Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:22 PM, on 2/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 1512 bytes
#1
Posted 12 February 2009 - 07:59 AM
#2
Posted 12 February 2009 - 08:52 AM
Malwarebytes' Anti-Malware 1.34
Database version: 1752
Windows 5.1.2600 Service Pack 2
2/12/2009 4:50:50 PM
mbam-log-2009-02-12 (16-50-50).txt
Scan type: Quick Scan
Objects scanned: 60951
Time elapsed: 5 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Forgot to put this one in..
#3
Posted 12 February 2009 - 09:44 AM
Avira AntiVir Rescue System
[indent]Requires access to a working computer with a CD/DVD burner to create a bootable CD.
- Download the Avira AntiVir Rescue System from here
- Place a blank CD in your burner and double-click on the downloaded file.
- The program will automatically burn the CD for you.
- Place the burned CD into the affected computer and start the computer from this CD.
- On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
- Click on the Configuration button.
- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)
- Select Scan all files
- Click on Virus scanner
- Click on Start scanner at the bottom of the screen
- Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.
Screen resolution problems
Please see the post here if you're unable to view the entire screen of Avira.[/indent]
#4
Posted 12 February 2009 - 11:00 AM
Unfortunately I don't have a burner here... any possible workaround? Thanks for your assistance...
#5
Posted 12 February 2009 - 11:35 AM
Okay, then try this tool. But you should have your data backed up just in case something happens.
[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#6
Posted 12 February 2009 - 11:58 PM
Here's the ComboFix log you asked for.
ComboFix 09-02-12.03 - user 2009-02-13 7:50:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.601 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.
2009-02-13 07:49 . 2009-02-13 07:50 <DIR> d-------- c:\windows\system32\CatRoot2
2009-02-08 11:24 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 11:24 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-08 11:23 . 2009-02-12 15:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 14:46 . 2009-02-06 14:46 <DIR> d-------- c:\program files\TechTracker
2009-02-04 19:06 . 2009-02-04 19:06 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-02-04 19:05 . 2009-02-04 19:07 <DIR> d-------- c:\program files\Google
2009-01-28 19:10 . 2009-01-28 19:10 280 --a------ c:\windows\system32\PDBootState
2009-01-28 19:05 . 2009-01-28 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2009-01-25 17:14 . 2009-01-25 17:38 987 -rah----- c:\windows\EPMBatch.ept
2009-01-25 17:09 . 2009-01-25 17:09 <DIR> d-------- c:\program files\EASEUS
2009-01-24 19:26 . 2009-01-24 19:26 <DIR> d-------- c:\documents and settings\user\Application Data\URSoft
2009-01-24 19:26 . 2009-02-11 20:22 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 19:25 . 2009-01-24 19:38 <DIR> d-------- c:\program files\Your Uninstaller 2008
2009-01-24 19:03 . 2009-01-31 06:00 <DIR> d-------- c:\program files\LimeWire
2009-01-13 16:24 . 2009-01-13 16:24 231,176 --a------ c:\windows\system32\PDBoot.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 15:53 66,526,240 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-13 04:55 879,524 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-13 04:38 --------- d-----w c:\documents and settings\user\Application Data\LimeWire
2009-02-11 04:26 --------- d-----w c:\program files\TuneUp Utilities 2009
2009-02-04 02:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-31 14:27 --------- d-----w c:\documents and settings\user\Application Data\Audacity
2009-01-31 14:26 --------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2009-01-31 13:50 --------- d-----w c:\program files\SharePod
2009-01-21 23:45 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-01-17 16:54 --------- d-----w c:\program files\DVDVideoSoft
2009-01-09 16:49 71,184 ----a-w c:\windows\system32\drivers\DefragFs.sys
2009-01-04 19:03 --------- d-----w c:\program files\iDump
2009-01-02 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\eboostr
2008-12-29 21:21 --------- d-----w c:\documents and settings\user\Application Data\Media Player Classic
2008-12-29 21:11 --------- d-----w c:\documents and settings\user\Application Data\Leawo
2008-12-28 19:19 --------- d-----w c:\documents and settings\user\Application Data\CallingID
2008-12-28 19:17 --------- d-----w c:\documents and settings\All Users\Application Data\ExPLabs.com
2008-12-26 05:54 --------- d-----w c:\documents and settings\user\Application Data\MailFrontier
2008-12-24 04:43 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore
2008-12-24 04:38 --------- d-----w c:\program files\Common Files\McAfee
2008-12-24 01:18 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-24 01:18 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-24 00:52 --------- d-----w c:\program files\CCleaner
2008-12-23 03:01 --------- d-----w c:\documents and settings\user\Application Data\HighAndes
2008-12-23 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\HighAndes
2008-12-14 01:53 --------- d-----w c:\documents and settings\user\Application Data\Any Video Converter
2008-12-14 01:48 796,672 ----a-w c:\windows\GPInstall.exe
2008-12-14 01:20 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-14 00:40 --------- d-----w c:\documents and settings\user\Application Data\Apple Computer
2008-12-14 00:17 --------- d-----w c:\documents and settings\user\Application Data\vlc
2008-12-11 12:31 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2008-11-27 16:51 225,280 ----a-w c:\windows\system32\BootMan.exe
2008-11-26 23:58 472,064 ----a-w c:\windows\system32\NTFSFormat.dll
2008-11-26 23:55 65,536 ----a-w c:\windows\system32\FatCopy.dll
2008-11-26 23:54 17,920 ----a-w c:\windows\system32\SectorCopy.dll
2008-11-26 23:54 139,776 ----a-w c:\windows\system32\NTFSCopy.dll
2008-11-26 23:52 86,016 ----a-w c:\windows\system32\ResizeNTFS.dll
2008-11-26 23:51 93,184 ----a-w c:\windows\system32\Partition.dll
2008-11-26 23:51 61,952 ----a-w c:\windows\system32\FatResizeMove.dll
2008-11-26 23:51 45,568 ----a-w c:\windows\system32\FileSystemCheck.dll
2008-11-26 23:50 180,736 ----a-w c:\windows\system32\DeviceManager.dll
2008-11-26 23:49 86,528 ----a-w c:\windows\system32\NTFSLib.dll
2008-11-26 23:49 31,744 ----a-w c:\windows\system32\FatLib.dll
2008-11-26 23:49 22,016 ----a-w c:\windows\system32\FatFormat.dll
2008-11-26 23:48 68,096 ----a-w c:\windows\system32\Device.dll
2008-11-26 23:48 6,656 ----a-w c:\windows\system32\CallbackOperator.dll
2008-11-26 23:48 24,576 ----a-w c:\windows\system32\NTFSFileSystemAnalyser.dll
2008-11-26 23:48 21,504 ----a-w c:\windows\system32\Fixup.dll
2008-11-26 23:48 14,848 ----a-w c:\windows\system32\FileSystemAnalyser.dll
2008-11-26 23:48 10,752 ----a-w c:\windows\system32\DeviceAdapter.dll
2008-11-26 23:47 25,088 ----a-w c:\windows\system32\FATFileSystemAnalyser.dll
2008-11-26 01:18 86,408 ----a-w c:\windows\system32\setupempdrv03.exe
2008-11-26 01:18 8,704 ----a-w c:\windows\system32\epmntdrv.sys
2008-11-26 01:18 3,072 ----a-w c:\windows\system32\EuGdiDrv.sys
2008-11-26 01:18 14,848 ----a-w c:\windows\system32\EuEpmGdi.dll
.
------- Sigcheck -------
2004-08-03 23:56 690176 3a5ee0514f56b1b775d7641cfba5ad37 c:\windows\system32\wininet.dll
2004-08-03 23:56 690176 3a5ee0514f56b1b775d7641cfba5ad37 c:\windows\system32\dllcache\wininet.dll
2004-08-03 23:56 974336 a5c1f2cf7c31874e66478910b43d6513 c:\windows\explorer.exe
2004-08-03 23:56 974336 a5c1f2cf7c31874e66478910b43d6513 c:\windows\system32\dllcache\explorer.exe
2004-08-03 23:56 100864 80cb133bd6c830e8ca7e90015e45c1cd c:\windows\system32\wuauclt.exe
2004-08-03 23:56 100864 80cb133bd6c830e8ca7e90015e45c1cd c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoWinKeys"= 01000000
"NoRecentDocsNetHood"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-09-27 16:28 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-01-25 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-01-25 3072]
S4 0108401230486864mcinstcleanup;McAfee Application Installer Cleanup (0108401230486864);c:\docume~1\user\LOCALS~1\Temp\010840~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\user\LOCALS~1\Temp\010840~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-09-28 23856]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-23 603904]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = google.net-studio.org
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\xwq2jdsm.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 07:52:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(888)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-02-13 7:54:45
ComboFix-quarantined-files.txt 2009-02-13 15:54:40
Pre-Run: 23,115,333,632 bytes free
Post-Run: 23,088,652,288 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
176
#7
Posted 13 February 2009 - 12:00 AM
Forgot the HijackThis log.. sorry...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:02 AM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 1504 bytes
#8
Posted 13 February 2009 - 09:07 AM
Well I don't see anything there that would be causing such a small output from HJT.
Please try to download and run the following.
Download to the desktop: Dr.Web CureIt
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
#9
Posted 13 February 2009 - 11:57 AM
I can't run the setup. It is showing that the program needs to be closed, then shows an error message.
#10
Posted 13 February 2009 - 08:07 PM
Well it would seem you have something, or the box is messed up. Is this one of those small 9" mini-laptops?
SHUT DOWN ALL running applications before running this.
Please download the following scanning tool. GMER
[indent]
- Open the zip file and copy the file gmer.exe to your Desktop.
- Double click on gmer.exe and run it.
- It may take a minute to load and become available.
- Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
- Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
- Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
- DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
- Click OK and quit the GMER program.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
[/indent]
#11
Posted 14 February 2009 - 07:27 AM
#12
Posted 14 February 2009 - 09:05 AM
#13
Posted 14 February 2009 - 10:07 AM
#14
Posted 15 February 2009 - 08:47 AM
any news?
#15
Posted 15 February 2009 - 09:27 AM
Please click here to download AVP Tool by Kaspersky.
- Save it to your desktop.
- Reboot your computer into SafeMode.
[indent]You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight SafeMode then hit enter.[/indent]
- Double click the setup file to run it.
- Click Next to continue.
- It will by default install it to your desktop folder. Click Next.
- Hit ok at the prompt for scanning in Safe Mode.
- It will then open a box. There will be a tab that says Automatic scan.
- Under Automatic scan make sure these are checked.
- System Memory
- Startup Objects
- Disk Boot Sectors.
- My Computer.
- Also any other drives (Removable that you may have)
After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.
- Then click on Scan at the top right hand corner.
- It will automatically Neutralize any objects found.
- If some objects are left un-neutralized then click the button that says Neutralize all
- If it says it cannot be Neutralized then choose the Delete option when prompted.
- After that is done click on the Reports button at the bottom and save it to file; name it Kas.
- Save it somewhere convenient like your desktop and post only the detected virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.
[indent]Note: This tool will self uninstall when you close it so please save the log before closing it.[/indent]