Smitfraud-c.toolbar888 Help Urgently Needed!!!



allyok17
2007-04-20, 18:12
I would really appreciate any help you could give me.
I think I have a number of viruses one of which is smitfraud.
I have run Spybot, Symantec and the firewall countless times, all of which I always update before I scan. This does not remove all the viruses, and the most stubborn is the smitfraud one.

I stupidly have not backed up any of my work or photos and would be devastated if I had to format my drive to get rid of these viruses.

Any help you could give would be very much appreciated.

With thanks in advance,

Alison.

Following this post are the logs as requested in your forum, as I could not fit them all onto one post.

allyok17
2007-04-20, 18:14
Cont.

Online scan log report.

File Infection Status Path
BackWeb-8876480.exe Win32/Athsap!generic infected C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
tmp2.tmp.exe Win32/Vundo.CM infected D:\Documents and Settings\Alison\Local Settings\Temp\
tmp3.tmp.exe Win32/Darksma.AF infected D:\Documents and Settings\Alison\Local Settings\Temp\
tmp6.tmp.exe Win32/Vundo.CM infected D:\Documents and Settings\Alison\Local Settings\Temp\
tmp7.tmp.exe Win32/Darksma.AF infected D:\Documents and Settings\Alison\Local Settings\Temp\
smysmymr20070406[1] Win32/Vundo.CM infected D:\Documents and Settings\Alison\Local Settings\Temporary Internet Files\Content.IE5\6TZFGUC4\
apdproxy.exe Win32/Athsap!generic infected D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\
InCD.exe Win32/Athsap!generic infected D:\Program Files\Ahead\InCD\
ccApp.exe Win32/Athsap!generic infected D:\Program Files\Common Files\Symantec Shared\
PDVDServ.exe Win32/Athsap!generic infected D:\Program Files\CyberLink\PowerDVD\
daemon.exe Win32/Athsap!generic infected D:\Program Files\DAEMON Tools\
GoogleToolbarNotifier.exe Win32/Athsap!generic infected D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\
iTunesHelper.exe Win32/Athsap!generic infected D:\Program Files\iTunes\
jusched.exe Win32/Athsap!generic infected D:\Program Files\Java\jre1.5.0_11\bin\
ISStart.exe Win32/Athsap!generic infected D:\Program Files\Logitech\Video\
LogiTray.exe Win32/Athsap!generic infected D:\Program Files\Logitech\Video\
ManifestEngine.exe Win32/Athsap!generic infected D:\Program Files\Logitech\Video\
PicasaMediaDetector.exe Win32/Athsap!generic infected D:\Program Files\Picasa2\
qttask.exe Win32/Athsap!generic infected D:\Program Files\QuickTime\
VPTray.exe Win32/Athsap!generic infected D:\Program Files\Symantec AntiVirus\
ADeck.exe Win32/Athsap!generic infected D:\Program Files\VIAudioi\SBADeck\
kheebc.dll Win32/Vundo.CM infected D:\WINDOWS\
qonnkk.dll Win32/Vundo.CM infected D:\WINDOWS\
lsasss.exe Win32/Athsap!generic infected D:\WINDOWS\system32\
LVCOMSX.EXE Win32/Athsap!generic infected D:\WINDOWS\system32\
NeroCheck.exe Win32/Athsap!generic infected D:\WINDOWS\system32\
E_S4I0F2.EXE Win32/Athsap!generic infected D:\WINDOWS\system32\spool\drivers\w32x86\3\
tmp3.tmp.dll Win32/Darksma.AF infected D:\WINDOWS\system32\
tmp7.tmp.dll Win32/Darksma.AF infected D:\WINDOWS\system32\



Thanks,

Alison.
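The scan report above flags the same family (Win32/Athsap!generic) on a dozen unrelated vendors' launcher executables, each sitting in its own program folder, while the Vundo and Darksma hits are confined to the user's temp folders and the Windows directories. A later post in this thread carries a FindAWF report listing "bak" folders that hold copies of several of those same launchers. The following Python script is an added example (not code from the online scanner, FindAWF, or anyone in this thread): it parses both report formats from constructed excerpts of the posted logs, groups the detections by family and by where the file lives, and lists the flagged files that also have a bak copy. The location classes and both regular expressions are assumptions made for the example.

```python
"""Summarise an online scan report and cross-check it against FindAWF's bak
folders. Added example for this thread, not code from the scanner, FindAWF or
the forum helpers. Both excerpts are constructed from reports posted in the
thread and trimmed so the example runs offline."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the online scan report posted in the thread.
SCAN_REPORT = r"""
BackWeb-8876480.exe Win32/Athsap!generic infected C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
tmp2.tmp.exe Win32/Vundo.CM infected D:\Documents and Settings\Alison\Local Settings\Temp\
tmp3.tmp.exe Win32/Darksma.AF infected D:\Documents and Settings\Alison\Local Settings\Temp\
smysmymr20070406[1] Win32/Vundo.CM infected D:\Documents and Settings\Alison\Local Settings\Temporary Internet Files\Content.IE5\6TZFGUC4\
apdproxy.exe Win32/Athsap!generic infected D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\
daemon.exe Win32/Athsap!generic infected D:\Program Files\DAEMON Tools\
iTunesHelper.exe Win32/Athsap!generic infected D:\Program Files\iTunes\
PicasaMediaDetector.exe Win32/Athsap!generic infected D:\Program Files\Picasa2\
qttask.exe Win32/Athsap!generic infected D:\Program Files\QuickTime\
VPTray.exe Win32/Athsap!generic infected D:\Program Files\Symantec AntiVirus\
kheebc.dll Win32/Vundo.CM infected D:\WINDOWS\
lsasss.exe Win32/Athsap!generic infected D:\WINDOWS\system32\
tmp3.tmp.dll Win32/Darksma.AF infected D:\WINDOWS\system32\
"""

# Constructed excerpt of the FindAWF report posted later in the thread.
FINDAWF_REPORT = r"""
Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

14/01/2007 19:41 20,480 BackWeb-8876480.exe
1 File(s) 20,480 bytes

Directory of D:\PROGRA~1\DAEMON~1\BAK

12/11/2006 11:48 157,592 daemon.exe
1 File(s) 157,592 bytes

Directory of D:\PROGRA~1\ITUNES\BAK

30/10/2006 10:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of D:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of D:\PROGRA~1\PICASA2\BAK

01/02/2007 03:52 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of D:\PROGRA~1\QUICKT~1\BAK

25/10/2006 19:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of D:\PROGRA~1\SYMANT~1\BAK

27/05/2006 13:40 124,656 VPTray.exe
"""

# Assumed line formats: "name family infected path" and DIR-style listings.
SCAN_RE = re.compile(r"^(\S+)\s+(\S+)\s+infected\s+(.+)$")
DIR_RE = re.compile(r"^Directory of (.+)$")
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(\S+)$")


def location(path):
    """Coarse class for the directory a detected file lives in (assumed classes)."""
    p = path.lower()
    if "\\local settings\\temp\\" in p or "\\temporary internet files\\" in p:
        return "user temp"
    if "\\program files\\" in p:
        return "program folder"
    if "\\windows\\system32\\" in p:
        return "system32"
    if p.endswith("\\windows\\"):
        return "windows root"
    return "other"


def parse_scan(text):
    """One dict per detection line: name, family, path and location class."""
    entries = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            name, family, path = m.groups()
            entries.append({"name": name, "family": family, "path": path,
                            "where": location(path)})
    return entries


def summarize(entries):
    """family -> Counter of location classes, to see where each family sits."""
    out = defaultdict(Counter)
    for e in entries:
        out[e["family"]][e["where"]] += 1
    return out


def parse_bak(text):
    """filename (lower-cased) -> (bak directory, size in bytes) from FindAWF output."""
    found, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        d = DIR_RE.match(line)
        if d:
            current = d.group(1)
            continue
        f = FILE_RE.match(line)
        if f and current:
            found[f.group(2).lower()] = (current, int(f.group(1).replace(",", "")))
    return found


def correlate(entries, bak):
    """Flagged files that also have a copy in a bak folder, sorted by name."""
    return sorted(e["name"] for e in entries if e["name"].lower() in bak)


if __name__ == "__main__":
    entries = parse_scan(SCAN_REPORT)
    for family, where in summarize(entries).items():
        print(family, dict(where))
    print("flagged files with a bak copy:", correlate(entries, parse_bak(FINDAWF_REPORT)))
```

Run as a script it prints one line per family with the location breakdown, then the six launcher names that appear both in the scan and in a bak folder; apdproxy.exe is flagged by the scanner but has no bak entry in the excerpt, because the posted FindAWF report is cut off before the end.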

allyok17
2007-04-20, 18:55
Cont.

Hijack this log report.


Logfile of HijackThis v1.99.1
Scan saved at 16:47:19, on 20/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
D:\VSTASCAN\vsaccess.exe
D:\Program Files\Common Files\Teleca Shared\Generic.exe
D:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Alison\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {bbc03794-4697-4d17-9c35-8ddebc7c7ae5} - D:\WINDOWS\system32\msd12n.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] D:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "D:\WINDOWS\kheebc.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: UMAX VistaAccess.lnk = D:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: msd12n - D:\WINDOWS\SYSTEM32\msd12n.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe


Hope I've given you everything you need for now,

thanks in anticipation,

Alison.

Blade81
2007-04-25, 16:33
Hi and welcome to the Board

I'm Blade and I am going to try to help you with your problem. Please take a note of five things.

1. I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
4. If you don't know, stop and ask! Don't keep going on.
5. Please reply to this thread. Do not start a new topic.



Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

http://siri.urz.free.fr/Fix/Bitmaps/Folder.png

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

http://siri.urz.free.fr/Fix/Bitmaps/Fix01b.jpg

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt


Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

allyok17
2007-04-26, 15:34
Hi Blade, and thank you for taking the time out to help me with this problem.

Below are the log results as requested,

Hope you have everything you need for the time being.

SmitFraudFix v2.171

Scan done at 13:21:26.48, 26/04/2007
Run from D:\Documents and Settings\Alison\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\WINDOWS\system32\svehost.exe
D:\WINDOWS\system32\clcl6.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\dllhost.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
D:\VSTASCAN\vsaccess.exe
D:\Program Files\Common Files\Teleca Shared\Generic.exe
D:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Alison


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Alison\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Alison\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SMC EZ Connect USB/Ethernet Series Converter - Packet Scheduler Miniport
DNS Server Search Order: 194.168.8.100
DNS Server Search Order: 194.168.4.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1D032803-B1DC-43B3-A627-B3D25B2E9A84}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1D032803-B1DC-43B3-A627-B3D25B2E9A84}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1D032803-B1DC-43B3-A627-B3D25B2E9A84}: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.8.100 194.168.4.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 13:28:00 26/04/2007

Listing files found while scanning....

D:\WINDOWS\system32\tmp7.tmp.dll

Beginning removal...

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 13:47:28, on 26/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\WINDOWS\system32\svehost.exe
D:\WINDOWS\system32\clcl6.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\dllhost.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
D:\VSTASCAN\vsaccess.exe
D:\Program Files\Common Files\Teleca Shared\Generic.exe
D:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\Documents and Settings\Alison\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Intel system tool] D:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl6] D:\WINDOWS\system32\clcl6.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: UMAX VistaAccess.lnk = D:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thanks once again,

Alison.

Blade81
2007-04-26, 17:28
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.


Running HijackThis
-------------------

Start hjt, click do a system scan only, check:
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll
O4 - HKLM\..\Run: [Intel system tool] D:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl6] D:\WINDOWS\system32\clcl6.exe

Close all browsers & other windows and click fix checked.



==============================

Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)



Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Deleting files
------------------------

Delete following files, if found:
D:\WINDOWS\system32\tmp2.tmp.dll
D:\WINDOWS\system32\svehost.exe
D:\WINDOWS\system32\clcl6.exe



Running temp cleaner & AVG Anti-Spyware
---------------------------------------



Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the Save Scan Report button before you have clicked the Apply all Actions button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.




Download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe)

Save to desktop and run. Output is to awf.txt

If a DOS window does not stay open throughout the search (approx a minute) you need to change how the program runs. Here's how:

1. Locate the file
2. Right-click and select Properties
3. Select Compatibility and select Run this program in compatibility mode for: Windows 98/Windows ME and click OK.
4. The tool should now work.


Post AVG Anti-Spyware log, a fresh HJT log and contents of awf.txt
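The lines the helper singles out above are the ones that were not in the first HijackThis log but turned up in the second, plus a BHO with no name. To show how two posted HijackThis logs can be compared mechanically, here is an added Python example; it is not code from HijackThis, SmitfraudFix or anyone in this thread. It embeds constructed excerpts of the 20/04 and 26/04 logs, reports which R/O lines appeared or disappeared between them, and attaches two heuristic signals to each line: an executable whose name is one edit away from a real Windows binary (svehost.exe against svchost.exe, lsasss.exe against lsass.exe) and a Run value whose name has nothing to do with the file it starts. The SYSTEM_BINARIES list, the regular expressions and the signal rules are assumptions made for the example.

```python
"""Diff two HijackThis logs and shortlist new autostart entries for review.
Added example for this thread; not code from HijackThis, SmitfraudFix or the
forum helpers. The log excerpts are constructed from lines posted in the
thread and trimmed so the example runs offline."""
import re

# Constructed excerpt of the first HJT log (20/04/2007) posted in the thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark_X79-55] D:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "D:\WINDOWS\kheebc.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: msd12n - D:\WINDOWS\SYSTEM32\msd12n.dll
"""

# Constructed excerpt of the second HJT log (26/04/2007), after the first fixes.
LOG_AFTER = r"""
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Intel system tool] D:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl6] D:\WINDOWS\system32\clcl6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
"""

ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - ")                      # an HJT R/O line
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\]")  # Run value name
# Real Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_BINARIES = ["svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe"]


def parse_hjt(text):
    """Return the R/O entry lines of a HijackThis log, in order, without duplicates."""
    seen = []
    for line in text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line) and line not in seen:
            seen.append(line)
    return seen


def diff_logs(before, after):
    """(entries new in `after`, entries gone since `before`)."""
    b, a = parse_hjt(before), parse_hjt(after)
    return [l for l in a if l not in b], [l for l in b if l not in a]


def levenshtein(a, b):
    """Edit distance; used to spot file names that mimic real system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def signals(line):
    """Heuristic review signals for one HJT line; an empty list means nothing odd."""
    out = []
    if line.startswith("O2 - BHO: (no name)"):
        out.append("BHO with no name")
    m = PATH_RE.search(line)
    if not m:
        return out
    parent, _, base = m.group(1).lower().rpartition("\\")
    for real in SYSTEM_BINARIES:
        if base != real and levenshtein(base, real) == 1:
            out.append(f"{base} is one edit away from {real}")
    run = RUN_RE.match(line)
    if run and parent.endswith(("\\windows", "\\windows\\system32")):
        stem = base.rsplit(".", 1)[0]
        if stem not in run.group(1).lower():
            out.append(f"Run value [{run.group(1)}] does not match file {base}")
    return out


def triage(before, after):
    """New entries paired with their signals, plus the entries that disappeared."""
    added, removed = diff_logs(before, after)
    return {"new": [(l, signals(l)) for l in added], "removed": removed}


if __name__ == "__main__":
    result = triage(LOG_BEFORE, LOG_AFTER)
    print("Gone since the previous log:")
    for line in result["removed"]:
        print("  -", line)
    print("New since the previous log (review these first):")
    for line, why in result["new"]:
        print("  +", line, *("\n      " + w for w in why))
```

The rules are deliberately loose: a legitimate entry such as [NeroFilterCheck] starting NeroCheck.exe from system32 would trip the name-mismatch check, so the output is a shortlist for the person reading the log, in the same spirit as the helper's "check these lines" instruction, rather than a list of things to delete.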

allyok17
2007-04-27, 12:52
Hi Blade,

Managed to do everything you said until rebooting in safe mode when my computer just froze before reboot was complete. This is where I have come unstuck and need further advice.

Previously you gave me three items to check and delete in HJT I could only find one of them so have deleted that one only, it was:

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll


Could this be the reason my computer won't boot up in safe mode?

I await further instructions from you,
thanks again,

Alison.

Blade81
2007-04-27, 15:13
Hi


> Managed to do everything you said until rebooting in safe mode when my computer just froze before reboot was complete. This is where I have come unstuck and need further advice.

If you can't access safe mode then try to do those steps in normal mode.



> Previously you gave me three items to check and delete in HJT I could only find one of them so have deleted that one only, it was:
>
> O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - D:\WINDOWS\system32\tmp2.tmp.dll
All those hjt lines may not be found anymore.

Post me the logs when you've finished. :)

allyok17
2007-04-29, 17:26
Hi Blade,

The full avg scan would not perform at all it just kept freezing so I did the next scan on the list, here is the log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:10:24 28/04/2007

+ Scan result:



D:\Documents and Settings\Alison\Cookies\alison@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\Alison\Cookies\alison@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.


::Report end

This is not showing some other spyware which was picked up before it froze on the full scan.


I was unable to scan with AWF as this just froze completely.


Sorry it's taken me so long to get back to you but I just kept trying it again and again thinking it might just work:sad:

Thanks again,

Alison.

allyok17
2007-04-29, 17:55
Hi Blade,

Have just found these reports on my desktop, don't know if they are of any use to you, not sure if they are complete, but they seem to be from the AWF scan.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

14/01/2007 19:41 20,480 BackWeb-8876480.exe
1 File(s) 20,480 bytes

Directory of D:\PROGRA~1\DAEMON~1\BAK

12/11/2006 11:48 157,592 daemon.exe
1 File(s) 157,592 bytes

Directory of D:\PROGRA~1\ITUNES\BAK

30/10/2006 10:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of D:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of D:\PROGRA~1\PICASA2\BAK

01/02/2007 03:52 366,400 PicasaMediaDetector.exe
1 File(s) 366,400 bytes

Directory of D:\PROGRA~1\QUICKT~1\BAK

25/10/2006 19:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of D:\PROGRA~1\SYMANT~1\BAK

27/05/2006 13:40 124,656 VPTray.exe
1 File(s) 124,656 bytes

Directory of D:\WINDOWS\EHOME\BAK

10/08/2004 05:04 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of D:\WINDOWS\SYSTEM32\BAK

10/08/2004 13:00 15,360 ctfmon.exe
08/10/2004 12:52 221,184 LVCOMSX.EXE
09/07/2001 11:50 155,648 NeroCheck.exe
3 File(s) 392,192 bytes

Directory of D:\PROGRA~1\AHEAD\INCD\BAK

23/03/2006 18:06 1,398,272 InCD.exe
1 File(s) 1,398,272 bytes

Directory of D:\PROGRA~1\COMMON~1\SYMANT~1\BAK

25/03/2006 05:14 53,408 ccApp.exe
1 File(s) 53,408 bytes

Directory of D:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/11/2004 21:24 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of D:\PROGRA~1\LOGITECH\VIDEO\BAK

18/01/2005 18:47 458,752 ISStart.exe
18/01/2005 18:37 217,088 LogiTray.exe
18/01/2005 18:07 196,608 ManifestEngine.exe
3 File(s) 872,448 bytes

Directory of D:\PROGRA~1\VIAUDIOI\SBADECK\BAK

03/12/2006 15:29 512,000 ADeck.exe
1 File(s) 512,000 bytes

Directory of D:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

04/02/2007 11:39 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of D:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

15/12/2006 04:23 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of D:\PROGRA~1\SONYER~1\MOBILE2\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of D:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

07/06/2005 00:46 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

11/09/2003 04:00 99,840 E_S4I0F2.EXE
1 File(s) 99,840 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

BACKWE~1.EXE
DAEMON.EXE
ITUNES~1.EXE
PICASA~1.EXE
QTTASK.EXE
VPTRAY.EXE
EHTRAY.EXE
CTFMON.EXE
LVCOMSX.EXE
NEROCH~1.EXE
INCD.EXE
CCAPP.EXE
PDVDSERV.EXE
ISSTART.EXE
LOGITRAY.EXE
MANIFE~1.EXE
ADECK.EXE
GOOGLE~1.EXE
JUSCHED.EXE
APDPROXY.EXE
E_S4I0F2.EXE


Thanks,

Alison.:oops:

Blade81
2007-04-29, 21:21
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

if exist C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BackWeb-8876480.exe del /q C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BackWeb-8876480.exe
copy /y C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK\BackWeb-8876480.exe C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BackWeb-8876480.exe

if exist D:\PROGRA~1\DAEMON~1\daemon.exe del /q D:\PROGRA~1\DAEMON~1\daemon.exe
copy /y D:\PROGRA~1\DAEMON~1\BAK\daemon.exe D:\PROGRA~1\DAEMON~1\daemon.exe

if exist D:\PROGRA~1\ITUNES\iTunesHelper.exe del /q D:\PROGRA~1\ITUNES\iTunesHelper.exe
copy /y D:\PROGRA~1\ITUNES\BAK\iTunesHelper.exe D:\PROGRA~1\ITUNES\iTunesHelper.exe

if exist D:\PROGRA~1\PICASA2\PicasaMediaDetector.exe del /q D:\PROGRA~1\PICASA2\PicasaMediaDetector.exe
copy /y D:\PROGRA~1\PICASA2\BAK\PicasaMediaDetector.exe D:\PROGRA~1\PICASA2\PicasaMediaDetector.exe

if exist D:\PROGRA~1\QUICKT~1\qttask.exe del /q D:\PROGRA~1\QUICKT~1\qttask.exe
copy /y D:\PROGRA~1\QUICKT~1\BAK\qttask.exe D:\PROGRA~1\QUICKT~1\qttask.exe

if exist D:\PROGRA~1\SYMANT~1\VPTray.exe del /q D:\PROGRA~1\SYMANT~1\VPTray.exe
copy /y D:\PROGRA~1\SYMANT~1\BAK\VPTray.exe D:\PROGRA~1\SYMANT~1\VPTray.exe

if exist D:\WINDOWS\EHOME\ehtray.exe del /q D:\WINDOWS\EHOME\ehtray.exe
copy /y D:\WINDOWS\EHOME\BAK\ehtray.exe D:\WINDOWS\EHOME\ehtray.exe

if exist D:\WINDOWS\SYSTEM32\ctfmon.exe del /q D:\WINDOWS\SYSTEM32\ctfmon.exe
copy /y D:\WINDOWS\SYSTEM32\BAK\ctfmon.exe D:\WINDOWS\SYSTEM32\ctfmon.exe

if exist D:\WINDOWS\SYSTEM32\LVCOMSX.EXE del /q D:\WINDOWS\SYSTEM32\LVCOMSX.EXE
copy /y D:\WINDOWS\SYSTEM32\BAK\LVCOMSX.EXE D:\WINDOWS\SYSTEM32\LVCOMSX.EXE

if exist D:\WINDOWS\SYSTEM32\NeroCheck.exe del /q D:\WINDOWS\SYSTEM32\NeroCheck.exe
copy /y D:\WINDOWS\SYSTEM32\BAK\NeroCheck.exe D:\WINDOWS\SYSTEM32\NeroCheck.exe

if exist D:\PROGRA~1\AHEAD\INCD\InCD.exe del /q D:\PROGRA~1\AHEAD\INCD\InCD.exe
copy /y D:\PROGRA~1\AHEAD\INCD\BAK\InCD.exe D:\PROGRA~1\AHEAD\INCD\InCD.exe

if exist D:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe del /q D:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
copy /y D:\PROGRA~1\COMMON~1\SYMANT~1\BAK\ccApp.exe D:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe

if exist D:\PROGRA~1\CYBERL~1\POWERDVD\PDVDServ.exe del /q D:\PROGRA~1\CYBERL~1\POWERDVD\PDVDServ.exe
copy /y D:\PROGRA~1\CYBERL~1\POWERDVD\BAK\PDVDServ.exe D:\PROGRA~1\CYBERL~1\POWERDVD\PDVDServ.exe

if exist D:\PROGRA~1\LOGITECH\VIDEO\ISStart.exe del /q D:\PROGRA~1\LOGITECH\VIDEO\ISStart.exe
copy /y D:\PROGRA~1\LOGITECH\VIDEO\BAK\ISStart.exe D:\PROGRA~1\LOGITECH\VIDEO\ISStart.exe

if exist D:\PROGRA~1\LOGITECH\VIDEO\LogiTray.exe del /q D:\PROGRA~1\LOGITECH\VIDEO\LogiTray.exe
copy /y D:\PROGRA~1\LOGITECH\VIDEO\BAK\LogiTray.exe D:\PROGRA~1\LOGITECH\VIDEO\LogiTray.exe

if exist D:\PROGRA~1\LOGITECH\VIDEO\ManifestEngine.exe del /q D:\PROGRA~1\LOGITECH\VIDEO\ManifestEngine.exe
copy /y D:\PROGRA~1\LOGITECH\VIDEO\BAK\ManifestEngine.exe D:\PROGRA~1\LOGITECH\VIDEO\ManifestEngine.exe

if exist D:\PROGRA~1\VIAUDIOI\SBADECK\ADeck.exe del /q D:\PROGRA~1\VIAUDIOI\SBADECK\ADeck.exe
copy /y D:\PROGRA~1\VIAUDIOI\SBADECK\BAK\ADeck.exe D:\PROGRA~1\VIAUDIOI\SBADECK\ADeck.exe

if exist D:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\GoogleToolbarNotifier.exe del /q D:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\GoogleToolbarNotifier.exe
copy /y D:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK\GoogleToolbarNotifier.exe D:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\GoogleToolbarNotifier.exe

if exist D:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\jusched.exe del /q D:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\jusched.exe
copy /y D:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK\jusched.exe D:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\jusched.exe

if exist D:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\apdproxy.exe del /q D:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\apdproxy.exe
copy /y D:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK\apdproxy.exe D:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\apdproxy.exe

if exist D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I0F2.EXE del /q D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I0F2.EXE
copy /y D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK\E_S4I0F2.EXE D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I0F2.EXE


Go to File > Save As
Save File name as "Fix.bat" (including quotes)
Save the file to your Desktop.

Don't do anything with this yet!

We'll try to run the AVG scan again soon, so have the instructions ready (get those from my earlier reply if needed). Run Windows Defragment against your hard drives (right-click the hard drive in the My Computer screen and select Properties. On the Tools tab click Defragment Now.).


Reboot into safe mode.

Double-click on fix.bat you created earlier. After that run AVG as instructed. Reboot back into normal mode. Post a fresh HJT log and AVG log.

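As an added example that is not part of this thread or of FindAWF itself: a Python script that reads the "bak folders found" section of awf.txt and produces the same del/copy pairs Blade81 wrote by hand, skipping BAK folders that hold no files (as the MESSEN~1 and SONYER~1 entries do above). The report excerpt inside is constructed from the listing in this thread, and the line layout FindAWF writes is assumed to match it.

```python
import re

# Constructed excerpt in the layout FindAWF's awf.txt uses (values taken from the
# report in this thread; not the complete file).
SAMPLE_REPORT = r"""bak folders found
Directory of D:\PROGRA~1\DAEMON~1\BAK
12/11/2006 11:48 157,592 daemon.exe
1 File(s) 157,592 bytes
Directory of D:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of D:\WINDOWS\SYSTEM32\BAK
10/08/2004 13:00 15,360 ctfmon.exe
08/10/2004 12:52 221,184 LVCOMSX.EXE
09/07/2001 11:50 155,648 NeroCheck.exe
3 File(s) 392,192 bytes
Duplicate files of bak directory contents
"""

DIR_RE = re.compile(r"^Directory of (.+\\BAK)$", re.IGNORECASE)
# "date time size name": the DIR listing format FindAWF embeds in its report
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[\d,]+\s+(\S+)$")


def parse_bak_folders(report: str) -> dict[str, list[str]]:
    """Map each BAK directory to the files it holds; [] marks a '0 File(s)' folder."""
    folders: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files"):
            break  # the duplicate-name list that follows is not needed here
        if m := DIR_RE.match(line):
            current = m.group(1)
            folders[current] = []
        elif current is not None and (m := FILE_RE.match(line)):
            folders[current].append(m.group(1))
    return folders


def restore_commands(folders: dict[str, list[str]]) -> list[str]:
    """One 'if exist ... del /q' + 'copy /y' pair per backed-up file, as in fix.bat above."""
    lines: list[str] = []
    for bak_dir, names in folders.items():  # folders with no files add nothing
        parent = bak_dir[: -len(r"\BAK")]
        for name in names:
            target = f"{parent}\\{name}"  # the copy the malware replaced
            backup = f"{bak_dir}\\{name}"  # the original it moved into BAK
            lines.append(f"if exist {target} del /q {target}")
            lines.append(f"copy /y {backup} {target}")
            lines.append("")
    return lines
```

The generated lines are meant to be saved as a .bat and run from safe mode, as above, because del fails on an executable that is still running.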
allyok17
2007-04-30, 22:23
Hi Blade,

I tried to defrag both my drives but it would only work on D: drive, the following message came up when I tried to scan C: drive.



Disk Defragmenter has detected that chkdsk is scheduled to run on the volume: Local disk (C:).
Please run chkdsk/f.

Do you still want me to proceed with fix.bat in safe mode and AVG?

Cheers,

Alison.:scratch:

allyok17
2007-04-30, 22:25
Sorry that message should read:

Disk Defragmenter has detected that chkdsk is scheduled to run on the volume: Local disk (C:).
Please run chkdsk/f.

Alison.

Blade81
2007-05-01, 15:02
Hi

Looks like your C: drive has errors that prevent defragmenting. Follow these four steps and then try to defrag again.

1. Boot your computer with the Windows XP CD.
2. Select the option to use the "Repair with Recovery Console"
3. Type chkdsk C: /r [Enter] (use the bad drive letter)
4. When it's finished, enter EXIT to restart.

allyok17
2007-05-02, 12:25
Hi Blade,

Have looked everywhere for the windows xp cd, and can't find it. Is there any other way to get round this problem or am I going to have to go out and buy one?

Sorry about this,

Alison.:oops:

Blade81
2007-05-02, 16:56
Hi

If you've got a friend with XP media ask him/her if you could borrow it. Otherwise there isn't much we can do.

allyok17
2007-05-02, 18:50
Hi Blade,

Will ask around and let you know in the next day or two, sorry for any inconvenience.

Thanks,

Alison.:red:

allyok17
2007-05-05, 10:39
Hi Blade,

My nephew in London has the xp cd and is going to bring it up to Manchester for me on Tuesday.:bigthumb:

Hope you don't mind waiting this long and haven't given up on me!!:banghead:

thanks again,

Alison.:red:

Blade81
2007-05-05, 21:42
Hi Alison

Thanks for letting us know. I'll be waiting :)

allyok17
2007-05-12, 21:35
Hi Blade,

I now have the xp cd.:yes:

Could you please advise me how to get my computer to boot from the CD, as when I have put it in before rebooting it just boots up normally and I can't seem to find "repair with recovery console" when I look at the disk's contents.:oops:

Many thanks,

Alison.:bigthumb:

Blade81
2007-05-13, 11:35
Hi

Looks like you need to change the boot order through the BIOS. Check the 'Configuring Your Computer to Boot from CD' part (in the first post) here (http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html)

allyok17
2007-05-14, 10:49
Hi Blade,

Have managed to start booting up with cd but then it asks for the administrator password, I have typed this in and it is not recognising it. :sad:

Is there a way round this or will I have to find another disk with the correct administrator password?

I'm so sorry for all this inconvenience but really appreciate your patience.:red:

Many thanks,

Alison.

Blade81
2007-05-14, 19:19
Hi

It seems you're trying to use the wrong account's password. If you don't know the administrator password then I'm afraid you need to reinstall the system. :sad: The administrator password doesn't depend on the disc you use.

allyok17
2007-05-16, 10:33
Hi Blade,

Will I lose all the information I have on the C drive if I reinstall the cd?

Cheers,

Alison.:red:

Blade81
2007-05-16, 18:01
Yes, unfortunately you'll lose all files. If you have pictures, videos or something else that needs to be backed up I recommend doing so. Here (http://spyware-free.us/tutorials/reformat/) are very good and detailed instructions about reformatting XP.

allyok17
2007-05-17, 15:59
Hi Blade,:greeting:

I'll back up my work and then reformat the drive.

Thanks for the info, it will probably be a day or two before I can get it all done, once again many thanks for your patience.

Alison.:flowers:

allyok17
2007-05-21, 20:24
Hi Blade,

Have now backed up all my work but when I clicked on your link for help with formatting xp it only opened up an empty window.
Just wondered if you could tell me how to go about only formatting my C drive as I don't want to lose anything off my D drive.

Thanks,

Alison. :red:

Blade81
2007-05-21, 20:33
Hi

This (http://spyware-free.us/tutorials/reformat/main.html) one should work.

allyok17
2007-05-22, 14:41
Hi Blade,

:sad: Sorry, no luck with that one either.
It just said that the requested document was not found on this server.

Alison.

Blade81
2007-05-22, 16:20
Hi

Now it's here (http://spyware-free.us/tutorials/reformat/) again. Looks like wng_z3r0 has made some updates to it.

tashi
2007-05-30, 18:46
This topic has been moved to archives to prevent others with similar issues posting to it. :)

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.

tashi
2007-06-04, 18:38
Re-opened upon request. :)

allyok17
2007-06-07, 16:17
Hi Blade,

Sorry not been in touch sooner but have been ill.:sad:

I am struggling to format the old drive as I don't understand what to do about the partitioning, does this have anything to do with me having two drives? Like would it think that because I have two drives there is a partition there dividing one drive into two??:scratch:

Sorry if I sound dumb but really unsure what to do.:red:

Many thanks,

Alison.

Blade81
2007-06-07, 17:00
Hi!

Partitioning means dividing a selected physical drive into one or more pieces. I'll try to shed more light on this with the following example.

Let's assume we have two physically different drives. I format the first one and decide to split its space into two different partitions. On one of these I install Windows. After installation is done and Windows has started up I can see in the My Computer window three different hard drives (plus CD/DVD drive(s) if installed).

If you need further help with formatting and reinstalling Windows I recommend asking for help at forums like PC Pitstop (http://forums.pcpitstop.com/). We focus mainly on malware removal here. :)