Unwanted Popups and disabled Control Panel
grateful26
2007-10-03, 03:50
Hi,
For the last day, I keep getting a pop up every 5 minutes saying
Windows Security Alert "warning! potential spyware operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unathorised access to your files! Click YES to download spyware remover ... " :oops:
I use AVG Free edition, and it recognized the virus, named "Trojan Horse Downloader.Small.AJY", and put it in the Vault. But there is one file that AVG also found, but it says the file is not a threat. This one:
C:\WINDOWS\System 32\drivers\etc\hosts :mad:
So I still have 2 problems: 1. the incessant popup mentioned above, and 2. I cannot access things like my Control Panel, or the Date function at the bottom right corner; there is a Restrictions error message saying: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator".
It seems the 'hosts' file is the problem, but it is something important so I likely shouldn't delete it.
I have done a few things like installing and running AVG Anti-Spyware 7.5 in safe mode, and it detected a few things and put them into Quarantine, but the problem persists. The other apps I used didn't find much. :sick:
Here is the HijackThis report from an hour ago:
Logfile of HijackThis v1.99.1
Scan saved at 6:47:30 PM, on 02/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
You rock for helping the online community, and it's refreshing to see people helping others. :angel:
I really appreciate any help regarding this problem. :)
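An added example, not part of the thread and not HijackThis code: a small Python triage script that parses HijackThis entry lines like the ones posted above and flags the kinds of entries that explain the symptoms (the chained Shell= value, executables dropped straight into the Startup folders, the System32 loader, the Policies\System restriction and the AppInit_DLLs value). The sample lines are copied from the log above; the "full path into System32" rule is my own heuristic, not a HijackThis rule.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in this thread, enough to exercise every rule below.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HijackThis entry line looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(F\d+|O\d+) - (.*)$")
# Heuristic: a Run value whose target is a full path directly inside System32
SYSTEM32_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe\b", re.IGNORECASE)


def parse_entries(log_text):
    """Return [(section, body)] for every entry line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_shell(body):
    # F2: the system.ini Shell= value should be Explorer.exe alone; anything chained
    # after it is started at every logon alongside the desktop.
    if not body.startswith("REG:system.ini: Shell="):
        return None
    extras = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
    return "Shell= chains extra program(s): " + " ".join(extras) if extras else None


def check_autostart(body):
    # O4 Startup-folder entries: a bare .exe (not a .lnk shortcut) placed directly in
    # a Startup folder is rarely how legitimate software installs itself.
    m = re.match(r"(?:Global )?Startup: (.+)$", body)
    if m:
        item = m.group(1)
        if ".lnk" not in item.lower() and item.lower().endswith(".exe"):
            return "executable placed directly in a Startup folder: " + item
        return None
    # O4 Run values: vendor software normally lives under Program Files, so a full
    # path straight into System32 deserves a look (heuristic, see lead-in).
    m = re.match(r"HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$", body)
    if m and SYSTEM32_EXE.match(m.group(2).strip('"')):
        return "Run value [%s] launches from System32: %s" % (m.group(1), m.group(2))
    return None


def check_policy(body):
    # O7: a value under ...\Policies\System. DisableRegedit=1 blocks regedit; the
    # "restrictions in effect on this computer" lockout reported in the thread is
    # the same policy mechanism, so every O7 line is worth reviewing.
    return "registry policy restriction set: " + body


def check_o20(body):
    # AppInit_DLLs is loaded into every process that maps user32.dll, so on a home
    # PC it should normally be empty; a non-.dll name like sulimo.dat is doubly odd.
    if body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            return "AppInit_DLLs loads %s into every GUI process" % value
    return None


RULES = {"F2": check_shell, "O4": check_autostart, "O7": check_policy, "O20": check_o20}


def triage(log_text):
    """Return [(section, reason)] for the entries that merit a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        rule = RULES.get(section)
        reason = rule(body) if rule else None
        if reason:
            findings.append((section, reason))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```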
Hi grateful26
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
grateful26
2007-10-03, 20:46
okay ... so I ran Combofix, and it made some changes (FYI - I'm running Spybot S&D, and it asked me if the changes that were proposed were okay, and I accepted them all - I dunno if that makes any difference) :sad:
Here is the log it produced:
ComboFix 07-10-03.7 - Pooria&Maryam 2007-10-03 13:25:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.93 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Pooria&Maryam\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Pooria&Maryam\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.
2007-10-03 13:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 18:46 218,112 --a------ C:\Program Files\HijackThis.exe
2007-10-02 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 00:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-02 00:31 <DIR> d-------- C:\VundoFix Backups
2007-10-01 17:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 17:04 12,288 --a------ C:\WINDOWS\svhjdsah.exe
2007-10-01 16:53 39,424 --a------ C:\WINDOWS\system32\vtr.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 18:47 4702 --a------ C:\Program Files\hijackthis.log
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-22 13:21 229732 --a------ C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_5703.exe
2007-07-22 02:32 765952 --------- C:\WINDOWS\UNNERO.exe
2007-07-22 02:32 532480 --------- C:\WINDOWS\system32\imagx5.dll
2007-07-22 02:32 507904 --------- C:\WINDOWS\system32\imagr5.dll
2007-07-22 02:32 35328 --------- C:\WINDOWS\system32\picn20.dll
2007-07-22 02:32 275312 --------- C:\WINDOWS\system32\ImagXpr5.dll
2007-07-22 02:32 106496 --------- C:\WINDOWS\system32\TwnLib20.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-10-27 01:32 C:\WINDOWS\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="" []
"SoundMan"="SOUNDMAN.EXE" [2002-09-10 22:57 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 05:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 01:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-26 15:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2001-10-02 16:23]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2007-02-05 05:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\sulimo.dat
R2 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atintuxx.sys
R2 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinxsxx.sys
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\System32\DRIVERS\CINEMSUP.SYS
R2 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\System32\DRIVERS\atinpdxx.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 13:27:50
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
----- and this is the updated HijackThis log -----
Logfile of HijackThis v1.99.1
Scan saved at 1:40:45 PM, on 03/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Thanks for your continued help Shaba! U rock. :cool:
Hi grateful26
This is the next step:
We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!
The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&DisplayLang=en
Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/ (http://www.windowsupdate.com/)
After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
grateful26
2007-10-04, 07:00
I tried to download Service Pack 1 from the link, but received the following error message:
Service Pack 1 Setup Error - Setup has detected that the Service Pack version of the system installed is newer than the update you are applying to it. You can only install this update on Service Pack 1.
My operating system disks came with Service Pack 2, and maybe it's not showing as being up to date, but I'm sure it has Service Pack 2.
Now I'll try to download all the updates...
grateful26
2007-10-04, 07:32
sorry ... I made a mistake ... pls completely disregard my post above. :oops:
okay, so I followed the SP 1a link and I get the "cannot find server" site, but every other site works! :eek:
I tried it both through Firefox and Int. Explorer.
It's weird ... is it possible that this is due to the virus/trojan thing?
Hi
Can you try downloading it using some other computer and, e.g., burn it to CD?
grateful26
2007-10-08, 20:36
I have a laptop, but it doesn't have a CD burner ... I don't know if this is being caused by the malware ... it's likely that it is, because I can access every other website BUT Microsoft's.
By the way, FYI, as of a couple of days ago, I can now access my Control Panel and all other Administrative functions, but AVG Anti-virus still finds the "non-threatening" file called "hosts", and I still cannot access the Microsoft website. I'm surprised that I was suddenly able to access my control panel and such so spontaneously. :eek:
So, I'm wondering ... is it possible to get rid of the malware first, so that I can download from Microsoft's website?
Thanks!
Hi
First thing is to install service pack 1.
Can you ask some friend to burn it for you to CD?
grateful26
2007-10-08, 20:52
By the way, I'm also running Residentshield and every 3 seconds or so, it keeps telling me that my default browser is being requested to change to another and do I authorise this. I said "deny change" and set it to "don't ask me again", but I see that every couple of seconds there is a new entry in that application asking the same question, and it automatically denies it.
Weird huh??? What do u think?
Thanks!
Hi
Not weird at all as you still have active viruses.
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Re-opened upon request.
See here (http://forums.techarena.in/showthread.php?t=252257)
and tell me if that helped.
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Re-opened.
grateful26, please post a fresh HijackThis log and tell me if my link helped.
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
grateful26
2007-12-12, 17:44
Okay here is the HijackThis log; I wanted to mention that I clicked on 'Do a System Scan and Save a Logfile' and it almost immediately gave me the result. I found that a bit odd because there is usually a longer time taken to scan, but maybe this program is different ... I thought it was worth mentioning. Nonetheless, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 10:39:51 AM, on 12/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {7AC00675-4BA7-4E21-8C47-1B5365B594BB} - c:\windows\system32\atippaxxd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: fzjetldg - C:\WINDOWS\SYSTEM32\atippaxxd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Hi
We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://subs.geekstogo.com/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; combofix should then continue.
If that happened we want to know, and also what process you had to end.
Post:
- a fresh HijackThis log
- combofix report
grateful26
2007-12-17, 20:29
ComboFix 07-12-17.1 - Pooria&Maryam 2007-12-17 13:19:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.67 [GMT -5:00]
Running from: C:\Documents and Settings\Pooria&Maryam\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Pooria&Maryam\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\svhjdsah.exe
C:\WINDOWS\system32\atippaxxd.dll
C:\WINDOWS\system32\drivers\izgmngwg.dat
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\Tasks.\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_JOVOHQYR
-------\LEGACY_POOF
-------\LEGACY_QVNVESLE
-------\jovohqyr
-------\kprof
-------\poof
-------\qvnvesle
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.
2007-12-06 23:04 . 2007-12-06 23:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-06 23:04 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-06 22:58 . 2007-12-06 22:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-18 14:26 . 2007-11-18 14:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-18 14:26 . 2007-11-18 14:26 <DIR> d-------- C:\WINDOWS\ehome
2007-11-18 14:17 . 2002-08-29 05:40 1,180,672 --a------ C:\WINDOWS\system32\d3d8.dll
2007-11-17 18:07 . 2007-11-17 18:07 229,732 --a------ C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_8734.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 17:04 --------- d-----w C:\Documents and Settings\Pooria&Maryam\Application Data\AVG7
2007-12-12 15:39 5,104 ----a-w C:\Program Files\hijackthis.log
2007-11-18 00:53 --------- d-----w C:\Program Files\Burn4Free
2007-10-31 14:35 --------- d-----w C:\Program Files\parentalcontrol
2007-10-31 14:33 1,210,816 ----a-w C:\Program Files\parentalcontrolsetup.exe
2005-02-16 15:06 218,112 ----a-w C:\Program Files\HijackThis.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2001-10-02 15:23]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2007-02-05 04:05]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-10-27 00:32 C:\WINDOWS\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="" []
"SoundMan"="SOUNDMAN.EXE" [2002-09-10 21:57 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 04:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-26 14:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"parentalcontrol"="C:\Program Files\parentalcontrol\parentalcontrol.exe" [2006-08-31 09:25]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-05-14 04:49]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\System32\DRIVERS\CINEMSUP.SYS [2001-10-01 15:29]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-10-25 01:42]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 13:22:48
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-17 13:24:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-03 12:28
C:\ComboFix2.txt ... 2007-10-03 12:28
Thanks :bigthumb:
Hi
How about a fresh HijackThis log? :)
grateful26
2007-12-17, 23:10
:oops:
Logfile of HijackThis v1.99.1
Scan saved at 4:08:07 PM, on 17/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Hi
Looks much cleaner now :)
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now, under Select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
grateful26
2007-12-19, 05:48
Logfile of HijackThis v1.99.1
Scan saved at 10:47:13 PM, on 18/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
grateful26
2007-12-19, 05:49
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 18, 2007 10:44:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/12/2007
Kaspersky Anti-Virus database records: 486870
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 27860
Number of viruses found 9
Number of infected objects 29
Number of suspicious objects 0
Duration of the scan process 00:34:10
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cert8.db Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\history.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\key3.db Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\parent.lock Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Pooria&Maryam\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\NTUSER.DAT.LOG Object is locked skipped
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir Infected: Trojan.Win32.Qhost.rw skipped
C:\qoobox\Quarantine\C\Documents and Settings\Pooria&Maryam\Start Menu\Programs\Startup\system.exe.vir Infected: Trojan.Win32.Qhost.rw skipped
C:\qoobox\Quarantine\C\WINDOWS\svhjdsah.exe.vir Infected: Trojan.Win32.Small.rt skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\izgmngwg.dat.vir Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir Infected: Trojan.Win32.Qhost.rw skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vtr.dll.vir Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\WinAvXX.exe.vir Infected: Trojan.Win32.Qhost.rw skipped
C:\qoobox\Quarantine\catchme2007-12-17_132236.82.zip/izgmngwg.dat Infected: Rootkit.Win32.Agent.ql skipped
C:\qoobox\Quarantine\catchme2007-12-17_132236.82.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-2000478354-789336058-725345543-500\Dc1 Infected: Trojan.Win32.Qhost.my skipped
C:\SDFix\backups\backups\backups\autorun.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\SDFix\backups\backups\backups\movedfile.ren Infected: Trojan.Win32.Qhost.rw skipped
C:\SDFix\backups\backups\backups\printer.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\SDFix\backups\backups.zip/backups/movedfile.ren Infected: Trojan.Win32.Qhost.rw skipped
C:\SDFix\backups\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000070.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000071.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000072.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000073.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000074.exe Infected: Trojan.Win32.Small.rt skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000075.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\atippaxxd.dll.bak Infected: Trojan-Clicker.Win32.Delf.lk skipped
C:\WINDOWS\system32\cmpropsv.dll Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20071008-141506.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Empty these folders:
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
C:\qoobox\Quarantine\
C:\SDFix\backups
Delete these:
C:\WINDOWS\system32\drivers\etc\hosts.20071008-141506.backup
C:\WINDOWS\system32\atippaxxd.dll.bak
C:\WINDOWS\system32\cmpropsv.dll
Empty Recycle Bin.
Re-scan with kaspersky.
Post:
- a fresh HijackThis log
- kaspersky report
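The reply above sorts the Kaspersky findings into folders to empty (tool quarantines, backups, restore points) and live files to delete. The script below is an added example, not part of the thread or any tool mentioned in it: it parses report lines in the format posted above and builds that same cleanup plan, using a constructed excerpt of the report as input. The container locations and labels are assumptions chosen to match the reply.

```python
"""Triage a Kaspersky Online Scanner report: live detections vs. set-aside copies.

Added example (not from the thread). A detection inside a quarantine, a backup
folder, a System Restore point or the Recycle Bin is an already-removed copy and
is handled by emptying the container; only detections outside those are live.
"""
import ntpath
import re
from collections import Counter

# Constructed excerpt of the second report above (same line format as posted).
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip ZIP: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir Infected: Trojan.Win32.Qhost.rw skipped
C:\qoobox\Quarantine\catchme2007-12-17_132236.82.zip/izgmngwg.dat Infected: Rootkit.Win32.Agent.ql skipped
C:\RECYCLER\S-1-5-21-2000478354-789336058-725345543-500\Dc1 Infected: Trojan.Win32.Qhost.my skipped
C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000070.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\WINDOWS\system32\atippaxxd.dll.bak Infected: Trojan-Clicker.Win32.Delf.lk skipped
C:\WINDOWS\system32\cmpropsv.dll Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\WINDOWS\system32\drivers\etc\hosts.20071008-141506.backup Infected: Trojan.Win32.Qhost.mg skipped
Scan process completed.
"""

# One result line: <path with spaces> <verdict> <last action>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected: \S+|ZIP: infected - \d+|Object is locked)\s+(?P<action>\S+)$"
)

# Locations that hold copies already set aside (assumed labels; prefixes from the report).
CONTAINERS = [
    ("ComboFix quarantine", "C:\\qoobox\\Quarantine"),
    ("SDFix backups", "C:\\SDFix\\backups"),
    ("System Restore point", "C:\\System Volume Information\\_restore"),
    ("Recycle Bin", "C:\\RECYCLER"),
]
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_report(text):
    """Return (path, verdict, action) for every result line; headers are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["path"], m["verdict"], m["action"]))
    return rows


def detections(text):
    """Keep only 'Infected: <name>' lines; an archive member is attributed to its archive.

    'Object is locked' lines are not findings, and 'ZIP: infected - N' lines only
    summarise members already listed, so both are dropped to avoid double counting.
    """
    out = []
    for path, verdict, _ in parse_report(text):
        if not verdict.startswith("Infected: "):
            continue
        name = verdict[len("Infected: "):]
        archive = path.split(".zip/")[0] + ".zip" if ".zip/" in path else path
        out.append((archive, name))
    return out


def classify(path):
    """Return (label, folder_to_empty); ('live', None) for a file outside any container."""
    low = path.lower()
    for label, prefix in CONTAINERS:
        if low.startswith(prefix.lower()):
            return label, prefix
    if JAVA_CACHE_MARKER in low:
        # The Java cache is per user, so the folder to empty is the jar's directory.
        return "Java deployment cache", ntpath.dirname(path)
    return "live", None


def triage(text):
    """Build the cleanup plan: containers to empty, live files to delete, family counts."""
    plan = {"empty": {}, "delete": [], "families": Counter()}
    for path, name in detections(text):
        plan["families"][name] += 1
        label, folder = classify(path)
        if label == "live":
            if path not in plan["delete"]:
                plan["delete"].append(path)
        else:
            plan["empty"].setdefault(label, folder)
    return plan


if __name__ == "__main__":
    plan = triage(SAMPLE_REPORT)
    print("Empty these folders:")
    for label, folder in plan["empty"].items():
        print(f"  {folder}  ({label})")
    print("Delete these:")
    for path in plan["delete"]:
        print(f"  {path}")
    print("Detections by family:", dict(plan["families"]))
```
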
grateful26
2007-12-19, 17:15
Hi
I emptied and deleted all except one which I cannot find:
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
I can go up to C:\Documents and Settings\Pooria&Maryam but then there is no 'Application Data' folder to go into. :sad:
Nevertheless, here is the Kaspersky report:
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 19, 2007 10:14:39 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/12/2007
Kaspersky Anti-Virus database records: 488985
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 28037
Number of viruses found 6
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 00:37:13
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cert8.db Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\history.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\key3.db Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\parent.lock Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Shareaza\Data\TigerTree.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2d8e7278-5af4ac72.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Pooria&Maryam\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_0552f0203612dd79a239df42729cdc9e.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_1553b6de522d91383123f62704ca0840.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_54a2da6f66e6c33869879b998f676e48.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_5b3d16699b7a1f94ea5051ef0983ffdc.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_63e68b10dcde4d93d3182a26158e68dd.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_6c78817eb35e3cd0fe03c3d3067c10af.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_7f8e939679ccef406eb5c61e72edcd78.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_bb6c733f5eb822908ec51b6c897bac96.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_bc848cd51238502c454068e06006987b.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_d866661214d9079c51c0d5a6108349bd.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_ed22c922bdcc660bdbba823c734ccb5a.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\History\History.IE5\MSHist012007121920071220\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\NTUSER.DAT.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-2000478354-789336058-725345543-500\Dc1 Infected: Trojan.Win32.Qhost.my skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000070.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000071.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000072.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000073.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000074.exe Infected: Trojan.Win32.Small.rt skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000075.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000152.dll Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000156.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000157.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
grateful26
2007-12-19, 17:17
Logfile of HijackThis v1.99.1
Scan saved at 10:17:16 AM, on 19/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Hi
That folder is hidden by default.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
And let me know if you can now find it :)
grateful26
2007-12-19, 20:55
Hi
Thanks... found it and deleted! :D:
Here's the resulting Kaspersky:
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 19, 2007 1:51:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/12/2007
Kaspersky Anti-Virus database records: 489076
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 27196
Number of viruses found 5
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 00:33:20
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cert8.db Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\history.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\key3.db Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\parent.lock Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Application Data\Shareaza\Data\TigerTree.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_0552f0203612dd79a239df42729cdc9e.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_1553b6de522d91383123f62704ca0840.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_54a2da6f66e6c33869879b998f676e48.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_5b3d16699b7a1f94ea5051ef0983ffdc.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_63e68b10dcde4d93d3182a26158e68dd.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_6c78817eb35e3cd0fe03c3d3067c10af.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_7f8e939679ccef406eb5c61e72edcd78.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_bb6c733f5eb822908ec51b6c897bac96.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_bc848cd51238502c454068e06006987b.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_d866661214d9079c51c0d5a6108349bd.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Application Data\Shareaza\Incomplete\ed2k_ed22c922bdcc660bdbba823c734ccb5a.partial Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\History\History.IE5\MSHist012007121920071220\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Temporary Internet Files\Content.IE5\YDIHEJCD\Portfolio[1] Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\Local Settings\Temporary Internet Files\Content.IE5\YDIHEJCD\Portfolio[2] Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Pooria&Maryam\NTUSER.DAT.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-2000478354-789336058-725345543-500\Dc1 Infected: Trojan.Win32.Qhost.my skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000070.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000071.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000072.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000073.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000074.exe Infected: Trojan.Win32.Small.rt skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000075.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000152.dll Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000156.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000157.exe Infected: Trojan.Win32.Qhost.rw skipped
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
grateful26
2007-12-19, 20:56
Logfile of HijackThis v1.99.1
Scan saved at 1:55:53 PM, on 19/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Hi
Logs look good.
All viruses are in system restore and inactive.
I'll give you instructions later on how to empty it.
Other than that, any problems left?
grateful26
2007-12-20, 08:55
Thank you for your help. My PC still has some issues:
1. my AVG Free Edition Anti-Virus comes up with the following in the scan:
kernel32.dll C:\Windows\System32\kernel32.dll
user32.dll C:\Windows\System32\user32.dll
shell32.dll C:\Windows\System32\shell32.dll
ntoskrnl.exe C:\Windows\System 32\ntoskrnl.exe
hosts C:\Windows\System 32\drivers\etc\hosts
The 'hosts' file was the first one that appeared when I got this virus/trojan, then after 2 months or so, the other 4 appeared simultaneously in the scan results.
After the scan, it says that it changed the 'hosts' file to fix it, but these files consistently come up in the scans.
2. Registry files - I may have deleted some of the registry files when trying to clean up the computer. Now when I plug in my camera or iPod, there is no pop-up asking what I want to do with the content.
3. My computer's processing time has become much slower in the past year, and it seems like it might be due to adware or spyware.
-here is my AVG Anti-Spyware scan results; it says it cleaned all of them, but when I scan again, they all show up again.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:16:41 PM 19/12/2007
+ Scan result:
C:\WINDOWS\system32\b4fm.dll -> Adware.BurnFree : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000075.dll -> Not-A-Virus.Hoax.Win32.Renos.lq : Cleaned.
:mozilla.189:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.190:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.208:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.212:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.213:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.214:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.64:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.65:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.66:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.67:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.74:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.77:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.57:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.43:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.55:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.63:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.42:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.44:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.45:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.46:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.47:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.48:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.53:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.54:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.56:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.58:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.59:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.60:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.61:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.62:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.33:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.122:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.123:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.14:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.15:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.87:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.88:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.89:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.92:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.97:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.163:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.50:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.51:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.52:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.34:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.183:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.184:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.185:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.186:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.187:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.188:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.107:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.178:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.179:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.180:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.96:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.98:C:\Documents and Settings\Pooria&Maryam\Application Data\Mozilla\Firefox\Profiles\7ytnk9cz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-789336058-725345543-500\Dc1 -> Trojan.Qhost.my : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000070.exe -> Trojan.Qhost.rw : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000071.exe -> Trojan.Qhost.rw : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000072.exe -> Trojan.Qhost.rw : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000073.exe -> Trojan.Qhost.rw : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000156.exe -> Trojan.Qhost.rw : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP7\A0000157.exe -> Trojan.Qhost.rw : Cleaned.
C:\System Volume Information\_restore{AAC115B9-188A-403F-B173-1C2D4511B6FC}\RP6\A0000074.exe -> Trojan.Small.rt : Cleaned.
::Report end
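The one file in this thread that AVG keeps "fixing" is the hosts file, and the Kaspersky report above names Trojan.Win32.Qhost, a family known for rewriting it. A practitioner checking whether that file is actually clean after a scan would look at every mapping that is not the stock `127.0.0.1 localhost` line, and especially at anti-virus and update hostnames pointed at loopback (updates silently fail) or at some other address. The following Python script is an added example for this thread, not code from the original posts or from any AVG or Kaspersky tool; the vendor watch list and the sample hosts content are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that are not the stock defaults.

Added example, not part of the original thread. A clean Windows XP hosts
file maps only 'localhost' to 127.0.0.1; anything else deserves a look,
and anti-virus/update hostnames pointed elsewhere are the classic
hosts-hijacker symptom. Run with a path argument to audit a real file,
or without one to run against the constructed sample below.
"""
import sys
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str]          # (line number, ip, hostname)

# The only mapping a stock Windows XP hosts file contains.
STOCK_ENTRIES = {("127.0.0.1", "localhost")}

# Defender's watch list of domains that malware commonly redirects so that
# updates and vendor sites stop working. Constructed for this example.
SENSITIVE_DOMAINS = ("grisoft.com", "avg.com", "kaspersky.com",
                     "microsoft.com", "windowsupdate.com", "spybot.info")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: a stock XP header plus hijacker-style additions.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.grisoft.com free.grisoft.com   # constructed: AV vendor blocked
127.0.0.1       www.kaspersky.com                  # constructed: online scanner blocked
192.0.2.10      windowsupdate.microsoft.com        # constructed: redirected elsewhere
10.0.0.5        intranet.example                   # constructed: legitimate local override
"""


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, ip, hostname) tuple per mapping in a hosts file.

    Comments after '#' are stripped, blank and malformed lines are skipped,
    and a line listing several hostnames yields one tuple per hostname,
    which is how the Windows resolver reads the file as well.
    """
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((no, ip, name.lower()))
    return entries


def is_sensitive(hostname: str) -> bool:
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in SENSITIVE_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify every non-stock mapping.

    'blocked'  : watched hostname pointed at loopback (site unreachable)
    'hijacked' : watched hostname pointed at some other address
    'other'    : any remaining non-stock mapping, for manual review
    """
    report: Dict[str, List[Entry]] = {"blocked": [], "hijacked": [], "other": []}
    for entry in parse_hosts(text):
        _, ip, name = entry
        if (ip, name) in STOCK_ENTRIES:
            continue
        if is_sensitive(name) and ip in LOOPBACK:
            report["blocked"].append(entry)
        elif is_sensitive(name):
            report["hijacked"].append(entry)
        else:
            report["other"].append(entry)
    return report


def is_clean(report: Dict[str, List[Entry]]) -> bool:
    """A hosts file is clean when nothing beyond the stock entry is present."""
    return not any(report.values())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = audit_hosts(text)
    for kind, hits in result.items():
        for no, ip, name in hits:
            print(f"{kind:8} line {no}: {ip} {name}")
    print("clean" if is_clean(result) else "review needed")
```

Running it without arguments flags the two vendor hostnames pointed at loopback as blocked, the update hostname pointed at 192.0.2.10 as hijacked, and the intranet override as an entry to review by hand. A scanner that "fixes" the file but leaves such mappings in place, or a file that regrows them after every clean, points at something still running on the machine rather than at the file itself.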
Hi
1. Does it show that these are infected?
kernel32.dll C:\Windows\System32\kernel32.dll
user32.dll C:\Windows\System32\user32.dll
shell32.dll C:\Windows\System32\shell32.dll
ntoskrnl.exe C:\Windows\System 32\ntoskrnl.exe
If not, they are all Windows' own files and safe.
2. What program did you use to do that, or do you have backups?
3. Windows tends to get slower with time. The majority of those are tracking cookies, which come back because of incorrect browser settings. We'll fix that later.
grateful26
2007-12-21, 01:15
Hi
1. You're right, it doesn't show them as being infected, but shows them as 'threats' while scanning. However, in the results of the scan, it only shows the 'hosts' file being fixed, not the rest. I am concerned because the 'hosts' file originally showed up at exactly the time I got the trojan/virus, so by that logic, I thought when it was fixed, I would not see that file or the others showing up on the AVG scanner.
2. Not realizing the importance of the registry, I did not make any backups. The only thing I remember about the program is that the application's symbol was all red ... something like 'RegCleaner'. I searched but couldn't find it on the net or my computer. So unless there is a place on the web to download the files or the computer has an automatic backup of them for dumbasses like myself... I dunno. :sad:
3. Okay, anything you can do to optimize the speed would be great, because I am beginning to use this PC much more for business related activities, and as they say 'time is of the essence'. The speed is a bit slower than a normal computer when surfing the net, but when opening or closing applications or things that require the computer's processing resources, it is considerably slower. :angel:
Thanks for your help. At least now I'm above water :snorkle:
Happy holidays :present:
Hi
1. That's good news :)
2. Ok, so then there are no backups. You may try to install/re-install camera/ipod software to see if that helps.
3. For tracking cookies, see here (http://www.spybot.info/en/faq/37.html)
For general slowness, see here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) and post back if it helped :)
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.
In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.
Everyone else please begin a New Topic.