
help to completely remove virus please

Hi, I hope someone can help me. At the weekend I foolishly opened an email from UPS which was infected with a number of trojans. I scanned it prior to opening with Kaspersky 2010 and it said no virus detected, so I thought it would be OK to open. Once I tried to open it I realised that there was something wrong with the email and immediately deleted it and told my husband what I had done, as he knows more about computers than me. I immediately ran a full scan on Kaspersky and it told us we had 6 trojans and 5 viruses. My husband has been running various programmes over the weekend, opening up in safe mode and trying to 'talk' to the Kaspersky people to get these viruses removed. He believes that they are now removed, as they are no longer showing when he runs a security check on Kaspersky.

The problem is that we still have a small screen on the computer, a small box in black with large red writing saying

your system is infected! (underneath this in smaller white letters)
system has been stopped due to a serious malfunction spyware activity has been detected it is recomended to use spyware removal tool to prevent data loss do not use the computer before all spyware removed

How do we get rid of this screen, and how can I be sure the computer is free from viruses and safe to use with sensitive bank details when ordering online? Sorry for the long post and thanks in advance for any help. janeys

Comments

  • pcombo
    pcombo Posts: 3,429 Forumite
    aliEnRIK normally has good solutions for all this kind of stuff.

    Sometimes a virus or so will just keep coming back no matter what you do, and may require a format to make sure it won't come back. But I'm sure someone will correct me if that is wrong.
  • olly300
    olly300 Posts: 14,738 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    pcombo wrote: »
    Sometimes a virus or so will just keep coming back no matter what you do, and may require a format to make sure it won't come back. But I'm sure someone will correct me if that is wrong.

    I've managed to get rid of some quite nasty Windows viruses, but I've had the advantage of dual booting to another operating system, or having another PC or laptop to use to download things to clear it up and investigate solutions. (Plus I'm well practised now.)
    I'm not cynical I'm realistic :p

    (If a link I give opens pop ups I won't know I don't use windows)
  • pcombo
    pcombo Posts: 3,429 Forumite
    Dual booting isn't really an advantage lol; if it's on the same drive as the infected one, the secondary OS will be infected as well, no doubt.
  • greenoak
    greenoak Posts: 205 Forumite
    Sounds like your best option; you may be able to roll Windows back to 14th Jan etc.

    If you have an external hard drive I would back everything up and reinstall Windows.

    It's a lot less stressful than firefighting viruses and trojans.
  • busenbust
    busenbust Posts: 4,782 Forumite
    Hi janey, if your Internet connection is still working then download Malwarebytes, install it, update it and then run a quick scan. Delete any malware infections which it may find.

    HTH.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open Malwarebytes, go to UPDATE and click 'check for updates'. After it's updated, go to SCANNER, click PERFORM FULL SCAN, then click SCAN.
    Post the COMPLETE log here AFTER you've deleted everything it finds.


    reboot

    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click MAIN MENU, then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds), then post the log so we can see what's running.
    (Do NOT do anything else with HijackThis but scan and post the FULL log.)
    :idea:
  • janeys
    janeys Posts: 424 Forumite
    Part of the Furniture 100 Posts Name Dropper
    edited 19 January 2010 at 1:46PM
    Thank you, thank you, thank you, aliEnRIK. I have done the first part of the full scan and here is the report. I have rebooted the computer and am now going to do the second scan.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3597
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    19/01/2010 12:25:54
    mbam-log-2010-01-19 (12-25-54).txt
    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 211009
    Time elapsed: 52 minute(s), 59 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 7
    Folders Infected: 0
    Files Infected: 6
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\winadth.dll (Trojan.Hiloti) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ad7fafb0-16d6-40c3-af27-585d6e6453fd} (Trojan.BHO) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: winadth.dll -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\winadth.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Arthur\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    Have just done HijackThis and this is the log file:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 12:43:04, on 19/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\RegCure\RegCure.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?fr=fp-yie8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Ydecevukovikerev] rundll32.exe "C:\WINDOWS\imalifip.dll",Startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutorunsDisabled
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O16 - DPF: {0A742471-6B4B-4419-A0B2-68E4A9FF5ACD} (BTLocalAPI.BTlocal) - file://C:\ActivLite_ECDLXP_E\btlocal3.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Escape%20the%20Museum/Images/stg_drm.ocx
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://download.five.tv/Download/five_3_4_0_8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258113225828
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Escape%20the%20Museum/Images/armhelper.ocx
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    --
    End of file - 12428 bytes
  • Browntoa
    Browntoa Posts: 49,604 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Looking at the log file, you now need to run

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and post that log file
    Ex forum ambassador

    Long term forum member
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    TICK these and FIX them ~
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [Ydecevukovikerev] rundll32.exe "C:\WINDOWS\imalifip.dll",Startup
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

    The one in bold MUST be fixed


    If you don't use it (I don't think you should use it anyway), fix this too ~
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

    You need to run COMBOFIX as Browntoa posted

    On a side note, you have TuneUp running, which I wouldn't recommend: if it removes a registry entry it shouldn't, you could end up with a dead computer.
    Same with 'RegCure'.
    I'd uninstall Yahoo toolbar and replace it with GOOGLE toolbar (much less of a resource hog).
    Uninstall the EPSON TOOLBAR too.
    :idea:
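    The entries ticked above are picked out by a few recognisable patterns: a target that no longer exists ("(no file)"), a leftover "AutorunsDisabled" placeholder, and an autorun that uses rundll32 to load a DLL from the Windows root rather than from system32 or Program Files. The script below, an added example that is not from this thread and not part of HijackThis, applies those same patterns to log lines. The sample lines are copied from the HijackThis log posted earlier, plus one constructed benign rundll32 line; the allowlist of expected DLL directories and the "high"/"low" severity labels are my own assumptions.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example, not code from the thread or from HijackThis. It encodes
the reasoning used when picking entries to tick and fix: entries whose
target file is gone ("(no file)"), leftover "AutorunsDisabled"
placeholders, and an O4 autorun that uses rundll32 to load a DLL from
somewhere other than the usual vendor directories. The directory
allowlist and the severity labels are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "high" = likely malware, "low" = dead entry worth cleaning


# Lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Ydecevukovikerev] rundll32.exe "C:\WINDOWS\imalifip.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
"""
# Constructed line (not from the thread): a rundll32 autorun loading from
# system32, which the allowlist below should leave alone.
SAMPLE_LOG += r'O4 - HKLM\..\Run: [ExampleHelper] rundll32.exe "C:\WINDOWS\system32\examplehlp.dll",Start' + "\n"

NO_FILE = "(no file)"
O4_RE = re.compile(r"^O4 - [^:]+: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

# Assumption: on a 32-bit Windows XP box, DLLs started via rundll32 at logon
# normally live under system32 or Program Files. A DLL sitting directly in
# C:\WINDOWS (as imalifip.dll does) or under a temp folder is unusual.
EXPECTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\program files")


def dll_directory(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def triage_line(line: str):
    """Return a Finding for a suspicious or dead entry, else None."""
    line = line.strip()
    if not line:
        return None
    if line.endswith(NO_FILE):
        return Finding(line, "entry points at a file that no longer exists", "low")
    if "AutorunsDisabled" in line:
        return Finding(line, "placeholder left behind by Autoruns, not a real startup item", "low")
    m = O4_RE.match(line)
    if m:
        rd = RUNDLL_RE.search(m.group("cmd"))
        if rd and not dll_directory(rd.group("dll")).startswith(EXPECTED_DLL_DIRS):
            return Finding(
                line,
                f"rundll32 autorun '{m.group('label')}' loads {rd.group('dll')} "
                "from outside the expected DLL directories",
                "high",
            )
    return None


def triage(log_text: str):
    """Run triage_line over every line of a log and keep the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def high_severity(findings):
    """Only the findings that point at a probable infection."""
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():4}] {f.reason}\n        {f.line}")
```

    Run on the sample, it reports the Ydecevukovikerev entry as the single high-severity item (the same one ComboFix later deletes as c:\windows\imalifip.dll) and the four "(no file)"/AutorunsDisabled lines as low-severity clean-up, while leaving the vendor autoruns and the constructed system32 line alone. The location heuristic is deliberately narrow; a real triage pass would also compare each label and path against a known-good baseline.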
  • janeys
    janeys Posts: 424 Forumite
    Part of the Furniture 100 Posts Name Dropper
    This is the latest report that Browntoa suggested:
    ComboFix 10-01-18.02 - Arthur 19/01/2010 13:35:57.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.895.411 [GMT 0:00]
    Running from: c:\documents and settings\Arthur\My Documents\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Administrator\Local Settings\Application Data\{9BF4ECBD-4FAE-4730-B03E-53BD9E8FB790}
    c:\documents and settings\Administrator\Local Settings\Application Data\{9BF4ECBD-4FAE-4730-B03E-53BD9E8FB790}\chrome.manifest
    c:\documents and settings\Administrator\Local Settings\Application Data\{9BF4ECBD-4FAE-4730-B03E-53BD9E8FB790}\chrome\content\_cfg.js
    c:\documents and settings\Administrator\Local Settings\Application Data\{9BF4ECBD-4FAE-4730-B03E-53BD9E8FB790}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{9BF4ECBD-4FAE-4730-B03E-53BD9E8FB790}\install.rdf
    c:\documents and settings\Arthur\Local Settings\Application Data\{086E73A8-B1B7-4782-B19E-FD9D7871FD34}
    c:\documents and settings\Arthur\Local Settings\Application Data\{086E73A8-B1B7-4782-B19E-FD9D7871FD34}\chrome.manifest
    c:\documents and settings\Arthur\Local Settings\Application Data\{086E73A8-B1B7-4782-B19E-FD9D7871FD34}\chrome\content\_cfg.js
    c:\documents and settings\Arthur\Local Settings\Application Data\{086E73A8-B1B7-4782-B19E-FD9D7871FD34}\chrome\content\overlay.xul
    c:\documents and settings\Arthur\Local Settings\Application Data\{086E73A8-B1B7-4782-B19E-FD9D7871FD34}\install.rdf
    c:\recycler\S-1-5-21-4246047084-1669180680-1000674248-1003
    c:\windows\EventSystem.log
    c:\windows\imalifip.dll
    c:\windows\system32\18467.exe
    c:\windows\system32\Thumbs.db
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
    .
    2010-01-19 12:41 . 2010-01-19 12:41 388096 ----a-r- c:\documents and settings\Arthur\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-19 12:41 . 2010-01-19 12:41 -------- d-----w- c:\program files\TrendMicro
    2010-01-19 11:23 . 2010-01-19 11:23 -------- d-----w- c:\documents and settings\Arthur\Application Data\Malwarebytes
    2010-01-19 11:22 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-19 11:22 . 2010-01-19 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-19 11:22 . 2010-01-19 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-19 11:22 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-18 17:54 . 2010-01-18 17:55 -------- d-----w- C:\CABS
    2010-01-18 17:54 . 2010-01-18 17:54 -------- d-----w- C:\OEMCUST
    2010-01-18 17:54 . 2010-01-18 17:54 -------- d-----w- C:\FACTONLY
    2010-01-16 12:41 . 2010-01-16 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-16 12:37 . 2010-01-16 12:37 152576 ----a-w- c:\documents and settings\Arthur\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-15 15:34 . 2010-01-15 15:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-01-15 12:25 . 2010-01-19 12:29 120 ----a-w- c:\windows\Kwajozoqocef.dat
    2010-01-15 12:25 . 2010-01-19 10:08 0 ----a-w- c:\windows\Pgabutunagec.bin
    2010-01-14 23:15 . 2010-01-16 12:36 79488 ----a-w- c:\documents and settings\Arthur\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-12 21:23 . 2009-07-28 11:13 303104 ----a-w- c:\windows\Uninstall_tkexe.exe
    2010-01-12 21:22 . 2010-01-13 18:43 -------- d-----w- c:\program files\TKexe
    2010-01-12 17:45 . 2010-01-12 17:45 -------- d-----w- c:\program files\Smilebox
    2010-01-02 13:32 . 2010-01-02 13:32 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
    2010-01-02 13:32 . 2010-01-02 13:32 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
    2010-01-02 13:32 . 2010-01-02 13:32 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
    2010-01-02 13:32 . 2010-01-02 13:32 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
    2010-01-02 13:32 . 2010-01-02 13:32 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
    2010-01-02 13:31 . 2010-01-02 13:31 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
    2010-01-02 13:31 . 2010-01-02 13:31 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
    2010-01-02 13:25 . 2010-01-02 13:25 108059 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-01-02 13:25 . 2010-01-02 13:25 95259 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-01-02 13:23 . 2010-01-19 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-01-02 13:23 . 2010-01-02 13:23 -------- d-----w- c:\program files\Kaspersky Lab
    2010-01-02 13:20 . 2010-01-02 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-18 22:30 . 2007-02-08 19:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-01-16 12:39 . 2006-06-06 20:38 -------- d-----w- c:\program files\Java
    2010-01-15 13:40 . 2008-05-30 07:54 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
    2010-01-13 21:32 . 2009-12-12 18:26 -------- d-----w- c:\documents and settings\Arthur\Application Data\MysteryStudio
    2010-01-04 23:58 . 2009-07-17 16:34 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2009-12-23 14:07 . 2009-08-12 21:47 -------- d-----w- c:\program files\RegCure
    2009-12-12 18:26 . 2009-08-27 21:25 -------- d-----w- c:\program files\Games
    2009-12-08 22:39 . 2009-12-08 22:39 604488 ----a-w- c:\windows\system32\TUProgSt.exe
    2009-12-08 22:39 . 2009-12-08 22:39 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2009-12-08 22:39 . 2009-04-22 13:39 -------- d-----w- c:\program files\TuneUp Utilities 2009
    2009-12-06 23:28 . 2009-12-06 23:28 -------- d-----w- c:\documents and settings\Arthur\Application Data\Serif
    2009-11-28 21:32 . 2009-11-28 21:32 -------- d-----w- c:\documents and settings\Arthur\Application Data\SerpentOfIsis
    2009-11-21 15:51 . 2004-08-10 15:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-16 11:25 . 2009-12-08 22:39 29000 ----a-w- c:\windows\system32\uxtuneup.dll
    2009-10-29 07:45 . 2004-08-10 15:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2006-03-22 14:08 . 2006-03-22 14:08 774144 -c--a-w- c:\program files\RngInterstitial.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-16 149280]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "EPSON Stylus Photo RX420 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    "LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
    "LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "ACTIVBOARD"=c:\apps\ABoard\ABoard.exe
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    "ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "ATIPTA"=c:\ati technologies\ATI Control Panel\atiptaxx.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 20:18 36880]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13:42 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    2010-01-19 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-11-16 15:54]
    2010-01-16 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
    2010-01-19 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
    2010-01-14 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
    2010-01-19 c:\windows\Tasks\User_Feed_Synchronization-{08A4182A-EEE2-4F7E-AA6C-CE726000AEDB}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
    mSearch Bar = hxxp://search.blueyonder.co.uk/search/search.jsp
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - [URL]file://c:\windows\Java\classes\xmldso.cab[/URL]
    DPF: {0A742471-6B4B-4419-A0B2-68E4A9FF5ACD} - [URL]file://c:\activlite_ecdlxp_e\btlocal3.cab[/URL]
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    .
    - - - - ORPHANS REMOVED - - - -
    HKLM-Run-Ydecevukovikerev - c:\windows\imalifip.dll

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-19 13:46
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG08.00.00.01WORKSTATION"="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"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(1676)
    c:\windows\system32\Ati2evxx.dll
    - - - - - - - > 'explorer.exe'(2888)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
    c:\apps\Powercinema\Kernel\TV\CLSched.exe
    c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\apps\HIDSERVICE\HIDSERVICE.exe
    c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\oodag.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\System32\TUProgSt.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-19 13:52:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-19 13:52
    Pre-Run: 135,591,809,024 bytes free
    Post-Run: 135,525,109,760 bytes free
    - - End Of File - - E9305D16ABA30853FD2BF3B1D4C87893
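A few lines in the log above are worth more attention than the rest: the Security Center keys (`AntiVirusOverride` and `DisableMonitoring` set to 1), `EnableFirewall` set to 0 in the standard firewall profile, and the orphan Run entry ComboFix removed (`HKLM-Run-Ydecevukovikerev` pointing at `c:\windows\imalifip.dll`, a random-named DLL launched directly from a Run value, which is the usual footprint of rogue "your system is infected" software). The Security Center and firewall settings are not proof of anything on their own: a third-party suite such as Kaspersky Internet Security legitimately registers itself under `Monitoring` and replaces the Windows Firewall, so they are items to verify rather than conclusions. The script below is an added example written for this page, not part of the thread or of ComboFix; it takes a constructed excerpt of the log (values copied from it) and flags those indicators so the same check can be run over any ComboFix log.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the ComboFix log in this thread (key names and
# values copied from it; the real log is much longer).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Ydecevukovikerev - c:\windows\imalifip.dll
'''

Finding = Tuple[str, str]  # (category, detail)

SECTION_RE = re.compile(r'^\[(.+)\]$')              # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')     # "Name"=value
DWORD_RE = re.compile(r'dword:([0-9a-fA-F]+)')
ORPHAN_RE = re.compile(r'^(HK\w+)-Run-(\S+) - (.+)$')  # HKLM-Run-<name> - <target>

# Security Center values that suppress AV/firewall monitoring when non-zero.
SECURITY_CENTER_FLAGS = {'antivirusoverride', 'firewalloverride', 'disablemonitoring'}


def triage_combofix(log: str) -> List[Finding]:
    """Walk a ComboFix 'Reg Loading Points' dump and return the entries a
    responder should verify by hand. The parser tracks the current [section]
    header and classifies each "Name"=value line under it."""
    findings: List[Finding] = []
    section = ''
    in_orphans = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if 'ORPHANS REMOVED' in line:
            in_orphans = True
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                hive, name, target = m.groups()
                findings.append(('orphan_run_entry', f'{hive}\\Run\\{name} -> {target}'))
                continue
            in_orphans = False  # any other line ends the orphan block
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        lname = name.lower()
        if 'security center' in section:
            d = DWORD_RE.search(value)
            if lname in SECURITY_CENTER_FLAGS and d and int(d.group(1), 16) != 0:
                findings.append(('security_center_disabled', f'{section}\\{name}={value}'))
        elif 'firewallpolicy' in section and lname == 'enablefirewall':
            if re.match(r'0\b', value):
                findings.append(('firewall_disabled', f'{section}\\{name}={value}'))
        elif section.endswith('\\run') or section.endswith('\\run-'):
            # A Run value whose command is a bare DLL (not via rundll32) is
            # not something a legitimate installer writes.
            if re.search(r'\.dll\b', value, re.I) and 'rundll32' not in value.lower():
                findings.append(('run_entry_targets_dll', f'{section}\\{name}={value}'))
    return findings


if __name__ == '__main__':
    for category, detail in triage_combofix(SAMPLE_LOG):
        print(f'{category:26s} {detail}')
```

Run it against a saved ComboFix log by reading the file into `triage_combofix` instead of `SAMPLE_LOG`. On the excerpt it reports two `security_center_disabled` entries, one `firewall_disabled` and the `imalifip.dll` orphan; the Run key carrying Kaspersky's `avp.exe` is not flagged. After cleanup, re-check that nothing new has appeared under the Run keys and that the firewall you actually rely on (Windows or the suite's own) is the one enabled.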
This discussion has been closed.