Full Version: Antivirus 2008
BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal
pinkgirl
It just refuses to go away. I have tried a couple of other forums, and this thing will not go away. The icon is gone and the background is gone. It's not in the start-up either, and no pop-ups. However, when I start up the old background, "warning: computer infected with spyware" flashes. Also, my Add and Remove Programs does not work. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:02 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spelman.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566....gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://prince.spelman.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10162 bytes
SifuMike
Hello pinkgirl,

QUOTE
I have tried a couple of other forums, and this thing will not go away. The icon is gone and the background is gone. Its not in the start-up either and no pop-ups. However when I start up the old background, "warning: computer infected with spyware" flashes.


Please tell me what you have done to try and fix this?

What forums did you post at previously?
pinkgirl
I tried the tutorial that you got set up for the antivirus, but it didn't work. A guy from suggestafix gave me the link.
Here is the link that I tried.

http://www.bleepingcomputer.com/forums/topic111715.html

I did what the link said and it didn't go away. Before that, the other methods that I tried included removing it from the start menu, changing the background, etc., and fixing it with HijackThis. I also tried to fix it with Malwarebytes.

Any help would be appreciated. Thanks.
SifuMike
Hello pinkgirl,

QUOTE
and fixing it with hijackthis.


HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.

If you do not have advanced knowledge about computers, you should NOT fix entries using HijackThis without consulting an expert on using this program.

I see Viewpoint installed.
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

We need to create a Deckard's System Scanner (DSS) Log.
Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.

3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
main.txt <-- Will be maximized
extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

In your next reply, I need to see the following reports:
DSS Main.txt
DSS Extra.txt
pinkgirl
I downloaded the update for Java. However, I neglected to mention that the virus disabled my Add/Remove Programs. Add/Remove Programs will open, but it doesn't have the icon to actually remove anymore. So I couldn't delete Viewpoint Manager or the older versions of Java.

Also, I already have Deckard's, so I didn't get an extra.txt. However, this is the main.txt.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-04 13:27:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:23 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spelman.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566....gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://prince.spelman.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10089 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-06-26 01:29:59 61440 --a------ C:\WINDOWS\system32\drivers\otcp.sys
2008-06-26 00:54:37 61440 --a------ C:\WINDOWS\system32\drivers\weia.sys
2008-06-25 22:24:30 61440 --a------ C:\WINDOWS\system32\drivers\otqw.sys
2008-06-24 23:14:00 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\Identities
2008-06-24 23:14:00 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\AOL
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\WINDOWS
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Templates
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Start Menu
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\SendTo
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Recent
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\PrintHood
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\NetHood
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\My Documents
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Local Settings
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Favorites
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Desktop
2008-06-24 23:13:59 0 d---s---- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Cookies
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\You've Got Pictures Screensaver
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\SampleView
2008-06-24 23:13:59 0 d---s---- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\Microsoft
2008-06-24 23:13:58 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\NTUSER.DAT
2008-06-23 19:09:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-06-23 19:09:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 19:09:05 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 19:09:05 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 19:09:05 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 19:09:05 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 19:09:05 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 19:09:04 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 19:09:04 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 18:57:12 0 d-------- C:\Program Files\CCleaner
2008-06-22 17:15:50 94208 --a------ C:\WINDOWS\system32\pphc3whj0eea1.exe
2008-06-22 17:14:06 60928 --a------ C:\WINDOWS\system32\blphc3whj0eea1.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-06-22 17:14:01 109056 --a------ C:\WINDOWS\system32\lphc3whj0eea1.exe
2008-06-17 23:03:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-17 23:02:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 23:02:44 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 01:25:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 21:43:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-16 21:17:04 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-06-16 21:16:25 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-15 00:49:57 4 --a------ C:\WINDOWS\system32\hljwugsf.bin


-- Find3M Report ---------------------------------------------------------------

2008-07-04 13:25:05 0 d-------- C:\Program Files\Java
2008-06-29 22:59:31 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-18 21:38:38 0 d-------- C:\Program Files\Common Files
2008-06-18 21:36:02 0 d-------- C:\Program Files\Trend Micro
2008-06-15 15:00:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-24 21:30:49 256 --a------ C:\WINDOWS\system32\pool.bin
2008-05-22 18:38:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-22 18:36:45 0 d-------- C:\Program Files\Yahoo!
2008-05-22 18:22:20 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"VTTimer"="VTTimer.exe" [03/08/2005 08:33 AM C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [11/01/2005 09:15 AM C:\WINDOWS\system32\VTTrayp.exe]
"AGRSMMSG"="AGRSMMSG.exe" [10/14/2005 07:29 PM C:\WINDOWS\AGRSMMSG.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/03/2006 04:04 AM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 08:51 PM]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/16/2007 08:56 AM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 05:22 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 04:35 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
V CAST Music Monitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [11/30/2005 11:32:10 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/22/2006 4:33:24 PM]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [1/18/2006 8:52:09 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 10:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"




-- End of Deckard's System Scanner: finished at 2008-07-04 13:27:56 ------------

SifuMike
Hi pinkgirl,

QUOTE
I tried the tutorial that you got set up for the antivirus but it didn't work. A guy from SuggestAFix gave me the link.
Here is the link that I tried.
http://www.bleepingcomputer.com/forums/topic111715.html


I can't tell anything by the link you posted, as you have been removing stuff and that has wiped all the signs of the infection.

I would like to see your SuggestAFix link. Please post the link.

You said you deleted items with Hijackthis. Just what did you delete?




QUOTE
Also I already have Deckard's, so I didn't get an extra.txt.


Extra.txt should be at this location:

C:\Deckard\Extra.txt

Please post it.
pinkgirl
Here is my other link.

http://www.suggestafix.com/index.php?showtopic=30265

Some traces of the virus are still on the computer because I can't add or remove programs, and when the computer starts up the old background pops up that says you have spyware on your computer.


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.40GHz
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 446.04 MiB / 143.92 MiB
Pagefile Memory (total/avail): 671.52 MiB / 275.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.93 MiB

C: is Fixed (NTFS) - 51.1 GiB total, 20.24 GiB free.
D: is Fixed (FAT32) - 4.77 GiB total, 2.7 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS421260H9AT00 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 51.1 GiB - C:
\PARTITION1 - Unknown - 4.78 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"="C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe:*:Enabled:RoxioUpnpService9"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1137632486\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1137632486\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:explorer"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:enable"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"="C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe:*:Enabled:RoxioUpnpService9"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-116316AA3E
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-116316AA3E
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-116316AA3E
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{2BE0C605-9BEC-434D-9FAE-931194E72414}
--> MsiExec.exe /I{48A669A9-76FA-4CA8-BFD5-00C125AC4166}
--> MsiExec.exe /I{726A362E-EBFD-4C3F-8664-6593C2B08386}
--> MsiExec.exe /I{943CB81D-11B9-401E-8305-752528D00AA1}
--> MsiExec.exe /I{E75F019D-98A0-4B39-B1A8-3A01400D2A18}
--> MsiExec.exe /X{F664EDB9-59DF-452A-A3D7-085ED1B8D374}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Agere Systems AC'97 Modem --> agrsmdel
AntivirXP08 --> "C:\Program Files\rhc7whj0eea1\uninstall.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Ares 2.0.8 --> "C:\Program Files\Ares\uninstall.exe"
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
BlackBerry Desktop Software 4.3 --> MsiExec.exe /i{D793A12F-E362-48BB-B332-1DA5E936B52D}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /I{D793A12F-E362-48BB-B332-1DA5E936B52D}
BlackBerry Device Software v4.3.0 for the BlackBerry 8130 smartphone --> MsiExec.exe /X{573D8008-5F38-4F5F-820B-1D3151332282}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Citrix Presentation Server Client - Web Only --> MsiExec.exe /X{C49067A8-8212-4A82-A4D9-1519701644F0}
Convert Image To PDF --> "C:\Program Files\Softinterface, Inc\Convert Image To PDF\unins000.exe"
CutePDF Writer 2.6 --> C:\WINDOWS\system32\uninscpw.exe C:\Program Files\
Dell Digital Jukebox Driver --> C:\WINDOWS\UNWISE.EXE C:\WINDOWS\DJBDRV.LOG
EclipseCrossword --> MsiExec.exe /I{A48C9C07-1DE1-4476-8997-AA6290F94D09}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
GRE POWERPREP --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ETS\PPGRE.ISU"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
Image2PDF v3.2 --> "C:\Program Files\Image2PDF v3.2\unins000.exe"
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lexmark 1200 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXCZUN5C.EXE -dLexmark 1200 Series
LG USB Drivers --> C:\PROGRA~1\LGDRIV~1\LGUSBD~1\UNWISE.EXE C:\PROGRA~1\LGDRIV~1\LGUSBD~1\INSTALL.LOG
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office Outlook 2003 with Business Contact Manager Update --> MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\unins000.exe"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_1_89\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton Spyware Scan provided by Yahoo! --> C:\PROGRA~1\Yahoo!\Common\unynss.exe
OIN Search --> C:\Program Files\OIN Search\Uninstall.exe
pdf4u Printer --> MsiExec.exe /I{0B900A76-82CC-4ADF-82A5-702F784C558E}
PhotoFiltre --> "C:\Program Files\PhotoFiltre\Uninst.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Roxio Media Manager --> MsiExec.exe /X{303379C9-8610-4CCF-AF37-C4BF8998C591}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) -->
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
TypingMaster TypingTest --> "C:\Program Files\TypingMaster\TypingTest\unins000.exe"
V CAST Music --> MsiExec.exe /X{3249FD43-B24B-413F-B786-F8FEA32FA747}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type145980 / Warning
Event Submitted/Written: 06/18/2008 09:58:04 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type145949 / Warning
Event Submitted/Written: 06/18/2008 08:54:17 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type145854 / Error
Event Submitted/Written: 06/17/2008 06:00:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 16735.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [16735.exe!ws!]

Event Record #/Type145853 / Error
Event Submitted/Written: 06/17/2008 06:00:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 16735.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [16735.exe!ws!]

Event Record #/Type145852 / Error
Event Submitted/Written: 06/17/2008 05:58:47 AM
Event ID/Source: 455 / ESENT
Event Description:
wuaueng.dll (2304) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37383 / Warning
Event Submitted/Written: 06/24/2008 06:27:39 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type37382 / Warning
Event Submitted/Written: 06/24/2008 06:27:37 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Document Image Writer was deleted.

Event Record #/Type37381 / Warning
Event Submitted/Written: 06/24/2008 06:27:34 PM
Event ID/Source: 4 / Print
Event Description:
Printer Microsoft Office Document Image Writer is pending deletion.

Event Record #/Type37378 / Warning
Event Submitted/Written: 06/24/2008 06:24:43 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type37377 / Warning
Event Submitted/Written: 06/24/2008 06:24:41 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Document Image Writer was deleted.



-- End of Deckard's System Scanner: finished at 2008-06-24 18:44:32 ------------

SifuMike
Hello pinkgirl,

Looks like this infection has been going on for over three weeks.

Duplicate posting creates backlogs and is greatly frowned on by all forums.
If you want help here then go to your link at SuggestAFix and tell them you are closing your link.
No sense in tying up two helpers.

Let me know when you have done that and we shall continue.
SifuMike
QUOTE
AV: Norton AntiVirus v2007 (Symantec Corporation) Outdated


Is your Norton antivirus outdated or has it expired?
pinkgirl
No, I don't think it is either outdated or expired, because it was working just fine before I got this virus. I tried to open it just now and it said that it is unable to open Norton. I think that somehow the virus did something to it, because like I said it was fine before I got the virus.
SifuMike
Have you asked that your SuggestAFix post be closed? We can't proceed until you do that.

OK, your Norton antivirus is not working, so do not browse the Internet until we have an antivirus working. Going 3 weeks with no antivirus will get you even more infected.
pinkgirl
Okay I sent a message asking that it be closed.
SifuMike
Hi Pinkgirl,
QUOTE
Okay I sent a message asking that it be closed.

I don't want you to send a message asking it to be closed. I can't see that.
It needs to be posted in the forum.
Please post in the SuggestAFix forum asking that it be closed.
pinkgirl
I posted it in the forum. Thanks.
SifuMike
Hi Pinkgirl,

I don't see that you have done that.

http://www.suggestafix.com/index.php?showt...mp;#entry214836

You need to post a message asking them to close your post, then we can continue here.
SifuMike
Still no message closing your post.

http://www.suggestafix.com/index.php?showt...mp;#entry214836
QUOTE(HKEd @ Jun 26 2008, 01:25 AM)

I didn't think it had run. Please try it again:

Run Avenger.exe and copy/paste the contents of the Code box to the section under 'Input script here':

CODE
Files to delete:
C:\WINDOWS\system32\pphc3whj0eea1.exe
C:\WINDOWS\system32\blphc3whj0eea1.scr
C:\WINDOWS\system32\lphc3whj0eea1.exe
C:\WINDOWS\system32\hljwugsf.bin

Folders to delete:
C:\Documents and Settings\Owner\Application Data\rhc7whj0eea1

Click on Execute and restart the computer when prompted. Post the Avenger log.

If you are not comfortable using Avenger again, you could try restarting in safe mode. See if you can delete the four files and the folder. You may have to make all files and folders visible first. Instructions to do that are here. Once the files are gone, the system should be clean.






Do you know how to add a reply to that forum? Looks to me like you are using the Quote button rather than the Reply button.

So try again.
pinkgirl
http://www.suggestafix.com/index.php?showtopic=30265&hl=

Thanks.
SifuMike
Hello pinkgirl,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINDOWS\system32\drivers\otcp.sys


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:

C:\WINDOWS\system32\drivers\weia.sys
C:\WINDOWS\system32\drivers\otqw.sys
C:\WINDOWS\system32\pphc3whj0eea1.exe
C:\WINDOWS\system32\blphc3whj0eea1.scr
C:\WINDOWS\system32\lphc3whj0eea1.exe
C:\WINDOWS\system32\hljwugsf.bin



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.
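The local half of the check described above, as an added example that is not from the post or from any tool it names: it hashes each listed file, records the hidden/system attributes that the "show hidden files" step reveals, flags when several paths hold identical bytes, and compares the computed hashes with ones copied from a VirusTotal result page. SUSPECT_FILES are the paths from the post; demo() runs on constructed sample files in a temporary directory, since the real files are not available here.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Paths the helper asked to have checked (taken from the post above).
SUSPECT_FILES = [
    r"C:\WINDOWS\system32\drivers\otcp.sys",
    r"C:\WINDOWS\system32\drivers\weia.sys",
    r"C:\WINDOWS\system32\drivers\otqw.sys",
    r"C:\WINDOWS\system32\pphc3whj0eea1.exe",
    r"C:\WINDOWS\system32\blphc3whj0eea1.scr",
    r"C:\WINDOWS\system32\lphc3whj0eea1.exe",
    r"C:\WINDOWS\system32\hljwugsf.bin",
]

CHUNK = 64 * 1024


@dataclass
class FileReport:
    path: str
    exists: bool
    size: int = 0
    hidden: bool = False   # FILE_ATTRIBUTE_HIDDEN, reported on Windows only
    system: bool = False   # FILE_ATTRIBUTE_SYSTEM, reported on Windows only
    md5: str = ""
    sha1: str = ""
    sha256: str = ""


def fingerprint(path: str) -> FileReport:
    """Hash one file and note the attributes that hide it from a default Explorer view."""
    if not os.path.isfile(path):
        return FileReport(path=path, exists=False)
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # attribute word exists only on Windows
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return FileReport(
        path=path, exists=True, size=st.st_size,
        hidden=bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        system=bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
        md5=md5.hexdigest(), sha1=sha1.hexdigest(), sha256=sha256.hexdigest(),
    )


def scan(paths: List[str]) -> List[FileReport]:
    return [fingerprint(p) for p in paths]


def duplicate_groups(reports: List[FileReport]) -> Dict[str, List[str]]:
    """Group existing files by SHA-256; a group with several paths is one binary dropped under
    several names, which is worth noting before reading the per-file scan results."""
    groups: Dict[str, List[str]] = {}
    for r in reports:
        if r.exists:
            groups.setdefault(r.sha256, []).append(r.path)
    return {h: ps for h, ps in groups.items() if len(ps) > 1}


def matches_report(report: FileReport, md5: str = "", sha1: str = "", sha256: str = "") -> bool:
    """True when every hash supplied (copied from a VirusTotal 'Additional information' block)
    equals the locally computed one, case-insensitively. Nothing supplied, or a missing file, is False."""
    if not report.exists:
        return False
    checks = [(md5, report.md5), (sha1, report.sha1), (sha256, report.sha256)]
    supplied = [(given.lower(), actual) for given, actual in checks if given]
    return bool(supplied) and all(given == actual for given, actual in supplied)


def format_report(r: FileReport) -> str:
    if not r.exists:
        return f"{r.path}: not found"
    flags = ",".join(n for n, v in (("hidden", r.hidden), ("system", r.system)) if v) or "-"
    return f"{r.path}: {r.size} bytes attrs={flags} md5={r.md5} sha256={r.sha256}"


def demo() -> List[FileReport]:
    """Constructed sample: two identical files, one different file and one missing path,
    named after entries in SUSPECT_FILES but written to a temporary directory."""
    d = tempfile.mkdtemp()
    same = b"constructed sample A\n" * 100
    other = b"constructed sample B\n" * 5
    sample = [os.path.join(d, n) for n in ("weia.sys", "otqw.sys", "hljwugsf.bin", "missing.sys")]
    for p, data in zip(sample, (same, same, other)):   # fourth path is left missing on purpose
        with open(p, "wb") as fh:
            fh.write(data)
    reports = scan(sample)
    for r in reports:
        print(format_report(r))
    for h, paths in duplicate_groups(reports).items():
        print(f"identical content under {len(paths)} names: {paths} (sha256 {h[:16]}...)")
    return reports


if __name__ == "__main__":
    demo()
```

Replace the sample list with SUSPECT_FILES on the affected machine to produce hashes that can be matched line by line against the VirusTotal output.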



pinkgirl

Okay here are the results. I bolded each one and the results.

C:\WINDOWS\system32\drivers\weia.sys

Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )

C:\WINDOWS\system32\drivers\otqw.sys



Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )

C:\WINDOWS\system32\pphc3whj0eea1.exe


Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )

C:\WINDOWS\system32\blphc3whj0eea1.scr



Antivirus Version Last Update Result
AhnLab-V3 - - Win-Trojan/Autodelete.94208
AntiVir - - TR/Fakealert.AG
Authentium - - -
Avast - - Win32:Adware-gen
AVG - - Potentially harmful program WinFixer.ATW
BitDefender - - Trojan.FakeAlert.TR
CAT-QuickHeal - - FraudTool.MalwareProtector.d (Not a Virus)
ClamAV - - BAT.AutoDelete.A
DrWeb - - Trojan.Fakealert.949
eSafe - - -
eTrust-Vet - - Win32/FakeAlert.N
Ewido - - -
F-Prot - - -
F-Secure - - Trojan:W32/Renos.DC
Fortinet - - Misc/FakAlert
GData - - Win32:Adware-gen
Ikarus - - BAT.AutoDelete.A
Kaspersky - - not-a-virus:FraudTool.Win32.MalwareProtector.d
McAfee - - FakeAlert-AG
Microsoft - - Trojan:Win32/Renos.BAH
NOD32v2 - - Win32/Adware.WinFixer
Norman - - W32/Renos.XN
Panda - - Adware/MalwareProtector2008
Prevx1 - - Cloaked Malware
Rising - - Trojan.Win32.Undef.ive
Sophos - - Troj/FakAlert-A
Sunbelt - - CWS.DesktopHijack
Symantec - - MalwareProtector2008
TheHacker - - Aplicacion/MalwareProtector.d
TrendMicro - - TROJ_RENOS.ZQ
VBA32 - - Win32.Adware.WinFixer
VirusBuster - - -
Webwasher-Gateway - - Trojan.Fakealert.AG
Additional information
MD5: 45684e238403d720ead129a0fb2e2258
SHA1: 1adab6088f394487d6e57c73931da3d471c30b72
SHA256: daed5971ade8ea2fa88cd4341e467aafef826b3bb620226031161d0aa9395d16
SHA512: b93e937f31758e3e579e5bc33e206f87e97fbde2794b538a16a147b8be516f2e952096208cf41ff2
b139c8765921aa7b9dee79eb66f7899505fde0b04403a418


C:\WINDOWS\system32\lphc3whj0eea1.exe



Antivirus Version Last Update Result
AhnLab-V3 - - Win-AppCare/Xema.716800
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - Joke/Bluescreen
GData - - -
Ikarus - - -
Kaspersky - - -
McAfee - - potentially unwanted program Joke-Bluescreen
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - Joke.Blusod
TheHacker - - -
TrendMicro - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 538f9ead95eba12134d95b4fe7082331
SHA1: 527c50b92b5cededdd5b7e3edda71cb13d108dac
SHA256: a416bab39037854c14540edaaf80cff7b5f2e9db31eee235527574e8dedd54e6
SHA512: 4631ff7cf868348585ee0e26591b95be3ee8b232c7980f5013f4464f285b0fbdef41794c44cb8653
d6fb6dc815c0c0a9f4af780bfeb9b23d2f4c3bdc62bf4581



Antivirus Version Last Update Result
AhnLab-V3 2008.6.27.1 2008.06.27 -
AntiVir 7.8.0.59 2008.06.27 TR/Vundo.Gen
Authentium 5.1.0.4 2008.06.27 -
Avast 4.8.1195.0 2008.06.27 -
AVG 7.5.0.516 2008.06.27 -
BitDefender 7.2 2008.06.28 Trojan.Peed.JNF
CAT-QuickHeal 9.50 2008.06.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.06.27 -
DrWeb 4.44.0.09170 2008.06.27 Trojan.Packed.512
eSafe 7.0.17.0 2008.06.26 Suspicious File
eTrust-Vet 31.6.5911 2008.06.27 Win32/Bugnraw.I
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.27 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.06.28 W32/Tibs.JNF!tr
GData 2.0.7306.1023 2008.06.28 -
Ikarus T3.1.1.26.0 2008.06.28 Trojan.Peed.JNF
Kaspersky 7.0.0.125 2008.06.28 -
McAfee 5327 2008.06.27 -
Microsoft 1.3704 2008.06.28 Trojan:Win32/Tibs.GK
NOD32v2 3224 2008.06.27 -
Norman 5.80.02 2008.06.27 -
Panda 9.0.0.4 2008.06.27 -
Prevx1 V2 2008.06.28 Cloaked Malware
Rising 20.50.50.00 2008.06.28 -
Sophos 4.30.0 2008.06.28 -
Sunbelt 3.0.1176.1 2008.06.26 -
Symantec 10 2008.06.28 -
TheHacker 6.2.96.362 2008.06.27 -
TrendMicro 8.700.0.1004 2008.06.27 TROJ_FAKEALER.AR
VBA32 3.12.6.8 2008.06.27 Trojan.Packed.512
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.28 Trojan.Vundo.Gen
Additional information
File size: 109056 bytes
MD5...: cbd6aea5c7ac406c76cdcb407af0a8c1
SHA1..: 1d6e7ac8c6459d6bc5dede10e8d38282bf23ccae
SHA256: 7b3287a6001139222c01d78ebf745a5c412ffc0099ab3cadf3468d535b279214
SHA512: 5e7024655a1dced512f23ee3d5963c2cefd1e9a12577e1a79c37222f08b82dc4
8c7291e0ba655664fbc57080f22faaf86d923daa738e011f1282da4b8be5b7df
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404b8b
timedatestamp.....: 0x485d33e9 (Sat Jun 21 17:01:29 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8fb3 0x6000 7.99 450ba5a2ec56f8b429f680ef3c2d1fb5
.rdata 0xa000 0x2fe3 0x1400 7.96 71ea96343a1ac33db4bebec744f94c30
.data 0xd000 0x25f61 0x11200 8.00 059a4ed0be79eeab1b527434d304b7e7
.rsrc 0x33000 0x2000 0x2000 5.38 c1a69ce9865a1021f23ac6a86f8d7cba

( 3 imports )
> user32.dll: DdePostAdvise, CascadeWindows, ClientToScreen
> msvcrt.dll: _mbccpy, _mbctombb, _mbsdec, _pctype, _snprintf, _snwprintf
> kernel32.dll: CompareFileTime, CopyFileW, CreateThread, DefineDosDeviceW, EnumResourceTypesW, GetCommConfig, GetConsoleWindow, GetDateFormatW

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp...A919E000CF30BDA


C:\WINDOWS\system32\hljwugsf.bin


Antivirus Version Last Update Result
AhnLab-V3 2008.7.4.1 2008.07.04 -
AntiVir 7.8.0.64 2008.07.04 -
Authentium 5.1.0.4 2008.07.04 -
Avast 4.8.1195.0 2008.07.04 -
AVG 7.5.0.516 2008.07.04 -
BitDefender 7.2 2008.07.05 -
CAT-QuickHeal 9.50 2008.07.04 -
ClamAV 0.93.1 2008.07.04 -
DrWeb 4.44.0.09170 2008.07.04 -
eSafe 7.0.17.0 2008.07.03 -
eTrust-Vet 31.6.5929 2008.07.05 -
Ewido 4.0 2008.07.04 -
F-Prot 4.4.4.56 2008.07.04 -
F-Secure 7.60.13501.0 2008.07.03 -
Fortinet 3.14.0.0 2008.07.04 -
GData 2.0.7306.1023 2008.07.04 -
Ikarus T3.1.1.26.0 2008.07.05 -
Kaspersky 7.0.0.125 2008.07.05 -
McAfee 5332 2008.07.04 -
Microsoft 1.3704 2008.07.04 -
NOD32v2 3243 2008.07.04 -
Norman 5.80.02 2008.07.04 -
Panda 9.0.0.4 2008.07.04 -
Rising 20.51.42.00 2008.07.04 -
Sophos 4.31.0 2008.07.05 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.05 -
TheHacker 6.2.96.371 2008.07.04 -
TrendMicro 8.700.0.1004 2008.07.04 -
VBA32 3.12.6.8 2008.07.04 -
VirusBuster 4.5.11.0 2008.07.04 -
Webwasher-Gateway 6.6.2 2008.07.05 -
Additional information
File size: 4 bytes
MD5...: a82486173cb483e7ca21cf06b4b655b5
SHA1..: e166588ef16e3511647e3f96b72a57ec4876ee86
SHA256: 54d46808a13342ce97779a45c11e657a3a33471830e3efc4ea001239c431b7e7
SHA512: 24d9a80572dfe60dfe111f81f17e4b28ff319f9409c8757fd40f57af40ba084e
6a1f4884ba8dc7930c04917a8d844648a462d85cc260fa3814aeb69c1a0e805e
PEiD..: -
PEInfo: -



SifuMike


Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then under Scan Options check:
Scan Archives
Scan Mail Bases
then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:
Under Save as type select Text file, write a name for the file and save it to your Desktop.
Locate the file on the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.
SifuMike
Hello pinkgirl,

You forgot to do Virus Total on this file
C:\WINDOWS\system32\drivers\otcp.sys
pinkgirl
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 05, 2008 7:05:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/07/2008
Kaspersky Anti-Virus database records: 915351
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 91157
Number of viruses found: 8
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 05:10:58

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080625182818\backup\WINDOWS\temp\TMP0000005DC7C9DED954661B86 Infected: Trojan-Downloader.Win32.Agent.shg skipped
C:\Deckard\System Scanner\20080625182818\backup\WINDOWS\temp\~ie2D.exe Infected: Trojan-Spy.Win32.Zbot.cqh skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-07-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\5CEC35B7.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8EA56FCC.TMP Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Aim\ovolfjpz\quell4u\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Aim\ovolfjpz\quell4u\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.83940 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\Documents and Settings\Owner\Application Data\Roxio\MediaManager9\Album.ldb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Roxio\MediaManager9\Album.psod Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\norton internet security 2007.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\super antispyware professional 4 0 0 1138.rar/Installer-Crack-Keygen.exe Infected: P2P-Worm.Win32.Archivarius.a skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\super antispyware professional 4 0 0 1138.rar CAB: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008070520080706\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_284.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\spymaxx_setup.exe Infected: not-a-virus:FraudTool.Win32.SpyAway.p skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\bf-500.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-100.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-900.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\gather-now.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\ie7conflict.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\notes.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\partner-700.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\subscrip-2000.dat Object is locked skipped
C:\Program Files\BigFix\__Data\__Global\Logs\20080705.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0001014.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0002014.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP4\A0007062.exe Infected: not-a-virus:FraudTool.Win32.WinFixer.i skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pphc3whj0eea1.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETFFCF.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
pinkgirl
Here is the VirusTotal for

C:\WINDOWS\system32\drivers\otcp.sys

Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )
SifuMike
pinkgirl,

QUOTE
C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\super antispyware professional 4 0 0 1138.rar/Installer-Crack-Keygen.exe --> P2P-Worm.Win32.Archivarius.a

No wonder you are heavily infected!

I see you're not afraid of visiting crack sites and using illegal software.
From the logs I can see that you installed a keygen that appears on crack sites to get access to the cracks.
They install the malware on your system.

If you visit crack sites, use cracks, you'll ALWAYS get infected.

This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.

You really have to change your surfing habits, because these malware bundles may contain a key logger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.

Also, keep in mind, malware DAMAGES A LOT!
And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.

So is it really worth it? Get illegal software for "free", but compromise/break your computer instead....
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
    (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\norton internet security 2007.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\super antispyware professional 4 0 0 1138.rar
    C:\Documents and Settings\Owner\My Documents\spymaxx_setup.exe
    C:\WINDOWS\system32\pphc3whj0eea1.exe
    C:\WINDOWS\system32\blphc3whj0eea1.scr
    C:\WINDOWS\system32\lphc3whj0eea1.exe
    C:\WINDOWS\system32\hljwugsf.bin


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

QUOTE
Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



pinkgirl
C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\norton internet security 2007.exe moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Ares\My Shared Folder\super antispyware professional 4 0 0 1138.rar moved successfully.
C:\Documents and Settings\Owner\My Documents\spymaxx_setup.exe moved successfully.
C:\WINDOWS\system32\pphc3whj0eea1.exe moved successfully.
C:\WINDOWS\system32\blphc3whj0eea1.scr moved successfully.
C:\WINDOWS\system32\lphc3whj0eea1.exe moved successfully.
C:\WINDOWS\system32\hljwugsf.bin moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07052008_205417
SifuMike


Please run Deckard's System Scanner, post the Main.txt log and tell me how the computer is running.
pinkgirl
I still cannot add or remove programs. Thanks for all your help. Here is the Deckard's scan.



Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-06 01:45:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:28 AM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spelman.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566....gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://prince.spelman.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10167 bytes

-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-04 22:14:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-04 22:14:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-26 01:29:59 61440 --a------ C:\WINDOWS\system32\drivers\otcp.sys
2008-06-26 00:54:37 61440 --a------ C:\WINDOWS\system32\drivers\weia.sys
2008-06-25 22:24:30 61440 --a------ C:\WINDOWS\system32\drivers\otqw.sys
2008-06-24 23:14:00 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\Identities
2008-06-24 23:14:00 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\AOL
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\WINDOWS
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Templates
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Start Menu
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\SendTo
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Recent
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\PrintHood
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\NetHood
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\My Documents
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Local Settings
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Favorites
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Desktop
2008-06-24 23:13:59 0 d---s---- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Cookies
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\You've Got Pictures Screensaver
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\SampleView
2008-06-24 23:13:59 0 d---s---- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\Microsoft
2008-06-24 23:13:58 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\NTUSER.DAT
2008-06-23 19:09:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-06-23 19:09:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 19:09:05 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 19:09:05 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 19:09:05 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 19:09:05 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 19:09:05 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 19:09:04 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 19:09:04 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 18:57:12 0 d-------- C:\Program Files\CCleaner
2008-06-17 23:03:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-17 23:02:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 23:02:44 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 01:25:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 21:43:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-16 21:17:04 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-06-16 21:16:25 0 d-------- C:\WINDOWS\Downloaded Installations


-- Find3M Report ---------------------------------------------------------------

2008-07-04 13:25:05 0 d-------- C:\Program Files\Java
2008-06-29 22:59:31 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-18 21:38:38 0 d-------- C:\Program Files\Common Files
2008-06-18 21:36:02 0 d-------- C:\Program Files\Trend Micro
2008-06-15 15:00:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-24 21:30:49 256 --a------ C:\WINDOWS\system32\pool.bin
2008-05-22 18:38:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-22 18:36:45 0 d-------- C:\Program Files\Yahoo!
2008-05-22 18:22:20 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"VTTimer"="VTTimer.exe" [03/08/2005 08:33 AM C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [11/01/2005 09:15 AM C:\WINDOWS\system32\VTTrayp.exe]
"AGRSMMSG"="AGRSMMSG.exe" [10/14/2005 07:29 PM C:\WINDOWS\AGRSMMSG.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/03/2006 04:04 AM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 08:51 PM]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/16/2007 08:56 AM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 05:22 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 04:35 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
V CAST Music Monitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [11/30/2005 11:32:10 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/22/2006 4:33:24 PM]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [1/18/2006 8:52:09 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 10:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"




-- End of Deckard's System Scanner: finished at 2008-07-06 01:45:59 ------------




SifuMike
Pinkgirl,
  • Please double-click OTMoveIt2.exe to run it.
    (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\drivers\otcp.sys
    C:\WINDOWS\system32\drivers\weia.sys
    C:\WINDOWS\system32\drivers\otqw.sys


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

QUOTE
Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Reboot your computer, post the OTMoveIt2 log, and tell me how it is running.
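The three drivers listed for OTMoveIt2 above stand out in the Deckard's report for the same reasons a helper spots by eye: four-letter names, identical 61440-byte sizes, and creation dates inside the infection window. The same report also records policy values (DisableTaskMgr, NoDispBackgroundPage, NoDispScrSavPage) that account for the missing desktop background pinkgirl describes. The following is an added example written for this thread, not code from the Deckard's, HijackThis or OTMoveIt2 projects; it parses the report text as posted and surfaces both findings. The sample report lines are copied from this thread; the heuristics (name length, size grouping, which policy names count as restrictive) are this example's own assumptions, and the driver list is a review list, not a verdict.

```python
"""Triage helper for a Deckard's System Scanner (DSS) report.
Added example for this thread, not code from DSS, HijackThis or OTMoveIt2. It
parses the plain-text report posted above and surfaces two things a helper
checks by eye: drivers dropped with short random names and one shared size, and
policy values that explain the missing background and disabled Task Manager.
The sample is copied from the report; the heuristics are assumptions."""
import re
from collections import defaultdict

# Constructed sample: a subset of the DSS report lines posted in this thread.
SAMPLE_REPORT = r"""
-- Files created between 2008-06-06 and 2008-07-06 -----------------------------
2008-06-26 01:29:59 61440 --a------ C:\WINDOWS\system32\drivers\otcp.sys
2008-06-26 00:54:37 61440 --a------ C:\WINDOWS\system32\drivers\weia.sys
2008-06-25 22:24:30 61440 --a------ C:\WINDOWS\system32\drivers\otqw.sys
2008-06-23 19:09:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"""

# One "Files created" line: date time size attributes path [<verify info>]
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <[^>]*>)?$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>\d+) \(0x[0-9A-Fa-f]+\)$')

# Windows XP policy values under ...\Policies\System; a non-zero setting hides
# or disables something the user would normally be able to reach.
RESTRICTIVE_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
    "NoDispBackgroundPage": "Display Properties 'Desktop' (background) tab hidden",
    "NoDispScrSavPage": "Display Properties 'Screen Saver' tab hidden",
}


def parse_files(report):
    """Return the file entries of the 'Files created' section as dicts."""
    entries = []
    for line in report.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append({"date": m["date"], "size": int(m["size"]),
                            "attrs": m["attrs"], "path": m["path"]})
    return entries


def suspicious_drivers(entries, max_stem=4):
    """Flag .sys files under \\drivers\\ whose name is a short run of letters, or
    which share an exact size with another recent driver (heuristic: legitimate
    drivers can have short names too). Returns (path, size, same_size_peers)."""
    drivers = [e for e in entries
               if not e["attrs"].startswith("d")  # files, not directories
               and e["path"].lower().endswith(".sys")
               and "\\drivers\\" in e["path"].lower()]
    by_size = defaultdict(list)
    for e in drivers:
        by_size[e["size"]].append(e)
    flagged = []
    for e in drivers:
        stem = e["path"].rsplit("\\", 1)[-1][:-4]
        short_random_name = stem.isalpha() and len(stem) <= max_stem
        peers = len(by_size[e["size"]]) - 1
        if short_random_name or peers:
            flagged.append((e["path"], e["size"], peers))
    return flagged


def restrictive_policies(report):
    """Walk the Registry Dump and return (key, value_name, meaning) for every
    restrictive policy value that is switched on, in report order."""
    current_key, found = None, []
    for raw in report.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key and current_key.lower().endswith("policies\\system"):
            name, value = vm["name"], int(vm["value"])
            if name in RESTRICTIVE_POLICIES and value != 0:
                found.append((current_key, name, RESTRICTIVE_POLICIES[name]))
    return found


if __name__ == "__main__":
    for path, size, peers in suspicious_drivers(parse_files(SAMPLE_REPORT)):
        print(f"review driver: {path} ({size} bytes, {peers} same-size peer(s))")
    for key, name, meaning in restrictive_policies(SAMPLE_REPORT):
        print(f"policy on: {key}\\{name} -> {meaning}")
```

Run against the sample it lists the three drivers (each with two same-size peers) and three policy values: DisableTaskMgr under HKLM, and the two NoDisp* values under HKEY_USERS\.default, which is why the Desktop tab is missing for the logged-in user while HKCU itself reads 0. The driver heuristic is deliberately loose (short names like beep.sys or null.sys are legitimate), so its output is a list to verify against the file's signature and publisher, not a removal list.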




pinkgirl
File/Folder C:\WINDOWS\system32\drivers\otcp.sys moved successfully.
File/Folder C:\WINDOWS\system32\drivers\weia.sys moved successfully.
File/Folder C:\WINDOWS\system32\drivers\otqw.sys moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07072008_074339


It's running the same, but I still cannot add/remove programs.
pinkgirl
Here is a screen shot of the add/remove programs. Again thanks for all your help.
SifuMike



Do you have your Windows Installation CD?
pinkgirl
No, I don't. My school installs Windows free of charge for students, and that was a while ago and we didn't get the CD, they just installed it in our computer. I also neglected to mention that the pesky blue screen still comes up when I restart the computer, and states that your computer is infected with spyware.
SifuMike
Does not look good.
We need the Windows Installation CD to repair your system files.

Is your Symantec/Norton a cracked or illegal version?

Like I told you before, installing cracks DAMAGES A LOT of your computer!
The damage can't always be repaired, so a format and reinstall is the only solution in such cases.
I don't know if we can repair the damage on this computer!




Let's look in a different place for signs.

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
Save it to your desktop.
Press Save. Save it to your desktop.
A notepad file will open.
If no notepad opens then it will be on your desktop (where you saved it)
Post the content here in your reply.
Close HijackThis.



Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE,
Scan Options:
Scan Archives
Scan Mail Bases
then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:



Under Save as type select Text file write name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.
pinkgirl
The Symantec/Norton that I have is one that I have bought and I still have the cd.

Here is what you requested from Hijackthis.

HijackThis 2.0.2
Java™ 6 Update 6
Kaspersky Online Scanner


From what I remember from one of our previous posts the online scanner usually takes about 5 hours, so I will post that when it is available. Thanks.
SifuMike
QUOTE
Here is what you requested from Hijackthis.

HijackThis 2.0.2
Java™ 6 Update 6
Kaspersky Online Scanner



That is not correct. It is far too small.

Your screen shot of the add/remove programs show dozens of programs installed.

Try it again and post the complete listing.
pinkgirl
This is all that shows up in the log. See attached. Thanks.
SifuMike

QUOTE
My school installs Windows free of charge for students, and that was a while ago and we didnt get the cd, they just installed in our computer.

Is this a school computer?
pinkgirl
No, it's my own personal laptop. My computer only had Microsoft Works installed so they installed Microsoft Office for free. Maybe that's not what you are talking about??? Does this CD come with the computer when you first get it, because if so I might have that. I will go look in my computer box, but I have had my laptop for a couple of years, so I will see what I can find.

So I've been trying to think of a reason why I cannot add or remove programs all of a sudden. When I first got the Antivirus2008 I still could add or remove programs. I remember because I attempted to remove the virus from the list. So I was wondering why all of a sudden did this happen and wanted to see if this could be the reason.

When I was following the instructions from this tutorial

http://www.bleepingcomputer.com/forums/topic111715.html

it asked me to go into safe mode and use the user with administrator privileges. I have or had two users, my name and administrator. I picked administrator, even though I have never used that user before. After following the instructions, and then restarting in my regular user, my HijackThis log created these files. Could this be a reason why the add or remove feature is gone?


2008-06-25 22:24:30 61440 --a------ C:\WINDOWS\system32\drivers\otqw.sys
2008-06-24 23:14:00 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\Identities
2008-06-24 23:14:00 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\AOL
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\WINDOWS
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Templates
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Start Menu
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\SendTo
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Recent
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\PrintHood
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\NetHood
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\My Documents
2008-06-24 23:13:59 0 d--h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Local Settings
2008-06-24 23:13:59 0 dr------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Favorites
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Desktop
2008-06-24 23:13:59 0 d---s---- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Cookies
2008-06-24 23:13:59 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\You've Got Pictures Screensaver
2008-06-24 23:13:59 0 d-------- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\SampleView
2008-06-24 23:13:59 0 d---s---- C:\Documents and Settings\Administrator.YOUR-116316AA3E\Application Data\Microsoft
2008-06-24 23:13:58 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-116316AA3E\NTUSER.DAT
2008-06-23 19:09:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-06-23 19:09:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>



Also I wanted to note that besides the add/remove program and when my computer restarts and the box says "warning adware, etc." that are the only signs that my computer has a virus. The computer runs fine. All of my programs open and run correctly, and I am able to access the internet without any problems. Again, thanks for all your help.
SifuMike
QUOTE
My school installs Windows free of charge for students, and that was a while ago and we didnt get the cd, they just installed in our computer



You never answered my question.
You said your school put Windows XP on this computer, so why are they doing that? Sounds to me as if this is a school computer.

Due to the cracks you downloaded, I recommend you format and reinstall your Windows... as I already stated before.... it's already too late here and the malware present damaged your system.
We just can't fix all your problems.


pinkgirl
I answered the question in my reply. I said that this is my personal laptop. When you asked me the question I just automatically thought of the microsoft suite, and not windows itself.
SifuMike


I don't say this often, but I recommend you reformat and reinstall Windows.
pinkgirl
If my computer is running fine except for those two problems why would that cause me to have to reinstall Windows. Could you please explain that to me? Thanks for all your help.
SifuMike


Because I cannot fix all the bad stuff downloading cracks causes. You have been to two HJT forums and both helpers have removed the malware they saw, but still you are having problems.
It appears that you have damaged Windows files and you have no Windows Installation CD.
If you had that then maybe it would fix the system files - but only maybe.

When you download cracks you create many bad files and they are not detectable by the antivirus and antimalware programs.

Sometimes it is best to reformat and reinstall and start with a clean computer. I think this is one of those cases. Of course, that is up to you.

You can go to another forum and see what they say, but the simplest and safest solution is to reformat and reload.
SifuMike
Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.