SVCHOST.EXE causing lots of problems - can I use another user's fix? (In Progress)


#1  jonbyles (Junior Member, joined Jun 2009, Experience: Intermediate), 05-Jun-2009, 03:24 PM
SVCHOST.EXE causing lots of problems - can I use another user's fix?
Hi

This is my first post so please excuse me if I'm asking anything daft.

I keep getting an svchost.exe error followed by either

0x75606eb5 or 0x7c9108b3 or 0x76f6122e

coming up on my computer at different times. It seems to be when I go on the net; however, I am getting a host of other problems as well.

They are in fact identical to another user's problems:

http://forums.techguy.org/malware-re...ion-error.html

However, not wanting to muck up my computer for good, I wasn't sure whether or not I could follow the solution you gave to that problem (using ComboFix).

If I'm safe in using that solution, then fantastic, if not, then please please please can you help me.

The other problems I'm getting are :

My system seems to struggle doing 2 things at once (a bit like me, according to my wife!)
All sounds have disappeared, apart from error and startup sounds.
IE freezes, or takes an age trying to close a window.
My task manager does not work, which is annoying when you want to try and stop the freezing!
I can't use windows update either manually or automatically.

I've run AntiVir scans, which found a few viruses, and I've run spyware scans, but nothing seems to fix the problem.

I'm tearing my hair out, and would appreciate your help.

I've downloaded the HijackThis app, and it gave me all this:

Genuinely looking forward to hearing from you soon.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:50, on 05/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TrayIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
D:\office2007\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
D:\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\prog files\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\office2007\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\office2007\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\system32\TrayIcon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\office2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\prog files\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\office2007\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\prog files\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\prog files\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\prog files\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Jon\My Documents\New Folder\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Jon\My Documents\New Folder\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\office2007\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 11831 bytes

#2  jonbyles, 08-Jun-2009, 03:27 PM
bump

#3  jonbyles, 11-Jun-2009, 03:15 PM
bump. Please. I just need to know if I can use the same fix as another user, without it damaging my computer.
Many thanks

#4  jonbyles, 15-Jun-2009, 05:08 PM
Bump

#5  jonbyles, 18-Jun-2009, 07:16 PM
Bump. Please, will somebody help me...

#6  jonbyles, 30-Jun-2009, 12:33 PM
bump

#7  jonbyles, 04-Jul-2009, 07:16 AM
Bump

#8  cybertech (Moderator, joined Apr 2002, Washington State), 04-Jul-2009, 05:12 PM
Hi, Welcome to TSG!!

Sorry you have waited so long for assistance.

How old is the computer and how much ram does it have?


Download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.




Download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________
Microsoft MVP/Windows - Consumer Security

#9  jonbyles, 06-Jul-2009, 06:10 PM
Hi, and big thanks for the reply.

However, I've got a problem.

ATF Cleaner stage is done and completed, but MBAM will not run, no matter what I try.

It downloads fine, but will not run either from the download itself, or from the desktop. I've tried putting it in different drives on the system, tried disabling current antivirus etc, but nothing seems to work.

Is it a bad link, or is my computer fighting the thing that's trying to help it?

I've had the comp about 4/5 years by the way, and it's apparently got 512 of RAM in it. It runs like it's got 5.12 though! CPU usage goes to 100% when one application is opened!

I await your help and suggestions, and I'll keep trying in the meantime.

Many thanks

Jon

#10  jonbyles, 06-Jul-2009, 06:43 PM
IGNORE LAST POST

I've renamed the MBAM file as 'jon' and it ran.

Stand by for log report.

Cheers

Jon

#11  jonbyles, 06-Jul-2009, 06:52 PM
That's that done.

I followed your instructions and got the following report:

Malwarebytes' Anti-Malware 1.38
Database version: 2383
Windows 5.1.2600 Service Pack 3

06/07/2009 23:49:48
mbam-log-2009-07-06 (23-49-48).txt

Scan type: Quick Scan
Objects scanned: 107141
Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Jon\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Jon\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Jon\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Program Files\winupdates (Worm.P2P) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\bszip.dll (Worm.P2P) -> Quarantined and deleted successfully.
c:\documents and settings\Jon\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Jon\application data\malwareremovalbot\Log\2009 Jun 21 - 11_01_30 AM_040.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Jon\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\RECYCLER\S-5-9-99-100022251-100024658-100005233-4384.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.


Getting excited now.

Looking forward to your next installment.

thanks so much again

Jon
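Two items in the MBAM log above are worth checking mechanically rather than by eye: the Security Center DisableNotify data flipped to 1 (the infection silenced the "no antivirus" and "no firewall" balloon warnings), and a file sitting directly under RECYCLER with a SID-shaped name, S-5-9-99-..., which cannot be a real per-user recycle-bin folder (those are named after account SIDs of the form S-1-5-21-...) and carries a .com extension. The Python below is an added example, not code from this thread or from Malwarebytes. It parses lines in the log's "item (Detection) -> result" format and applies those two checks. The embedded sample is an excerpt of the log posted above; the executable-extension list is the example's own assumption.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x log.

Added example: not code from this thread and not Malwarebytes' own tooling.
It parses the "item (Detection) -> result" lines of an MBAM log and applies
two checks a responder wants spelled out rather than eyeballed:

  * Security Center *DisableNotify data set to 1: the malware silenced the
    "no antivirus / no firewall" balloon warnings.
  * entries directly under RECYCLER whose name is shaped like a SID but
    cannot be a per-user recycle-bin folder. Those folders are named after
    real account SIDs (S-1-5-21-<a>-<b>-<c>-<rid>); a name such as
    S-5-9-99-...-4384.com is not one and also carries an executable extension.

SAMPLE_LOG is an excerpt of the log posted in the thread, trimmed to the lines
the checks use.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\bszip.dll (Worm.P2P) -> Quarantined and deleted successfully.
c:\RECYCLER\S-5-9-99-100022251-100024658-100005233-4384.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "item (Detection) -> result"; non-greedy so "Bad: (1) Good: (0) ->" in the
# result part is not mistaken for the detection name.
LINE_RE = re.compile(r"^(?P<item>.*?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((\d+)\) Good: \((\d+)\)")
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")   # per-user recycle-bin folder
SID_SHAPED_RE = re.compile(r"^S-\d+(?:-\d+){2,}(?:\.[A-Za-z0-9]+)?$")
EXEC_EXT = {".com", ".exe", ".dll", ".scr", ".pif", ".bat", ".cmd"}  # assumed list


@dataclass
class Finding:
    item: str            # registry key/value or file path
    family: str          # detection name, e.g. Trojan.Agent
    bad: Optional[int]   # "Bad: (1)" on registry data items, else None
    good: Optional[int]


def parse_mbam_findings(text: str) -> List[Finding]:
    """Parse every result line; section headers and blanks are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blanks, "(No malicious items detected)"
        bad = good = None
        bg = BADGOOD_RE.search(m["rest"])
        if bg:
            bad, good = int(bg[1]), int(bg[2])
        findings.append(Finding(m["item"], m["family"], bad, good))
    return findings


def recycler_name_is_suspicious(name: str) -> bool:
    """True for a RECYCLER entry that only pretends to be a per-user SID folder."""
    if not SID_SHAPED_RE.match(name):
        return False  # not SID-shaped; this rule has nothing to say about it
    _stem, dot, ext = name.rpartition(".")
    if dot and "." + ext.lower() in EXEC_EXT:
        return True   # a SID-named *file* with an executable extension
    return USER_SID_RE.match(name) is None


def triage(findings: List[Finding]) -> List[str]:
    """Apply the two checks and return one alert string per hit, in log order."""
    alerts = []
    for f in findings:
        parts = f.item.split("\\")
        lowered = [p.lower() for p in parts]
        if "security center" in lowered and lowered[-1].endswith("disablenotify") and f.bad == 1:
            alerts.append(f"Security Center warnings suppressed: {parts[-1]}=1")
        if "recycler" in lowered:
            idx = lowered.index("recycler") + 1
            if idx < len(parts) and recycler_name_is_suspicious(parts[idx]):
                alerts.append(f"fake SID entry in RECYCLER: {parts[idx]} ({f.family})")
    return alerts


if __name__ == "__main__":
    for line in triage(parse_mbam_findings(SAMPLE_LOG)):
        print(line)
```

On the sample this prints two Security Center alerts and one RECYCLER alert; bszip.dll and gaopdxcounter are parsed but trigger neither rule, which is the point: the rules pick out the persistence and evasion tricks, not every detection.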

#12  cybertech (Moderator), 06-Jul-2009, 07:29 PM
Please do an online scan with Kaspersky WebScanner

Kaspersky Online Scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u14-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586-p.exe and select "Run as an Administrator".)

#13  jonbyles, 07-Jul-2009, 08:47 PM
I updated Java before doing the Kaspersky scan, and the log is as follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, July 07, 2009 22:00:04
Records in database: 2438441
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 117593
Threat name: 12
Infected objects: 23
Suspicious objects: 5
Duration of the scan: 03:36:53


File name / Threat name / Threats count
C:\Documents and Settings\Jon\Local Settings\Application Data\Identities\{16294F3F-6FCD-4D94-925E-2E9A57E5E203}\Microsoft\Outlook Express\Sent Items.dbx Infected: Trojan-Downloader.Win32.Agent.auu 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Identities\{16294F3F-6FCD-4D94-925E-2E9A57E5E203}\Microsoft\Outlook Express\Sent Items.dbx Infected: Trojan-Downloader.Win32.Small.dnc 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows Live Mail\pop.mail.ya 4cd\Inbox\071053AB-00008C96.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows Live Mail\pop.mail.ya 4cd\Junk E-mail\2B017DA5-00007025.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows Live Mail\pop.mail.ya 4cd\Junk E-mail\55972514-00007A71.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows Live Mail\pop.mail.ya 4cd\Junk E-mail\71E0041E-0000751A.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows Live Mail\pop.mail.ya 4cd\Junk E-mail\71E0041E-00007807.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jon\Local Settings\Temp\tmp1521.tmp Infected: Trojan.Win32.Agent2.grj 1
D:\Kathryn\kathryn's music\13.03.09\jon allen - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
D:\Kathryn\kathryn's music\13.03.09\jon allen.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
D:\Kathryn\kathryn's music\All Tunes\jon allen - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
D:\Kathryn\kathryn's music\All Tunes\jon allen.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
D:\Kathryn\kathryn's music\Eternal\salvation army christmas - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
D:\Prog Stuff\Digital play\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 3
D:\Prog Stuff\Digital play\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
D:\RECYCLER\S-5-9-99-100022251-100024658-100005233-4384.com Infected: Trojan.Win32.TDSS.tda 1
D:\Unused files and folders\Prog Dload\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
D:\Unused files and folders\Prog Dload\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.g 1
D:\Unused files and folders\Prog Dload\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
D:\Unused files and folders\Prog Dload\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
D:\Unused files and folders\Prog Dload\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.i 1
D:\Unused files and folders\Prog Dload\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
D:\Unused files and folders\Prog Dload\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.g 1
D:\Unused files and folders\Prog Dload\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
D:\Unused files and folders\Prog Dload\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
D:\Unused files and folders\Prog Dload\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.i 1

The selected area was scanned.


Thanks lots for all your help so far... Really looking forward to getting this sorted once and for all.

Looking forward to your next reply

Thanks again

Jon

#14  cybertech (Moderator), 08-Jul-2009, 06:27 PM
The P2P programs you have installed expose you to risks because of the nature of the P2P file sharing process. File sharing/P2P programs rely on members giving and gaining unrestricted access to computers across the P2P network. This practice can make you vulnerable to data and identity theft. It also exposes you to very malicious worms and trojans. You can change those risky default settings to a safer configuration, but the act of downloading files from an anonymous source greatly increases your exposure to infection.

I suggest you go to add/remove programs and remove all P2P programs from your machine!




You need to clean out the Outlook Express and Windows Live Mail folders to remove all of the infected files.



Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy all the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Quote:
    :Files
    C:\Documents and Settings\Jon\Local Settings\Temp\tmp1521.tmp
    D:\Kathryn\kathryn's music\13.03.09\jon allen - greatest hits.wma
    D:\Kathryn\kathryn's music\13.03.09\jon allen.mp3
    D:\Kathryn\kathryn's music\All Tunes\jon allen - greatest hits.wma
    D:\Kathryn\kathryn's music\All Tunes\jon allen.mp3
    D:\Kathryn\kathryn's music\Eternal\salvation army christmas - greatest hits.wma
    D:\Prog Stuff\Digital play\areslite181.exe
    D:\RECYCLER\S-5-9-99-100022251-100024658-100005233-4384.com
    D:\Unused files and folders\Prog Dload\areslite181.exe
    D:\Unused files and folders\Prog Dload\setup_ares.exe

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Restart the machine and post a new hijackthis log. Let me know if you are having any problems.
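The :Files list in the OTM script above was built by hand from the Kaspersky report: every flagged path goes in, except the Outlook Express .dbx and Windows Live Mail .eml items, which are mail stores and are cleaned from inside the mail client rather than moved (moving Sent Items.dbx would take the whole folder of mail with it). The Python below is an added example, not code from the thread, from Kaspersky or from OldTimer's OTM, that does the same split mechanically: parse the report's result lines, separate mail stores, collapse duplicate paths (areslite181.exe is listed several times with different NavExcel variants) and emit the :Files block. Run against the full report above, it yields the same ten paths as the moderator's quote box; the sample embedded here is an excerpt of that report, and the mail-store extension set is the example's own assumption.

```python
"""Turn a Kaspersky Online Scanner 7 report into an OTM ':Files' script.

Added example: not code from this thread, from Kaspersky or from OldTimer's
OTM. Each result line has the shape
    <path> Infected|Suspicious: <threat name> <count>
Mail-store containers (.dbx, .eml and similar) are kept out of the move list
and reported separately, because moving the container discards every message
in it; those get cleaned from inside the mail client.

SAMPLE_REPORT is an excerpt of the report posted in the thread.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Jon\Local Settings\Application Data\Identities\{16294F3F-6FCD-4D94-925E-2E9A57E5E203}\Microsoft\Outlook Express\Sent Items.dbx Infected: Trojan-Downloader.Win32.Agent.auu 1
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows Live Mail\pop.mail.ya 4cd\Junk E-mail\2B017DA5-00007025.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jon\Local Settings\Temp\tmp1521.tmp Infected: Trojan.Win32.Agent2.grj 1
D:\Kathryn\kathryn's music\13.03.09\jon allen.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
D:\Prog Stuff\Digital play\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 3
D:\Prog Stuff\Digital play\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
D:\RECYCLER\S-5-9-99-100022251-100024658-100005233-4384.com Infected: Trojan.Win32.TDSS.tda 1

The selected area was scanned.
"""

# Path is matched non-greedily up to the first " Infected: " / " Suspicious: ".
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
MAIL_STORE_EXT = {".dbx", ".eml", ".pst", ".mbx"}  # assumed set of mail containers

Entry = Tuple[str, str, str, int]  # (path, verdict, threat, count)


def parse_kaspersky_report(text: str) -> List[Entry]:
    """Return one tuple per result line; header and footer lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["verdict"], m["threat"], int(m["count"])))
    return entries


def split_for_otm(entries: List[Entry]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Partition into (paths to move, mail stores -> threats); duplicates collapsed, order kept."""
    files: Dict[str, List[str]] = {}
    mail: Dict[str, List[str]] = {}
    for path, _verdict, threat, _count in entries:
        filename = path.rsplit("\\", 1)[-1]
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        bucket = mail if ext in MAIL_STORE_EXT else files
        bucket.setdefault(path, []).append(threat)
    return list(files), mail


def build_otm_script(paths: List[str]) -> str:
    """The text pasted into OTM's 'Paste Instructions for Items to be Moved' box."""
    return "\n".join([":Files", *paths])


if __name__ == "__main__":
    to_move, mail_items = split_for_otm(parse_kaspersky_report(SAMPLE_REPORT))
    print(build_otm_script(to_move))
    print()
    for p, threats in mail_items.items():
        print(f"clean inside the mail client: {p}  [{', '.join(threats)}]")
```

The verdict (Infected versus Suspicious) is kept in the parsed tuple but deliberately not used to decide what to move: the moderator moved the Suspicious items too, and the mail-store rule is about what the file is, not how confident the scanner was.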

#15  jonbyles, 09-Jul-2009, 01:11 PM
Hi again

Here's the log from OTM

========== FILES ==========
C:\Documents and Settings\Jon\Local Settings\Temp\tmp1521.tmp moved successfully.
D:\Kathryn\kathryn's music\13.03.09\jon allen - greatest hits.wma moved successfully.
D:\Kathryn\kathryn's music\13.03.09\jon allen.mp3 moved successfully.
D:\Kathryn\kathryn's music\All Tunes\jon allen - greatest hits.wma moved successfully.
D:\Kathryn\kathryn's music\All Tunes\jon allen.mp3 moved successfully.
D:\Kathryn\kathryn's music\Eternal\salvation army christmas - greatest hits.wma moved successfully.
D:\Prog Stuff\Digital play\areslite181.exe moved successfully.
D:\RECYCLER\S-5-9-99-100022251-100024658-100005233-4384.com moved successfully.
D:\Unused files and folders\Prog Dload\areslite181.exe moved successfully.
D:\Unused files and folders\Prog Dload\setup_ares.exe moved successfully.

OTM by OldTimer - Version 3.0.0.4 log created on 07092009_180840
THIS THREAD HAS EXPIRED.
All times are GMT -5.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.