Thread: spyware alert on desktop, can't run Spybot

  1. #1
    Junior Member
    Join Date
    Jun 2009
    Posts
    11

    spyware alert on desktop, can't run Spybot

    Hello,

    I got a desktop background that was changed to say my computer is infected with spyware. I have Spybot, but can't run it.

    I had an external drive with important info connected to the computer when this happened. Should I be doing any of the fixes with it connected or not?

    Patrick

    Here is the Hijackthis log (run in safe mode since the computer wanted to be slow and cranky in the regular bootup)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:52:10 PM, on 6/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npmb.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1A629F1F-84BB-427E-8D08-0A3A6A6B7C77} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9E728E42-F102-4815-B64F-5449B22A5064} - (no file)
    O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld09.exe
    O4 - HKLM\..\Run: [15676874] C:\Documents and Settings\All Users\Application Data\15676874\15676874.exe
    O4 - HKLM\..\Run: [95686866] C:\Documents and Settings\All Users\Application Data\95686866\95686866.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O20 - AppInit_DLLs: owdskp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\system32\g.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
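
Added example (not part of the original thread, and not a tool the helper used): a small Python triage of the HijackThis entry types that stand out in the log from post #1. The sample lines are copied from that log; the heuristics and function names are this example's own assumptions, and a hit is a prompt to investigate, not a verdict.

```python
import re

# Lines copied from the HijackThis log in post #1 (some flagged, some not).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld09.exe
O4 - HKLM\..\Run: [15676874] C:\Documents and Settings\All Users\Application Data\15676874\15676874.exe
O20 - AppInit_DLLs: owdskp.dll
O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\system32\g.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - <body>"

def check_f2(body):
    """Userinit should start userinit.exe only; anything else runs at every logon."""
    m = re.search(r"UserInit=(.*)", body, re.I)
    if not m:
        return None
    progs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in progs if not p.lower().endswith(r"\system32\userinit.exe")]
    return "Userinit also launches: " + ", ".join(extra) if extra else None

def check_o4(body):
    """Run-key autostarts: flag all-digit value names and EXEs in the Windows root."""
    m = re.match(r"HK(?:LM|CU)\\\.\.\\Run: \[(.+?)\] (.*)$", body)
    if not m:
        return None
    name, cmd = m.groups()
    exe = re.search(r'"?([^"]+?\.exe)', cmd, re.I)
    path = exe.group(1) if exe else cmd
    reasons = []
    if name.isdigit():
        reasons.append("all-digit Run value name")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.I):
        reasons.append("executable directly in the Windows root")
    return "; ".join(reasons) + ": " + path if reasons else None

def check_o20(body):
    """AppInit_DLLs are loaded into every process that loads user32.dll."""
    m = re.match(r"AppInit_DLLs:\s*(\S.*)", body)
    return "AppInit_DLLs is set: " + m.group(1) if m else None

def check_o23(body):
    """'Unknown owner' alone is common for legitimate services; flag it only
    when the unsigned binary also lives under the Windows directory."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    owner, path = parts[1], parts[2]
    if owner == "Unknown owner" and re.match(r"[a-z]:\\windows\\", path, re.I):
        return "service with unknown owner under the Windows directory: " + path
    return None

CHECKS = {"F2": check_f2, "O4": check_o4, "O20": check_o20, "O23": check_o23}

def triage(log):
    """Return (section, reason) pairs for log lines that match a heuristic."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```
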

  3. #3
    Junior Member
    Join Date
    Jun 2009
    Posts
    11

    a few questions

    I have a few questions......

    How likely would it be that part of the infection was put onto my external hard drive? I do have needed data on the drive that I don't have a copy of elsewhere.

    Would this infection have been on my computer for a while, or just since I noticed the desktop changes? I can't remember when I made it, but I have a drive image from several months ago of the computer.

    So basically, I am in need of the data on the external drive and just a few files from the computer drive and I will be set. Does this sound reasonable?

    Patrick

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    How likely would it be that part of the infection was put onto my external hard drive?
    Hi Patrick,

    Not sure but we can scan external drive to see if any infections are found.

    1. Download Flash_Disinfector and save it to your desktop.
    2. After downloading, double-click on Flash_Disinfector to run it.
    3. Just follow the prompts and continue until it begins scanning.
    4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
    5. It will scan removable drives; wait for the scan to finish. Done.

    Download the latest version of Kaspersky Virus Removal Tool

    * Close all other applications and double-click and run the installer.
    * When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
    * If malware is detected, don't remove anything.
    * After the scan finishes, don't neutralize anything.
    * In the Scan window click the Reports button and select Save to file.
    * Name the report AVPT.txt, and save it to the Desktop.
    * Close AVPTool.
    * You will be prompted if you want to uninstall the program; click Yes.
    * You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
    * Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.


    Would this infection have been on my computer for a while, or just since I noticed the desktop changes?
    Again, a bit difficult to say without seeing the system before the changes.

  5. #5
    Junior Member
    Join Date
    Jun 2009
    Posts
    11

    I have run the Flash_Disinfector, and I am currently running the AVPTool. It currently is saying that it will finish in a few hours.

    Several times during the scan the following message popped up "b.exe application error. The instruction at '0x0040ae4a' referenced memory at '0x00000004'. The memory could not be 'read'". Is this something to be concerned about at this time?

    I am going to order a new drive for my laptop and copy my drive image to it from a couple of months ago. I am still looking to make sure that my external drive is safe to connect to the computer.

    In case you are wondering, I am writing this message on a different computer.

    Patrick

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    It's an infected item messing there. Don't think you have to be concerned much about the error. Shall wait for the scan results.

  7. #7
    Junior Member
    Join Date
    Jun 2009
    Posts
    11

    Here is the report

    Patrick


    Detected
    --------
    Status Object
    ------ ------
    detected: virus Net-Worm.Win32.Koobface.aba File: c:\windows\ld09.exe
    detected: Trojan program Rootkit.Win32.Agent.lrk File: c:\windows\system32\drivers\xkolqhygujjsrlf.sys
    detected: virus Worm.Win32.AutoRun.aqfe File: c:\program files\microsoft common\svchost.exe
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Patrick(hotmailOLD)\Local Folders\sent\[From:"eBay customer service" <accounts@eBay.com>][Subject:Your eBay account Registration Suspension][Time:2003/12/03 17:51:43]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Patrick(hotmailOLD)\Local Folders\sent\[From:"eBay support" <support@eBay.com>][Subject:Your eBay account Registration Suspension][Time:2004/01/03 04:05:41]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Patrick(hotmailOLD)\Local Folders\sent\[From:<support@usbank.com>][Subject:Notification of U.S. Bank Internet Banking Unauthorized Account Access][Time:2004/07/09 11:25:58]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Patrick(hotmailOLD)\Local Folders\other\[From:<service@paypal.com>][Subject:Notification of PayPal Limited Account Access][Time:2004/01/09 03:28:15]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Patrick(hotmailOLD)\Local Folders\other\[From:<service@paypal.com>][Subject:Notification of Limited Account Access][Time:2004/03/09 18:54:39]/text/html
    detected: Trojan program Trojan-Dropper.Win32.Agent.auci File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temp\c.exe
    detected: Trojan program Trojan-Spy.Win32.Zbot.wti File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temp\e.exe
    detected: virus Net-Worm.Win32.Koobface.aba File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temp\f.exe
    detected: Trojan program Exploit.Win32.Pidief.ayo File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temp\plugtmp-64\plugin-pfre.php
    detected: Trojan program Trojan-Downloader.HTML.Agent.ij File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temporary Internet Files\Content.IE5\GXMB8PIR\american-budget-inns[1].htm
    detected: Trojan program Trojan.Win32.Monder.abke File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temporary Internet Files\Content.IE5\GXMB8PIR\index[2]
    detected: Trojan program Trojan.Win32.Monder.abnh File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temporary Internet Files\Content.IE5\GXMB8PIR\zc113432[1]
    detected: new threat not-a-virus:FraudTool.Win32.WinSpywareProtect.vc File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temporary Internet Files\Content.IE5\HWJJ3L0G\install[2].exe
    detected: Trojan program Trojan-Downloader.Win32.Small.agvr File: C:\Documents and Settings\Patrick Rogers\Local Settings\Temporary Internet Files\Content.IE5\NZMWWYO7\load[1].exe
    detected: Trojan program Trojan.Win32.Monder.abnh File: C:\WINDOWS\system32\glhlswex.dll
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89ATCDEF\install2[1].exe
    detected: Trojan program Trojan-Downloader.Win32.Agent.cfvg File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89ATCDEF\install[1].exe
    detected: Trojan program Trojan-PSW.Win32.Agent.nfo File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FGZL1Z0A\install[2].exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.atmg File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GZ012LMN\17[1].exe
    not found: Trojan program Trojan-Dropper.Win32.Agent.atmg File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GZ012LMN\17[2].exe
    detected: Trojan program Trojan-Downloader.Win32.FraudLoad.etd File: C:\WINDOWS\Temp\a.exe
    detected: Trojan program Trojan-Downloader.Win32.FraudLoad.etd File: C:\WINDOWS\Temp\d.exe
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl14F.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1640.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1644.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1661.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1BD.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl71.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdlDE.tmp
    detected: Trojan program Trojan-Dropper.Win32.Agent.atmg File: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\94KX7V4W\n1[1].exe
    detected: virus Worm.Win32.AutoRun.aqfe File: F:\system.exe
    detected: virus Worm.Win32.AutoRun.sjn File: F:\autorun.inf
    detected: Trojan program Trojan-Dropper.Win32.Agent.atmg File: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GZ012LMN\17[3].exe
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl16EC.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl16FA.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1703.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1707.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1714.tmp
    detected: Trojan program Trojan.Win32.Monder.gen File: C:\WINDOWS\Temp\rdl1722.tmp

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Did you run Flash Disinfector before the scan as instructed?

    Assuming the F: drive is in this case your external drive, delete the following files on it and run the scanner again:
    F:\system.exe
    F:\autorun.inf

  9. #9
    Junior Member
    Join Date
    Jun 2009
    Posts
    11

    Yes I did run the Flash Disinfector first.

    That is actually my memory card for my camera (it was connected to the computer when problems started showing up). When I try and delete the files, they come right back. Should I format the card, or try to clean them up using the AVPTool?

    My external hard drive was drive E: and nothing showed up on it.

    I did get my new hard drive, should everything be good to go to remove the old drive and copy my drive image to the new drive?

    Would it also be ok at this time to try and copy the files I need off of the laptop drive to the external drive and scan the external drive again? (but not connect it to the new laptop hard drive yet)

    Thanks

    Patrick

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Probably the best way is to reformat the card.

    Yes to both of the other two questions.
