
Solved: HJT log after 'fixing' spyware: Desktop image prob & svchost.exe constantly running

Discussion in 'Virus & Other Malware Removal' started by aferroyt, Jan 3, 2006.

Thread Status:
Not open for further replies.
  1. aferroyt

    aferroyt Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    14
    Hi there,

    Background: I had some spyware on my PC (possibly SpyAxe and/or Spy Sheriff and/or others), so I decided to embark on the l-o-n-g journey to try and fix it. I think I removed it by running a program called smitRem. Also, Windows couldn't find a "kernels64.dll" file, so I used HijackThis (HJT) to delete the associated registry file. I also purchased the Spyware Doctor software. Anyway, I still have 3 strange things happening:

    1. When Windows loads, my cursor goes into hourglass mode every two seconds or so (like it's constantly working on something). The Task Manager shows the svchost.exe task intermittently running, plus there are a couple other processes that seem normal.

    2. I cannot change the image on my Desktop, nor can I access the Browse menu to get images. The only images that will display are those that came with the OS.

    3. In the past I used to be able to simply click Outlook Express or Internet Explorer and my Dial-up Connection window would pop up, asking me whether or not I'd like to connect to the Internet. Now this doesn't work. I have to double-click the actual connection BEFORE opening any web-dependent programs.

    Below is my HJT log. This is a brand new computer and is the first time I've had any issues with it. I'm very curious to understand whether or not these issues are leftovers from the spyware. If you have any suggestions to fix these issues, can you please explain why you've chosen them? Just trying to learn a bit... (smile)

    Any help you could provide would be very much appreciated!!!

    Thanks,
    -aferroyt-

    ---------------------------

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\sysldr32.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
    O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
    O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1338DB03-74C0-44CB-842B-72D2B66F29E3}: NameServer = 206.47.244.57 206.47.244.89
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1338DB03-74C0-44CB-842B-72D2B66F29E3}: NameServer = 206.47.244.57 206.47.244.89
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: st3d - C:\WINDOWS\g575640.dll
    O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Please Download win32delfkil.exe:

    http://users.telenet.be/marcvn/tools/win32delfkil.exe

    Save it on your desktop.

    Double click on win32delfkil.exe and install it.

    This creates a new folder on your desktop: win32delfkil.

    Close all windows, open the win32delfkil folder and double click on "fix.bat".

    The computer will reboot automatically.

    Please download WebRoot SpySweeper (It's a 2 week trial):

    http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    Click the Free Trial link under "Downloads/SpySweeper" to download the program.

    Install it. Once the program is installed, it will open.

    It will prompt you to update to the latest definitions, click Yes.
    Once the definitions are installed, click Options on the left side.
    Click the Sweep Options tab.

    Under What to Sweep please put a check next to the following:

    * Sweep Memory
    * Sweep Registry
    * Sweep Cookies
    * Sweep All User Accounts
    * Enable Direct Disk Sweeping
    * Sweep Contents of Compressed Files
    * Sweep for Rootkits

    Please UNCHECK Do not Sweep System Restore Folder.

    Click Sweep Now on the left side.

    Click the Start button.

    When it's done scanning, click the Next button.

    Make sure everything has a check next to it, then click the Next button.

    It will remove all of the items found.

    Click Session Log in the upper right corner, copy everything in that window.

    Click the Summary tab and click Finish.

    Perform an ActiveScan:

    http://www.pandasoftware.com/activescan/

    Save the report to the desktop.

    Post a new HijackThis log and the results of the ActiveScan, the contents of the Spysweeper session log you copied and the contents of the logfile c:\windelf.txt.
     
  3. aferroyt

    aferroyt Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    14
    Hi there,

    Ok, below are the results from the scans. I couldn't do the ActiveScan because of an error (which I've noted at the end of this posting). Also, please note that I've xxxxxx'd out any personal names associated with my computer.

    Any help you could provide would be VERY much appreciated!!

    -aferroyt-

    -----------------------
    This came up while performing the scan:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Abwiz
    File: C:\documents and settings\xxxxxxx\local settings\temporary internet files\content.ie5\w9ezkp63\paradise[1].raw
    Location: Quarantine
    Computer: xxxxxx
    User: SYSTEM
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Wed Jan 04 21:10:46 2006
    -----------------------

    WEBROOT

    9:03 PM: | Start of Session, January 4, 2006 |
    9:03 PM: Spy Sweeper started
    9:03 PM: Sweep initiated using definitions version 596
    9:03 PM: Found Trojan Horse: trojan_downloader_harnig
    9:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || systemloader (ID = 1098837)
    9:03 PM: sysldr32.exe (ID = 1098837)
    9:03 PM: Starting Memory Sweep
    9:05 PM: Detected running threat: C:\WINDOWS\sysldr32.exe (ID = 217730)
    9:05 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || SystemLoader (ID = 0)
    9:06 PM: Memory Sweep Complete, Elapsed Time: 00:02:57
    9:06 PM: Starting Registry Sweep
    9:06 PM: Found Trojan Horse: vesbiz downloader
    9:06 PM: HKLM\software\microsoft\windows\currentversion\run\ || system (ID = 145542)
    9:06 PM: Found Trojan Horse: 3proxy
    9:06 PM: HKLM\software\microsoft\windows\currentversion\run\ || hostsrv (ID = 815190)
    9:06 PM: HKLM\software\microsoft\windows\currentversion\run\ || systemloader (ID = 1062668)
    9:06 PM: Found Adware: coolwebsearch (cws)
    9:06 PM: HKLM\software\microsoft\windows\currentversion\run\ || systemloader (ID = 1098797)
    9:06 PM: Found Trojan Horse: trojan-backdoor-us15info
    9:06 PM: HKU\WRSS_Profile_S-1-5-21-2035915446-2758361169-3101683467-1007\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
    9:06 PM: Found Trojan Horse: trojan-backdoor-securemulti
    9:06 PM: HKU\WRSS_Profile_S-1-5-21-2035915446-2758361169-3101683467-1007\software\microsoft\windows\currentversion\run\ || aupd (ID = 743915)
    9:06 PM: HKU\WRSS_Profile_S-1-5-21-2035915446-2758361169-3101683467-1007\software\microsoft\windows\currentversion\run\ || aupd (ID = 766565)
    9:06 PM: Found Adware: spysheriff
    9:06 PM: HKU\WRSS_Profile_S-1-5-21-2035915446-2758361169-3101683467-1007\software\microsoft\windows\currentversion\run\ || windows installer (ID = 1088024)
    9:06 PM: Found Trojan Horse: trojan-backdoor-satellite
    9:06 PM: HKU\S-1-5-18\software\microsoft\moviemaker\recordsettings\captureset\ (1 subtraces) (ID = 1021450)
    9:06 PM: Registry Sweep Complete, Elapsed Time:00:00:22
    9:06 PM: Starting Cookie Sweep
    9:06 PM: Found Spy Cookie: advertising cookie
    9:06 PM: xxxxx@advertising[2].txt (ID = 2175)
    9:06 PM: Found Spy Cookie: atlas dmt cookie
    9:06 PM: xxxxx@atdmt[2].txt (ID = 2253)
    9:06 PM: Found Spy Cookie: ru4 cookie
    9:06 PM: xxxxx@edge.ru4[1].txt (ID = 3269)
    9:06 PM: Found Spy Cookie: fastclick cookie
    9:06 PM: xxxxx@fastclick[2].txt (ID = 2651)
    9:06 PM: Found Spy Cookie: 2o7.net cookie
    9:06 PM: xxxxx@highbeam.122.2o7[1].txt (ID = 1958)
    9:06 PM: xxxxx@media.fastclick[1].txt (ID = 2652)
    9:06 PM: Found Spy Cookie: tribalfusion cookie
    9:06 PM: xxxxx@tribalfusion[1].txt (ID = 3589)
    9:06 PM: Found Spy Cookie: adserver cookie
    9:06 PM: xxxxx@z1.adserver[1].txt (ID = 2142)
    9:06 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
    9:06 PM: Starting File Sweep
    9:06 PM: Found Adware: winhound spyware remover
    9:06 PM: c:\documents and settings\xxxxxxx\application data\winhound.com (11 subtraces) (ID = -2147462035)
    9:10 PM: paradise[1].raw (ID = 211843)
    9:12 PM: Found Trojan Horse: trojan-downloader-content-loader
    9:12 PM: vx4.game (ID = 220143)
    9:16 PM: Found Adware: spysheriff fakealert
    9:16 PM: 2.qtdfmp (ID = 217676)
    9:17 PM: qvxt2.game (ID = 220040)
    9:19 PM: qvxt4.game (ID = 217730)
    9:19 PM: xp_nb47[1].exe (ID = 217727)
    9:19 PM: Found Adware: members area dialer
    9:19 PM: 5.qtdfmp (ID = 217679)
    9:19 PM: xp_nb47[1].exe (ID = 217727)
    9:19 PM: Found Trojan Horse: trojan-downloader-alfaportal
    9:19 PM: tool[1].exe (ID = 217731)
    9:19 PM: vx2.game (ID = 210321)
    9:19 PM: Found Trojan Horse: trojan-downloader-asdbiz.biz
    9:19 PM: vx3.game (ID = 80237)
    9:19 PM: Found Trojan Horse: trojan-downloader-hebeeaac
    9:19 PM: 6.qtdfmp (ID = 209695)
    9:20 PM: 7.qtdfmp (ID = 217732)
    9:20 PM: Found Adware: trojan-downloader-evko.biz
    9:20 PM: vxt1.game (ID = 217733)
    9:20 PM: vx1.game (ID = 80237)
    9:20 PM: tool[1].exe (ID = 217731)
    9:20 PM: dmx5a.tmp (ID = 217327)
    9:20 PM: dmx5d.tmp (ID = 217727)
    9:21 PM: sysldr32.exe (ID = 217730)
    9:21 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || SystemLoader (ID = 0)
    9:22 PM: File Sweep Complete, Elapsed Time: 00:15:33
    9:22 PM: Full Sweep has completed. Elapsed time 00:18:53
    9:22 PM: Traces Found: 54
    9:24 PM: Removal process initiated
    9:24 PM: Quarantining All Traces: 3proxy
    9:24 PM: Quarantining All Traces: spysheriff
    9:24 PM: Quarantining All Traces: trojan-backdoor-satellite
    9:24 PM: Quarantining All Traces: trojan-backdoor-securemulti
    9:24 PM: Quarantining All Traces: trojan-backdoor-us15info
    9:24 PM: Quarantining All Traces: trojan-downloader-hebeeaac
    9:24 PM: Quarantining All Traces: coolwebsearch (cws)
    9:24 PM: Quarantining All Traces: trojan_downloader_harnig
    9:24 PM: trojan_downloader_harnig is in use. It will be removed on reboot.
    9:24 PM: sysldr32.exe is in use. It will be removed on reboot.
    9:24 PM: sysldr32.exe is in use. It will be removed on reboot.
    9:24 PM: C:\WINDOWS\sysldr32.exe is in use. It will be removed on reboot.
    9:24 PM: Quarantining All Traces: trojan-downloader-alfaportal
    9:24 PM: Quarantining All Traces: trojan-downloader-asdbiz.biz
    9:24 PM: Quarantining All Traces: trojan-downloader-content-loader
    9:24 PM: Quarantining All Traces: vesbiz downloader
    9:24 PM: Quarantining All Traces: members area dialer
    9:24 PM: Quarantining All Traces: spysheriff fakealert
    9:24 PM: Quarantining All Traces: trojan-downloader-evko.biz
    9:24 PM: Quarantining All Traces: winhound spyware remover
    9:24 PM: Quarantining All Traces: 2o7.net cookie
    9:24 PM: Quarantining All Traces: adserver cookie
    9:24 PM: Quarantining All Traces: advertising cookie
    9:24 PM: Quarantining All Traces: atlas dmt cookie
    9:24 PM: Quarantining All Traces: fastclick cookie
    9:24 PM: Quarantining All Traces: ru4 cookie
    9:24 PM: Quarantining All Traces: tribalfusion cookie
    9:26 PM: Preparing to restart your computer. Please wait...
    9:26 PM: Removal process completed. Elapsed time 00:01:42
    9:28 PM: BHO Shield: found: -- BHO installation denied at user request
    ********
    8:56 PM: | Start of Session, January 4, 2006 |
    8:56 PM: Spy Sweeper started
    9:02 PM: Your spyware definitions have been updated.
    9:03 PM: | End of Session, January 4, 2006 |
    -----------------------

    HIJACK THIS LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:57 PM, on 04/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\xxxxxxx\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1338DB03-74C0-44CB-842B-72D2B66F29E3}: NameServer = 206.47.244.57 206.47.244.89
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1338DB03-74C0-44CB-842B-72D2B66F29E3}: NameServer = 206.47.244.57 206.47.244.89
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    -----------------------

    ACTIVESCAN

    I couldn't download it because I received the following window/error:

    Error on downloading ActiveScan
    An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again
    Possible causes of this error are:

    Not allowing the application's ActiveX control to be downloaded.

    Problems with the Internet connection.

    The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...
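
The two HijackThis logs posted so far (first and third posts) can be compared mechanically to see which autostart entries the cleanup removed and which are still present. The following Python is an added example, not part of the thread: it diffs the F2, O4, O20 and O21 sections by entry name rather than raw text, so a path that was merely rewritten in 8.3 short form shows up as "changed" instead of as a removal plus an addition. The sample lines are excerpted from the two logs above; the function names are hypothetical.

```python
import re

# Section codes compared here, as they appear in the logs above.
AUTOSTART = {"F2", "O4", "O20", "O21"}

# "<code> - <body>", e.g. "O4 - HKLM\..\Run: [System] C:\WINDOWS\..."
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

# Excerpt of the log in the first post (before Spy Sweeper ran).
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: st3d - C:\WINDOWS\g575640.dll
O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll
"""

# Excerpt of the log in the third post (after Spy Sweeper ran).
AFTER = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll
"""


def split_entry(section, body):
    """Split one log line body into (identity, target)."""
    if section == "O4":
        # Run key form: "HKLM\..\Run: [Name] command line"
        m = re.match(r"(.+?):\s*\[(.+?)\]\s*(.*)$", body)
        if m:
            return f"{m.group(1)} [{m.group(2)}]", m.group(3)
        # Startup folder form: "Global Startup: Name.lnk = target"
        m = re.match(r"(.+?):\s*(.+?)\s*=\s*(.*)$", body)
        if m:
            return f"{m.group(1)} {m.group(2)}", m.group(3)
    if section == "F2":
        # "REG:system.ini: Shell=Explorer.exe C:\..."
        name, _, target = body.partition("=")
        return name.strip(), target.strip()
    if section in ("O20", "O21"):
        # "Winlogon Notify: name - dll" / "SSODL: name - {CLSID} - dll"
        name, _, target = body.partition(" - ")
        return name.strip(), target.strip()
    return body, ""


def parse_hjt(text):
    """Map (section, identity) -> target for every autostart line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(1) not in AUTOSTART:
            continue
        ident, target = split_entry(m.group(1), m.group(2))
        entries[(m.group(1), ident)] = target
    return entries


def diff_logs(before, after):
    """Classify autostart entries across two HijackThis logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in b if k in a and b[k] != a[k]),
        "unchanged": sorted(k for k in b if k in a and b[k] == a[k]),
    }


if __name__ == "__main__":
    for status, keys in diff_logs(BEFORE, AFTER).items():
        print(status)
        for section, ident in keys:
            print(f"  {section:<4}{ident}")
```

Entries listed as unchanged are not thereby cleared; they are simply the ones a reviewer still has to judge by hand.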
     
  4. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Move Hijackthis to a permanent folder such as C:\Program Files\Hijackthis. It won't work properly from a Temp file.

    Download Cleanup from Here:

    http://www.stevengould.org/downloads/cleanup/CleanUp40.exe


    * A window will open and choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK
    * DO NOT RUN IT YET

    Close all browsers. Place a checkmark on the following line and click on Fix Checked:

    O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll

    Boot in Safe Mode.

    Open Windows Explorer. Find and delete the following file:

    C:\WINDOWS\system32\qlfxii.dll

    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once it's done, close the program.

    Restart the computer.

    Please run an on-line virus scan at Kaspersky OnLine Scan:

    http://www.kaspersky.com/virusscanner

    or if that doesn't work, you can use TrendMicro:

    http://housecall.trendmicro.com/

    or BitDefender:

    http://www.bitdefender.com/scan8/ie.html

    Please post the results of the scan(s) in your next reply.
     
  5. aferroyt

    aferroyt Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    14
    Hi there,

    I did all of what you suggested. Below is the result of the scan. I've noticed that the computer is starting to run smoother, that's for sure. But I'm still not able to get the Dial-up Connection window to pop up when opening a web-based application. What are your thoughts?

    I can't thank you enough for your help thus far!!

    -aferroyt-

    -----------------------------------------------
    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Sunday, January 08, 2006 21:23:03
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 9/01/2006
    Kaspersky Anti-Virus database records: 159646
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Critical Areas:
    C:\WINDOWS
    C:\DOCUME~1\XXXXXX~1\LOCALS~1\Temp\

    Scan Statistics:
    Total number of scanned objects: 10567
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 631 sec

    Infected Object Name - Virus Name
    C:\WINDOWS\g575640.dll Infected: Trojan-Downloader.Win32.Delf.zu

    Scan process completed.
     
  6. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Boot in Safe Mode and delete the C:\WINDOWS\g575640.dll file if the KASPERSKY ON-LINE SCANNER didn't fix it.

    Post a new Hijackthis log.
     
  7. aferroyt

    aferroyt Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    14
    Hi there,

    Below are the results of the Hijack This scan.

    Thanks!
    -aferroyt-

    -------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 6:40:30 PM, on 09/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\xxxxx\Local Settings\Temp\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
  8. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Fix this line in Hijackthis:

    O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll (file missing)


    The rest of the log seems clear. How is the computer doing?
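
A triage sketch for the log format discussed above, added here as an example and not part of the original posts or of HijackThis itself: it parses entry lines by section code and lists the ones HijackThis marked "(file missing)", such as the O21 line singled out in the reply above. The function names are hypothetical; the sample lines are copied from the log posted in this thread.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: zGFAd - {CC6A5F0F-66C0-F5A5-7DCA-184EAFCB3259} - C:\WINDOWS\system32\qlfxii.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
"""

# An entry line starts with a section code (R0, O4, O21, ...) followed by " - ".
ENTRY_RE = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

def parse_hjt(text):
    """Return one dict per entry line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not an entry line (header, running process, blank)
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            # Heuristic: the target is whatever follows the last " - " separator.
            "target": body.rsplit(" - ", 1)[-1],
            "file_missing": missing,
        })
    return entries

def orphaned_by_section(entries):
    """Group the targets of entries flagged '(file missing)' by section code."""
    groups = defaultdict(list)
    for e in entries:
        if e["file_missing"]:
            groups[e["code"]].append(e["target"])
    return dict(groups)
```

The marker only means the referenced file was not found on disk; deciding which of the listed entries to fix remains a judgment call for whoever reviews the log.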
     
  9. aferroyt

    aferroyt Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    14
    Thank you ever so much!!

    Clean bill of health I'd say!!! The computer is working great (just like old times...)

    THANKS!!

    -aferroyt-
     
  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    (y) Nice going!

    Turn Off System restore to flush the backup points that also are infected, then turn it back On.

    To turn off Windows XP System Restore:

    Note: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

    Click Start.
    Right-click My Computer, and then click Properties.
    Click the System Restore tab.
    Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
    Click Apply. The following message appears:
    As noted in the message, this will delete all existing restore points. Click Yes to do this.
    Click OK.


    To turn On Windows XP System Restore:

    Click Start.
    Right-click My Computer, and then click Properties.
    Click the System Restore tab.
    Clear the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
    Click Apply, and then click OK.

    System Restore will create regular backups of selected system files and program files.

    You can also create a Restore Point on your own:

    Start -> All Programs -> Accessories -> System Tools -> System Restore

    Follow instructions on Screen to create a restore point.

    Here is some advice from our security Experts to avoid re-infection:

    http://forums.techguy.org/t208517.html

    Use the thread's Tools and mark this thread as "Solved".
     
  11. aferroyt

    aferroyt Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    14
    Thank you EVER so much for your help in getting this problem resolved! The computer works great... a big KUDOS!!

    -aferroyt-
     