Extremely slow computer

Adson

New member
Hi. I am a complete novice when it comes to anything computer related but someone recommended this forum.
I think I must have a problem with my computer as it takes forever to turn on, shut down, switch web pages etc. and sometimes it just freezes. It usually makes a noise like a video fast forwarding (is this normal?).
Any suggestions (other than physical violence to the thing - however tempting!) would be very gratefully received.

I have downloaded HijackThis and saved the log

Logfile of HijackThis v1.99.1
Scan saved at 17:17:42, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\winhlp.exe
C:\Windows\mscsvc.exe
C:\Windows\osrwin32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wpds.exe] C:\Windows\system32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\Windows\system32\winshost.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [winhlp.exe] C:\Windows\winhlp.exe
O4 - HKLM\..\Run: [mscsvc.exe] C:\Windows\mscsvc.exe
O4 - HKLM\..\Run: [windhost.exe] C:\Windows\osrwin32.exe
O4 - HKLM\..\Run: [sm] C:\Windows\sm_exe.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [firewall_anti] C:\Windows\firewall_anti.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [wpds.exe] C:\Windows\system32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\Windows\system32\winshost.exe
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125154514088
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt03.com/dialer/internazionale_ver4.CAB
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1131287A-98BC-406A-ABEE-0EA656B7F46B}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{1131287A-98BC-406A-ABEE-0EA656B7F46B}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
 
Hello

Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O4 - HKLM\..\Run: [wpds.exe] C:\Windows\system32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\Windows\system32\winshost.exe
O4 - HKLM\..\Run: [winhlp.exe] C:\Windows\winhlp.exe
O4 - HKLM\..\Run: [mscsvc.exe] C:\Windows\mscsvc.exe
O4 - HKLM\..\Run: [windhost.exe] C:\Windows\osrwin32.exe
O4 - HKLM\..\Run: [sm] C:\Windows\sm_exe.exe
O4 - HKLM\..\Run: [firewall_anti] C:\Windows\firewall_anti.exe
O4 - HKCU\..\Run: [wpds.exe] C:\Windows\system32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\Windows\system32\winshost.exe
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binarie...ia32_EN_XP.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt03.com/dialer/internazionale_ver4.CAB
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Install at least a free antivirus program, update it, then do a full system scan...
Don't make the common mistake of installing more than one.
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software: http://www.asw.cz/eng/free_virus_protectio.html

Only after that:
Post a fresh HijackThis log please, and be sure to mention any current problems.
 
LonnyRJones - thank you so much for your help.

Regarding the antivirus programs you mentioned, is it OK to install one of these (any one you prefer?) as well as having Spybot S&D and Ad-Aware SE Personal installed?
 
Hi. I have installed and run AVG but it says I still have 45 infections which it seems it cannot remove (most seem to be a worm - bagle).

Thanks again for your help and advice. Here is the last HijackThis log I just did:

Logfile of HijackThis v1.99.1
Scan saved at 14:08:45, on 11/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125154514088
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4667/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1131287A-98BC-406A-ABEE-0EA656B7F46B}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{1131287A-98BC-406A-ABEE-0EA656B7F46B}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
 
Hi. Sorry for the delay in replying, I've been away from home for the last week.

I still seem to have the problems unfortunately. Here is a copy of the AVG file I have just done in safe mode:



Partition table (MBR) Reading error Error
Boot sector of disk C: Reading error Error
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe ok Quick checked
C:\Program Files\Common Files\Real\Update_OB\realsched.exe ok Quick checked
C:\Program Files\Internet Explorer\iexplore.exe ok Quick checked
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE ok Quick checked
C:\Program Files\QuickTime\qttask.exe ok Quick checked
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe ok Quick checked
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe ok Quick checked
C:\WINDOWS\System32\mshta.exe ok Quick checked
C:\Windows\Cpqdiag\CPQDFWAG.EXE ok Quick checked
C:\Windows\regedit.exe ok Quick checked
C:\Windows\system32\ctfmon.exe ok Quick checked
C:\Windows\system32\rundll32.exe ok Quick checked
C:\Windows\system32\shell32.dll ok Quick checked
C:\Windows\system32\shimgvw.dll ok Quick checked
C:\Windows\system32\kernel32.dll ok Quick checked
C:\Windows\system32\wsock32.dll ok Quick checked
C:\Windows\system32\user32.dll ok Quick checked
C:\Windows\system32\shell32.dll ok Quick checked
C:\Windows\system32\ntoskrnl.exe ok Quick checked
C:\Windows\system32\drivers\etc\hosts ok Quick checked
C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price2.zip:\Loader\doc_01.exe Virus identified I-Worm/Bagle.BK Infected, Embedded object
C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price2.zip Virus identified I-Worm/Bagle.BK Infected, Archive
C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price_new.zip:\Loader\doc_01.exe Virus identified I-Worm/Bagle.BK Infected, Embedded object
C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price_new.zip Virus identified I-Worm/Bagle.BK Infected, Archive
C:\WINDOWS\1126039.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1142202.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1144165.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1235857.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1284366.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1319897.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1330372.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1504423.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1678713.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\1715556.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\23919955.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\24403710.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\24706556.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\251411.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\26418607.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\3801205.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\438911.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\50397828.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\504595.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\550141.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\550842.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\634662.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\716229.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\722518.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\759421.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\803144.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\820359.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\827229.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\842601.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\849331.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\849811.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\868448.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\927824.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\937798.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\940862.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\948293.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\949335.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\964326.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\994540.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\system32\winb2.exe Virus found I-Worm/Bagle Infected
C:\WINDOWS\system32\wind2ll2.exe Virus found I-Worm/Bagle Infected
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe ok Quick checked
C:\Program Files\Common Files\Real\Update_OB\realsched.exe ok Quick checked
C:\Program Files\Internet Explorer\iexplore.exe ok Quick checked
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE ok Quick checked
C:\Program Files\QuickTime\qttask.exe ok Quick checked
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe ok Quick checked
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe ok Quick checked
C:\WINDOWS\System32\mshta.exe ok Quick checked
C:\Windows\Cpqdiag\CPQDFWAG.EXE ok Quick checked
C:\Windows\regedit.exe ok Quick checked
C:\Windows\system32\ctfmon.exe ok Quick checked
C:\Windows\system32\rundll32.exe ok Quick checked
C:\Windows\system32\shell32.dll ok Quick checked
C:\Windows\system32\shimgvw.dll ok Quick checked
 
I've run these programs and then done another AVG scan which is still coming up with 43 viruses (all I-worm Bagle). I have repeated this several times but the 43 viruses are always there.
Also, now when I run a Spybot scan I keep getting lots (43 I suppose) of warnings from AVG Resident Shield saying VIRUS DETECTED! and gives me the option of deleting the files or moving them to vault but also warns that doing so could mean the operating system may not work properly. What should I do?
 
Hi
Did either of those tools find Bagle, or anything for that matter?
Did you delete all stored emails in Outlook?

This might show us a hidden run. Go to Start > Run, paste this bolded line in and hit OK or press Enter:
Start /min Hijackthis.exe /autolog

Another HijackThis log will open; post it please.
 
Yes, I deleted the messages from Outlook.

I pasted the link into the Run box but when I pressed start it said it could not find Start.

Should I just do another HijackThis scan?
 
My mistake

Copy the contents of the quote box below into a new Notepad document (not WordPad).
Click File > Save As... > call it check.bat > file types *All Files* > and save it to the desktop.
Start /min Hijackthis.exe /autolog
Run check.bat and post that HJT log.
 
OK thanks, I did that and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 22:47:31, on 25/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Windows\explorer.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [logon.exe] C:\Windows\System32\logon.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125154514088
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4667/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
 
Oh, and if it is of any use, this is the latest Stinger scan:

McAfee AVERT Stinger Version 2.5.9 built on Nov 22 2005

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Nov 22 2005.

Ready to scan for 54 viruses, trojans and variants.



Scan initiated on Wed Jan 25 20:13:51 2006

C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price2.zip\DOC_01.EXE

Found the W32/Bagle.dldr.gen virus !!!

C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price2.zip could not be repaired.

C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price_new.zip\DOC_01.EXE

Found the W32/Bagle.dldr.gen virus !!!

C:\Documents and Settings\Adson Santos\Local Settings\Application Data\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments\price_new.zip could not be repaired.

Number of clean files: 148120

Number of infected files: 2
 
Hi

That HJT log didn't show what I expected; that's a good thing.

Can you delete the contents of that attachments folder manually?
In order to get there, first reconfigure Windows XP to show hidden files/extensions:
Open any folder, Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Apply to confirm. Click OK.
=============================
Where are the items AVG is still seeing?
 
Hi

I've followed your instructions on the hidden files/extensions.

What do I have to do to delete the contents of that attachments folder manually?

Sorry, what do you mean where are the items AVG is still seeing? Should I do another AVG scan and post it?
 
Hi

Navigate there using an Explorer folder. An easy way is to copy the bolded line below:
C:\Docume~1\Adson Santos\Locals~1\Applic~1\IM\Identities\{8523498E-0BA4-4D82-AC6E-0FB9F57D9289}\Message Store\Attachments

Go to Start > Run, then paste that in and hit Enter. Once there, delete the entire contents of that attachments folder.

Panda provides a good report.

Panda ActiveScan - Free online scanner:
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.
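
Added example, not part of any post in this thread: a small Python script that compares the startup (O4) entries of two HijackThis logs, to confirm which entries a fix removed and which have appeared since the earlier scan. The function names are made up for this example, the sample text is a short excerpt of O4 lines from the 09/01/2006 and 25/01/2006 logs above, and only the HKLM/HKCU and Startup-folder O4 forms seen in those logs are parsed.

```python
import re

# O4 line shapes that appear in the thread's logs:
#   O4 - HKLM\..\Run: [name] command
#   O4 - Startup: name.lnk = target      (also "Global Startup")
O4_REG = re.compile(r'^O4 - (HK[A-Z]+\\\.\.\\\w+): \[(.+?)\] (.+)$')
O4_LNK = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.*)$')

# Excerpt of O4 lines from the first log in the thread (09/01/2006).
BEFORE = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wpds.exe] C:\Windows\system32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\Windows\system32\winshost.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [wpds.exe] C:\Windows\system32\doriot.exe
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
"""

# Excerpt of O4 lines from the third log in the thread (25/01/2006).
AFTER = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [logon.exe] C:\Windows\System32\logon.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
"""


def parse_autoruns(log_text):
    """Map a case-insensitive key to (location, name, command) for each O4 line."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_REG.match(line) or O4_LNK.match(line)
        if m:
            entry = m.groups()
            # Windows paths and value names are case-insensitive, so compare
            # on a lowercased key but keep the original spelling for display.
            entries[tuple(part.lower() for part in entry)] = entry
    return entries


def diff_autoruns(before_text, after_text):
    """Return the O4 entries removed, added and kept between two logs."""
    before = parse_autoruns(before_text)
    after = parse_autoruns(after_text)
    return {
        "removed": sorted(before[k] for k in before.keys() - after.keys()),
        "added": sorted(after[k] for k in after.keys() - before.keys()),
        "kept": sorted(after[k] for k in after.keys() & before.keys()),
    }


if __name__ == "__main__":
    result = diff_autoruns(BEFORE, AFTER)
    for status in ("removed", "added", "kept"):
        print(f"{status.upper()} ({len(result[status])})")
        for location, name, command in result[status]:
            print(f"  {location}: [{name}] {command}")
```

An entry listed as added is only new relative to the earlier log; whether it belongs there still has to be checked by whoever reviews the log.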
 