
Whew... takes a long time, but there is some improvement, I think. I am still starting the computer in safe mode; when I do normal, it takes forever to load and it goes to a user other than Administrator, and I can't get to Administrator either. How do I delete all other users? I would like this to be clean as new, without any other users, if possible. Here is the scan report:

Let me know what you need next please and once again TY very much.

Avira AntiVir Personal
Report file date: 2008-05-13  12:40

Scanning for 1165085 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Save mode with network
Username:         Administrator
Computer name:    YOUR-ZE8CXVR8TT

Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes  2008-04-09 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes  2008-03-18 15:02:56
AVSCAN.DLL    : 8.1.1.0         53505 Bytes  2008-02-07 14:43:37
LUKE.DLL      : 8.1.2.9        151809 Bytes  2008-02-28 14:41:23
LUKERES.DLL   : 8.1.2.1         12033 Bytes  2008-02-21 14:28:40
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes  2007-07-18 16:33:34
ANTIVIR1.VDF  : 7.0.3.2       5447168 Bytes  2008-03-07 19:08:58
ANTIVIR2.VDF  : 7.0.3.62       337408 Bytes  2008-03-21 01:12:34
ANTIVIR3.VDF  : 7.0.3.68        57856 Bytes  2008-03-25 14:27:50
Engineversion : 8.1.0.28 
AEVDF.DLL     : 8.1.0.5        102772 Bytes  2008-02-25 15:58:21
AESCRIPT.DLL  : 8.1.0.19       229754 Bytes  2008-04-07 21:34:44
AESCN.DLL     : 8.1.0.12       115060 Bytes  2008-04-07 21:34:44
AERDL.DLL     : 8.1.0.19       418164 Bytes  2008-04-07 21:34:44
AEPACK.DLL    : 8.1.1.0        364918 Bytes  2008-03-18 17:20:42
AEOFFICE.DLL  : 8.1.0.15       192889 Bytes  2008-04-07 21:34:44
AEHEUR.DLL    : 8.1.0.15      1147253 Bytes  2008-04-07 21:34:44
AEHELP.DLL    : 8.1.0.11       115061 Bytes  2008-04-07 21:34:43
AEGEN.DLL     : 8.1.0.15       299379 Bytes  2008-04-07 21:34:43
AEEMU.DLL     : 8.1.0.5        430450 Bytes  2008-04-07 21:34:43
AECORE.DLL    : 8.1.0.25       168309 Bytes  2008-04-08 15:58:32
AVWINLL.DLL   : 1.0.0.7         14593 Bytes  2008-01-23 23:07:53
AVPREF.DLL    : 8.0.0.1         25857 Bytes  2008-02-18 16:37:50
AVREP.DLL     : 7.0.0.1        155688 Bytes  2007-04-16 19:26:47
AVREG.DLL     : 8.0.0.0         30977 Bytes  2008-01-23 23:07:49
AVARKT.DLL    : 1.0.0.23       307457 Bytes  2008-02-12 14:29:23
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes  2008-02-28 14:31:31
SQLITE3.DLL   : 3.3.17.1       339968 Bytes  2008-01-22 23:28:02
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes  2008-01-23 23:08:39
NETNT.DLL     : 8.0.0.1          7937 Bytes  2008-01-25 18:05:10
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes  2008-03-10 20:37:25
RCTEXT.DLL    : 8.0.32.0        86273 Bytes  2008-03-06 18:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2008-05-13  12:40

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
14 processes with 14 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [INFO]      No virus was found!
Master boot sector HD1
      [INFO]      No virus was found!
Master boot sector HD2
      [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [INFO]      No virus was found!

Starting to scan the registry.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!

The registry was scanned ( '34' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\sysaqdd.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysbddz.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysfblv.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysfskh.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysfwmr.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysgqyy.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\syshpoy.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\syshzrt.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysmbkg.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysmlqy.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysopqg.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\syspwql.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysqmah.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysshcc.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\syssuof.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\systtqy.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysxgar.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\sysznwo.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\AutoPlay.exe
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\Documents and Settings\Owner\My Documents\codecmpg1459.exe
      [DETECTION] Contains detection pattern of the dropper DR/Dldr.DNSChanger.Gen
      [NOTE]      The file was deleted!
C:\hp\bin\AUTOPLAY.EXE
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\QooBox\Quarantine\C\Program Files\ShoppingReport\Uninst.exe.vir
      [DETECTION] Contains detection pattern of the dropper DR/MartShop.2
      [NOTE]      The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\windisk.dll.vir
      [DETECTION] Is the Trojan horse TR/Dldr.Small.gxo
      [NOTE]      The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nvrsma.dll.vir
  [0] Archive type: RSRC
  --> Object
      [DETECTION] Is the Trojan horse TR/Drop.Agent.CAN.1
      [NOTE]      The file was deleted!
C:\SDFix\backups\backups.zip
  [0] Archive type: ZIP
  --> backups/A0049161.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049162.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049163.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049164.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049165.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049166.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049167.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049168.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049169.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049170.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049171.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049172.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049173.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/A0049174.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
  --> backups/rozmchild.dll
      [DETECTION] Is the Trojan horse TR/Spy.Banker.HR
  --> backups/svchost.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.ffl
  --> backups/svchost2.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.ffl
  --> backups/trayicons.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
  --> backups/Uninstall.exe
      [DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
  --> backups/xcvwer.dll
      [DETECTION] Is the Trojan horse TR/Zlob.DCA
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0049137.exe
      [DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052129.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052131.exe
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052132.exe
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052133.exe
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052134.exe
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052135.exe
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052136.dll
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052137.dll
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052138.dll
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052139.dll
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052140.dll
      [DETECTION] Is the Trojan horse TR/Agent.cpt.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052215.exe
      [DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052216.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.ffl
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052217.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.ffl
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052221.dll
      [DETECTION] Is the Trojan horse TR/Spy.Banker.HR
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052222.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052223.dll
      [DETECTION] Is the Trojan horse TR/Zlob.DCA
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052260.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052261.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052262.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052263.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052264.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052265.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052266.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052267.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052268.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052269.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052270.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052271.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052272.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052273.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052280.dll
      [DETECTION] Is the Trojan horse TR/Spy.Banker.HR
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052281.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.ffl
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052282.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.ffl
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052283.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052284.exe
      [DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052286.dll
      [DETECTION] Is the Trojan horse TR/Zlob.DCA
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052328.exe
      [DETECTION] Contains detection pattern of the dropper DR/MartShop.2
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052329.dll
  [0] Archive type: RSRC
  --> Object
      [DETECTION] Is the Trojan horse TR/Drop.Agent.CAN.1
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0052330.dll
      [DETECTION] Is the Trojan horse TR/Dldr.Small.gxo
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055007.exe
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055008.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055009.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055010.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055011.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055012.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055013.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055014.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055015.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055016.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055017.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055018.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055019.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055020.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055021.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055022.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055023.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055024.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055025.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055026.exe
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055027.exe
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP47\A0055028.EXE
      [DETECTION] Is the Trojan horse TR/Agent.EAD
      [NOTE]      The file was deleted!
C:\WINDOWS\1ku07guf.exe
      [DETECTION] Is the Trojan horse TR/Delf.KH.12
      [NOTE]      The file was deleted!
C:\WINDOWS\5qe218pe.exe
      [DETECTION] Is the Trojan horse TR/Delf.KH.12
      [NOTE]      The file was deleted!
C:\WINDOWS\z3xaz4wt.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Alphabet.LH1
      [NOTE]      The file was deleted!


End of the scan: 2008-05-13  13:13
Used time: 33:28 min

The scan has been done completely.

   3443 Scanning directories
 195979 Files were scanned
    112 viruses and/or unwanted programs were found
      2 Files were classified as suspicious:
     93 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 195867 Files not concerned
  11763 Archives were scanned
      1 Warnings
     93 Notes

  Post #239384
 
Posted 5/13/2008 1:15 PM
Associate Member


Group: Forum Members
Last Login: 8/5/2008 3:45 AM
Posts: 465, Visits: 490
I forgot to say that it takes about 7 minutes for the computer to start "normally", 2 minutes to go to add/remove and another 2 min to get to see the all programs screen....that is why I am still doing safe mode..it is quite a bit faster.  What do you think??
  Post #239388
 
Posted 5/13/2008 2:18 PM


Senior Forum Moderator


Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 35,658, Visits: 54,734
Wow, this PC is certainly badly infected; it's no wonder you're experiencing issues.

Download/install and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under 'Action (Default)', using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

If you require help see this CounterSpy V2 tutorial:
http://www.2-spyware.com/news/post202.html


Run F-Secure Online Scanner.
Note:
This scanner is for Internet Explorer only.
* Click on Online Services and then Online Scanner.
* Accept the License Agreement.
* Once the ActiveX control installs, click Full System Scan.
* Once the download completes, the scan will begin automatically.
* The scan will take some time to finish, so please be patient.
* When the scan completes, click the Automatic cleaning (recommended) button.
* Click the Show Report button, then copy and paste the entire report into your next reply.


  Post #239391
 
Posted 5/13/2008 4:57 PM
Associate Member


Group: Forum Members
Last Login: 8/5/2008 3:45 AM
Posts: 465, Visits: 490
Well now, it took 3x to get the counterspy loaded.....and it won't load when puter is in safe mode either.  It still takes forever to load and forever to access all programs too.  When I click on something to open it there is at least a five minute interval before something happens.  I finally got through the scan and am trying to get to notebook to save results file to add here.......I see where someone said patience is a virtue.  I finally had to shut it down and reboot in safe mode to access the file, load it on a mem stick to send via another computer.  Also I am still unable to access the internet as yet with this beast, although I haven't really tried.

results of scan....

Scan History Details
Start Date: 2008-05-13 04:36:32
End Date: 2008-05-13 05:22:38
Total Time: 46 Min 6 Sec
Detected security risks

KaZaA P2P Program
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored

Registry entries detected
HKEY_USERS\S-1-5-21-3942531886-1256799619-874574627-1003\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-3942531886-1256799619-874574627-1003\SOFTWARE\KAZAA\LocalContent


Bifrost Backdoor
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Quarantined

Registry entries detected
HKEY_USERS\S-1-5-21-3942531886-1256799619-874574627-1003\SOFTWARE\WGET


Cookie: Tracking Cookies Cookie (General)
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\owner\cookies\owner@ad.yieldmanager[1].txt
c:\documents and settings\owner\cookies\owner@adopt.specificclick[2].txt
c:\documents and settings\owner\cookies\owner@amazon[2].txt
c:\documents and settings\owner\cookies\owner@atdmt[1].txt
c:\documents and settings\owner\cookies\owner@doubleclick[1].txt
c:\documents and settings\owner\cookies\owner@questionmarket[2].txt
c:\documents and settings\owner\cookies\owner@roiservice[1].txt
c:\documents and settings\owner\cookies\owner@tribalfusion[2].txt

next, please...TY ty

  Post #239402
 