PDA

View Full Version : Kaspersky says I have 7 viruses


morganfam7
2007-12-29, 08:34
Symptoms: My computer has been extremely slow the last few weeks. May be unrelated due to monitor or onboard video: My monitor image shrinks to 1/3 normal size located in the center top of the screen. I have adjusted the refresh rate but that doesn't help. Turning the monitor off and on sometimes helps. Restarting always fixes it.

1) My son said to look for spoolsv. I found 5 copies of spoolsv by searching my hard drive. I scanned each one with Virus Total. Two of them said that there were known vulnerabilities but otherwise they were all OK.
2) I booted in safe mode and scanned with Spybot. No threats were found.
3) I rebooted and scanned with Kaspersky online which said I was infected with 7 viruses in zip files contained in Application Data/Spybot..../Recovery/MyTotalSearchBar... Some of these say "Infected: not a virus...."
4) I rebooted in safe mode and scanned with Spybot. No threats found.
5) Then I ran Hijackthis.

Thanks for your help!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 28, 2007 1:57:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/12/2007
Kaspersky Anti-Virus database records: 498958
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 147927
Number of viruses found: 7
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 02:53:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar1.zip/MTSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bf skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar10.zip/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar11.zip/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar13.zip/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar14.zip/F3CJPEG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar18.zip/MTSHTMMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar5.zip/MTSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ap skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar6.zip/MTSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar7.zip/MTSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar8.zip/MTSHTMMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar9.zip/MTSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Autokad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Application Data\Identities\{F9E14D1B-BA6E-4B06-BD62-D822BDEA170B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Application Data\Identities\{F9E14D1B-BA6E-4B06-BD62-D822BDEA170B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Application Data\Identities\{F9E14D1B-BA6E-4B06-BD62-D822BDEA170B}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Autokad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Autokad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Autokad\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\00015.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_728.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

--------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:16 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ATWTUSB.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Autokad.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hgtv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [atwtusb] RUNDLL32 FuncKey.DLL,ExtFuncCall AA
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_8742.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_8742.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_8742.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_8742.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_8742.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_8742.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9066 bytes
pskelley
2007-12-29, 23:57
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I really don't believe your monitor problems have anything to do with malware.

What is SPOOLSV.EXE >>> http://www.google.com/search?hl=en&q=SPOOLSV.EXE&btnG=Search
You have to be careful, while hackers can and do call their junk what they wish, this item is usually:

Note: spoolsv.exe could also be a Microsoft Windows system executable which handles the printing process. This program is important for the stable and secure running of your computer and should not be terminated.
If you want to check a file to find out if it is valid, right click it and look at the information in Properties. If it is a Microsoft file, it will say so. You can also use free online scans to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

All of the items Kaspsersky is locating except one are safely stored in the Spybot S&D Recovery folder, clean out that folder.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< that one
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

C:\WINDOWS\system32\f3PSSavr.scr <<< delete that file

Empty the Recycle Bin on your Desktop and your next Kaspersky scan should be clean.

I see no malware in the HJT log. Have a look here for information to speed up your computer.
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

The monitor issues are another problem, and tough to troubleshoot. The best way is to either borrow another monitor and try it, if there are no issues, you know it's the monitor, and you can also ask a friend to try your monitor on their computer.
Here are some troubleshooting ideas:
http://www.google.com/search?hl=en&q=troubleshoot+monitor+issues&btnG=Search

You can also run a free diagnostic at PCPitStop. The monitor is one of the hardware items checked during the diagnostic.
http://www.pcpitstop.com/pcpitstop/
If you register free, you will be able to save your Test Results and post a link for me to view them. I would be glad to see if I spot anything.
(I do not object to PCPitStop trying to sell stuff, I just do not suggest you purchase anything you do not want, and the diagnostic is totally free)

Thanks
morganfam7
2007-12-30, 07:27
Thanks for helping me! I did purge the recover file and I am scanning again with Kaspersky. I don't have a windows/system32 folder - at least I can't find it. I will search for the file to see if it is located elsewhere, but I won't delete until I hear that it's alright.

On our network, my son's computer had SmitFraud in his Spybot recover tab since March! Does that mean that I also have that? Does that mean that he is infected? He is currently running Kaspersky on his machine now and will upload logs in a new thread when he finishes HJT.

Again, thanks for your help!
pskelley
2007-12-30, 12:13
Thanks for the feedback, your System32 folder is in the C:\WINDOWS\system32\f3PSSavr.scr <<< delete that file
It may be that the folder is hidden, see this:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

So...open the C:\Windows\ folder and look alphabetically for the System32 folder and then look alphabetically for that file: f3PSSavr.scr and delete it. Then empty the Recycle Bin.
See this: http://www.google.com/search?hl=en&q=+f3PSSavr.scr+&btnG=Google+Search

Spybot S&D does remove some of the Smitfraud infection. Understand the "Recovery" folder is similiar to a quarantine folder. In "Recovery" it can do you no harm but you still have access in case an item was removed that should not have been (In ten years of using Spybot, this has never happened, but I have heard it can) and you need to return an item. Clean anything Spybot removes out of "Recovery" on a timely basis.
There is not much more I can say about your son's computer without seeing a HJT log and Kaspersky report.

Thanks
morganfam7
2007-12-30, 17:16
Yeah, I found it. I was looking in the files rather than folders. :oops:

I scanned with Kaspersky and it says I'm clean. I will now go on to the other items you suggested and post back a log. Thanks so much!

My son's HJT and Kaspersky logs are located here:
http://forums.spybot.info/showthread.php?t=21944

It says his computer has the downloader.bat.ftp.ca trojan. I did not find that particular trojan listed in the malware encyclopedia at Kaspersky, but an earlier variant/entry said it downloads and executes files without the users knowledge. bat means batch and ftp means file transfer protocol, right?, but what does ca mean? Also I noticed in his logs it lists bitcomet which is p2p. I insisted a few years ago that he remove the p2p software due to the legalities and malware that seemed obvious. I don't know if I should be asking that here or if he should ask there, so if I'm breaking protocol please forgive me. I would love to know if p2p is still operating and how to completely be free from it. Also my other son's computer is also on the network. Should all the logs have been posted under one thread or does each machine get a thread with a note that they are on the same network?

I really appreciate your time and help! It's so relieving to know that someone knows for sure and I don't have to navigate through my teens' knowledge. Now we can all learn together.
pskelley
2007-12-30, 17:33
I sent you a private message, watch for it. Here is closing information for you.

For your information:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

As far at p2p programs like BitComet go, you hit the nail on the head. It is available and can be used safely but is it legal. I will bet someone, somewhere is in court everyday trying to convice a judge they did nothing wrong "stealing" copywrited information.
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm