Cannot access control panel

GMER problems

Shaba,

GMER is giving me some problem. The first time I scanned it disappeared after I clicked copy. Second time I scanned I clicked save, the save window popped up then I got a message that GMER unexpectedly quit and nothing was saved.

Below is the GMER log of what appears when GMER first opens NOT after the scan. I don't know if this helps.

I am rescanning for the third time. Any advice?

Thanks

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-21 14:07:16
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

Code Cbvy76.sys ZwEnumerateKey
Code Cbvy76.sys ZwOpenKey

Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9CA7D90] Cbvy76.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [FA3C8404] avg7rsw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FA42885A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA42885A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA42885A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA42885A] avgtdi.sys

---- EOF - GMER 1.0.13 ----
 
Update

No matter what I tried the program would not create a log. It froze and had to reboot. I ran it in safe mode and it created a log.

Here is the log that was created in SAFE MODE (I don't know if it is helpful or not)

Thanks


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-21 19:01:13
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

Code Cbvy76.sys ZwEnumerateKey
Code Cbvy76.sys ZwOpenKey

---- Kernel code sections - GMER 1.0.13 ----

PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP F9CABCBA Cbvy76.sys
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 7 Bytes JMP F9CABF4E Cbvy76.sys

---- Devices - GMER 1.0.13 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9CA7D90] Cbvy76.sys

---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x02 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x02 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI 0x02 0x00 0x00 0x00 ...

---- Files - GMER 1.0.13 ----

ADS C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\soccerstar_steve10@hotmail.com\SharingMetadata\bcinat@msn.com\DFSR\Staging\CS{067EB3F5-E02D-CDDD-45D9-CA84160A59A9}\01\10-{067EB3F5-E02D-CDDD-45D9-CA84160A59A9}-v1-{CFA8CFE0-AF01-4DC9-BD1D-D7A357448733}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
File C:\WINDOWS\system32\drivers\Cbvy76.sys
File C:\WINDOWS\system32\drivers\symavc32.sys

---- EOF - GMER 1.0.13 ----
 
Hi

Sure it is :)

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\system32\drivers\Cbvy76.sys
Now click Delete
Also do that with these files:

C:\WINDOWS\system32\drivers\symavc32.sys

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer

Post:

- a fresh HijackThis log
- gmer log
 
There are no services in red.

When I go to close GMER I get a warning

Exiting GMER will prevent you from running other processes. The operating system might be unreachable unless other available process are running. Are you sure you want to continue?


What do I do?
 
Shaba,

GMER is still acting the same as previous posts. It will not let me produce a log. Should I run it in safe mode and produce a log?

Please advise
 
Shaba,

GMER log form SAFE MODE

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-22 09:30:19
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x02 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x02 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI 0x02 0x00 0x00 0x00 ...

---- Files - GMER 1.0.13 ----

ADS C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\soccerstar_steve10@hotmail.com\SharingMetadata\bcinat@msn.com\DFSR\Staging\CS{067EB3F5-E02D-CDDD-45D9-CA84160A59A9}\01\10-{067EB3F5-E02D-CDDD-45D9-CA84160A59A9}-v1-{CFA8CFE0-AF01-4DC9-BD1D-D7A357448733}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.13 ----







GMER log after it starts (unscanned) in regular mode


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-22 09:36:02
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [FA3C8404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [FA3C8404] avg7rsw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FA41285A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA41285A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA41285A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA41285A] avgtdi.sys

---- EOF - GMER 1.0.13 ----
 
SD fix



SDFix: Version 1.115

Run by user on Thu 11/22/2007 at 09:57 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 10:06:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\soccerstar_steve10@hotmail.com\SharingMetadata\bcinat@msn.com\DFSR\Staging\CS{067EB3F5-E02D-CDDD-45D9-CA84160A59A9}\01\10-{067EB3F5-E02D-CDDD-45D9-CA84160A59A9}-v1-{CFA8CFE0-AF01-4DC9-BD1D-D7A357448733}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"D:\\Life\\life.exe"="D:\\Life\\life.exe:*:Disabled:The Game Of Life"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:PaltalkScene"
"C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Documents and Settings\\user\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\user\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\user\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\user\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\user\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Sun 30 Nov 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 30 Nov 2003 4,348 ...H. --- "C:\Documents and Settings\user\My Documents\My Music\License Backup\drmv1key.bak"
Sun 27 Nov 2005 20 A..H. --- "C:\Documents and Settings\user\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 30 Nov 2003 400 A.SH. --- "C:\Documents and Settings\user\My Documents\My Music\License Backup\drmv2key.bak"

Finished!


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:47 AM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [9Zvk] C:\WINDOWS\wlqnxl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6067 bytes
 
Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\xloader10181.exe"=-
"C:\\WINDOWS\\system32\\printer.exe"=-
"C:\\WINDOWS\\system32\\spoolvs.exe"=-
"C:\\WINDOWS\\shell.exe"=-
"C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\findfast.exe"=-
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="-
"%windir%\\system32\\winav.exe"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\xloader10181.exe"=-
"C:\\WINDOWS\\system32\\printer.exe"=-
"C:\\WINDOWS\\system32\\spoolvs.exe"=-
"C:\\WINDOWS\\shell.exe"=-
"C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\findfast.exe"=-
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=-
"%windir%\\system32\\winav.exe"=-

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [9Zvk] C:\WINDOWS\wlqnxl.exe

Close all windows including browser and press fix checked.

Reboot.

Delete if present:

C:\WINDOWS\wlqnxl.exe

Empty Recycle Bin

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
Shaba,

here are the logs

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 22, 2007 2:19:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/11/2007
Kaspersky Anti-Virus database records: 464169
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 34001
Number of viruses found: 7
Number of infected objects: 28
Number of suspicious objects: 3
Duration of the scan process: 01:14:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\19054844/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\19054844 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\19054844 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\19881011 Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\19E17DB0 Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B0F4781/msg.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B0F4781 ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B0F4781 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\33C47CA2/[From mfaroni@cogeco.ca][Date Wed, 2 Jun 2004 15:52:29 -0700]/UNNAMED/data11647.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\33C47CA2/[From mfaroni@cogeco.ca][Date Wed, 2 Jun 2004 15:52:29 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\33C47CA2 Mail: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\33C47CA2 CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3AC41C2F/talk.pif Infected: Email-Worm.Win32.NetSky.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\3AC41C2F ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3AC41C2F CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\44056BF4/hceswwct.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Norton AntiVirus\Quarantine\44056BF4 ZIP: suspicious - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\44056BF4 CryptFF: suspicious - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\56A6462D/found.exe Infected: Email-Worm.Win32.NetSky.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\56A6462D ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\56A6462D CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6E8E63A5 Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\6EA83388/[From kryssie41@hotmail.com][Date Thu, 3 Jun 2004 22:01:28 -0700]/msg22035.zip Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\6EA83388 Mail: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6EA83388 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\739843CF/creditcard.rtf.pif Infected: Email-Worm.Win32.NetSky.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\739843CF ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\739843CF CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\73B967AB Infected: Email-Worm.Win32.NetSky.r skipped
C:\Program Files\ucleaner_setup.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1371\A0159146.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1371\A0159147.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1371\A0159149.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1372\A0159259.sys Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1372\A0159280.sys Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159297.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159299.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159308.dll Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159309.dll Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159310.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159312.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159313.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159314.exe Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159315.sys Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1373\A0159327.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bi skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1374\A0160394.sys Object is locked skipped
C:\System Volume Information\_restore{76208822-32B8-4429-A6DC-2BE7295772B2}\RP1374\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB810217$\fp40ext.inf Object is locked skipped
C:\WINDOWS\$NtUninstallKB810217$\fp4autl.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB822603$\hccoin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB822603$\usbehci.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB822603$\usbhub.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB822603$\usbport.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB822603$\usbuhci.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB824105$\netbt.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ328310$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ810565$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ810577$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ811493$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ811493$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ814995$\acgenral.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ814995$\apphelp.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ814995$\apph_sp.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ814995$\apps_sp.chm Object is locked skipped
C:\WINDOWS\$NtUninstallQ814995$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ817606$\srv.sys Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.










Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:44 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6337 bytes
 
Hi

Empty this folder:

C:\Program Files\Norton AntiVirus\Quarantine

Empty Recycle Bin

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
 
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTMoveIt and save it to desktop.
  • Double-click OTMoveIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Sunbelt/Kerio
3) Agnitum
4) ZoneAlarm

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware 2007 to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
 
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top