HELP!! virus and trojans!!
jennydoll420's Avatar
Computer Specs
Junior Member with 20 posts.
 
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 06:54 AM #1
HELP!! virus and trojans!!
I've tried to go to Trend Micro and it's not working. I have a lot of pop-ups, and I did have a yellow triangle in the bottom right corner up until yesterday, and it's not there anymore. I did a free scan off a site and it said I had 1018 infections. Can't get them off, please help me. Not sure what information you need, please let me know.
jennydoll420's Avatar
Computer Specs
Junior Member with 20 posts.
 
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 07:15 AM #2
Viruses, spyware, trojans. Please help
I've gotten alert messages saying I'm infected; the blinking yellow triangle is in the corner. The computer beeps sometimes, way after being turned on (not the beginning beeps). The computer is running slow. Here is my saved log from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:41 AM, on 11/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\VTTray.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\inf\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\program files\internet explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Documents and Settings\Administrator\Desktop\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nb4f.com.cn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nb4f.com.cn
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\VTTray.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [Photozig Albums Media Detector] C:\Program Files\Photozig Albums\pzAlbumsDetect.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINNT\system32\inf\svchost.exe C:\WINNT\system32\lwisys16_071122.dll start
O4 - HKUS\S-1-5-21-1614895754-492894223-1343024091-500\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User '?')
O4 - HKUS\S-1-5-21-1614895754-492894223-1343024091-500\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start (User '?')
O4 - HKUS\S-1-5-21-1614895754-492894223-1343024091-500\..\Run: [Photozig Albums Media Detector] C:\Program Files\Photozig Albums\pzAlbumsDetect.exe (User '?')
O4 - HKUS\S-1-5-21-1614895754-492894223-1343024091-500\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1181928959386
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1181937761526
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.dishgames.com/online/on...ploader_v5.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GrayPigeon_Hacker.com.cn - Unknown owner - C:\WINNT\Hacker.com.cn.exe
O23 - Service: Realplay upshell service - Unknown owner - C:\WINNT\System32\realshell.exe
O23 - Service: s3contrl (32-bit) - Unknown owner - C:\WINNT\VTTray.exe
O23 - Service: Windows System Hardware BackUp (WindowsSystemHDBackUp) - Unknown owner - C:\WINNT\System32\        

--
End of file - 6157 bytes
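As an added example (not from the thread, HijackThis, SDFix or ComboFix), the Python script below applies the checks a helper runs on a log like the one above to a constructed sample of its own lines: a start page pointing at an unexpected host, extra programs on the system.ini Shell= line, an orphaned BHO, an autorun under Policies\Explorer\Run, and O23 services whose binary has no owner or whose path ends in a whitespace-only name. The set of expected home-page hosts is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: entries copied from the HijackThis log posted above, with two clean
# Java entries and the dmadmin service kept for contrast. The last O23 line's path really
# is System32\ followed by eight spaces, so it is built explicitly instead of being typed
# with trailing whitespace that an editor would strip.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nb4f.com.cn",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/",
    r"F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\VTTray.exe",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINNT\system32\inf\svchost.exe C:\WINNT\system32\lwisys16_071122.dll start",
    r"O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe",
    r"O23 - Service: GrayPigeon_Hacker.com.cn - Unknown owner - C:\WINNT\Hacker.com.cn.exe",
    r"O23 - Service: Windows System Hardware BackUp (WindowsSystemHDBackUp) - Unknown owner - C:\WINNT\System32" + "\\" + " " * 8,
]

# Assumption: hosts this machine's owner would expect as home/search pages. The HKLM
# defaults in the log point at yahoo.com, so it is treated as expected here.
EXPECTED_HOSTS = {"yahoo.com", "microsoft.com"}


def _host(url: str) -> str:
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def _expected(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)


def triage_line(line: str) -> List[str]:
    """Return findings for one HijackThis line; an empty list means nothing notable."""
    line = line.rstrip("\r\n")  # keep trailing spaces: they are evidence in O23 paths
    m = re.match(r"^(R0|R1|F2|O2|O4|O23) - (.*)$", line)
    if not m:
        return []
    kind, body = m.groups()
    findings: List[str] = []
    if kind in ("R0", "R1"):
        # Browser home/search pages: compare the URL host to the expected set.
        host = _host(body.split(" = ", 1)[-1])
        if host and not _expected(host):
            findings.append(f"{kind}: browser page set to unexpected host {host}")
    elif kind == "F2":
        # system.ini Shell= should be exactly Explorer.exe; every extra token is run at logon.
        sm = re.search(r"Shell=(.+)$", body)
        extra = [t for t in sm.group(1).split() if t.lower() != "explorer.exe"] if sm else []
        if extra:
            findings.append("F2: Shell= also loads " + ", ".join(extra))
    elif kind == "O2":
        # A BHO whose DLL is gone is an orphan left behind by a removed or half-removed program.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append("O2: BHO registered but its DLL is missing (orphaned entry)")
    elif kind == "O4":
        # Run keys under Policies\Explorer are honoured at logon but rarely used by installers.
        if "\\policies\\explorer\\run" in body.lower():
            findings.append("O4: autorun under Policies\\Explorer\\Run, rarely used by legitimate software")
    elif kind == "O23":
        # Format: Service: <display name> - <owner from version info> - <binary path>
        parts = body.split(" - ")
        if len(parts) >= 3:
            owner, path = parts[-2], parts[-1]
            if owner == "Unknown owner":
                findings.append("O23: service binary carries no company name in its version info")
            if path.rsplit("\\", 1)[-1].strip() == "":
                findings.append("O23: service path ends in an empty or whitespace-only file name")
    return findings


def triage_log(lines) -> Dict[str, List[str]]:
    """Map every notable line to its findings; clean lines are left out."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        findings = triage_line(line)
        if findings:
            report[line.rstrip("\r\n")] = findings
    return report


if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LINES).items():
        print(entry[:72])
        for f in findings:
            print("   ->", f)
```

Run against the full log the same way (one line per list element, read without stripping trailing whitespace) and the flagged lines are the ones a helper would ask about first; clean entries such as the Java updater and dmadmin produce nothing.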
dvk01's Avatar
Moderator with 24,551 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
25-Nov-2007, 07:44 AM #3
You make 2 posts in 20 minutes and then send emails screaming for help.

I have combined both posts. Now wait your turn and you will be got to eventually.

A lot of people have been waiting much longer, and 1 hour is not long to wait.
dvk01's Avatar
Moderator with 24,551 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
25-Nov-2007, 07:45 AM #4
You are badly infected and it will take a lot to clean you up.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Then, when it has rebooted:

Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.


Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller

please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment
jennydoll420's Avatar
Computer Specs
Junior Member with 20 posts.
 
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 08:21 AM #5
Here's the ComboFix log.

ComboFix 07-11-19.3 - Administrator 11/25/2007 8:12:57.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.345 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bsoa\Application Data\FunWebProducts
C:\Documents and Settings\bsoa\Application Data\FunWebProducts\Data\bsoa\avatar.dat
C:\Documents and Settings\bsoa\Application Data\FunWebProducts\Data\bsoa\register.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\001F0EC4.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\003A17C6.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\WINNT\Hacker.com.cn.exe
C:\WINNT\mwinsys.ini
C:\WINNT\System\AlxRes071109.exe
C:\WINNT\system32\inf\scrsys071109.scr
C:\WINNT\system32\inf\scrsys071122.scr
C:\WINNT\system32\inf\scrsys16_071109.dll
C:\WINNT\system32\inf\scrsys16_071122.dll
C:\WINNT\system32\mywebhit.ini
C:\WINNT\system32\winsys16_071109.dll
C:\WINNT\system32\winsys32_071109.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GRAYPIGEON_HACKER.COM.CN
-------\GrayPigeon_Hacker.com.cn


((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-25 08:17 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1e8.dat
2007-11-25 08:00 <DIR> d-------- C:\WINNT\ERUNT
2007-11-25 01:24 691,248 -r-hs---- C:\WINNT\system32\****************
2007-11-24 14:53 215,552 -r-hs---- C:\WINNT\system32\termsrvhack.dll
2007-11-24 14:53 49,152 -r-hs---- C:\Program Files\3389.exe
2007-11-24 12:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-24 02:13 <DIR> d-------- C:\Program Files\SpywareBot
2007-11-24 02:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SpywareBot
2007-11-24 01:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Tenebril
2007-11-24 01:52 696,832 -r-hs---- C:\WINNT\system32\realshell.DLL
2007-11-24 01:52 65,536 -r-hs---- C:\WINNT\system32\REALSHELLKEY.DLL
2007-11-24 01:51 285,911 -r-hs---- C:\WINNT\system32\realshell.exe
2007-11-24 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2007-11-23 23:25 <DIR> d-------- C:\Program Files\ITTerritory
2007-11-23 20:18 <DIR> d-------- C:\WINNT\system32\tenarchlib
2007-11-23 20:18 180,224 --a-s---- C:\WINNT\system32\archlib.dll
2007-11-23 17:10 204,800 --a------ C:\WINNT\system32\mwisys32_071122.dll
2007-11-23 17:10 25,088 --a------ C:\WINNT\system32\lwisys16_071122.dll
2007-11-23 13:19 104,248 --a------ C:\WINNT\system\sslxpes071122.exe
2007-11-23 00:21 3,072 --a------ C:\WINNT\system32\drivers\64FD0CB0-8DD1-43F0-8EBD-AA075CDE0748.cxv
2007-11-22 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-11-22 19:32 <DIR> d-------- C:\Program Files\AntiSpyGolden 5.1
2007-11-22 15:52 <DIR> d-------- C:\Program Files\VirusProtect 3.8
2007-11-22 15:51 <DIR> d-------- C:\Program Files\Video Add-on
2007-11-22 04:33 <DIR> d-------- C:\windows
2007-11-16 14:08 <DIR> d-------- C:\Program Files\MetaStream
2007-11-15 02:24 <DIR> d-------- C:\Program Files\Photozig Albums
2007-11-15 02:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Photozig Albums
2007-11-15 02:24 1,820,160 --a------ C:\WINNT\system32\Photozig Screen Saver.scr
2007-11-15 02:24 352,256 --a------ C:\WINNT\system32\ijl15.dll
2007-11-14 20:21 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-11-14 20:21 <DIR> d-------- C:\Program Files\AskPBar
2007-11-14 02:27 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-11-14 02:27 462,848 --a------ C:\WINNT\system32\msaatext.dll
2007-11-14 02:27 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2007-11-14 02:27 348,160 --------- C:\WINNT\system32\msvcr71.dll
2007-11-14 01:31 <DIR> d-------- C:\Program Files\Photo Toolkit
2007-11-13 22:55 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Yahoo!
2007-11-13 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-13 22:34 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 22:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-11-13 15:53 43,520 --a------ C:\WINNT\system32\CmdLineExt03.dll
2007-11-13 15:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WeatherBug
2007-11-13 15:48 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-11-13 15:48 <DIR> d-------- C:\Program Files\AWS
2007-11-12 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-12 17:19 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-11-12 08:02 1,163 --a------ C:\WINNT\mozver.dat
2007-11-12 07:04 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-11-12 06:53 0 --a------ C:\WINNT\nsreg.dat
2007-11-12 06:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-11-12 06:46 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-11-12 06:45 4,937 --a------ C:\WINNT\system32\jupdate-1.6.0_02-b05.log
2007-11-11 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\iWin
2007-11-11 19:56 <DIR> d-------- C:\Program Files\Oberon Media
2007-11-11 19:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-11 18:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
2007-11-11 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2007-11-11 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon Games
2007-11-11 09:45 <DIR> d-------- C:\Program Files\DishGAMES
2007-11-11 09:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 04:41 192 --a------ C:\WINNT\system32\mywehit.ini
2007-11-09 23:48 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-09 23:00 1,204 --a------ C:\WINNT\system32\d3d9caps.dat
2007-11-09 22:59 1,092 --a------ C:\WINNT\system32\d3d8caps.dat
2007-11-09 22:33 <DIR> d-------- C:\Documents and Settings\bsoa\Application Data\DMCache
2007-11-09 22:23 671,744 ---hs---- C:\WINNT\system32\_winlogon.exe
2007-11-09 20:14 <DIR> d-------- C:\WINNT\Sun
2007-11-09 16:58 <DIR> d-------- C:\WINNT\system32\inf
2007-11-09 16:54 <DIR> d-------- C:\Program Files\MySpace
2007-11-09 16:54 <DIR> d-------- C:\Documents and Settings\bsoa\Application Data\MySpace
2007-11-09 16:34 <DIR> d-------- C:\Documents and Settings\bsoa\Application Data\Yahoo!
2007-11-09 16:33 <DIR> d-------- C:\Program Files\Google
2007-11-09 16:32 5,387 --a------ C:\WINNT\system32\jupdate-1.6.0_03-b05.log
2007-11-09 16:27 <DIR> d-------- C:\WINNT\system32\Macromed
2007-11-09 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-09 16:25 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-09 16:21 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2007-11-09 16:21 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
2007-11-09 16:21 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2007-11-09 16:21 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2007-11-09 16:21 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 14:46 --------- d-----w C:\Program Files\Java
2007-11-12 11:43 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-11-11 12:43 --------- d-----w C:\Documents and Settings\bsoa\Application Data\OpenOffice.org2
2007-11-10 02:17 95,024 ----a-w C:\WINNT\system32\sfc.dll
2007-06-15 17:22 271 ---h--w C:\Program Files\desktop.ini
2007-06-15 17:22 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04-11-08 17:13 ]
"I&F Viewer toolbar"="C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" []
"Photozig Albums Media Detector"="C:\Program Files\Photozig Albums\pzAlbumsDetect.exe" [07-11-09 18:17 ]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [07-11-20 14:41 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 04:00 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 04:00 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

R2 WindowsSystemHDBackUp;Windows System Hardware BackUp;C:\WINNT\System32\        
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S2 Realplay upshell service;Realplay upshell service;C:\WINNT\System32\realshell.exe
S3 bDMusicb;bDMusicb;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bDMusicb.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 16:18:13 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 08:18:00
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\WINNT\system32\         [568] 0x818E3900

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 8:18:57 - machine was rebooted
.
--- E O F ---
Getting a copy of SDFix.
jennydoll420's Avatar
Computer Specs
Junior Member with 20 posts.
 
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 08:24 AM #6
Here is the SDFix log.

SDFix: Version 1.115

Run by Administrator on Sun 11/25/2007 at 8:01a

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
s3contrl (32-bit)
WINLOGON

Path:
"C:\WINNT\VTTray.exe"
C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe

s3contrl (32-bit) - Deleted
WINLOGON - Deleted


C:\WINNT\system32\Microsoft\backup.ftp Found
C:\WINNT\system32\Microsoft\backup.tftp Found

Checking files:

Genuine:
C:\WINNT\system32\Microsoft\backup.ftp
C:\WINNT\system32\Microsoft\backup.tftp

Dummy:
C:\WINNT\system32\ftp.exe
C:\WINNT\system32\tftp.exe
C:\WINNT\system32\dllcache\ftp.exe
C:\WINNT\system32\dllcache\tftp.exe

Files copied to SDFix\Backups

Restoring files if backups are found

Final Check:

Genuine:
C:\WINNT\system32\Microsoft\backup.ftp
C:\WINNT\system32\Microsoft\backup.tftp
C:\WINNT\system32\ftp.exe
C:\WINNT\system32\tftp.exe
C:\WINNT\system32\dllcache\ftp.exe
C:\WINNT\system32\dllcache\tftp.exe

Dummy:



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\3D3T4T~1.EXE - Deleted
C:\Program Files\Common Files\Carlson\carlton - Deleted
C:\Documents and Settings\All Users\Start Menu\carlton - Deleted
C:\WINNT\system32\Microsoft\backup.ftp - Deleted
C:\WINNT\system32\Microsoft\backup.tftp - Deleted
C:\WINNT\uninstal.bat - Deleted
C:\WINNT\VTTray.exe - Deleted



Folder C:\Program Files\Common Files\Carlson - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 08:05:00
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\WINNT\system32\         [592] 0x818E0680

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 24 Nov 2007 49,152 ..SHR --- "C:\Program Files\3389.exe"
Sat 17 Nov 2007 761,344 ..SHR --- "C:\WINNT\Hacker.com.cn.exe"
Sun 25 Nov 2007 696,832 ..SHR --- "C:\WINNT\system32\realshell.DLL"
Sat 24 Nov 2007 285,911 ..SHR --- "C:\WINNT\system32\realshell.exe"
Sat 24 Nov 2007 65,536 ..SHR --- "C:\WINNT\system32\REALSHELLKEY.DLL"
Sat 24 Nov 2007 215,552 ..SHR --- "C:\WINNT\system32\termsrvhack.dll"
Fri 9 Nov 2007 671,744 ..SH. --- "C:\WINNT\system32\_winlogon.exe"

Finished!
dvk01's Avatar
Moderator with 24,551 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
25-Nov-2007, 02:17 PM #7
That is extremely badly infected and I will not guarantee we can fix it.

It will take me at least 45 minutes of examining those logs to prepare the FIRST part of the fix needed.

I will post back as soon as I have it prepared.


READ THIS:

We have found out that this malware/spyware is designed to steal your private information. That includes all passwords, logins to forums, your email details and other websites, and most of all your bank, credit card or PayPal details.
It is vital that after you have been cleaned up you change all your passwords, and it is necessary to get in touch with your bank or other financial body to inform them that your details may (probably have) been stolen.
It also seems to be able to steal all your emails, so anything you have emailed to anybody is no longer confidential.
dvk01's Avatar
Moderator with 24,551 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
25-Nov-2007, 02:34 PM #8
You have no antivirus at all and wonder why you got infected.

This will start to clear it up, but as I said before I won't guarantee it will work, and it definitely won't fix it all in one go.

Download the attached CFScript.txt and save it to your desktop.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


then

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HijackThis log along with the results from the Kaspersky scan.

Note: Kavscan is a scanner only and won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

You must use IE for the scan to work.

then

Download the gmer rootkit detector from http://gmer.net

Unzip it and double click the gmer.exe file.

Select the rootkit tab and press scan.

When it has finished, press copy and post back the log it makes.
Attached Files
File Type: txt CFScript.txt (693 Bytes, 33 views)
jennydoll420's Avatar
Computer Specs
Junior Member with 20 posts.
 
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 04:15 PM #9
Here is the ComboFix log.

ComboFix 07-11-19.3 - Administrator 11/25/2007 16:09:24.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.312 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\Program Files\3389.exe
C:\WINNT\Hacker.com.cn.exe
C:\WINNT\system\sslxpes071122.exe
C:\WINNT\system32\_winlogon.exe
C:\WINNT\system32\drivers\64FD0CB0-8DD1-43F0-8EBD-AA075CDE0748.cxv
C:\WINNT\system32\lwisys16_071122.dll
C:\WINNT\system32\mwisys32_071122.dll
C:\WINNT\system32\realshell.DLL
C:\WINNT\system32\realshell.exe
C:\WINNT\system32\REALSHELLKEY.DLL
C:\WINNT\system32\termsrvhack.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3389.exe
C:\Program Files\AntiSpyGolden 5.1
C:\Program Files\AntiSpyGolden 5.1\AntiSpyGolden AntiSpyGolden.url
C:\Program Files\AntiSpyGolden 5.1\Logs\scan_log_11222007-193257.html
C:\WINNT\system\sslxpes071122.exe
C:\WINNT\system32\_winlogon.exe
C:\WINNT\system32\drivers\64FD0CB0-8DD1-43F0-8EBD-AA075CDE0748.cxv
C:\WINNT\System32\        \
C:\WINNT\system32\lwisys16_071122.dll
C:\WINNT\system32\mwisys32_071122.dll
C:\WINNT\system32\realshell.DLL
C:\WINNT\system32\REALSHELLKEY.DLL
C:\WINNT\system32\termsrvhack.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_REALPLAY_UPSHELL_SERVICE
-------\LEGACY_WINDOWSSYSTEMHDBACKUP
-------\WindowsSystemHDBackUp


((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-25 10:22 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-25 08:46 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 08:46 1,066,176 --a------ C:\WINNT\system32\MSCOMCTL.OCX
2007-11-25 08:46 118,784 --a------ C:\WINNT\system32\MSSTDFMT.DLL
2007-11-25 08:46 115,920 --a------ C:\WINNT\system32\MSINET.OCX
2007-11-25 08:00 <DIR> d-------- C:\WINNT\ERUNT
2007-11-25 01:24 691,248 -r-hs---- C:\WINNT\system32\****************
2007-11-24 12:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-24 02:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SpywareBot
2007-11-24 01:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Tenebril
2007-11-24 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2007-11-23 23:25 <DIR> d-------- C:\Program Files\ITTerritory
2007-11-23 20:18 <DIR> d-------- C:\WINNT\system32\tenarchlib
2007-11-23 20:18 180,224 --a-s---- C:\WINNT\system32\archlib.dll
2007-11-22 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-11-22 15:52 <DIR> d-------- C:\Program Files\VirusProtect 3.8
2007-11-22 15:51 <DIR> d-------- C:\Program Files\Video Add-on
2007-11-22 04:33 <DIR> d-------- C:\windows
2007-11-16 14:08 <DIR> d-------- C:\Program Files\MetaStream
2007-11-15 02:24 <DIR> d-------- C:\Program Files\Photozig Albums
2007-11-15 02:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Photozig Albums
2007-11-15 02:24 352,256 --a------ C:\WINNT\system32\ijl15.dll
2007-11-14 20:21 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-11-14 20:21 <DIR> d-------- C:\Program Files\AskPBar
2007-11-14 02:27 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-11-14 02:27 462,848 --a------ C:\WINNT\system32\msaatext.dll
2007-11-14 02:27 348,160 --------- C:\WINNT\system32\msvcr71.dll
2007-11-14 01:31 <DIR> d-------- C:\Program Files\Photo Toolkit
2007-11-13 22:55 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Yahoo!
2007-11-13 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-13 22:34 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-11-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 22:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-11-13 15:53 43,520 --a------ C:\WINNT\system32\CmdLineExt03.dll
2007-11-13 15:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WeatherBug
2007-11-13 15:48 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-11-13 15:48 <DIR> d-------- C:\Program Files\AWS
2007-11-12 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-12 17:19 <DIR> d-------- C:\Program Files\Conquer 2.0
2007-11-12 08:02 1,163 --a------ C:\WINNT\mozver.dat
2007-11-12 07:04 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-11-12 06:53 0 --a------ C:\WINNT\nsreg.dat
2007-11-12 06:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-11-12 06:46 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-11-12 06:45 4,937 --a------ C:\WINNT\system32\jupdate-1.6.0_02-b05.log
2007-11-11 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\iWin
2007-11-11 19:56 <DIR> d-------- C:\Program Files\Oberon Media
2007-11-11 19:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-11 18:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
2007-11-11 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2007-11-11 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon Games
2007-11-11 09:45 <DIR> d-------- C:\Program Files\DishGAMES
2007-11-11 09:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-09 23:48 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-09 23:00 1,204 --a------ C:\WINNT\system32\d3d9caps.dat
2007-11-09 22:59 1,092 --a------ C:\WINNT\system32\d3d8caps.dat
2007-11-09 22:33 <DIR> d-------- C:\Documents and Settings\bsoa\Application Data\DMCache
2007-11-09 20:14 <DIR> d-------- C:\WINNT\Sun
2007-11-09 16:58 <DIR> d-------- C:\WINNT\system32\inf
2007-11-09 16:54 <DIR> d-------- C:\Program Files\MySpace
2007-11-09 16:54 <DIR> d-------- C:\Documents and Settings\bsoa\Application Data\MySpace
2007-11-09 16:34 <DIR> d-------- C:\Documents and Settings\bsoa\Application Data\Yahoo!
2007-11-09 16:33 <DIR> d-------- C:\Program Files\Google
2007-11-09 16:32 5,387 --a------ C:\WINNT\system32\jupdate-1.6.0_03-b05.log
2007-11-09 16:27 <DIR> d-------- C:\WINNT\system32\Macromed
2007-11-09 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-09 16:25 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 14:46 --------- d-----w C:\Program Files\Java
2007-11-12 11:43 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-11-11 12:43 --------- d-----w C:\Documents and Settings\bsoa\Application Data\OpenOffice.org2
2007-11-10 02:17 95,024 ----a-w C:\WINNT\system32\sfc.dll
2007-11-10 02:16 1,820,160 ----a-w C:\WINNT\system32\Photozig Screen Saver.scr
2007-06-15 17:22 271 ---h--w C:\Program Files\desktop.ini
2007-06-15 17:22 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Sun 2007-11-25_ 8.18.23.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-15 18:02:14 465,472 ----a-w C:\WINNT\Downloaded Program Files\wlscBase.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04-11-08 17:13 ]
"Photozig Albums Media Detector"="C:\Program Files\Photozig Albums\pzAlbumsDetect.exe" [07-11-09 18:17 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 04:00 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 04:00 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 bDMusicb;bDMusicb;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bDMusicb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 16:44:40 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 16:12:58
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 16:13:49 - machine was rebooted
C:\ComboFix2.txt ... 07-11-25 08:18
.
--- E O F ---
jennydoll420
Junior Member with 20 posts.
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 04:16 PM #10
Here is the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:08 PM, on 11/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nb4f.com.cn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nb4f.com.cn
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Photozig Albums Media Detector] C:\Program Files\Photozig Albums\pzAlbumsDetect.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1181928959386
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1181937761526
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.dishgames.com/online/on...ploader_v5.cab
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 4346 bytes
dvk01
Moderator with 24,551 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
25-Nov-2007, 04:32 PM #11
It looks like we have at least one file name in the logs being blocked by the swear filter, so it must be bad:

2007-11-25 01:24 691,248 -r-hs---- C:\WINNT\system32\****************

Can you attach the ComboFix log to a reply please, and any other logs that are being made, especially the GMER one, so the swear filter doesn't block them out

and we can see what needs to be deleted.

Thanks
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller

please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment
jennydoll420
Junior Member with 20 posts.
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 04:48 PM #12
Thank you for your help. Scanning is taking a while; I will have that to you as soon as it's done. It's crazy how my computer is that bad; I've only had it for 3 weeks. I didn't know of any anti-virus protection when I got it.
jennydoll420
Junior Member with 20 posts.
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 05:00 PM #13
Here's the log again.
Attached Files: ComboFix.txt (txt, 9.7 KB, 46 views)
jennydoll420
Junior Member with 20 posts.
Join Date: Nov 2007
Location: dayton ohio
Experience: know alot but not enough
25-Nov-2007, 07:01 PM #14
I tried putting this in an attachment, but it's saying it's an invalid file, so I'm pasting it in. Let me know if this works. Kaspersky scan results:

KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 6:43:31 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 465574
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 25326
Number of viruses found 15
Number of infected objects 29
Number of suspicious objects 0
Duration of the scan process 02:00:53

Infected Object Name Virus Name Last Action

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\3d3t4t8n7l.exe.bac_a00300 Infected: not-a-virus:Dialer.Win32.Agent.z skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ASKPBAR.DLL.bac_a00300 Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\carlton.bac_a00300 Infected: not-a-virus:Dialer.Win32.Agent.z skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Dc1.exe.bac_a00300 Infected: not-a-virus:Dialer.Win32.Agent.z skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Dc14.DLL.bac_a00300 Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dual[1].jpg.bac_a00300 Infected: not-a-virus:Dialer.Win32.Agent.z skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\cert8.db Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\history.dat Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\key3.db Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\parent.lock Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bjcj91gb.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE WiseSFX: infected - 1 skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE WiseSFX Dropper: infected - 1 skipped

C:\Program Files\Trend Micro\HijackThis\backups\backup-20071124-130148-536.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\qoobox\Quarantine\C\Program Files\3389.exe.vir Infected: Backdoor.Win32.WinterLove.bb skipped

C:\qoobox\Quarantine\C\WINNT\system\sslxpes071122.exe.vir Infected: Trojan-Spy.Win32.Agent.anz skipped

C:\qoobox\Quarantine\C\WINNT\system32\inf\scrsys071122.scr.vir Infected: Trojan-Spy.Win32.Agent.anz skipped

C:\qoobox\Quarantine\C\WINNT\system32\inf\scrsys16_071109.dll.vir Infected: Trojan-Spy.Win32.Pophot.wv skipped

C:\qoobox\Quarantine\C\WINNT\system32\inf\scrsys16_071122.dll.vir Infected: Trojan-Spy.Win32.Pophot.xl skipped

C:\qoobox\Quarantine\C\WINNT\system32\lwisys16_071122.dll.vir Infected: Trojan-Spy.Win32.Pophot.xl skipped

C:\qoobox\Quarantine\C\WINNT\system32\mwisys32_071122.dll.vir Infected: Trojan-Spy.Win32.Pophot.xk skipped

C:\qoobox\Quarantine\C\WINNT\system32\realshell.DLL.vir Infected: Backdoor.Win32.Hupigon.hls skipped

C:\qoobox\Quarantine\C\WINNT\system32\REALSHELLKEY.DLL.vir Infected: Backdoor.Win32.Hupigon.aoa skipped

C:\qoobox\Quarantine\C\WINNT\system32\winsys16_071109.dll.vir Infected: Trojan-Spy.Win32.Pophot.wv skipped

C:\qoobox\Quarantine\C\WINNT\system32\winsys32_071109.dll.vir Infected: Trojan-Spy.Win32.Pophot.wv skipped

C:\RECYCLER\S-1-5-21-1614895754-492894223-1343024091-1000\Dc826.cab/f3Setup1.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.aw skipped

C:\RECYCLER\S-1-5-21-1614895754-492894223-1343024091-1000\Dc826.cab CAB: infected - 1 skipped

C:\SDFix\backups\backups.zip/backups/3d3t4t8n7l.exe Infected: not-a-virus:Dialer.Win32.Agent.z skipped

C:\SDFix\backups\backups.zip/backups/VTTray.exe Infected: Backdoor.Win32.SdBot.cep skipped

C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{486C3D17-ADD7-44FC-9D10-FE31D2DF5F97}.bin Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\system32\sfc.dll Infected: Trojan-Spy.Win32.Banker.alr skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
dvk01
Moderator with 24,551 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
25-Nov-2007, 07:13 PM #15
That is showing the same problem in the attachment as well:

2007-11-25 01:24 691,248 -r-hs---- C:\WINNT\system32\-----------------

No file name, just a load of ------------------.
I have never seen that before.

Perhaps GMER will show it.