Hi

Firstly I would like to say thanks to Shaba for helping me on my last post. :bigthumb:

I have 4 computers in my network and when one was infected through a link in msn messenger. I decided to scan my other computers and found that the Kaspersky online scan has detected 1 Virus & 5 infected files on another in my network. The scary thing is that the infected files are displaying my email address, which I have edited with ##### in the scan log for obvious reasons.

My Antivirus, Trojan Remover 6.6.0, Ad-aware or spybot detected nothing but I do have problems in shutting the system down. I have problems with deleting my recycle bin on occasions with nothing showing in there even though I know I have deleted files that should be visible and also with .avi files.

The error messages I get are

Error message when trying to delete recycle bin.
Cannot Delete Dc12 Access is Denied
Make sure the disk is not full or write protected
and that the file is currently not in use.

Clicking on .avi movie files I get an error box as follows

OS Windows XP Pro SP2
CPU AuthenticAMD, AMD AMD Athlon(tm)64
Processor 3500+ MMX @2220Mhz
Aplication Data
This has numerous scrambled letters & numbers to much to post here unless it may have some relation to the infection or not.



Firstly my HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:37:47 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe



Kaspersky online scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 15, 2007 12:34:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/05/2007
Kaspersky Anti-Virus database records: 320277
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 92098
Number of viruses found: 2
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:05:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\history.dat Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\key3.db Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Main Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Identities\{FC0BA1AE-1E1D-4B9B-988E-0A4E9B694403}\Microsoft\Outlook Express\Sent Items.dbx/[From "Gav & Linda" <#########@iinet.net.au>][Date Sat, 24 Mar 2007 00:23:18 +0800]/UNNAMED/setupwavtomp3.rar/setupwavtomp3.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Identities\{FC0BA1AE-1E1D-4B9B-988E-0A4E9B694403}\Microsoft\Outlook Express\Sent Items.dbx/[From "Gav & Linda" <#########@iinet.net.au>][Date Sat, 24 Mar 2007 00:23:18 +0800]/UNNAMED/setupwavtomp3.rar/setupwavtomp3.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Identities\{FC0BA1AE-1E1D-4B9B-988E-0A4E9B694403}\Microsoft\Outlook Express\Sent Items.dbx/[From "Gav & Linda" <#########@iinet.net.au>][Date Sat, 24 Mar 2007 00:23:18 +0800]/UNNAMED/setupwavtomp3.rar Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Identities\{FC0BA1AE-1E1D-4B9B-988E-0A4E9B694403}\Microsoft\Outlook Express\Sent Items.dbx/[From "Gav & Linda" <#########@iinet.net.au>][Date Sat, 24 Mar 2007 00:23:18 +0800]/UNNAMED Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Identities\{FC0BA1AE-1E1D-4B9B-988E-0A4E9B694403}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 4 skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\History\History.IE5\MSHist012007051420070515\index.dat Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Temp\~DF82C8.tmp Object is locked skipped
C:\Documents and Settings\Main Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Main Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Main Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Main Family\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP4\A0000569.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP4\A0000569.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP4\A0000569.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP9\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\AMD3500.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\WindowsPowerShell.evt Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT06d87.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06d8a.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Thanks for your time

Gavin

Please do not take this as a bump post or anything to hurray you along, I know by the number of posts that are here that you guys are pretty busy.

All I am posting for is to let you know that when you respond please don't take no reply from me over the next couple of days as resolved or similar as I will be away through work commitments over the next few days.

I will wait as required for your time the same as with all other users

Again thanks for your time

Gavin

G'Day Gavin, appears you did not see the information our administrator pinned to the thop of the forum for you:
If you have waited FOUR days for advice post here. http://forums.spybot.info/showthread.php?t=1137

I don't know if I can help or not, but I will give it a try if you still need help. I would like to look at a HJT log using the new Beta version, if you still need help, please do this:

1) Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThis log.
Copy and paste the contents of the log in your next reply

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

3) Post any error messages you receive "word for word"

Cheers

Hi there

Thanks for your reply but if you mean post in the wait four days thread, I did do that on the 21st.

I have the new HijackThis_V2 and the logs you requested below. I didn't rename the HijackThis.exe just let me know if I need to

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:26:34 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Hijackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7200 bytes





AC3Filter (remove only)
Acoustica CD/DVD Label Maker
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Photoshop 7.0
Adobe Reader 8
Age of Empires III
Alchemy 1.2sw
All Video Joiner 3.8
ArcSoft PhotoImpression
Athlon 64 Processor Driver
Auto Gordian Knot 2.27
AVG Anti-Spyware 7.5
AVI ReComp 1.2.3
AVI2Clipboard 2.18
AviSynth 2.5
Azureus
BookWorm Deluxe 1.01
BootSkin
Canon iP6600D
Canon iP6600D Memory Card Utility
Canon PhotoRecord
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
CoffeeCup Flash Photo Gallery - Registered
CoffeeCup Free DHTML Menu Builder
CoffeeCup Google SiteMapper
CoffeeCup PC TuneUp Pro
CoffeeCup Website Color Schemer
ComproDTV 2.5
ComproDVD 2
DAMN NFO Viewer Setup
Diamond Mine 1.5sw
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter 3.5.4.0
DVD Shrink 3.2
Easy-WebPrint
EPSON TWAIN 5
ffdshow (remove only)
GoldWave v5.19
Gordian Knot Rip Pack 0.35.0
High Definition Audio Driver Package - KB888111
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 2.0.0
Hotfix for MSXML 2 (KB887606)
Hotfix for Windows XP (KB319740)
Hotfix for Windows XP (KB889527)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB897338)
Hotfix for Windows XP (KB898900)
Hotfix for Windows XP (KB903234)
Hotfix for Windows XP (KB904412)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB907865)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912461)
Hotfix for Windows XP (KB912817)
Hotfix for Windows XP (KB913538)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB917021)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB918093)
Hotfix for Windows XP (KB918766)
Hotfix for Windows XP (KB919071)
Hotfix for Windows XP (KB924867)
Hotfix for Windows XP (KB924941)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
IconDeveloper Professional
IconPackager
Ipswitch WS_FTP Pro
Java(TM) SE Development Kit 6 Update 1
Java(TM) SE Runtime Environment 6 Update 1
Jazz Jackrabbit 2-Christmas Chronicles
Jazz Jackrabbit 2-The Secret Files
Kaspersky Online Scanner
LimeWire 4.12.11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Mummy Maze Deluxe 1.1
Mystery Case Files Huntsville
Mystery Case Files Prime Suspects
Mystery Case Files Ravenhearst
Nero 6 Ultra Edition
New Folder Here
NingPo MahJong Deluxe 1.04
Noah's Ark Deluxe 1.1
NVIDIA Drivers
Pack Vista Inspirat 1.1
PeerGuardian 2.0
Photo2DVD Studio Build 4.8.9.0
PHP Designer 2007 - Professional - version 5.3
PowerDVD
ProjectX 0.90.1
Realtek High Definition Audio Driver
Rocket Mania 1.01
RogueRemover 1.18
RollerCoaster Tycoon 3 Platinum
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Seven Seas Deluxe 1.13
SkinStudio
SolSuite
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Stronghold Crusader
SUPER © Version 2007.bld.22 (Mar 14, 2007)
Trojan Remover 6.6.0
Unlocker 1.8.5
Update for Windows XP (KB897663)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB907265)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922120)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6a
VideoMate Hybrid TV driver
VideoMate Hybrid TV driver
VideoReDo/Plus Version 2.5.3.500
VobSub v2.23 (Remove Only)
Winamp (remove only)
Window Washer
WindowBlinds
Windows Communication Foundation
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884883
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB894395
Windows XP Hotfix - KB896626
WinRAR archiver
WinZip
XviD 1.1 final uninstall
XviD MPEG4 Video Codec (remove only)
ZoneAlarm Anti-virus
Zuma Deluxe 1.0



Thaks for your time

G'Day Gavin, sorry, I did not see you had posted to the four day list at time I was looking at your HJT log.
Kaspersky is a good tool but alas it does not remove anything and the log is complex and frustrating. I will look at it but let's do some cleaning and see if we can't get your computer working properly.

Uninstall list: I am looking for security issues and malware, it's a chance for you to look for stuff you no longer use.

You have viewed this information: http://forums.spybot.info/showthread.php?t=7344

LimeWire 4.12.11 (your call)
http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059 and see this:
http://www.spywareinfo.com/articles/p2p/
http://pcpitstop.com/spycheck/p2p.asp
http://pcpitstop.com/spycheck/badtorrent.asp

Not a lot I can see but I do not know many of your programs, look to make sure nothing is there you do not know.


1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(these R1's are adware and yes, Yahoo is in bed with the enemy)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
see this: http://www.bleepingcomputer.com/startups/ALCMTR.EXE-240.html (optional)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run AVG Anti-Spyware according to the instructions in this link, make sure you delete or quarantine what it finds and post the scan report.
http://forums.security-central.us/showthread.php?t=3165


5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Please run System File Checker in case a corrupt or missing system file is causing your error messages:
http://www.updatexp.com/scannow-sfc.html

Restart the computer and post a new HJT log, the AVG Scan Report and your feedback/comments.

If you receive error messages, it is very important that you post them "word for word" just as Windows gives them to you.

Cheers...Phil

Hi Phil

Sorry it took a while but with work commitments I can't always get online.

I think the error messages that I get as in first post

Recycle Bin - (The Dc12 number is not always the same number.)
I googled this sometime ago and found that it may be a damaged or corrupt recycle bin. It doesn't do it all the time and appears to be linked when I have problems with the .avi files again not all the time.... After a reboot it is ok for a while. Some conflict or something and probably a separate issue to the virus.

Anyway I ran the AVG Spy scan & HijackThis but I can't seem to run the sfc /scannow all I get is a quick glimpse of a black box then nothing. Looks like similar to DOS box or something

I use the ATF Cleaner about once a week already along with updated ZoneAlarmAV, Adaware, spybot, AVGAntispyware, SpywareBlaster, Spybot - Search & Destroy & Window Washer.

You would think with this I should be ok :sad:

I am wondering if it is remnants of mIRC that is causing the infections to show on the Kaspersky, but why the Outlook Express infections showing my email address. Maybe I could do a scan through Trend Micro online scan.



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:27:04 AM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 6565 bytes






---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:02:56 AM 5/28/2007

+ Scan result:



:mozilla.14:C:\Documents and Settings\Main Family\Application Data\Mozilla\Firefox\Profiles\f5bdrrdh.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Main Family\Cookies\main_family@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end




Ta for your time.

Oh yeah I forgot to mention that all programs in my program list are accounted for and none that I don't know about.

Thanks for the feedback, let me say I don't use Kaspersky much because of the fact it will not fix what it finds. It is a good sacanner though. Navigate to those stored emails and clean them all out. Looks like they are stored sent items that may be infected. Scan again and see if you can get these:
Number of viruses found: 2
Number of infected objects: 8
to 0 (I do not need to see the scan results unless you have a question about a specific line item, then just post the item.

I will post instructions to run another good scan that will delete anything bad it finds.

Try this for the recycle bin issue:
http://www.dougknox.com/xp/scripts_desc/rec_bin.htm

System File Checker, have a look at this information, sounds like your issue:
http://groups.google.com/group/24hoursupport.helpdesk/browse_thread/thread/27dfd3df7937dad8/dcd16bd5c7c769b6?lnk=st&q=repair+system+file+checker&rnum=6&hl=en#dcd16bd5c7c769b6

You can also look though this list for anything that will help any of your issues:
http://www.kellys-korner-xp.com/xp_tweaks.htm


I have problems with the .avi files again not all the time..http://groups.google.com/groups/search?hl=en&q=avi+files+do+not+open&qt_s=Search

Let me know if any of the information helps.

Wondering why this is running all of the time? Looks to have to do with a camera's memory card? Can you tell me more about it.
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

AVG Anti-Spyware...do you own that program?

Let's try this scan to see what it will find and fix:
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Post those results and any information I requested.

Thanks...Phil

Hi Phil

Still ahaving probs with the sfc

Tried typing cmd into the run command and then sfc. I got to the File Checker but still no go.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Main Family>sfc

Microsoft(R) Windows XP Windows File Checker Version 5.1
(C) 1999-2000 Microsoft Corp. All rights reserved

Scans all protected system files and replaces incorrect versions with correct Mi
crosoft versions.

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/REVERT] [/PURGECACHE] [/CACHESIZE=x]


/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once at the next boot.
/SCANBOOT Scans all protected system files at every boot.
/REVERT Return scan to default setting.
/PURGECACHE Purges the file cache.
/CACHESIZE=x Sets the file cache size.

C:\Documents and Settings\Main Family>scannow
'scannow' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Main Family>/SCANNOW
'/SCANNOW' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Main Family>SCANNOW
'SCANNOW' is not recognized as an internal or external command,
operable program or batch file.

------------------


I added the recycle reg patch so will see how it goes. I haven't had an error since I have been trying to get this worked

out. I haven't seen the error message when I select a .avi file yet. The .avi will play ok but when I get the error just

selecting the file or when the folder is in thumb view and the .avi is loading I get an error box that is different to any

normal error message. It wouldn't have anything to do with the hidden thumb.db cache file would it.

------------------

Wondering why this is running all of the time? Looks to have to do with a camera's memory card? Can you tell me more about

it.
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

I am assuming it is the memory card slot in our printer and we also get a removable disk E from the printer. It is a Canon

Pixma iP6600D.

------------------

AVG Antispyware. I got this about 3 weeks ago when my daughters computer was overun. It is still in the trial mode atm. I

don't have it starting with windows as I try to keep the number of processes starting during boot up to a minimum.

------------------

I have deleted the files in Outlook Express. I didn't even know they were in there. I have unchecked save a copy of sent

items now. The files that I sent were not infected but somehow the ones in the sent items were.

------------------

A thumbs up you so far have it from

Number of viruses found: 2
Number of infected objects: 8

down to

Number of viruses found: 1
Number of infected objects: 3

These below are still being detected "Client-IRC.Win32.mIRC.62"

C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP4\A0000569.exe/stream/data0006 Infected:

not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP4\A0000569.exe/stream Infected:

not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP4\A0000569.exe NSIS: infected - 2

skipped


Just ran the Dr.Web

The Dr.Web has detected a program that I rely on and use frequently. It is associated with encoding guess what? .avi files when I require to convert a video capture from 50FPS to 25FPS and 2.1 stereo to 5.1 surround sound.

But after reading http://www.bleepingcomputer.com/startups/super.exe-7561.html
I think it will have to go.
Notice the "Added by the W32/Agobot-QT WORM/IRC". Bit of a coincidence you think with my problems and the infected.

Log File (Only detected 2)

SUPER.exe;C:\Program Files\eRightSoft\SUPER;Probably DLOADER.Trojan;Incurable.Moved.;
A0000038.dll;C:\System Volume Information\_restore{57B4767C-9F2E-428A-9AD6-527F3737BE5F}\RP1;Probably

BACKDOOR.Trojan;Incurable.Moved.;

Thanks again for your help

O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

I am assuming it is the memory card slot in our printer and we also get a removable disk E from the printer. It is a Canon I understand about the need to have it installed, I am questioning the need to run it everytime you boot, do you use it everytime you boot?
http://www.netsquirrel.com/msconfig/ <<< see this information
http://www.google.com/search?hl=en&q=System+Configuration+Utility&btnG=Search

_____________________________________

C:\System Volume Information\_restore <<< these are items backed up in your system restore files, they are protected files and the only way to clean them is like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

That will take care of any of those items being seen by different programs.

http://support.microsoft.com/kb/306084
http://www.google.com/search?hl=en&q=using+system+restore+in+Windows+XP&btnG=Google+Search

__________________________________________

System Files Checker is an important part of Windows, it is the only automatic way to scan System Files for missing or corrupt files and replace them from the Windows CD. I will post a few more links, but I have to believe that Microsoft will give you help with that issue if you ask for it. You would do that here:
http://support.microsoft.com/ <<< here you can get help by:

Need more help?
Contact a support professional by e-mail, online chat, or telephone.I would search for help for Windows XP. The folks are good about doing all they can to help, if you are patient.

I also bet there is something at the Kelly's Korner link if you take the time to look for it.

http://msdn2.microsoft.com/en-us/library/aa382541.aspx
http://www.google.com/search?hl=en&q=how+to+repair+System+File+Checker+&btnG=Search
There is even one free program: RJ System File Checker 2.0
You may be able to download and use. I would see what Technical Support can do first. This is the first time I have run into an issue of it not working.

Let me know if this information helps and share any information you get from Microsoft.

Thanks Phil

Ok I'll do the system restore and see what I can get done about the System file checker.

I have disabled the Memory Card Utility. I just thought it had to be part of the boot to make it work.

Thanks and I will see how it goes. Don't know if it is me but it appears to be running a little quicker and smoother

:bigthumb:

I have disabled the Memory Card Utility. I just thought it had to be part of the boot to make it work.Unless I miss my guess, you should have an entry in Start > All Programs > for this program:
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

If you need to use it, simply go to the entry and start the program. The same can be done with any program you are running in MSConfig that you only need once in a while. This will save resources and make the computer boot faster and run better.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.