# I have a trojan on my PC



## sallitaa (Sep 18, 2008)

Hello, I need help please. I have a lot of viruses on my PC, I think 27 or 29, and it does crazy things on my PC. I'll appreciate your help. I got the HijackThis log; here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:04 AM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
C:\Program Files\Ela-Salaty\Salaty.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdgtb.exe] C:\WINDOWS\system32\kdgtb.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Ela-Salaty.lnk = C:\Program Files\Ela-Salaty\Salaty.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VerbAce-Pro Startup Agent.lnk = C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222839222796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63CEEF41-ED1E-4CD6-B5B7-E1EED715E939}: NameServer = 85.255.112.116;85.255.112.158
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 9083 bytes

My system is Microsoft Windows XP Professional, Version 2002, Service Pack 3.

Thanks, best regards.
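The log above can be triaged mechanically before a helper reads it line by line. What follows is an added example, not code from the thread or from HijackThis: a small Python parser for HJT-format lines that applies the checks the replies below make by eye, namely a statically configured public resolver in an O17 entry, an O4 Run value registered under its own path or dropped into system32 under an unknown name, orphaned "(file missing)" entries, and more than one resident anti-virus product. The sample input is excerpted from the logs in this thread; the DNSChanger resolver block 85.255.112.0/20 comes from the FBI's published Operation Ghost Click list, not from the thread, and the vendor and system32 allow-lists are assumptions kept deliberately short.

```python
import ipaddress
import re

# Lines excerpted from the HijackThis logs posted in this thread (two
# running processes, three O4 values, one O2 BHO, the O17 NameServer line
# and one O23 service line from a later log).
SAMPLE_LOG = r"""
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdgtb.exe] C:\WINDOWS\system32\kdgtb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{63CEEF41-ED1E-4CD6-B5B7-E1EED715E939}: NameServer = 85.255.112.116;85.255.112.158
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
"""

# Rogue resolver block from the FBI's published DNSChanger list (Operation
# Ghost Click). The thread does not cite it; it is an addition here.
ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# Directory names that identify a resident AV product in a process path
# (assumed allow-list, extend as needed).
AV_VENDOR_DIRS = {"avira": "Avira", "grisoft": "AVG"}

# Binaries that legitimately autostart from %SystemRoot%\system32 on XP
# (assumed allow-list).
KNOWN_SYSTEM32 = {"ctfmon.exe", "tintsetp.exe"}

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
RUN_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))')


def parse_hjt(text):
    """Split a HijackThis log into (section, detail) tuples; bare paths in
    the 'Running processes' block become ('PROC', path)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            entries.append(("PROC", line))
    return entries


def check_nameservers(entries):
    """O17: a statically set public resolver is either in a known rogue
    range (DNSChanger) or something to confirm against the ISP's resolvers."""
    findings = []
    for sec, detail in entries:
        if sec != "O17" or "NameServer" not in detail:
            continue
        servers = detail.split("=", 1)[1]
        for ip_str in filter(None, re.split(r"[;,\s]+", servers)):
            ip = ipaddress.ip_address(ip_str)
            if ip.is_private or ip.is_loopback:
                continue
            if any(ip in net for net in ROGUE_DNS):
                findings.append(f"ROGUE-DNS {ip_str} (known DNSChanger range)")
            else:
                findings.append(f"VERIFY-DNS {ip_str} (public resolver set statically)")
    return findings


def check_run_keys(entries):
    """O4: malware often registers a Run value named after its own path, or
    drops a random name straight into system32."""
    findings = []
    for sec, detail in entries:
        m = RUN_RE.search(detail) if sec == "O4" and "Run:" in detail else None
        if not m:
            continue
        name, path = m.group("name"), m.group("q") or m.group("u")
        base = path.rsplit("\\", 1)[-1].lower()
        if name.lower() == path.lower():
            findings.append(f"RUN-SELFNAMED {path}")
        elif "\\system32\\" in path.lower() and base not in KNOWN_SYSTEM32:
            findings.append(f"RUN-SYSTEM32 {path}")
    return findings


def check_missing_files(entries):
    """O2/O4/O23: orphaned entries are harmless but hide the real ones."""
    return [f"MISSING-FILE {sec}: {detail}" for sec, detail in entries
            if sec in ("O2", "O4", "O23") and "(file missing)" in detail]


def check_av_vendors(entries):
    """Two resident scanners fight over file locks and each other's hooks."""
    vendors = {name for sec, detail in entries if sec == "PROC"
               for key, name in AV_VENDOR_DIRS.items()
               if f"\\{key}\\" in detail.lower()}
    return [f"MULTI-AV {', '.join(sorted(vendors))} resident at once"] if len(vendors) > 1 else []


def triage(text):
    """Run every check over one log and return the flat list of findings."""
    entries = parse_hjt(text)
    findings = []
    for check in (check_nameservers, check_run_keys, check_missing_files, check_av_vendors):
        findings.extend(check(entries))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample it reports both 85.255.112.x resolvers as rogue, the self-named kdgtb.exe Run value, the two orphaned entries and the Avira/AVG overlap, and stays silent on winampa.exe and ctfmon.exe. A public resolver outside the listed range is only marked VERIFY: DHCP-assigned ISP resolvers land in DhcpNameServer, so a value in NameServer itself that nobody remembers setting is worth a question even when it is not on a blocklist.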


----------



## cybertech (Apr 16, 2002)

You have two anti-virus programs running, which will cause trouble. Uninstall one of them.

Please download *ATF Cleaner* by Atribune.


Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.

Please download *Malwarebytes Anti-Malware* and save it to your desktop. _alternate link 1_ _alternate link 2_
Make sure you are connected to the Internet.
Double-click on *Download_mbam-setup.exe* to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
*Update Malwarebytes' Anti-Malware*
*Launch Malwarebytes' Anti-Malware*

Then click *Finish*.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the *OK* button to close that box and continue. _If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install._
On the Scanner tab:
Make sure the "*Perform Quick Scan*" option is selected.
Then click on the *Scan* button.

If asked to select the drives to scan, leave all the drives selected and click on the *Start Scan* button.
The scan will begin and "_Scan in progress_" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "_The scan completed successfully. Click 'Show Results' to display all objects found_".
Click *OK* to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the *Show Results* button to see a list of any malware that was found.
Make sure that *everything is checked*, and click *Remove Selected*.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. _(see Note below)_
The log is automatically saved and can be viewed by clicking the *Logs* tab in MBAM.
Copy and paste the contents of that report in your next reply with a new hijackthis log.
_*Note*: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware._


----------



## sallitaa (Sep 18, 2008)

Hello, here is my MBAM report:
Malwarebytes' Anti-Malware 1.30
Database version: 1356
Windows 5.1.2600 Service Pack 3
11/2/2008 6:50:33 PM
mbam-log-2008-11-02 (18-50-33).txt
Scan type: Quick Scan
Objects scanned: 46802
Time elapsed: 4 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdgtb.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63ceef41-ed1e-4cd6-b5b7-e1eed715e939}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.116;85.255.112.158 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63ceef41-ed1e-4cd6-b5b7-e1eed715e939}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.116;85.255.112.158 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{63ceef41-ed1e-4cd6-b5b7-e1eed715e939}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.116;85.255.112.158 -> Quarantined and deleted successfully.
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O17 - HKLM\System\CCS\Services\Tcpip\..\{63CEEF41-ED1E-4CD6-B5B7-E1EED715E939}: NameServer = 85.255.112.116;85.255.112.158

*Close all applications and browser windows before you click "fix checked".*

Restart the machine and post a new hijackthis log.
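The MBAM report above lists the same NameServer value three times, under CurrentControlSet, ControlSet001 and ControlSet003. That is not three infections: CurrentControlSet is a link to whichever ControlSet00N the Select key's Current value names, and LastKnownGood names the copy restored by the F8 boot option. A fix that edits only the CurrentControlSet view, as the HJT O17 fix does, leaves the other copy as it was. The following is an added example, not code from the thread: it parses a registry export (the format written by reg export), resolves the two roles to their real control sets, and audits every interface's NameServer on each of them plus the Winlogon System value that MBAM found pointing at kdgtb.exe. The export is constructed, not taken from this machine: it deliberately models a half-cleaned state where the current set (003) is clean but the LastKnownGood copy (001) still carries the rogue resolvers.

```python
import ipaddress
import re

# Constructed registry export, not from the thread. The interface GUID is the
# one from the logs above; the current control set (003) has been cleaned,
# the LastKnownGood copy (001) has not, and Winlogon's System value is empty.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000003
"Default"=dword:00000003
"Failed"=dword:00000000
"LastKnownGood"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63CEEF41-ED1E-4CD6-B5B7-E1EED715E939}]
"EnableDHCP"=dword:00000001
"NameServer"="85.255.112.116;85.255.112.158"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{63CEEF41-ED1E-4CD6-B5B7-E1EED715E939}]
"EnableDHCP"=dword:00000001
"NameServer"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"System"=""
"""

SYSTEM_HIVE = "hkey_local_machine\\system"
WINLOGON_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Handle the two value types this audit needs: dword and string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg(text):
    """Map each key path (lower-cased) to its {value name: value} dict."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_value(m.group(2))
    return keys


def control_sets(keys):
    """Resolve the Select key's Current and LastKnownGood numbers to the
    ControlSet00N keys they point at."""
    sel = keys.get(SYSTEM_HIVE + "\\select", {})
    return {role: f"controlset{sel[role]:03d}"
            for role in ("current", "lastknowngood") if role in sel}


def audit_nameservers(keys, allowed=()):
    """One (role, controlset, interface GUID, ip) per public resolver that is
    statically configured on any interface of any resolved control set."""
    findings = []
    for role, cs in control_sets(keys).items():
        prefix = f"{SYSTEM_HIVE}\\{cs}\\services\\tcpip\\parameters\\interfaces\\"
        for key, values in keys.items():
            if not key.startswith(prefix):
                continue
            for ip_str in filter(None, re.split(r"[;,\s]+", values.get("nameserver", ""))):
                ip = ipaddress.ip_address(ip_str)
                if not (ip.is_private or ip.is_loopback or ip_str in allowed):
                    findings.append((role, cs, key[len(prefix):], ip_str))
    return findings


def audit_winlogon(keys):
    """The Winlogon 'System' value is run in the SYSTEM context at boot and is
    empty on a clean XP install; 'Shell' must be Explorer."""
    wl = keys.get(WINLOGON_KEY, {})
    findings = []
    if wl.get("system", ""):
        findings.append(f"Winlogon\\System runs {wl['system']!r} at boot (should be empty)")
    if wl.get("shell", "explorer.exe").lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell is {wl['shell']!r}, expected 'explorer.exe'")
    return findings


def audit(text, allowed=()):
    """Full report as a list of strings, empty when the export is clean."""
    keys = parse_reg(text)
    report = [f"{role} ({cs}) interface {guid}: public resolver {ip}"
              for role, cs, guid, ip in audit_nameservers(keys, allowed)]
    return report + audit_winlogon(keys)


if __name__ == "__main__":
    for line in audit(SAMPLE_REG):
        print(line)
```

On the constructed export the report names only the LastKnownGood set, which is the point: a new HijackThis log after reboot reads the current set and would show no O17 line, yet one "Last Known Good Configuration" boot would bring the rogue resolvers back. The allowed tuple is for a resolver the owner set on purpose; everything else public and static is reported.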


----------



## sallitaa (Sep 18, 2008)

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:05 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdgtb.exe] C:\WINDOWS\system32\kdgtb.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VerbAce-Pro Startup Agent.lnk = C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222839222796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 8587 bytes

Now I'll do the fix checked and I'll restart, then I'll do another HJT.


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdgtb.exe] C:\WINDOWS\system32\kdgtb.exe

*Close all applications and browser windows before you click "fix checked".*

Please *download* the *OTMoveIt3 by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt3.exe* to run it. 
*Copy the lines in the quote box below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):



> :Files
> C:\WINDOWS\system32\kdgtb.exe



 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTMoveIt3*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter \*.log and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


----------



## sallitaa (Sep 18, 2008)

Sorry, but I didn't find (O17 - HKLM\System\CCS\Services\Tcpip\..\{63CEEF41-ED1E-4CD6-B5B7-E1EED715E939}: NameServer = 85.255.112.116;85.255.112.158) in HijackThis.

Would you tell me what I shall do now?


----------



## cybertech (Apr 16, 2002)

We posted at the same time. Look at post #6.


----------



## sallitaa (Sep 18, 2008)

Sorry for bothering you, but where is the clipboard?


----------



## sallitaa (Sep 18, 2008)

OK, I got it.


----------



## sallitaa (Sep 18, 2008)

Here it is:

========= FILES ==========
File/Folder C:\WINDOWS\system32\kdgtb.exe not found.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created o


----------



## cybertech (Apr 16, 2002)

Ok please post a new hijackthis log.


----------



## sallitaa (Sep 18, 2008)

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:35 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VerbAce-Pro Startup Agent.lnk = C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222839222796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 8559 bytes


----------
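The HijackThis log above ends with several O23 service entries marked "(file missing)" and an O10 line that HijackThis labels "Unknown". As an added illustration (editorial example code, not anything posted in the thread and not part of HijackThis), the script below parses log lines in that format and tags the entries a helper would look at first: orphaned entries, where the registry points at a binary that no longer exists (here the leftovers of an uninstalled AVG 7 running alongside Avira); O10 LSP entries HijackThis does not recognise; O16 ActiveX controls fetched over plain http; and O23 services without a recognised vendor string. The sample entries are excerpted from the logs in this thread. Two caveats: "Unknown" means the file is not on HijackThis's whitelist, not that it is malicious (nwprovau.dll is the Microsoft Client Service for NetWare provider), and an orphaned service entry is worth cleaning for more than tidiness, because if the missing binary's path is writable, whatever is dropped there runs with the service's privileges at the next boot.

```python
import re
from collections import Counter

# Entries excerpted from the HijackThis logs posted in this thread; a real log
# has many more lines, but these are the ones the triage rules below react to.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def classify(entry):
    """Tag a single entry; one entry can carry several tags."""
    sec, body = entry["section"], entry["body"]
    tags = []
    # The registry points at a binary that no longer exists: an uninstall
    # leftover, or a slot an attacker could fill if the path is writable.
    if "(file missing)" in body or "(no file)" in body:
        tags.append("orphaned")
    # HijackThis marks LSPs it has no whitelist entry for as "Unknown"; that
    # means "not recognised", not "malicious", so it needs a manual look.
    if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        tags.append("lsp-unknown")
    # ActiveX (DPF) controls fetched over plain http can be swapped in transit.
    if sec == "O16" and re.search(r"\bhttp://", body):
        tags.append("activex-http")
    # Service binaries without a recognised vendor string.
    if sec == "O23" and "Unknown owner" in body:
        tags.append("unknown-owner")
    return tags


def triage(text):
    """Return (per-entry findings, tag counts) for a log; untagged entries are dropped."""
    findings = [(e["section"], e["body"], classify(e)) for e in parse_hjt(text)]
    findings = [f for f in findings if f[2]]
    counts = Counter(tag for _, _, tags in findings for tag in tags)
    return findings, counts


if __name__ == "__main__":
    found, totals = triage(SAMPLE_HJT)
    for sec, body, tags in found:
        print(f"{sec:4} {','.join(tags):24} {body[:70]}")
    print(dict(totals))
```

Run against the excerpt, five of the seven entries get a tag; the Avira service line, with a vendor string and an existing binary, is the only O23 entry that passes clean.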



## cybertech (Apr 16, 2002)

What is VerbAce-Pro.exe?

You should disable AVG7_CC with msconfig.


Are you having any problems now?


----------



## sallitaa (Sep 18, 2008)

VerbAce-Pro.exe is a dictionary.

What is msconfig?

Till now I can't see any problems; if I see anything wrong I'll write to you.

Thanks so much for your help and support, I appreciate it. Do you know, I'll tell all of my friends about this site, I like it. Thanks.


----------



## cybertech (Apr 16, 2002)

MSconfig is used to disable some startup items. It can be used on non-essential programs.

You don't have to delete them and don't do it with hijackthis, use msconfig to just remove them from startup.

Click Start - Run, type in MSCONFIG, then click OK - "Startup" tab. 

Remove the checkmark from: AVG7_CC 

Click Apply - OK afterwards, then reboot. When the SCU (System Configuration Utility) window appears during reboot, ignore the message. Place a checkmark in the window, then click OK.


----------



## sallitaa (Sep 18, 2008)

OK, I did that,
but I still have strange files on my PC. Here are their names (the system volume information folder is empty, resycled, autorun.inf, recycler). They are related to the viruses. Also I can't enter partition D on my PC, and when I right-click on this partition I see the word Autoplay, then Open, Search and then Explore.


----------



## sallitaa (Sep 18, 2008)

When I try to enter partition D, a window appears that says:

recycled\boot.com is not a valid Win32 application

Would you tell me what I should do, please?


----------
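The symptoms in the two posts above (a bold "Autoplay" entry at the top of the drive's context menu, and an error about recycled\boot.com when opening D:) are what an autorun.inf planted in the root of a partition produces: Windows XP of that era honoured autorun.inf on hard-disk partitions and USB sticks, not only on CDs, and the file can redefine the drive's Open and Explore verbs so that they run a program instead of showing the folder. The following is an added example, not code from the thread or from any tool mentioned in it; it parses an autorun.inf and reports what Explorer would execute. The sample file is constructed to reproduce the symptoms described; the real D:\autorun.inf was never posted, so its contents, and the recycled\boot.com path taken from the error message, are assumptions.

```python
# Constructed autorun.inf reproducing the symptoms described in the posts above
# (an "Autoplay" default verb on the drive, and recycled\boot.com launched on
# Open/Explore). The real file was never posted; these paths are an assumption.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=recycled\boot.com
shell\open=&Open
shell\open\Command=recycled\boot.com
shell\explore=&Explore
shell\explore\Command=recycled\boot.com
shellexecute=recycled\boot.com
icon=%SystemRoot%\system32\shell32.dll,8
"""

# Keys in the [autorun] section that make Explorer start a program directly.
DIRECT_EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section: a list of (key, value) with
    keys lower-cased. Lines without '=' are skipped instead of raising, because
    malware often pads the file with junk to upset stricter parsers."""
    pairs = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def launch_targets(pairs):
    """Commands Explorer would run when the drive is auto-played, opened or
    explored, as (trigger, command) tuples."""
    targets = []
    for key, value in pairs:
        if key in DIRECT_EXEC_KEYS:
            targets.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            targets.append(("shell:" + verb, value))
    return targets


def hijacked_verbs(pairs):
    """Context-menu verbs the file redefines. Redefining 'open' or 'explore' is
    why double-clicking the drive runs the payload instead of listing it."""
    return {t.split(":", 1)[1] for t, _ in launch_targets(pairs) if t.startswith("shell:")}


def analyze(text):
    pairs = parse_autorun(text)
    targets = launch_targets(pairs)
    return {
        "targets": targets,
        "hijacked_verbs": hijacked_verbs(pairs),
        # A legitimate autorun.inf on a hard-drive partition normally carries
        # only icon/label keys, so any execution key there is a finding.
        "suspicious": bool(targets),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_AUTORUN)
    for trigger, command in result["targets"]:
        print(f"{trigger:16} -> {command}")
    print("redefined verbs:", sorted(result["hijacked_verbs"]))
    print("suspicious:", result["suspicious"])
```

After the file itself is deleted, Explorer can keep showing the stale verbs for that volume from its per-volume cache under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, which is the place to look if the context menu does not return to normal once the root directory is clean.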



## sallitaa (Sep 18, 2008)

And there is another thing: in Add or Remove Programs in the Control Panel I can't find the word Remove for all programs. Is it a virus???


----------



## cybertech (Apr 16, 2002)

Visit *this webpage* for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


----------



## sallitaa (Sep 18, 2008)

Hello, I have a problem: I can't understand the steps for downloading the Windows Recovery Console from Microsoft to have ComboFix. Besides, it needs a floppy disk and I don't have a floppy disk drive. I was trying to do it yesterday but I couldn't. Would you please help me?


----------



## cybertech (Apr 16, 2002)

Download ComboFix from one of these locations:

*Link 1*
*Link 2*
*Link 3*

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named.

---------------------------------------------------------------------

*Transfer all files you just downloaded, to the desktop of the infected computer.*

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.


----------



## sallitaa (Sep 18, 2008)

I did that, but I'm not sure of something. About the report, I think ComboFix didn't continue scanning. Anyway, here is the result (I wrote it out because I couldn't copy and paste it):

scanning for infected files......
this typically doesn't take more than 10 minutes,
however, scan times for badly infected machines may easily double
combofix has changed your clock settings,
do not change it back, it shall be restored later

deleting files:
"c:\autorun.inf"
"c:\windows\temp\tmp3.tmp"
"D:\autorun.inf"

completed stage_1
completed stage_2
completed stage_3
completed stage_4
completed stage_5
completed stage_6
completed stage_7
completed stage_8
completed stage_9
completed stage_10
completed stage_11
completed stage_12
completed stage_13
completed stage_14
completed stage_15
completed stage_16
completed stage_17
completed stage_18
completed stage_19
completed stage_20
completed stage_21
completed stage_22
completed stage_23
completed stage_24
completed stage_25
completed stage_26
completed stage_27
completed stage_28
completed stage_29
completed stage_30
completed stage_31
completed stage_32
completed stage_33
completed stage_34
completed stage_35
completed stage_36
completed stage_37
completed stage_38
completed stage_39
completed stage_40
completed stage_41
completed stage_42
completed stage_43
completed stage_44
completed stage_45
completed stage_46
completed stage_47
completed stage_48
completed stage_49
completed stage_50

"c:\windows\system32\" is not recognized as an internal or external command, operable program or batch file.


I don't understand what it means. Would you please tell me what I should do? By the way, after I read that I closed the window and restarted my PC.


----------



## cybertech (Apr 16, 2002)

How is the machine running now that you have restarted it?


----------



## sallitaa (Sep 18, 2008)

It's stable and faster, and I can enter all the partitions, but the strange files still exist, and I can't download HijackThis to paste the log, I don't know why.


----------



## cybertech (Apr 16, 2002)

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the icon next to the files found:

If so, click it, then click the next icon right below and select *Move incurable*, as in the next image:

This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click *File* and choose *Save report list*.
Save the report to your desktop. The report will be called *DrWeb.csv*.
Close Dr.Web CureIt.
*Reboot* your computer, because files that were in use may only be moved/deleted during the reboot.
After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with a new HijackThis log.


----------



## sallitaa (Sep 18, 2008)

My net connection is bad and slow now, so I'll download Dr.Web CureIt tomorrow. Thanks so much.


----------



## cybertech (Apr 16, 2002)

:up:


----------



## sallitaa (Sep 18, 2008)

Hello, I did as you told me, and here is the Dr.Web report:

C.bat;C:\ComboFix;Probably BATCH.Virus;Incurable.Moved.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Incurable.Moved.;
ComboFix.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\sally & sandy\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\sally & sandy\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\sally & sandy\Desktop;Archive contains infected objects;Moved.;
main.js;C:\Program Files\Messenger Plus! Live\Scripts\Now Playing;Probably SCRIPT.Virus;Incurable.Moved.;
autorun.inf.vir;C:\Qoobox\Quarantine\C;Win32.HLLW.Autoruner.2805;Deleted.;
A0010033.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP37;Win32.HLLW.Autoruner.2805;Deleted.;
A0010042.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010070.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010138.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010155.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010173.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010184.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010191.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP39;Win32.HLLW.Autoruner.2805;Deleted.;
A0010277.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP40;Win32.HLLW.Autoruner.2805;Deleted.;
A0011255.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP40;Win32.HLLW.Autoruner.2805;Deleted.;
A0011308.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP41;Win32.HLLW.Autoruner.2805;Deleted.;
A0011346.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP41;Win32.HLLW.Autoruner.2805;Deleted.;
A0011384.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012493.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012524.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012550.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012561.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012580.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012592.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012595.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP43;Win32.HLLW.Autoruner.2805;Deleted.;
A0012603.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP44;Win32.HLLW.Autoruner.2805;Deleted.;
A0013656.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP44;Win32.HLLW.Autoruner.2805;Deleted.;
A0013680.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP45;Win32.HLLW.Autoruner.2805;Deleted.;
A0013722.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP45;Win32.HLLW.Autoruner.2805;Deleted.;
A0013751.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP46;Win32.HLLW.Autoruner.2805;Deleted.;
A0013898.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP46;Win32.HLLW.Autoruner.2805;Deleted.;
A0014006.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP46;Win32.HLLW.Autoruner.2805;Deleted.;
A0014010.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP47;Win32.HLLW.Autoruner.2805;Deleted.;
A0015138.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP49;Win32.HLLW.Autoruner.2805;Deleted.;
A0015142.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP50;Win32.HLLW.Autoruner.2805;Deleted.;
A0015178.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP50;Win32.HLLW.Autoruner.2805;Deleted.;
A0015242.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP51;Win32.HLLW.Autoruner.2805;Deleted.;
A0015275.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP51;Win32.HLLW.Autoruner.2805;Deleted.;
A0016261.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP51;Win32.HLLW.Autoruner.2805;Deleted.;
A0016347.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP52;Win32.HLLW.Autoruner.2805;Deleted.;
A0016358.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016371.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016382.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016393.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016416.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0017737.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP62;Win32.HLLW.Autoruner.2805;Deleted.;
A0018750.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP64\A0018750.exe;Probably BATCH.Virus;;
A0018750.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP64\A0018750.exe;Program.PsExec.171;;
A0018750.exe;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP64;Archive contains infected objects;Moved.;
3T1_8_4.TXT;D:\sally\courses\computer\ICDL (H)\M1\TEXT;Modification of Trojan.Casino.102;Moved.;
A0010034.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP37;Win32.HLLW.Autoruner.2805;Deleted.;
A0010044.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010071.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010139.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010156.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010174.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010185.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
A0010193.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP39;Win32.HLLW.Autoruner.2805;Deleted.;
A0010278.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP40;Win32.HLLW.Autoruner.2805;Deleted.;
A0011256.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP40;Win32.HLLW.Autoruner.2805;Deleted.;
A0011309.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP41;Win32.HLLW.Autoruner.2805;Deleted.;
A0011347.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP41;Win32.HLLW.Autoruner.2805;Deleted.;
A0011385.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012494.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012525.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012551.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012562.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012581.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012593.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP42;Win32.HLLW.Autoruner.2805;Deleted.;
A0012597.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP43;Win32.HLLW.Autoruner.2805;Deleted.;
A0012605.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP44;Win32.HLLW.Autoruner.2805;Deleted.;
A0013657.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP44;Win32.HLLW.Autoruner.2805;Deleted.;
A0013682.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP45;Win32.HLLW.Autoruner.2805;Deleted.;
A0013723.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP45;Win32.HLLW.Autoruner.2805;Deleted.;
A0013753.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP46;Win32.HLLW.Autoruner.2805;Deleted.;
A0013899.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP46;Win32.HLLW.Autoruner.2805;Deleted.;
A0014007.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP46;Win32.HLLW.Autoruner.2805;Deleted.;
A0014012.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP47;Win32.HLLW.Autoruner.2805;Deleted.;
A0015139.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP49;Win32.HLLW.Autoruner.2805;Deleted.;
A0015144.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP50;Win32.HLLW.Autoruner.2805;Deleted.;
A0015179.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP50;Win32.HLLW.Autoruner.2805;Deleted.;
A0015243.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP51;Win32.HLLW.Autoruner.2805;Deleted.;
A0015276.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP51;Win32.HLLW.Autoruner.2805;Deleted.;
A0016262.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP51;Win32.HLLW.Autoruner.2805;Deleted.;
A0016349.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP52;Win32.HLLW.Autoruner.2805;Deleted.;
A0016359.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016372.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016383.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016394.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016396.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0016418.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP53;Win32.HLLW.Autoruner.2805;Deleted.;
A0017738.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP62;Win32.HLLW.Autoruner.2805;Deleted.;

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08, on 2008-11-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VerbAce-Pro Startup Agent.lnk = C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222839222796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 8064 bytes

thanks,


----------
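The Dr.Web CureIt report above is a semicolon-separated list of name;directory;detection;action rows, and most of its ninety-odd lines are copies of the same autorun.inf inside System Restore snapshots (the _restore{...}\RPnn folders) on both C: and D:. The script below is an added example, not part of Dr.Web or of the thread; it parses rows in that format and separates snapshot copies and the removal tools' own components (ComboFix bundles Sysinternals PsExec, which Dr.Web reports as Program.PsExec, and C:\Qoobox is ComboFix's quarantine) from the short list of hits that need a manual look. The sample rows are excerpted from the report posted above.

```python
from collections import Counter

# Rows excerpted from the Dr.Web CureIt report posted above; the real report
# has about ninety. Each line is name;directory;detection;action;
SAMPLE_REPORT = r"""
C.bat;C:\ComboFix;Probably BATCH.Virus;Incurable.Moved.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Incurable.Moved.;
main.js;C:\Program Files\Messenger Plus! Live\Scripts\Now Playing;Probably SCRIPT.Virus;Incurable.Moved.;
autorun.inf.vir;C:\Qoobox\Quarantine\C;Win32.HLLW.Autoruner.2805;Deleted.;
A0010033.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP37;Win32.HLLW.Autoruner.2805;Deleted.;
A0010042.inf;C:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP38;Win32.HLLW.Autoruner.2805;Deleted.;
3T1_8_4.TXT;D:\sally\courses\computer\ICDL (H)\M1\TEXT;Modification of Trojan.Casino.102;Moved.;
A0010034.inf;D:\System Volume Information\_restore{FB4D4108-021D-4D27-B201-1B7F80D3B732}\RP37;Win32.HLLW.Autoruner.2805;Deleted.;
"""

# Directories belonging to the removal tools themselves. Hits here are the
# tools' own components (ComboFix ships Sysinternals PsExec, which Dr.Web
# labels Program.PsExec) or already-quarantined copies, not live infections.
TOOL_DIRS = ("c:\\combofix", "c:\\qoobox")


def parse_report(text):
    """Parse name;directory;detection;action; rows; blank or short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        rows.append({"name": parts[0], "dir": parts[1],
                     "detection": parts[2], "action": parts[3]})
    return rows


def in_restore_point(path):
    """True for files inside a System Restore snapshot, on any drive."""
    return "\\system volume information\\_restore" in path.lower()


def is_tool_artifact(path):
    return path.lower().startswith(TOOL_DIRS)


def summarize(rows):
    live = [r for r in rows
            if not in_restore_point(r["dir"]) and not is_tool_artifact(r["dir"])]
    return {
        "total": len(rows),
        "by_detection": Counter(r["detection"] for r in rows),
        "by_action": Counter(r["action"] for r in rows),
        "drives": {r["dir"][0].upper() for r in rows
                   if len(r["dir"]) > 1 and r["dir"][1] == ":"},
        "restore_point_hits": sum(in_restore_point(r["dir"]) for r in rows),
        "tool_artifacts": sum(is_tool_artifact(r["dir"]) for r in rows),
        # What remains after discounting snapshots and tool components is the
        # short list worth reading by hand.
        "live": [(r["dir"] + "\\" + r["name"], r["detection"]) for r in live],
    }


def restore_flush_needed(summary):
    """Infected copies inside snapshots mean a restore would bring the worm
    back, so System Restore has to be flushed after the clean-up."""
    return summary["restore_point_hits"] > 0


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print("total:", s["total"], "drives:", sorted(s["drives"]))
    print("in restore points:", s["restore_point_hits"], "tool artifacts:", s["tool_artifacts"])
    for detection, n in s["by_detection"].most_common():
        print(f"{n:3}  {detection}")
    for path, detection in s["live"]:
        print("LIVE", detection, path)
    print("flush System Restore:", restore_flush_needed(s))
```

On this report the two remaining "live" entries are a Messenger Plus! script flagged heuristically ("Probably SCRIPT.Virus", a guess rather than a signature match, so it needs a manual look rather than automatic trust) and a text file under D:\sally; the snapshot hits on both drives are the reason the thread later recommends flushing System Restore.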



## cybertech (Apr 16, 2002)

Looks fine. Any problems?


----------



## sallitaa (Sep 18, 2008)

It's fine now, but I still have the strange files, and access is denied to these files; also they can't be deleted, and they are everywhere, in every file, but the general performance is good. Is there anything I can do to get rid of these files???

Can I scan my PC from time to time with Dr.Web or any of the anti-virus programs that you asked me to download? And is there any of them that I should delete from my PC???

Thanks.


----------



## cybertech (Apr 16, 2002)

Is there a directory/folder where these files are located or are they all over?


----------



## sallitaa (Sep 18, 2008)

I don't understand correctly, but the main folders are in My Computer. I deleted three files, but there is a file I can't delete called (System Volume Information), and in every partition and folder there are two files called (desktop.ini) and (thumbs.db).


----------



## cybertech (Apr 16, 2002)

system volume information is your system restore, you should not delete that.
desktop.ini is normal.
thumbs.db is created when you view a folder using Thumbnails.

You *should* remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.


Start *OTMoveIt3*
Click the *CleanUp* button
OTMoveIt3 will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
OTMoveIt3 will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself.

Click *Yes*.

It's a good idea to Flush your System Restore after removing malware and create a new restore point. 
Turn off system restore, restart the machine and then turn it back on: http://support.microsoft.com/kb/310405

Now you should Clean up your PC

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

Also check out *TSG Library of Knowledge*


----------



## sallitaa (Sep 18, 2008)

Hello, I did everything you told me about, and thanks so much for your help, but I have a question: how can I be sure that there are no viruses on my PC now???


----------



## cybertech (Apr 16, 2002)

Do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under *Upgrading Java* to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked:
- *Spyware, Adware, Dialers, and other potentially dangerous programs*
- *Archives*
- *Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6 Update 10*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u10-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the *jre-6u10-windows-i586-p.exe* and select "Run as an Administrator.")


----------



## sallitaa (Sep 18, 2008)

hello, kaspersky webscanner is telling me that i have to turn off my antivirus before running it, but i'm afraid of getting another virus, would u recommend me what to do ????


----------



## cybertech (Apr 16, 2002)

You have to disable your current anti-virus program to run the Kaspersky on-line scanner. Yes I suggest you do that and discontinue all other use of the computer until it's finished. When it's complete turn your installed anti-virus program back on.


----------



## sallitaa (Sep 18, 2008)

hello, i did that but the scan stopped at 23%, i repeated it again but it stopped again at 23% also, i don't know why? would u tell me what to do ?


----------



## cybertech (Apr 16, 2002)

Can you tell what it's stopping on?


----------



## sallitaa (Sep 18, 2008)

it's cambridge dictionary, but it's not the source, it's zipped files for the dictionary, i compressed it to send it to some friends


----------



## cybertech (Apr 16, 2002)

Can you delete it or if you want to save it put it on a thumb drive or burn it to a CD?


----------



## sallitaa (Sep 18, 2008)

hello, i deleted it, the zipped dictionary, and here is the scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 09, 2008 10:09:15
Records in database: 1376472
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 40701
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:09:35

File name / Threat name / Threats count
D:\sources\temoo\Antivirus\Kaspersky\Kaspersky Antivirus Internet Security 2009 8.0.0.357 + 7 Keys (Never Blacklisteds).rar Infected: Trojan.Win32.Monder.avm 1
The selected area was scanned.


----------



## sallitaa (Sep 18, 2008)

and i forgot something, sorry to bother u, before doing the scan while installing java a message appeared saying the following:

error 1722.there is a problem with this windows installer package. a program runs as part of the setup did not finish as expected. contact your support personnel or package vender.

would u explain to me, is there something wrong?????


----------



## cybertech (Apr 16, 2002)

This file: D:\sources\temoo\Antivirus\Kaspersky\Kaspersky Antivirus Internet Security 2009 8.0.0.357 + 7 Keys (Never Blacklisteds).rar
is infected and you should delete it.

Try installing *Windows Installer* package and see if that helps with the error.


----------



## sallitaa (Sep 18, 2008)

i installed windows installer package but it told me the following: 

setup has detected that the service pack version of this system is newer than the update you are applying ,

there is no need to install this update


----------



## cybertech (Apr 16, 2002)

Save the Java update to your desktop. Double click on the saved update to run the installation.


----------



## sallitaa (Sep 18, 2008)

i did that, thanks so much for ur help, my pc now is much better, but a little thing plz, i doubt that there is still a virus on it, coz i rarely encounter crazy things on my pc lately after removing the last virus with kaspersky online scanner, would u recommend me to do another kaspersky scan or should i do another thing?????, and this is the last thing, thanks.


----------



## cybertech (Apr 16, 2002)

You can run the Kaspersky scan again, anytime you want. If something is found and you want help just post the log. 

This thread stays open for as long as it takes to make you feel like the machine is working ok.  Unless you go 45 days without a post. In that case the thread will auto-close and at that point you should start a new thread.


----------



## sallitaa (Sep 18, 2008)

hello, i did a Kaspersky scan again, but i found nothing and here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 13, 2008 11:06:16
Records in database: 1382996
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 40678
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:59:53
No malware has been detected. The scan area is clean.
The selected area was scanned.

but when i downloaded java for the second time, i found it everywhere in all partitions, i can find two files for java, i'm sure there is a virus on my pc, would u help me plz??


----------



## cybertech (Apr 16, 2002)

Is the second partition an old install of Windows? If so you can delete the java from that one.

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
If your real-time protection or Antivirus intervenes with OTScanIt, allow it to run.
Open the *OTScanit* folder and double-click on *OTScanit.exe* to start the program.
In the *Additional Scans* section put a check in BotCheck and Disabled MS Config Items and EventViewer Errors/Warnings
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
If the log is too large to post, use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## sallitaa (Sep 18, 2008)

i don't understand how is the second partition an old install of Windows?? would u explain more??

for the first time to enter the c partition now and i saw strange files, a lot of, they r everywhere, i tried to print screen the pages but it didn't want to paste here,

i tried to attach the otscanit report but this message appeared

Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.


----------



## sallitaa (Sep 18, 2008)

i attached it again, did u receive it???


----------



## cybertech (Apr 16, 2002)

sallitaa said:


> i found it everywhere in all partitions


Maybe you should explain that to me instead of me guessing what you are talking about.

*use the Reply button, scroll down to the attachments section and attach the notepad file.*


----------



## sallitaa (Sep 18, 2008)

i'm sorry, i meant that i found the java update (that i downloaded on my desktop) in many files, and while clicking on it a message appears saying: D:\sally\jre-6u10-windows-i586-p.exe is not a valid win 32 application.


----------



## cybertech (Apr 16, 2002)

Try it from here: http://majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html


----------



## sallitaa (Sep 18, 2008)

i have java on my pc now, but in the C partition there are strange files and they r a lot, with strange names, should i format my pc and install a new windows??? although i need all the information on my pc, what shall i do??


----------



## cybertech (Apr 16, 2002)

Tell me about the strange files. Give me some examples.


----------



## sallitaa (Sep 18, 2008)

ok, i will tell u what i see when i enter the C partition, i see these files:

Documents and setting, Program files, Windows, huadio.tmp, yserve.txt, RECYCLER, system volume information, AutoEXEC.BAT, boot.ini, CONFIG.SYS, IO.SYS, MSDOS.SYS, NTDETECT, ntldr, pagefile.sys, sqmdata00.sqm, sqmdata01.sqm, sqmdata02.sqm, sqmnoopt00.sqm, sqmnoopt01.sqm, sqmnoopt02.sqm, cmdcons, Boot.bak, cmldr.

and when i enter the windows file from the C partition i see also a lot of strange files, for example $NTUninstallKB940157$ and there are a lot of these files with different numbers,

i hope to be clear enough, thanks


----------



## cybertech (Apr 16, 2002)

huadio.tmp can be deleted.
yserve.txt can be opened with notepad if you want to see what it is. I suspect it's from Yahoo.
The remainder of those look normal.

$NTUninstall*******$ files are Windows updates. Harmless and you should leave those as well.


----------



## sallitaa (Sep 18, 2008)

hello, sorry for not writing for a long period, i've been busy, and u asked me before to attach an OTScanIt report and here it is, i attached it, wish that everything is ok, thanks.


----------



## sallitaa (Sep 18, 2008)

plz inform me if u didn't receive the attached file, to attach it again, thanks.


----------



## cybertech (Apr 16, 2002)

Start *OTScanIt*. Copy/Paste the information in the Code box below into the pane where it says *Paste fix here* and then click the *Run Fix* button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {201f27d4-3704-41d6-89c1-aa35e39143ed} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AskBarDis\bar\bin\askBar.dll [AskBar BHO]
YN -> {C08DF07A-3E49-4E25-9AB0-D3882835F153} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll [QUICKfind BHO Object]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {3041d03e-fd4b-44e0-b742-2d9b88305f98} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AskBarDis\bar\bin\askBar.dll [Ask Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AskBarDis\bar\bin\askBar.dll [Ask Toolbar]
YN -> WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> clauth1.dll -> %SystemRoot%\System32\clauth1.dll
NY -> clauth2.dll -> %SystemRoot%\System32\clauth2.dll
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> lsprst7.dll -> %SystemRoot%\System32\lsprst7.dll
NY -> lsprst7.tgz -> %SystemRoot%\System32\lsprst7.tgz
NY -> nsprs.dll -> %SystemRoot%\System32\nsprs.dll
NY -> nsprs.tgz -> %SystemRoot%\System32\nsprs.tgz
NY -> serauth1.dll -> %SystemRoot%\System32\serauth1.dll
NY -> serauth2.dll -> %SystemRoot%\System32\serauth2.dll
NY -> servdat.slm -> %SystemRoot%\System32\servdat.slm
NY -> ssprs.dll -> %SystemRoot%\System32\ssprs.dll
NY -> ssprs.tgz -> %SystemRoot%\System32\ssprs.tgz
NY -> sysprs7.dll -> %SystemRoot%\System32\sysprs7.dll
NY -> sysprs7.tgz -> %SystemRoot%\System32\sysprs7.tgz
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 132 C:\Documents and Settings\sally & sandy\Local Settings\temp\*.tmp files -> C:\Documents and Settings\sally & sandy\Local Settings\temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. 
*Post that information back here*.

I will review the information when it comes back in.

Please download *ATF Cleaner* by Atribune.


Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.

Please download *Malwarebytes Anti-Malware* and save it to your desktop. _alternate link 1_ _alternate link 2_
Make sure you are connected to the Internet.
Double-click on *Download_mbam-setup.exe* to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
*Update Malwarebytes' Anti-Malware*
*Launch Malwarebytes' Anti-Malware*

Then click *Finish*.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the *OK* button to close that box and continue. _If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install._
On the Scanner tab:
Make sure the "*Perform Quick Scan*" option is selected.
Then click on the *Scan* button.

If asked to select the drives to scan, leave all the drives selected and click on the *Start Scan* button.
The scan will begin and "_Scan in progress_" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "_The scan completed successfully. Click 'Show Results' to display all objects found_".
Click *OK* to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the *Show Results* button to see a list of any malware that was found.
Make sure that *everything is checked*, and click *Remove Selected*.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. _(see Note below)_
The log is automatically saved and can be viewed by clicking the *Logs* tab in MBAM.
*Copy and paste the contents of that report in your next reply with a new hijackthis log.*
_*Note*: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware._

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java*, to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked:
- *Spyware, Adware, Dialers, and other potentially dangerous programs*
- *Archives*
- *Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6 Update 10*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u10-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the *jre-6u10-windows-i586-p.exe* and select *"Run as an Administrator"*.)


----------



## sallitaa (Sep 18, 2008)

hello, here is the OTScanIt report:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
C:\Program Files\AskBarDis\bar\bin\askBar.dll unregistered successfully.
C:\Program Files\AskBarDis\bar\bin\askBar.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C08DF07A-3E49-4E25-9AB0-D3882835F153}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C08DF07A-3E49-4E25-9AB0-D3882835F153}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ not found.
File C:\Program Files\AskBarDis\bar\bin\askBar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
File C:\Program Files\AskBarDis\bar\bin\askBar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ not found.
[Files/Folders - Created Within 30 days]
LoadLibrary failed for C:\WINDOWS\System32\clauth1.dll
C:\WINDOWS\System32\clauth1.dll NOT unregistered.
C:\WINDOWS\System32\clauth1.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\clauth2.dll
C:\WINDOWS\System32\clauth2.dll NOT unregistered.
C:\WINDOWS\System32\clauth2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\lsprst7.dll
C:\WINDOWS\System32\lsprst7.dll NOT unregistered.
C:\WINDOWS\System32\lsprst7.dll moved successfully.
C:\WINDOWS\System32\lsprst7.tgz moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\nsprs.dll
C:\WINDOWS\System32\nsprs.dll NOT unregistered.
C:\WINDOWS\System32\nsprs.dll moved successfully.
C:\WINDOWS\System32\nsprs.tgz moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\serauth1.dll
C:\WINDOWS\System32\serauth1.dll NOT unregistered.
C:\WINDOWS\System32\serauth1.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\serauth2.dll
C:\WINDOWS\System32\serauth2.dll NOT unregistered.
C:\WINDOWS\System32\serauth2.dll moved successfully.
C:\WINDOWS\System32\servdat.slm moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\ssprs.dll
C:\WINDOWS\System32\ssprs.dll NOT unregistered.
C:\WINDOWS\System32\ssprs.dll moved successfully.
C:\WINDOWS\System32\ssprs.tgz moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\sysprs7.dll
C:\WINDOWS\System32\sysprs7.dll NOT unregistered.
C:\WINDOWS\System32\sysprs7.dll moved successfully.
C:\WINDOWS\System32\sysprs7.tgz moved successfully.
[Files/Folders - Modified Within 30 days]
C:\Documents and Settings\sally & sandy\Local Settings\temp\ICD1.tmp folder deleted successfully.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\mps_192a.tmp scheduled to be deleted on reboot.
C:\Documents and Settings\sally & sandy\Local Settings\temp\sv859.tmp folder deleted successfully.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF1D8B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF1D9F.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF6E26.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF6E3C.tmp scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\mps_192a.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF1D8B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF1D9F.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF6E26.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF6E3C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_798.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 12032008_170410
Files moved on Reboot...
File C:\Documents and Settings\sally & sandy\Local Settings\temp\mps_192a.tmp not found!
File C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF1D8B.tmp not found!
File C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF1D9F.tmp not found!
File C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF6E26.tmp not found!
File C:\Documents and Settings\sally & sandy\Local Settings\temp\~DF6E3C.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_798.dat not found!


----------



## sallitaa (Sep 18, 2008)

and here is *Malwarebytes Anti-Malware* report:

Malwarebytes' Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3
2008-12-03 19:09:27
mbam-log-2008-12-03 (19-09-27).txt
Scan type: Quick Scan
Objects scanned: 46733
Time elapsed: 12 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.


----------



## sallitaa (Sep 18, 2008)

and here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30, on 2008-12-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Lingoes\Translator2\Lingoes.exe
C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VerbAce-Pro Startup Agent.lnk = C:\Program Files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222839222796
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 9032 bytes


----------



## sallitaa (Sep 18, 2008)

And about the Kaspersky online scanner: it didn't find any viruses. Is there anything I can do now? Thanks.


----------



## cybertech (Apr 16, 2002)

You have services trying to run for AVG; have you uninstalled that?

How is it running now? Any problems?


----------



## sallitaa (Sep 18, 2008)

I tried to uninstall AVG, but it didn't want to uninstall, and you told me before to just disable it from startup, and I did that. OK,
but just now, before you sent this reply, I was trying to install AVG instead of Avira (I did that now, not before posting the last posts), because I want to uninstall Avira, and I went to startup and got it back, but it doesn't want to install because it shows this message:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

Would you recommend what to do? Please!

I'm trying to see if there is anything wrong with my PC, and if I find abnormal things I'll inform you. Thanks so much for your help.


----------



## cybertech (Apr 16, 2002)

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find the services for the product.

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. 
Exit the Services utility.

Now try the uninstall/reinstall of the product you want.


----------
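The services.msc steps in the reply above, as a script. This is an added example and not something posted in the thread: it stops each named service, sets its Startup Type to Disabled, and reports whether the service's binary is still on disk, which is what HijackThis means by "(file missing)" on the O23 lines. The default service names (Avg7Alrt, Avg7UpdSvc, AVGEMS) are the three AVG7 services from the log; any other product's service names are passed in. It assumes Windows PowerShell 2.0 or later (an optional download on XP) running in an administrator session.

```powershell
# Added example: stop and disable stale services before retrying an uninstall/reinstall.
# Defaults are the AVG7 services reported "(file missing)" in the HijackThis O23 lines.
# Assumes Windows PowerShell 2.0+ in an administrator session.
param(
    [string[]]$ServiceNames = @('Avg7Alrt', 'Avg7UpdSvc', 'AVGEMS')
)

foreach ($name in $ServiceNames) {
    # Win32_Service exposes the image path and start mode, which Get-Service does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Host "$name : not registered, nothing to do"
        continue
    }

    # Reduce the image path to the executable: drop surrounding quotes, then any
    # arguments after an unquoted .exe, so Test-Path can say whether it still exists.
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(\S+\.exe)\s.*$', '$1'
    $status = if (Test-Path -LiteralPath $exe) { 'binary present' } else { 'file missing' }
    Write-Host ("{0}: state={1} start={2} path={3} [{4}]" -f $name, $svc.State, $svc.StartMode, $exe, $status)

    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    # Disabled rather than Manual: nothing may start the stale service again
    # while the uninstaller is running.
    Set-Service -Name $name -StartupType Disabled
}

# Anything still returned here after the uninstall is an orphaned registration
# that the vendor's removal tool (or "sc delete <name>") has to clean up.
Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'Avg%'" |
    Select-Object Name, State, StartMode, PathName
```

On an XP machine without PowerShell the same two steps are the built-in `sc stop Avg7Alrt` and `sc config Avg7Alrt start= disabled` (the space after `start=` is required), repeated for each service.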



## sallitaa (Sep 18, 2008)

I did that for the AVG antivirus only, and I tried to install it again, but the same message appeared.


----------



## cybertech (Apr 16, 2002)

The same error was fixed here: http://freeforum.avg.com/read.php?13,158280,158299


----------



## sallitaa (Sep 18, 2008)

I need your help, please. Sorry for bothering you. It says to create the registry key if it doesn't exist, but how can I know if it exists or not? And how can I create another one if it doesn't exist?

And HOW do I change all limited user accounts to computer administrators temporarily?

I downloaded Dial-a-Fix and SubInAcl, but I'm not continuing as he says until I receive your reply. I really appreciate your help, thanks.


----------



## cybertech (Apr 16, 2002)

Go to Control Panel, User Accounts, to manage the accounts.


----------
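The question of whether the registry key from the installer error exists, and what to do about it, as an added example that is not part of the thread. Error 0x80070005 is E_ACCESSDENIED, so on a key that does exist the problem is its permissions or owner rather than its absence; the script tests for the key, prints its ACL so a missing Full Control entry or a Deny entry for Administrators is visible, and creates the key only when it is genuinely absent. The key path is the one quoted in the error message; the script assumes Windows PowerShell 2.0 or later in an administrator session.

```powershell
# Added example: check the key the AVG installer failed on, show who may write to it,
# and create it only if it is absent. Assumes Windows PowerShell 2.0+ run as administrator.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

if (Test-Path -LiteralPath $keyPath) {
    Write-Host "Key exists: $keyPath"
    $acl = Get-Acl -Path $keyPath
    Write-Host "Owner: $($acl.Owner)"
    # Every ACE on the key. An administrator-run installer gets 0x80070005 here when
    # Administrators/SYSTEM lack FullControl or a Deny entry is present.
    $acl.Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
} else {
    Write-Host "Key is missing: $keyPath"
    # A fresh key inherits the default permissions from its parent.
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created $keyPath"
}

# A value under this same key is worth reading on a machine suspected of infection:
# AppInit_DLLs lists DLLs loaded into every process that links user32.dll, a
# persistence location used by security products and by malware alike.
$props = Get-ItemProperty -Path $keyPath
Write-Host ("AppInit_DLLs = '{0}'" -f $props.AppInit_DLLs)
```

If the ACL shows the Administrators group without Full Control, repairing it with SubInAcl (the tool the linked fix recommends) or through regedit's Permissions dialog addresses the actual cause; changing limited accounts to administrators does not help when the key itself denies administrators.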

