TheTechGuide Forum
General Category => Tech Clinic => Topic started by: johnmci123 on November 02, 2007, 06:50:16 AM
-
Firstly, thanks for looking.
I have been having trouble with my PC for a number of weeks now. I'm very computer literate, as I'm doing a degree in the subject, but I need some advice.
I started getting constant virus attacks, which AVG kept telling me about; every time I delete them they just repopulate, so I get annoying messages quite often. The computer was rebooting and I was getting the blue screen sometimes, and when rebooted it would come back on. I found MSN Messenger beta was the fault for that.
The trouble is I don't have the time to reinstall everything on the PC, as I'm busy with it for study. Any help would be greatly appreciated. System Restore fails to work when I tried it also, no matter which point I chose.
Here is my HJT log, thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:54, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {435D08DD-665E-474F-B977-5EE75A2BDCB2} - C:\WINDOWS\system32\vtuvwxw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtuvwxw - C:\WINDOWS\SYSTEM32\vtuvwxw.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 6421 bytes
-
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Its default location is C:\Combofix.txt
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post back the combofix log please
-
[quote name='guestolo' post='402297' date='Nov 2 2007, 11:55 AM']Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Its default location is C:\Combofix.txt
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post back the combofix log please[/quote]
Thanks for your time and effort, much appreciated.
Here is the log you requested. Also, I had lots of virus alerts from AVG one after the other while ComboFix was working, all of which I moved to the vault. There was also an error message requesting a report to Microsoft about something; I never sent it.
ComboFix 07-11-01.1 - john 2007-11-02 18:43:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1509 [GMT 0:00]
Running from: C:\Documents and Settings\john\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\FunWebProducts
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmnooom.dll
C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\ssqqrrr.dll
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vtuvwxw.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.
2007-11-02 18:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 11:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 23:32 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-30 17:48 <DIR> d-------- C:\Program Files\Skyline Screensaver
2007-10-28 15:06 <DIR> d-------- C:\Program Files\Disc2Phone
2007-10-28 14:53 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-24 12:51 <DIR> d-------- C:\WINDOWS\Cameleon Clock
2007-10-24 12:51 <DIR> d-------- C:\Program Files\Cameleon Clock
2007-10-23 15:12 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-10-23 15:12 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-10-23 15:12 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-10-23 04:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tcpIQ
2007-10-23 02:12 <DIR> d-------- C:\Program Files\SiSoftware
2007-10-23 02:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-22 23:48 25,600 --a------ C:\WINDOWS\system32\drivers\hidbth.sys
2007-10-22 23:48 25,600 --a--c--- C:\WINDOWS\system32\dllcache\hidbth.sys
2007-10-22 23:48 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-22 23:48 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-22 23:17 <DIR> d-------- C:\Documents and Settings\john\Application Data\Printer Info Cache
2007-10-22 23:17 <DIR> d-------- C:\Documents and Settings\john\Application Data\Image Zone Express
2007-10-21 17:16 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2007-10-21 17:00 <DIR> d-------- C:\Program Files\RMClock
2007-10-21 16:59 <DIR> d-------- C:\WINDOWS\CPU & Ram Meter
2007-10-21 16:59 <DIR> d-------- C:\Program Files\CPU & Ram Meter
2007-10-21 16:53 <DIR> d-------- C:\Program Files\tcpIQ
2007-10-21 16:52 <DIR> d-------- C:\Program Files\Cablenut
2007-10-21 16:08 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2007-10-21 16:08 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2007-10-21 15:44 100,992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2007-10-21 15:44 100,992 --a--c--- C:\WINDOWS\system32\dllcache\bthpan.sys
2007-10-19 00:41 <DIR> d-------- C:\Documents and Settings\john\Application Data\Skype
2007-10-19 00:40 <DIR> d-------- C:\Program Files\Skype
2007-10-19 00:40 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-19 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-10-18 22:20 <DIR> d-------- C:\Program Files\PowerISO
2007-10-18 15:29 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-10-18 15:29 274,304 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2007-10-18 15:29 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-10-18 15:29 18,944 --a--c--- C:\WINDOWS\system32\dllcache\bthusb.sys
2007-10-18 14:48 <DIR> d-------- C:\Program Files\Allok RM RMVB to AVI MPEG DVD Converter
2007-10-18 10:27 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-10-18 10:26 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-18 10:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-18 10:26 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-17 10:40 <DIR> d-------- C:\Program Files\SpeedFan
2007-10-16 16:46 <DIR> d-------- C:\Documents and Settings\john\Application Data\Media Player Classic
2007-10-12 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-12 21:54 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-10-12 17:29 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 11:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-11 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-10-11 15:41 <DIR> d-------- C:\temp
2007-10-11 15:41 <DIR> d-------- C:\HP
2007-10-11 15:41 19,072 --a------ C:\WINDOWS\system32\drivers\PS2.sys
2007-10-11 15:37 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-10-11 15:00 <DIR> d-------- C:\Program Files\uTorrent
2007-10-11 15:00 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-11 15:00 <DIR> d-------- C:\Documents and Settings\john\Application Data\uTorrent
2007-10-11 14:55 <DIR> d-------- C:\World of Warcraft
2007-10-11 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-10-11 14:37 <DIR> d-------- C:\Documents and Settings\john\Application Data\HP
2007-10-11 14:36 <DIR> d-------- C:\Program Files\Common Files\HP
2007-10-11 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-10-11 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-10-11 14:35 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-11 14:35 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-10-11 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-11 14:35 258,048 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-10-11 14:35 117,760 --a------ C:\WINDOWS\system32\hpzll4v2.dll
2007-10-11 14:35 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-10-11 14:35 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-10-11 14:34 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2007-10-11 14:34 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2007-10-11 14:34 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2007-10-11 14:34 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2007-10-11 14:34 294,912 -ra------ C:\WINDOWS\system32\hpovst10.dll
2007-10-11 14:34 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-10-11 14:34 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-11 14:34 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-11 14:30 <DIR> d-------- C:\Program Files\HP
2007-10-11 14:30 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-11 14:30 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-11 14:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-11 14:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-11 14:27 130,958 --a------ C:\WINDOWS\hpoins12.dat
2007-10-11 14:27 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-10-11 14:01 <DIR> d-------- C:\Program Files\Serif
2007-10-11 14:01 21,008 --a------ C:\WINDOWS\system32\CTL3D.DLL
2007-10-11 13:49 <DIR> d-------- C:\Documents and Settings\john\Application Data\Ahead
2007-10-11 13:47 <DIR> d-------- C:\Program Files\Nero
2007-10-11 13:47 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-10-11 13:45 <DIR> d-------- C:\Documents and Settings\john\Application Data\vlc
2007-10-11 13:44 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-11 13:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-11 13:15 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-10-11 13:15 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-10-11 13:14 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-10-11 12:52 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-11 12:52 <DIR> d-------- C:\Documents and Settings\john\Contacts
2007-10-11 12:51 <DIR> d-------- C:\Program Files\Windows Live
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-11 14:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 11:58 --------- d-----w C:\Program Files\Google
2007-10-11 11:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-11 11:37 61,440 ----a-w C:\WINDOWS\system32\vuins32.dll
2007-10-11 11:37 43,008 ----a-w C:\WINDOWS\system32\drivers\fetnd5bv.sys
2007-10-11 11:35 --------- d-----w C:\Program Files\Realtek
2007-10-11 11:21 --------- d-----w C:\Program Files\VIA
2007-10-11 11:09 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-11 11:03 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 17:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 17:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 17:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 17:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 17:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 17:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 17:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 17:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 17:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 17:04 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 15:58 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-08 13:54]
"nwiz"="nwiz.exe" [2006-08-08 13:54 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 14:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"Ashampoo FireWall"="C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 13:57]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvtt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^john^Start Menu^Programs^Startup^CPU & Ram Meter.lnk]
backup=C:\WINDOWS\pss\CPU & Ram Meter.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
S3 RTCore32;RTCore32;\??\C:\Program Files\RMClock\RTCore32.sys
S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys
S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys
S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys
S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 18:46:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-02 18:47:27 - machine was rebooted
.
--- E O F ---
-
That looks good.
Can you do the following for me, please?
Supply the information below.
Create a .bat file for me:
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat
Save this file on the desktop
regedit /e Export.txt "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
Double click on export.bat
A text file called Export.txt will appear on the desktop.
Copy>>paste back here the contents please
In addition, can you supply the following
1. Post a fresh hijackthis log
2. Post an uninstall list from hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
-
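The export that guestolo asks for above is a regedit .reg file whose REG_MULTI_SZ values come out as hex(7) byte lists broken across continuation lines, which is hard to read by eye. The script below is an added example, not code from the thread or from any tool named in it: it re-joins the continuation lines, decodes each hex(7) value as UTF-16LE, and flags any LSA "Authentication Packages", "Notification Packages" or "Security Packages" entry outside a stock Windows XP SP2 set. The sample export embedded in it is constructed from the values posted in this thread; the baseline package lists are this example's own assumption about a clean XP SP2 machine.

```python
"""
Decode a `regedit /e` export of HKLM\SYSTEM\CurrentControlSet\Control\Lsa and
flag LSA packages that are not part of the assumed stock Windows XP SP2 set.

Added example for this thread, not the forum's or Microsoft's code. Any DLL
listed under "Authentication Packages" or "Notification Packages" is loaded
into lsass.exe at boot and handles logon credentials, which is why an
unfamiliar entry there matters.
"""
import re

# Constructed sample: the LSA lines from the Export.txt posted in the thread,
# in the exact shape regedit writes them (hex(7) = REG_MULTI_SZ, UTF-16LE,
# continued across lines with a trailing backslash).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\
  00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,61,00,77,00,76,00,74,00,74,00,2e,\
  00,64,00,6c,00,6c,00,00,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"forceguest"=dword:00000001
'''

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Assumed stock values for Windows XP SP2 (this example's baseline, not taken
# from the thread). Anything outside these sets is reported.
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
}


def _join_continuations(text):
    """Re-join values that regedit split with a trailing backslash."""
    joined, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        joined.append(buf + line.strip())
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def _decode_value(raw):
    """Decode the value side of a `"name"=...` line for the types used here."""
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
        # REG_MULTI_SZ: NUL-terminated UTF-16LE strings, list ends with an empty one.
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # other types (hex:, hex(2):) are left undecoded


def parse_reg_export(text):
    """Return {key_path (lower-cased): {value_name: decoded_value}}."""
    result, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            result[current][m.group(1)] = _decode_value(m.group(2))
    return result


def unexpected_lsa_packages(export_text):
    """Return {value_name: [entries not in BASELINE]} for the LSA key."""
    lsa = parse_reg_export(export_text).get(LSA_KEY, {})
    flagged = {}
    for name, expected in BASELINE.items():
        extra = [e for e in lsa.get(name, []) if e.lower() not in expected]
        if extra:
            flagged[name] = extra
    return flagged


if __name__ == "__main__":
    for name, extra in unexpected_lsa_packages(SAMPLE_EXPORT).items():
        print(f"{name}: unexpected entries {extra}")
```

Run against the sample it reports the extra "Authentication Packages" entry, C:\WINDOWS\system32\awvtt.dll, the same DLL ComboFix listed under "Other Deletions" while the registry reference stayed behind. On a live machine the Export.txt produced by the export.bat above can be passed to `parse_reg_export` unchanged; only the baseline sets need adjusting for other Windows versions.
-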
[quote name='guestolo' post='402339' date='Nov 2 2007, 07:21 PM']That looks good.
Can you do the following for me, please?
Supply the information below.
Create a .bat file for me:
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat
Save this file on the desktop
regedit /e Export.txt "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
Double click on export.bat
A text file called Export.txt will appear on the desktop.
Copy>>paste back here the contents please
In addition, can you supply the following
1. Post a fresh hijackthis log
2. Post an uninstall list from hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents[/quote]
Again, many thanks for the speedy reply. First log to follow, then the others as requested.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,61,00,77,00,76,00,74,00,74,00,2e,\
00,64,00,6c,00,6c,00,00,00,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000003b0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data]
"Pattern"=hex:6c,0b,bb,49,7d,43,ae,f5,89,7a,10,2e,c1,ab,45,c1,66,31,35,34,61,\
36,33,38,00,fd,07,00,67,49,00,00,34,fa,07,00,56,82,7c,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,42,84,f0,98,fe,82,54,17,be,b2,84,f1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG]
"GrafBlumGroup"=hex:60,59,37,6b,3c,ea,67,ae,66
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD]
"Lookup"=hex:03,32,dc,8e,b5,f6
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1]
"SkewMatrix"=hex:88,f1,a6,c8,74,bb,7e,56,96,81,18,16,ba,f1,71,7b
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache]
"Time"=hex:4a,0d,ba,12,fc,0b,c8,01
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031
Fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:19, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab (http://\"http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab\")
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (http://\"https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx\")
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 6231 bytes
uninstall log
32 Bit HP CIO Components Installer
Adobe Reader 7.0.8
Allok RM RMVB to AVI MPEG DVD Converter 1.3.4
Ashampoo Burning Studio 6
Ashampoo FireWall 1.20
Ashampoo Music Studio 2007
AVG 7.5
AVG Anti-Spyware 7.5
Cablenut 4.08
Cameleon Clock
CPU & Ram Meter
Disc2Phone
Enhanced Multimedia Keyboard Solution
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Solution Center 8.0
HP Update
HPSSupply
K-Lite Mega Codec Pack 1.53
Line Speed Meter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Project Standard 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2007
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7 Premium
PowerISO
Realtek High Definition Audio Driver
Registry Mechanic 6.0
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Serif DrawPlus 6.0
SiSoftware Sandra Lite XIIc
Skyline Screensaver
Skype™ 3.5
SpeedFan (remove only)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
VideoLAN VLC media player 0.8.6c
Windows Desktop Search 3.01
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery Beta
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinFast® Display Driver
World of Warcraft
there you go!
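The HijackThis log above is what the helper reads next, and a few entry types get looked at first: O2 helper objects whose DLL no longer exists, O4 Run entries that name a program without a full path, O16 ActiveX downloads fetched from a bare IP address, and O23 services with no publisher. The following PowerShell triage is an added example and is not code from this thread, from Trend Micro or from HijackThis; the sample lines are constructed in the same format as the posted log, and the rules only mark entries to look up, not verdicts (OEM Run entries such as the HP keyboard tool trip the path rule legitimately). It assumes PowerShell 3.0 or later.

```powershell
# Added example, not part of the thread: first-pass triage of HijackThis
# log lines. Sample lines are constructed in the format of the posted log.
$hjtLog = @'
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
'@

function Get-HjtFindings {
    param([string[]]$Lines)
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        # switch -Regex populates $Matches for each matching case
        switch -Regex ($line) {
            # Browser Helper Object still registered but its DLL is gone:
            # typical leftover of an incomplete removal.
            '^O2 - BHO: .* - \(no file\)$' {
                [pscustomobject]@{ Type = 'O2'; Reason = 'BHO registered, DLL missing'; Entry = $line }
            }
            # Run entry naming an executable with no drive path: Windows
            # resolves it through the search path, so verify what actually runs.
            '^O4 - .*\\Run: \[[^\]]+\] (?<cmd>.+)$' {
                if ($Matches.cmd -notmatch '^"?[A-Za-z]:\\') {
                    [pscustomobject]@{ Type = 'O4'; Reason = 'Run entry without full path'; Entry = $line }
                }
            }
            # Downloaded ActiveX control (DPF) fetched from a bare IP address
            # rather than a vendor hostname.
            '^O16 - DPF: .* - https?://(?<host>[^/\s:]+)' {
                if ($Matches.host -match '^\d{1,3}(\.\d{1,3}){3}$') {
                    [pscustomobject]@{ Type = 'O16'; Reason = 'ActiveX control downloaded from raw IP'; Entry = $line }
                }
            }
            # Service whose binary carries no publisher information.
            '^O23 - Service: .* - Unknown owner - ' {
                [pscustomobject]@{ Type = 'O23'; Reason = 'Service with unknown owner'; Entry = $line }
            }
        }
    }
}

# Run over the constructed sample; pipe a real log in with Get-Content instead.
Get-HjtFindings -Lines ($hjtLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

On the sample input this reports the orphaned BHO, both O4 entries (SkyTel.EXE has no path; KBD.EXE does and is skipped), the DGTx.CAB download from 66.98.196.24, and the Windows Live service. Each finding is a prompt to check the file on disk and its publisher, which is exactly the step a helper takes before telling anyone to fix an entry.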
-
Since you know your way around the computer
Can I have you manually edit the registry please
Go to START>>RUN>>type in regedit
Hit OK
Navigate to this key
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
By doing the following
Expand
(+)HKEY_LOCAL_MACHINE
(+)system
(+)currentcontrolset
(+)control
Left click once on lsa on the left to highlight it
On the right hand side look for
Authentication Packages
Double click on Authentication Packages to open
Under Value Data it should Only look like the following
msv1_0
Leave only the entry above, but remove the text after it
C:\WINDOWS\system32\awvtt.dll <-remove this
Ok and exit out of the registry editor
Do a "System scan only" with Hijackthis and put a check next to these entries:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
I suggest that you do the following
add SpywareBlaster to your protection software
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
Post one last fresh hijackthis log and let me know how things are running please
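The registry value the reply above has the user edit by hand, Authentication Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, is loaded by LSASS at boot, which is why an extra DLL listed there survives ordinary file deletion and comes back after every reboot. As an added example (not the helper's method and not part of this thread), the PowerShell below audits that value read-only: it reports every package other than msv1_0, resolves the name to a file under System32 the way LSA does, and checks whether the file exists and carries a valid signature. The allow-list of one package is an assumption for a stand-alone desktop; the removal itself stays a deliberate manual step, as in the reply. It assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added example, not part of the thread: read-only audit of the LSA
# Authentication Packages value. Assumption: on a stand-alone desktop only
# msv1_0 is expected; domain or third-party logon products add their own.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @('msv1_0')

function Get-LsaAuthPackageFindings {
    param(
        [string]$KeyPath = $lsaKey,
        [string[]]$Allowed = $expected
    )
    # REG_MULTI_SZ comes back as string[]; @() keeps a single entry iterable
    $packages = (Get-ItemProperty -Path $KeyPath -Name 'Authentication Packages').'Authentication Packages'
    foreach ($pkg in @($packages)) {
        $name = $pkg.Trim()
        if (-not $name) { continue }
        if ($Allowed -contains $name) { continue }   # -contains is case-insensitive

        # LSA loads bare names from %SystemRoot%\System32; a full path is used as given
        $path = if ([System.IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $env:SystemRoot "System32\$name" }
        if ($path -notmatch '\.dll$') { $path += '.dll' }

        $onDisk = Test-Path -LiteralPath $path
        [pscustomobject]@{
            Package   = $name
            Resolved  = $path
            OnDisk    = $onDisk
            Signature = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            Note      = 'Unexpected LSA package: identify the file before removing it from the value'
        }
    }
}

Get-LsaAuthPackageFindings | Format-Table -AutoSize
```

On the machine in this thread the output would list C:\WINDOWS\system32\awvtt.dll with its on-disk and signature state; an unsigned, randomly named DLL in that slot is the pattern the helper is cleaning up. A package that is missing on disk is worth noting too, since LSASS logs a load failure for it at every boot.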
-
[quote name='guestolo' post='402350' date='Nov 2 2007, 08:00 PM']Since you know your way around the computer
Can I have you manually edit the registry please
Go to START>>RUN>>type in regedit
Hit OK
Navigate to this key
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
By doing the following
Expand
(+)HKEY_LOCAL_MACHINE
(+)system
(+)currentcontrolset
(+)control
Left click once on lsa on the left to highlight it
On the right hand side look for
Authentication Packages
Double click on Authentication Packages to open
Under Value Data it should Only look like the following
msv1_0
Leave only the entry above, but remove the text after it
C:\WINDOWS\system32\awvtt.dll <-remove this
Ok and exit out of the registry editor
Do a "System scan only" with Hijackthis and put a check next to these entries:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
I suggest that you do the following
add SpywareBlaster to your protection software
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
Post one last fresh hijackthis log and let me know how things are running please[/quote]
here you go again, thanks for your help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:09, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (http://\"https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx\")
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 6006 bytes
shall i do virus scan perhaps
-
shall i do virus scan perhaps
Your log looks good
However, it's not a bad idea
I use AVG on one of my computers, BUT
I still like a second opinion once in awhile
Why not try an online virus scan
First, I disable AVG realtime scanner
Double click the AVG icon by the clock
Right click Resident Shield
Select Properties>>UNCHECK "Turn on AVG Resident Shield Protection"
Apply it and close AVG
Close the prompts by Windows Security Center
Using browser Internet Explorer
Run an online virus scan at Kaspersky's (http://www.kaspersky.com/virusscanner)
At the link click the button Kaspersky Online Scanner
Accept the prompt at the Welcome screen
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now under select a target to scan:
Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
***Now click on the Save as Text button:
- Save the file to your desktop.
Post back that report please
Reactivate AVG realtime protection also
-
[quote name='guestolo' post='402368' date='Nov 2 2007, 08:57 PM']Your log looks good
However, it's not a bad idea
I use AVG on one of my computers, BUT
I still like a second opinion once in awhile
Why not try an online virus scan
First, I disable AVG realtime scanner
Double click the AVG icon by the clock
Right click Resident Shield
Select Properties>>UNCHECK "Turn on AVG Resident Shield Protection"
Apply it and close AVG
Close the prompts by Windows Security Center
Using browser Internet Explorer
Run an online virus scan at Kaspersky's (http://www.kaspersky.com/virusscanner)
At the link click the button Kaspersky Online Scanner
Accept the prompt at the Welcome screen
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now under select a target to scan:
Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
***Now click on the Save as Text button:
- Save the file to your desktop.
Post back that report please
Reactivate AVG realtime protection also[/quote]
I have a dual boot on my other system, one with Norton on a drive and AVG on the other. This system I'm on has not got a second drive, but when I put dual boot on I find that running one on each is much more efficient. I'll do that but have to head to work, will have to get back to you. Thanks for the help so far, it's been very informative for me.
-
[quote name='johnmci123' post='402372' date='Nov 2 2007, 09:11 PM']I have a dual boot on my other system, one with Norton on a drive and AVG on the other. This system I'm on has not got a second drive, but when I put dual boot on I find that running one on each is much more efficient. I'll do that but have to head to work, will have to get back to you. Thanks for the help so far, it's been very informative for me.[/quote]
I ran an AVG scan on the full system before doing the Kaspersky online scan. While doing the scan on my computer, AVG started showing most of the viruses that I have been presented with at once so far, all of which were in "c:/system volume information/_restore{CDFAD6EB-F95D-42BE-B02C-DABD38276C4E}\RP75\A00#####.dll"; the hashes indicate random numbers which differ on each.
log from kaspersky to follow
-
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 03, 2007 2:11:27 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/11/2007
Kaspersky Anti-Virus database records: 450652
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 40439
Number of viruses found: 3
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 00:17:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.3.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.3.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010017.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles0010017.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy5.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_844.dat Object is locked skipped
C:\Documents and Settings\john\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Messenger\bighairymoomooEmail Removed\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Messenger\bighairymoomooEmail Removed\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Messenger\bighairymoomooEmail Removed\SharingMetadata\Working\database_5630_4FB6_304F_9BBD\dfsr.db Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Messenger\bighairymoomooEmail Removed\SharingMetadata\Working\database_5630_4FB6_304F_9BBD\fsr.log Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Messenger\bighairymoomooEmail Removed\SharingMetadata\Working\database_5630_4FB6_304F_9BBD\fsrtmp.log Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Messenger\bighairymoomooEmail Removed\SharingMetadata\Working\database_5630_4FB6_304F_9BBD\tmp.edb Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows Live Contacts\bighairymoomooEmail Removed\real\members.stg Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows Live Contacts\bighairymoomooEmail Removed\shadow\members.stg Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\MSHist012007110320071104\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DF5D24.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DF5E3B.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DFCABB.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DFCCC1.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DFE98D.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DFE99B.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\john\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pmnooom.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ssqqrrr.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vtuvwxw.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\qoobox\Quarantine\catchme2007-11-02_184632.09.zip/vtuvwxw.dll Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\qoobox\Quarantine\catchme2007-11-02_184632.09.zip/vtuvwxw.dll.1 Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\qoobox\Quarantine\catchme2007-11-02_184632.09.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP45\A0010386.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP45\A0010387.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP45\A0010388.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP45\A0010389.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010421.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010422.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010423.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010424.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010425.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010426.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010427.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010428.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010429.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010430.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010431.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010432.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP46\A0010433.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP48\A0011995.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP48\A0012025.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP48\A0012026.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP53\A0015291.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP53\A0015292.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP53\A0015293.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP53\A0015294.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP53\A0015295.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP53\A0015296.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017342.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017343.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017389.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017390.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017391.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017392.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017393.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017394.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017395.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017407.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017467.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017468.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017469.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0019515.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0019516.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0019517.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0019518.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0019519.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0019520.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP56\A0020542.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0026729.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0026730.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0026731.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0026732.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0026733.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0026734.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP64\A0027749.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031951.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031952.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031953.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031954.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031955.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031956.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031957.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031958.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031961.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031962.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031963.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031964.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031965.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031967.dll Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031968.dll Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031969.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031970.dll Object is locked skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031974.dll Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP76\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP50\A0013081.exe/stream/Script Infected: Trojan-Dropper.Win32.Agent.btr skipped
D:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP50\A0013081.exe/stream Infected: Trojan-Dropper.Win32.Agent.btr skipped
D:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP50\A0013081.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP76\change.log Object is locked skipped
Scan process completed.
Note: during this scan, multiple viruses were moved to the vault by AVG.
-
Everything looks good
Concerning entries in this folder
C:\qoobox
That was created by ComboFix, which moved the bad files into its directory
Let's remove that right now
Go to START>>RUN>>Copy and paste the next command into the open field
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files
I ran an AVG scan on the full system before doing the Kaspersky online scan. While doing the scan on my computer, AVG started showing most of the viruses that I have been presented with at once so far, all of which were in "c:/system volume information/_restore{CDFAD6EB-F95D-42BE-B02C-DABD38276C4E}\RP75\A00#####.dll"; the hashes indicate random numbers which differ on each.
Let's deal with that right now also
These are files in your system restore folders
Harmless, unless you restore to an infected point
Please do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
Windows will prompt when it has been successfully created
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
The rest looks good
You can empty AVG Virus vault if there is no need to restore any entries
Hope that helps
:)
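Added example (editorial, not part of this thread and not code from Kaspersky, AVG or ComboFix): a small Python triage script for the scan report posted above and for the System Restore advice in this reply. It parses report lines of the form `<path> Object is locked skipped`, `<path> Infected: <name> skipped` and `<path> ZIP: infected - N skipped`, then sorts the hits into three buckets: already neutralised (ComboFix's C:\qoobox quarantine), only dangerous if you roll back to that restore point (`_restore{...}\RPnn`), and live files that still need action. The sample lines are constructed for the example, modelled on the report in this thread; the `C:\WINDOWS\system32\vtuvwxw.dll` line is a constructed live-file hit included to show the actionable case.

```python
"""Triage helper for a Kaspersky-style on-demand scan report (added example)."""
import re
from collections import Counter

# Constructed sample, modelled on the report in this thread (not the real file).
SAMPLE_LOG = r"""
C:\Documents and Settings\john\NTUSER.DAT Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pmnooom.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\qoobox\Quarantine\catchme2007-11-02_184632.09.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP55\A0017407.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031967.dll Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
C:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP75\A0031968.dll Object is locked skipped
D:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP50\A0013081.exe/stream/Script Infected: Trojan-Dropper.Win32.Agent.btr skipped
D:\System Volume Information\_restore{CDFAD6EB-F95D-42BE-B02C-DABD3827C64E}\RP50\A0013081.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\vtuvwxw.dll Infected: Trojan-PSW.Win32.OnLineGames.bmm skipped
Scan process completed.
"""

# One report line: <path> <status> skipped. The path may contain spaces, so it
# is matched lazily and the status alternatives anchor the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+)) skipped$"
)
# System Restore keeps copies under _restore{GUID}\RPnn\; capture the RP number.
RESTORE_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")


def classify_location(path):
    """Where the object lives decides whether a hit is actionable."""
    if "\\qoobox\\" in path.lower():
        return "quarantine", None          # already neutralised by ComboFix
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group(1)  # only dangerous if restored to
    return "live", None                    # still on the running system


def parse_scan_log(text):
    """Return (records, unparsed_lines) for a whole report."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)          # e.g. "Scan process completed."
            continue
        path = m.group("path")
        location, rp = classify_location(path)
        if m.group("locked"):
            status, detection = "locked", None
        elif m.group("name"):
            status, detection = "infected", m.group("name")
        else:
            # Archive summary line: members were reported individually above it.
            status, detection = "infected", None
        records.append({
            "path": path,
            "drive": path[:2] if path[1:2] == ":" else "?",
            "status": status,
            "detection": detection,
            "location": location,
            "restore_point": rp,
        })
    return records, unparsed


def summarize(records):
    """Aggregate the parsed records into the numbers a helper would look at."""
    infected = [r for r in records if r["status"] == "infected"]
    tainted = {(r["drive"], r["restore_point"])
               for r in infected if r["location"] == "restore_point"}
    return {
        "objects": len(records),
        "locked": sum(r["status"] == "locked" for r in records),
        "infected": len(infected),
        "infected_by_location": dict(Counter(r["location"] for r in infected)),
        "detections": sorted({r["detection"] for r in infected if r["detection"]}),
        "tainted_restore_points": sorted(tainted, key=lambda t: (t[0], int(t[1][2:]))),
        "live_detections": [r["path"] for r in infected if r["location"] == "live"],
    }


def report(summary):
    """Render the summary as plain text."""
    lines = [f"{summary['objects']} objects reported: "
             f"{summary['locked']} locked, {summary['infected']} infected"]
    for loc, n in sorted(summary["infected_by_location"].items()):
        lines.append(f"  infected in {loc}: {n}")
    for drive, rp in summary["tainted_restore_points"]:
        lines.append(f"  restore point {drive} {rp} holds malware; do not roll back to it")
    for path in summary["live_detections"]:
        lines.append(f"  ACTION NEEDED, live file still infected: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs, leftover = parse_scan_log(SAMPLE_LOG)
    print(report(summarize(recs)))
```

The point of the split is the one made in the reply: hits inside `_restore{...}` are inert until a rollback, so the fix is to purge old restore points rather than to "clean" them, while a hit on a live path is the only kind that means the machine is still infected. Locked objects (registry hives, event logs, index.dat) are skipped by an online scanner and are expected; they are counted but not treated as findings.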
-
Everything is running well. I have done another AVG scan, and also the restore point and cleanup as requested.
Thank you for all your help, you are a credit to your profession.
When I first got a PC, before I started my studies, I tried a forum like this one for help with issues I had, and I found them to not respond well and in most cases not at all. This is the best that I have found and I will be ensuring to tell others of the great service provided to me. I also found some of the steps very informative and great exercise for the mind, and they helped to hone my PC skills further. The help received has saved me from having to do a clean install and lots of software re-installs, not to mention saved me from starting WOW from scratch, and that particular install takes forever due to patches, lol
I plan to donate come payday at the end of the month, and hopefully not need your services for a while, but who knows!
-
Glad to help
As your problems appear resolved, I'll lock this topic
Take care johnmci123
:)