8 viruses found, unable to delete.

[DAVE9999]

Windows XP home.....Intel pentium 4....3.2ghz....512 ram....  

Hello, have picked up 8 viruses, found when using Kapersky online as follows

C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP152\A0061781.exe Infected: Packed.Win32.Tibs skipped

C:\temp\cs_mary.exe/Realtime.dll Infected: Trojan-Spy.Win32.Delf.fk skipped

C:\temp\cs_mary.exe CreateInstall: infected - 1 skipped

C:\temp\setup_ares.exe/data0037 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped

C:\temp\setup_ares.exe NSIS: infected - 1 skipped

C:\temp\WarezP2P_DLC.exe/stream/data0035 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\temp\WarezP2P_DLC.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\temp\WarezP2P_DLC.exe NSIS: infected - 2 skipped




I have been getting some online community forum help and the expert says


"Please remove/uninstall thru add/remove program

Ares
Kazza Lite

Reboot


Kaspersky Results:

One is under system restore and we will get that as a last step.

The others are in temp folder so...


*********Run CCleaner useing windows tab only please***********



Run the above tool from safe mode explained below


Safe Mode:

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter."

I did all that but wasnt sure on the sentance     "Run CCleaner useing windows tab only".

WHAT ON EARTH DO THEY MEAN??
I have downloaded a copy of CCleaner from     http://www.ccleaner.com/.

But after using it, as directed, Running another Kapaskey  the nasties are still there.

I have asked twice to the person what  "Run CCleaner useing windows tab only". means, but have received no reply.

PLEASE reply to that question only,     if you know.
"Run CCleaner useing windows tab only"

I,m stuck with it at the moment, with some viruses to be deleted,

HOPING to go on to getting my WMP 10 working properly.

I've tried uninstalling and installing but whenever a web site has online streaning WMP videos, it crashes the system.  giving the "WMP has encountered an error, and must close"  message.
A more common fault with it nowerdays.....Gates lot hasn't bothered to fix it...maybe even WMP 11 will keep crashing..

Many thanks..

"Run CCleaner useing windows tab only"  is the question!  what do they mean.??

[dl65]

DAVE9999......Ok ....... I hear you frustation .......
I am assumming your machine became infected as the result of using
Ares and or Kazza Lite .....is that about it ?
Well try and do this one step at a time

dl65  

[DAVE9999]

hello dl65, just got this message literally a few mins ago.
I do suspect Ares and kazza lite infected it all.  Have deleated it using add/remove.
Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.

Please double-click Killbox.exe to run it.

Select
"Delete on Reboot
Then click on either the "All Files" button if there is more than 1 item to Delete.
Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\temp\cs_mary.exe/Realtime.dll
C:\temp\cs_mary.exe CreateInstall
C:\temp\setup_ares.exe/data0037
C:\temp\setup_ares.exe NSI
C:\temp\WarezP2P_DLC.exe/stream/data0035
C:\temp\WarezP2P_DLC.exe/stream


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


Looks like we have dispenced with the CCleaner st up.

Do you think the above is the solution?

[dl65]

 DAVE9999.....  We'll lets just be sure ,    Have you turned off system restore ?

dl65  

[dl65]

DAVE9999   I'm not convinced your system is clean yet .............
It sounds like there are two issues  here ......... a virus or viruses as well as a trojan .

dl65  

[DAVE9999]

Hello dl65 , just checked and System restore is on.  should it be off for the time being.

Matey whos just contacted me reconds I should ctrl + c the mentioned viruses and copy to clipboard



It will not copy to clipboard using ctrl +c highlighting ALL of them and pressing CTRL + C

Nothing comes up in the killbox "full path of file to delete" Is it still there?.

The minute I start contacting you,, matey finally contacts me.

I perhaps wont get another answer off him till tomorrow.
Individually copying them to the "Kill box" program and rebooting would be the only answer. doing it 6 times though.  Cause the clipboard function isn't working. or doesn't seem to be.

Does the clipboard have to be enabled??

Can you beleive this, found

Adds Clipboard Viewer into your Start Menu

If you Clipboard Viewer is not on the Start menu, then you need to install it. Here is how:

 

1. Right-click Start button> Properties > Classic Start Menu > Customize > Add > Browse > C: drive, expand the tree by clicking the plus signs to Windows, System32, select clipbrd (or clipbrd.exe, depending on your folder View settings)

AND IT IS NOT THERE.

at every turn things just don't go right for me just lately.

[DAVE9999]

How do dl65.  I have got the clipboard viewer working,  had to load up into "Killbox" program each virus location one at a time .
  And get for each the message "Pending file rename operations registry data has been removed by external process"


looks like those six viruses are going to be hard to delete.

C:\temp\cs_mary.exe/Realtime.dll
C:\temp\cs_mary.exe CreateInstall
C:\temp\setup_ares.exe/data0037
C:\temp\setup_ares.exe NSI
C:\temp\WarezP2P_DLC.exe/stream/data0035
C:\temp\WarezP2P_DLC.exe/stream

They are the nasties, no doubt hidden away in the regestry, possibly changing names and that.
Unless there is another virus killing program that can find them in the regestry.

[dl65]

 DAVE9999....  Here's what I suggets you do ...... ( out aside the info from your mate for right now ) and please do the following

Turn off system restore immediately ..... as you probably are infected with both viruses as well as trojans ....and they love to hide in the restore files ......

Then open ccleaner and configure it as detailed here .....
http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1149558249  

once you have it configured ...please run the cleaner portion .....just click on the brush icon ...then in the lower right corner click on run cleaner .

Let me know when you have finished up to there

dl65  

[DAVE9999]

Hello dl65, turned off systems restore and ran CCleaner to settings.....thanks.

[dl65]

Dave ...are we ready to do the next step ?
do you happen to remember about how much cleaner removed ?

dl65  

[DAVE9999]

all ready,

[dl65]

Before we do the next step , do you have Ewido on your machine ?

dl65  

[DAVE9999]

yes, 3.5 malware

[dl65]

ok ...thats great ...now what I would like you to do is reboot into safe mode ...and once there ....run your anti virus program ....is it up to date ?

dl65  

[DAVE9999]

All up to date. downladed new update today.

[dl65]

great ...ok reboot into safe mode and scan with your av ......... not Ewido ....yet

dl65  

[dl65]

Dave ...do you know how to get into safe mode ?

As soon as windows shuts down and just as it starts to load...repeatedly tap the F8 key until you are offered the varios start options ...choose SAFE mode

dl65  

[DAVE9999]

Booted up in safe mode, ran FULL ewado.   1 nasty found TrackingCookie.Yieldmanager .
Deleted.

The CCleaner removed about 9.9mb I'm sure it was.

I hope those six viruses I mentioned are the only ones that is stopping the WMP 10 from streaming properly.   Keeps crashing on WMP stream web sites. loosing all funtuallity.

Thanks.

[dl65]

BTW , what anti virus program do you have installed .......

Have you ran Ewido ....... now that you are back in normal mode ?

I thought I asked you to run your anti virus in safe mode , not Ewido....it should be run in normal mode .

dl65  

[dl65]

There is one more thing I would suggest you do ..... run hijackthis and post the log here to inspect ........  Get it at .... http://www.majorgeeks.com/download3155.html

hopefully then you issues will be gone ......

dl65  

[DAVE9999]

av as in anti-virus program as in NOT ewado that I ran.

I'll have to pick this up again tommorrow.. its 02.30 am   the other tennents in house might moan at noise of computor cranking .

I'll do the Avast Anti virus in Safe mode tomorrow.
Thanks.

[dl65]

lol ....... they must be really light sleepers ......

Cheers
dl65  

[dl65]

Dave .....

av as in anti-virus program as in NOT ewado that I ran.

   ...yes run anti virus ( av ) in safe mode , not Ewido .  ( run Ewido in normal mode )

dl65  

[DAVE9999]

Heres the HJT.

Thanks.
I'll have to send 2 posts as I havent a clue about  bmp jpg jpeg gif png swf zip files for the attachment.
hard enough to get it into note pad.

Logfile of HijackThis v1.99.1
Scan saved at 03:08:48, on 07/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WebWasher\wwasher.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\david marks\My Documents\My Videos\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igmaynard.co.uk/bongo/showroom.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [WebWasher] C:\Program Files\WebWasher\wwasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

[DAVE9999]

and rest.

O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119829022406
O16 - DPF: {701DC9DC-ACD5-4E94-85E3-F3F1ED68611A} (CWebClientCtl Object) - http://download.paltalk.com/webclienttest/webclientctl.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Just fitted nicely.

People cant use all that to hijack my computor can they??

[DAVE9999]

Looks like I'll have to start again tommorrow, with the avast in safe mode, then ewado and I'll post another HJT.
I'll write down anything found.

The fan on the comp is blowing like a gale and cranking., Its 3.30am I'd best go.

Thanks for your patience and    understanding.

.

[dl65]

DAVE9999.......

Mark for removal the following :
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe      ( this ones bad )

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE         ( also a bad one )

O8 - Extra context menu item: &Highlight -  
        C:\WINDOWS\WEB\highlight.htm    

O8 - Extra context menu item: &Links List -
       C:\WINDOWS\WEB\urllist.htm  

O8 - Extra context menu item: I&mages List -
       C:\WINDOWS\Web\imglist.htm    
  
O8 - Extra context menu item: Zoom &In -
       C:\WINDOWS\WEB\zoomin.htm    
  
O8 - Extra context menu item: Zoom O&ut -
       C:\WINDOWS\WEB\zoomout.htm  

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {701DC9DC-ACD5-4E94-85E3-F3F1ED68611A} (CWebClientCtl Object) - http://download.paltalk.com/webclienttest/webclientctl.cab    

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe    [highlight]Do you know this entry ...if so leave it , if not remove it .[/highlight]

Ok ...... now click .... fix marked ........  and see how things are .......

reboot and post a fresh hijackthis log .

And to answer your question no the posted log will not comprimise your machine .

dl65  

[DAVE9999]

Hello dl65, I have a "labtec" mouse, came with a labtec ultra flat keyboard,  spilt milk on the keyboard and replaced it with original emachines wired keyboard.  still use the labtec unwired mouse.
Found this relating to ShowWnd.exe  

  ShowWnd ShowWnd.exe "Found on Gateway computers (and maybe others) - see here. ""Showwnd is included with the Chicony keyboard software and is used by the software to stop the keyboard driver's taskbar entry from reappearing. It is not necessary to remove the keyboard software  

"Related software downloads for Chicony USB Keyboard Mouse"  
Labtec Mouse 2.1
Supports all Labtec mice.  

found this of hjt for someone called hoopoe    at

http://www.bleepingcomputer.com/forums/topic16767.html

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe


He has in particular
C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe


I have
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

Are you sure  about  [ShowWnd] ShowWnd.exe. ?   It may be genuine software, chicory software for the labtec keyboard/mouse.

I just want to be extra sure, before I make a mistake.

Thanks .  

[DAVE9999]

Hello dl65,  here a hjt. thanks for answering the "is the hjt postings secure,
All in 2 parts.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:21, on 07/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WebWasher\wwasher.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\david marks\My Documents\My Videos\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igmaynard.co.uk/bongo/showroom.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [WebWasher] C:\Program Files\WebWasher\wwasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm

[DAVE9999]

And 2 nd part follows.

Will do a CCleaner, then Avarst AV in safe mode then ewido then hjt, and post that on.  See if it picks up   those found when using Kapersky online  a few days ago as follows
 
C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP152\A0061781.exe Infected: Packed.Win32.Tibs skipped  
 
C:\temp\cs_mary.exe/Realtime.dll Infected: Trojan-Spy.Win32.Delf.fk skipped  
 
C:\temp\cs_mary.exe CreateInstall: infected - 1 skipped  
 
C:\temp\setup_ares.exe/data0037 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped  
 
C:\temp\setup_ares.exe NSIS: infected - 1 skipped  
 
C:\temp\WarezP2P_DLC.exe/stream/data0035 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped  
 
C:\temp\WarezP2P_DLC.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped  
 
C:\temp\WarezP2P_DLC.exe NSIS: infected - 2 skipped  












O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119829022406
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Many thanks,  I'll see if it has cleared up the WMP streaming problem.

[dl65]

DAVE9999.....  Showtime keeps comming up as bad ...it has to be removed
 ShowWnd.exe - Dangerous
ShowWnd.exe is Trojan/Backdoor.

This must be marked for removal .......
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

mark for removal and click fix ..........

Reboot ....and then see if ShowWnd is still there ...... Hopefully its gone .


dl65  

[DAVE9999]

hello dl65.
Ran CCleaner, 12.3mb deleted.  read your guide to using the program, that was good.
Ran "Issues" part of it, fixed 130 reg entries.
Ran it again and it came up with another 39.  I found it can pay to run it twice.

Ran Avast Anti Virus in safe mode no infections found.
But some files corrupted.
ARC Archive at C:\programfiles.\microsoftworks\1003\wizards\...\.

And 3 cab archive files in D:\

D:\preload\data9.01imp\bckgres.dll
D:\preload\data9.02imp\fxst30.dll
D:\preload\data9.05inp\imkr61chm

Is it serious?. does it need fixing/deleating?
Those corrupted files worry me.

Wasn't set up to record log file.  found that out afterwards. wrote the above down just in case before hand

Also ran Kaperskey online virus scan.

KASPERSKY ON-LINE SCANNER REPORT  
Wednesday, June 07, 2006 9:21:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 7/06/2006
Kaspersky Anti-Virus database records: 199048
 
 
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
 
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\  
 
Scan Statistics
Total number of scanned objects 50217
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:35:27

Infected Object Name Virus Name Last Action
C:\temp\cs_mary.exe/Realtime.dll  Infected: Trojan-Spy.Win32.Delf.fk  skipped  
 
C:\temp\cs_mary.exe  CreateInstall: infected - 1  skipped  
 
C:\temp\setup_ares.exe/data0037  Infected: not-a-virus:AdWare.Win32.NavExcel.i  skipped  
 
C:\temp\setup_ares.exe  NSIS: infected - 1  skipped  
 
C:\temp\WarezP2P_DLC.exe/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
C:\temp\WarezP2P_DLC.exe/stream  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
C:\temp\WarezP2P_DLC.exe  NSIS: infected - 2  skipped  
 
Scan process completed.


The next one has compleatly gone since last Kaperskey test 2 days ago.
C:\System Volume Information\_restore{4A29620B-0973-4CDA-BBC9-4088620A8365}\RP152\A0061781.exe  Infected: Packed.Win32.Tibs  

Picked up our "Avenger"program, ran it, all the above viruses are in the Avenger.backup.zip.  Ok to leave it there?.  Its more of a quarrenteen type program.  


And ran Ewido malware 3.5.
Nothing found.  BUT it took 20 mins instead of usual 45 mins.

Did hjt log.
As follows in next two posts.
Thanks.

[DAVE9999]

Its those Corrupt files found with the Anti Virus program that you wanted me to run, that worries me.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:01, on 08/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WebWasher\wwasher.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\david marks\My Documents\My Videos\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [WebWasher] C:\Program Files\WebWasher\wwasher.exe
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm

[DAVE9999]

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119829022406
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for all your effort, it wont be long before streamed WMP videos can be played again.
If all these improvements help it out.   many thanks.

[dl65]

DAVE9999.....  What we seem to have here is a problem understanding what each other are saying ..... I think . For example , I said ...

...yes run anti virus ( av ) [highlight]in safe mode [/highlight]

   and yet you provided a virus scan from an online source, not the avast , installed on your machine .   SAFE mode means ....... just that ....not Safe with networking ..... I did not want your machine to be connected to the internet .  the other odd thing I see, is that there are referances to entries in temp folder....... [highlight]C:\temp\WarezP2P_DLC.exe[/highlight]/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  ...... If you have configured ccleaner and run the cleaner portion as suggested ...... Cleaner would have deleted the temp  files .....   ( look at how the cleaner should be set up ....see screen shot attached )   Have a look at the way yours is configured ......do you have green check marks the same as you see in my setup ?
 Then the other odd thing ...your summary list of infected files found ( 7 or 8 I think ) ....did you tell the scanner to remove or quarantine them ?
Then I see referance to P2P folders ....... I thought you said you removed all those ...... It's almost as if someone else as well as myself is offering you advice and your taking a bit from one and a bit from another ....the result is very little is being achieved .
If you would like , I could with your permission connect directly to your machine and assist you .......
Please let me know.

dl65  

[DAVE9999]

Hello dl65, as I put in last post  "Ran Avast Anti Virus in safe mode no infections found."
Ran it in SAFE mode.  
As I said, It Wasn't set up to record log file.  found that out afterwards. when I looked for the log file to post to you. I had to click on the "Record a log file sign" It was not set up to record a log. must be their standard setting. I had no idea about that. wrote the below  down just in case before hand. (Parania)
 I couldn't copy the results off the screen, it wouldn't let me.  

some files corrupted.
ARC Archive at C:\programfiles.\microsoftworks\1003\wizards\...\.
 
And 3 cab archive files in D:\
 
D:\preload\data9.01imp\bckgres.dll
D:\preload\data9.02imp\fxst30.dll
D:\preload\data9.05inp\imkr61chm
WAS all it said.

I did a kapaskey scan to see if after using CCleaner the 8 viruses that I contacted you about.  the "8 viruses found unable to delete" were still there, they were.  well seven of them.

Ran the "Avenger" program to get rid of them.
Clicked on remove those files and it did and backed them up in a zip file.
Must have a back up function to the program.
Which I suppose, if left alone will be ok.
None are in C:temp anymore.

I used the remove/uninstall thru add/remove program
to remove  
Ares
Kazza Lite  as I said on 6th june.
It didnt remove
  C:\temp\WarezP2P_DLC.exe/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet.
And the other ones.
No idea why.

Neither did CCleaner when I ran it. Exactlty as in your diagram.
They are not there any more.  the Kaperskey scan showed they were now in "Avenger "backup.zip.

The reason CCleaner had not deleated the particular one you mention C:\temp\WarezP2P_DLC.exe/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet.

Like CCleaner has for instance deleated  
C:\WINDOWS\TEMP\Perflib_Perfdata_530.dat 16.00KB
C:\WINDOWS\TEMP\Perflib_Perfdata_538.dat 16.00KB
C:\WINDOWS\TEMP\Perflib_Perfdata_540.dat 16.00KB
C:\WINDOWS\TEMP\ZLT01eeb.TMP 256 bytes
C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\8A56EAB7.TMP 122 bytes
C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\jusched.log 1.61KB
C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\~DF53A5.tmp 16.00KB
-------------------------------------------------------------

Is because    C:\temp\WarezP2P_DLC.exe/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet.

Is located at C:\temp.Warez etc.  (Or rather was)   And no function on CCleaner will remove it.
None will.
Maybe it only deletes temp files with a capital T,  ie Temp and not temp as where mine are located.
Perhaps all the temp files downloaded should have gone to C;\Windows\Temp and beceause there is a C:\temp folder possibly put there by myself, I can't remember, the files have downloaded to C:\temp instead.  Maybe an expert would know.

I couldnt see what harm connecting to the internet would do, after doing the Avast scan in safe mode, (exactly like you said), as I would have to connect to it, to contact you, and display the results.
 I suspect the Avast Anti virus, even though up to date, wouldn't detect a barn door, Thats why it is free I suspect.    
The Kapaskey scan did.   Of cause they may have put them there, modifying some known virus, and therefore only they can currently detect it. (Parania, again)

Are Antivirus program companies deliberately infecting peoples computors, ?
Getting them to splash out $50 bucks a year to clean up some of their doing.?
And people in the know, people who spend their time clearing up viruses on a day to day basis,  know about this, but are not telling me/general public about it.
 Maybe they get paid to pass on these viruses to the rest of the Companies in the Multi billion $ Virus infecting/detecting industry.  Especially if its a real nice juicy new one. (another paraniod idea, or am I close on that one.)     Am I right.  does this happen.

Are we to assume that .
C:\temp\cs_mary.exe   .....       a Trojan-Spy.Win32.Delf.fk  

C:\temp\setup_ares.exe  ......     "not-a-virus:AdWare.Win32.NavExcel.i"
 
C:\temp\WarezP2P_DLC.exe   ......        not-a-virus:AdWare.Win32.NewDotNet

which have now gone

Are located in those corrupt files in D;\ that Avarst found. as below.
That I mentioned in my last post,  (Or they have been there!).

D:\preload\data9.01imp\bckgres.dll
D:\preload\data9.02imp\fxst30.dll
D:\preload\data9.05inp\imkr61chm

And as soon as the System restore is turned back on, they will come back.


What concerns me is those Corrupted files at:
ARC Archive at C:\programfiles.\microsoftworks\1003\wizards\...\.
 
And 3 cab archive files in D:\
 
D:\preload\data9.01imp\bckgres.dll
D:\preload\data9.02imp\fxst30.dll
D:\preload\data9.05inp\imkr61chm

Is  a mind meld  to my computor needed to fix them?
I am sure this time I can get it together and carry out the neccesary directions on how to fix it.

Many thanks dl65.

[dl65]

DAVE9999 ......

I couldnt see what harm connecting to the internet would do, after doing the Avast scan in safe mode, (exactly like you said)

  There isn't any harm in that at all...... all I wanted to be sure was that you were using your own anti virus as opposed to a on - line scanner .

And as soon as the System restore is turned back on, they will come back.

....   No ,thats the point of turning it off ..... the previous restore points are removed and the threat of reinfection removed as well .  Once system restore is turned back on ...... A new restore point will be created .

Is  a mind meld  to my computor needed to fix them?

 No Spock ....LOL .... it isn't , what we do is both go on msn messenger and then you invite me to remotely connect to you machine ....... once you have ageed , and we directly connect , I am able to see everything on your desktop that you see and I can control your pc from this end ....you just sit back and watch ..... I also have control of your mouse . I can go into any files , make repairs as required and then turn control back to you ........ this procedure is completely safe . once the connection is broken , there is no way that I can reconnect to your machine ,without your approval.

cheers
dl65  

[dl65]

Dave9999..... How about posting a brand new hijackthis log ......


dl65  

[DAVE9999]

Hello dl65,
 ran CCleaner,All items in  C:\temp\etc,etc still there.

Ran Avast AV in safe mode, AND managed this time to get a record of it.

* avast! Report

* Task 'Simple user interface' used
* Started on 09 June 2006 11:30:15
* VPS: 0623-2, 08/06/2006


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CDilla.zip\CDILLA10.EXE [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CDilla.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CDilla1.zip\CDILLA05.DLL [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CDilla1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GoldenPalaceCasino.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GoldenPalaceCasino.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NavExcelWebsearch.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NavExcelWebsearch.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\zlbw.dll [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip\svcp.csv [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip\svcp.csv [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff2.zip\svcp.csv [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff2.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq.zip\parad.raw.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq1.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\david marks\My Documents\My Videos\free-spyware-removal-2007.exe\Master.dat [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp [E] Archive is password protected. (42056

Best bits on next post

[DAVE9999]

Continued

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Microsoft Works\1033\Wizards\crdus54w.wwp\Object 2\Contents\ [E] ARC archive is corrupted. (42133)
C:\spywarebegone\Database\Master.enc\Master.dat [E] Archive is password protected. (42056)
C:\temp\winzip90.exe\SETUP.WZ\WINZIP32.EX_ [E] Archive is password protected. (42056)
D:\PRELOAD\data9_01.inp\bckgres.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_02.inp\fxst30.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_05.inp\imkr61.chm [E] CAB archive is corrupted. (42127)
Infected files: 0
Total files: 230657
Total folders: 4773
Total size: 20.6 GB

Its the ones below (taken from above) that concern me.
C:\Program Files\Microsoft Works\1033\Wizards\crdus54w.wwp\Object 2\Contents\ [E] ARC archive is corrupted. (42133)
D:\PRELOAD\data9_01.inp\bckgres.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_02.inp\fxst30.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_05.inp\imkr61.chm [E] CAB archive is corrupted. (42127)

HJT log in 2 parts to follow.

[DAVE9999]

Logfile of HijackThis v1.99.1
Scan saved at 20:10:53, on 09/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Documents and Settings\david marks\My Documents\My Videos\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

[dl65]

DAVE9999 ...... Do you have ccleaner setup per the screenshot I included above .....because if you look in the system portion of the screenshot , you will see that TEMP files are marked for removal ......... So I don't know why ypours isnt being removed . Have you actually gone into C:/windows/temp and looked to see if its empty or not ....? If it isn't , go there and once in the temp file , click edit ....select all and delete ...... Oh yes and be sure that nothing else is open .....

dl65  

[dl65]

DAVE9999 , By any chance , is there more than one user account on this machine ?

dl65  

[DAVE9999]

2nd part

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119829022406
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please can  you let us know how best to deal with the corrupted files below, then I can leave everyone at Computor Hope.com to deal with other peoples computor maladies and worries..

The Windows XP and Microsoft Works came Pre-loaded, No disk to replace anything with.
Not even a recovery disc.

C:\Program Files\Microsoft Works\1033\Wizards\crdus54w.wwp\Object 2\Contents\ [E] ARC archive is corrupted. (42133)
D:\PRELOAD\data9_01.inp\bckgres.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_02.inp\fxst30.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_05.inp\imkr61.chm [E] CAB archive is corrupted. (42127)
 

[dl65]

DAVE9999 ....With the exception of 2 questionable entries , your logfile looks ok .

dl65  

[DAVE9999]

DAVE9999 ...... Do you have ccleaner setup per the screenshot I included above .....because if you look in the system portion of the screenshot , you will see that TEMP files are marked for removal ......... So I don't know why ypours isnt being removed . Have you actually gone into C:/windows/temp and looked to see if its empty or not ....? If it isn't , go there and once in the temp file , click edit ....select all and delete ...... Oh yes and be sure that nothing else is open .....


Hello dl65,  Yes the C:\windows\temp is totally empty.    All the stuff that has been downloaded, big programs and that have gone to   C:\temp\ .   not to C:\Windows\temp,    I may well have manually made that file up ages ago, then ever since the big programs I've down loaded have gone there.

Maybe, I should delete that temp file altogether, after deleting its contents???  Is that a good idea.

The comp is set up for Me and "Administrater".  cant remember when that was set up.

[dl65]

DAVE9999...... Hummm ...no cds of any kind ...... Do you have a image of the original configuration on another partition by any chance ?

dl65  

[dl65]

DAVE9999

Yes the C:\windows\temp is totally empty.

good ...thats the folder that ccleaner empties whenever you run it ......
I would suggest deleting the other temp folder that you created ........ ( if for some reason things don't work right , you can always create a new one but you really don't need it )

dl65  

[DAVE9999]

dl65.
No I was asked to make a Recovery disc, but only had CD re- recordable discs and they wanted the once only type.
I never got round to making any.
I'm deleting contents of C:\temp now

[dl65]

DAVE9999 ......That isnt good , because if for any reason you are forced to format , you're are hooped .....with out anything to re install with or a drive image .

dl65  

[dl65]

DAVE9999   Your machine isn't that old is it ?  It may be possible to puchase a install/restore disk for it .

dl65  

[DAVE9999]

hello dl65, after deleting the contents of C:temp there are 3 left that are ment to be "system files"
1 Desktop ...configeration settings
2 Thumbs ..data base file
3  Dvd system file.

It says they are needed by other programs.  

Without any way of restoring lost data, is it best to leave

C:\Program Files\Microsoft Works\1033\Wizards\crdus54w.wwp\Object 2\Contents\ [E] ARC archive is corrupted. (42133)

D:\PRELOAD\data9_01.inp\bckgres.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_02.inp\fxst30.dll [E] CAB archive is corrupted. (42127)
D:\PRELOAD\data9_05.inp\imkr61.chm [E] CAB archive is corrupted. (42127)
 

[dl65]

DAVE9999 ........ Exactly what is on your D: drive ?

dl65  

[dl65]

DAVE9999 ....How old is your machine ?

dl65  

[DAVE9999]

dl65, there is

 i386 ...             755 mb        1066 files.     245  folders
miniNT               83 mb          567 files    15   folders
preload              1.09 gb       46 files     0 folders.
system restore   414kb          4  files
system vol info      0
updgoi               7.8 mb          29 folders

[DAVE9999]

Dl 65      its about   15 months old   emachines  5250

[dl65]

DAVE9999 ......... Those are all the preloaded programs etc.... thats the solution to the restore issue ....do you have the manual that came with the machine ...as there should be info  on how the reload the original configuration .

dl65  

[dl65]

DAVE9999 ..... Have you contacted Emachines ..?

dl65  

[DAVE9999]

Hello dl65, just looked through it, they say "all programs that were preinstalled on your computor are available on the backup restore discs that you created with the recovery media program"
I didn't cause i didn't have the cd-r discs to hand.  just got out tonight what I thought was a sealed pack of cd discs with all the data on it.....Turns out the  6 discs are blank cd-r discs that they provoided  for me to copy on.

Now that is a sod.  All the time I had some blank cd-r discs!.  

They say "you can use the back up restore discs or you can use the back up files located on your computor".

Well i cant do either, cause some of those files are corrupted, and i havent the discs to load up.

Stuffed  on that one then.!

Is it best just to leave it then,
Now that those nasties have been enprisened in the "Avenger" zip file.
As long as the corruption in the D;\ restore doesn't spread.  
Ill just have to carry on.
I wouldnt want to get any resore disks from the vendor, they would charge as much as Gate's Windows Xp would cost, or a good way to it,, even if they had one for my model.

You say after looking at the latest HJT file, there may be two problems,  can those be fixed and I'll clear off out the way.

[Dead_reckon]

if you want to get rid of teh viruses i recommend AVG anti virus free edition which can be found here: http://free.grisoft.com/doc/1

good program, you will have to get rid of any other anti virus programs already installed though, i use avg free and would reccomend it to anyone

[dl65]

DAVE9999....Well the 2 files I was refering to are just questionable .........thats all.

Now that those nasties have been enprisened in the "Avenger" zip file.

    why dont you delete the quarantined files ?

Now as far as the files on D: drive ....... If in fact some of them are corrupted or infected  , then whats the point of having them on your machine ...... the contents of that drive is useless . I would wipe D: clean . ........  the fact that there are infected files on that drive are a potential threat .

dl65  

[Dead_reckon]

DAVE9999....Well the 2 files I was refering to are just questionable .........thats all.

Now that those nasties have been enprisened in the "Avenger" zip file.

    why dont you delete the quarantined files ?

Now as far as the files on D: drive ....... If in fact some of them are corrupted or infected  , then whats the point of having them on your machine ...... the contents of that drive is useless . I would wipe D: clean . ........  the fact that there are infected files on that drive are a potential threat .

dl65  

i agree, the corrupted files can damage C:, which would make this relatively small problem a headache to fix

[DAVE9999]

Dl65, I suppose I could contact them,  mind you if Gatesy brings out a new Windows program soon. I may well end up buying that.
They may well have sorted out WMP by then as well, Many people have the same problem with WMP when they changed up to the none deletable  version 10.

Looks like we have done as much as we can on it then,  I never knew about the "Preload files" and all that being on the D:\ drive.  
Theres been quite a lot of stuff I have learnt over the last few days about software, systems, viruses and that.
Sometimes though due to laziness on my part, "Not getting it all recorded down on disk" from brand new.
to perhaps not running enough virus scans, we can come a cropper.

I'll delete those 3 particular files then with Avast.
How is the best way of deleting the virus  files in the avenger program.
C:\avenger\backup.zip/avenger/cs_mary.exe/Realtime.dll  Infected: Trojan-Spy.Win32.Delf.fk  skipped  
 
C:\avenger\backup.zip/avenger/cs_mary.exe  Infected: Trojan-Spy.Win32.Delf.fk  skipped  
 
C:\avenger\backup.zip/avenger/setup_ares.exe/data0037  Infected: not-a-virus:AdWare.Win32.NavExcel.i  skipped  
 
C:\avenger\backup.zip/avenger/setup_ares.exe  Infected: not-a-virus:AdWare.Win32.NavExcel.i  skipped  
 
C:\avenger\backup.zip/avenger/WarezP2P_DLC.exe/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
C:\avenger\backup.zip/avenger/WarezP2P_DLC.exe/stream  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
C:\avenger\backup.zip/avenger/WarezP2P_DLC.exe  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped  
 
C:\avenger\backup.zip  ZIP: infected - 7  skipped  

[dl65]

DAVE9999      

C:\avenger\backup.zip/avenger/[highlight]cs_mary.exe/Realtime.dll  Infected[/highlight]: Trojan-Spy.Win32.Delf.fk  skipped  
  
C:\avenger\backup.zip/avenger/[highlight]cs_mary.exe  Infected[/highlight]: Trojan-Spy.Win32.Delf.fk  skipped  
  
C:\avenger\backup.zip/avenger/[highlight]setup_ares.exe/data0037  Infected[/highlight]: not-a-virus:AdWare.Win32.NavExcel.i  skipped  
  
C:\avenger\backup.zip/avenger/[highlight]setup_ares.exe  Infected[/highlight]: not-a-virus:AdWare.Win32.NavExcel.i  skipped  
  
C:\avenger\backup.zip/avenger/[highlight]WarezP2P_DLC.exe/stream/data0035  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped   [/highlight]
 
C:\avenger\backup.zip/avenger/[highlight]WarezP2P_DLC.exe/stream  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped   [/highlight]  

C:\avenger\backup.zip/avenger/[highlight]WarezP2P_DLC.exe  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped   [/highlight]

navigate to to folder high lited in yellow and delete it .....
When you finished deleting them , run your AV again for peace of mind.

You mention you cant delete wmp 10 ??  why not ......... in add/remove programs , wait until the list is published and then over on the left side click on add/remove windows components ...... when the list appears go to wmp 10 and delete it ......

BTW .... NEWDOTNET is bad news .

dl65  

[DAVE9999]

dl65,, Is it safe to open that zip file to get at them,  I would have to extract the file to somewhere using Windows explorer?.  
Using the delete funtion from , Windows explorer, file, delete.  And that would do it.
And its safe?.

[dl65]

DAVE9999 ....dont unzip the file just delete the zipped file


dl65  

[dl65]

Hey Mark .....Dave has infected and corrupt files in his D: restore partition ....and has no cds. Any thoughts ?

dl65    

Buying a CD and reinstalling would solve this whole problem.  

[DAVE9999]

Dl65,
Great, done that with some "terminating" deleting program onboard.
Ran find and they are gone.

I would sooner run another onboard Anti virus program to check if those files are corrupt, a second oppinion,
Not every AV pick up every viruses and some might pick up a wrong bit of data.
Do they still have that "Disc repair" funtion with Windows Running it for ages as it fixes any errors in that segmont??  I'll have a look.  Maybe some freeware scan disc type program might help I'll check it out.

I'll delete and reload WMP and see if I can get it to stream off a web page with WMP stream videos.

Mayby all the improvements over the last few days has fixed it.

Youv'e been a great help over the last few days.

I thought you would have given up on me ages back, I got into a muddle when you asked me did I have Awido installed, then to run my anti virus program.  Like a clot I thought you ment the Ewido!!

Things like that, I guess you pick up Patience, and some degree of understanding from all your experiences at what you do.
A lot of people like myself have some knowlege of the workings of things and then a compleat blank in other areas.  We all just bumble allong, not having any school training like they do nowerdays, doing the best we can.
I'll mosey on off then, and all those people and their virus's and other ills will present themselves to you as they continue to do.

THANKS for all the info and computor knowledge youv'e imparted.
I've learnt quite a lot and I intend to put it to good use.
Good luck. And thanks again.

[dl65]

DAVE9999 .... I'm glad we able to of some help for you........

We all just bumble allong, not having any school training like they do nowerdays, doing the best we can.

  You don't have to have attended classes to learn ...... lol ......  It never ceases to amaze me just how much we learn in our bumbling along ........
Please come back again anytime .

Cheers
dl65  

[DAVE9999]

Hello dl65,

I'm glad you said "Please come back again anytime".
Cause following on from
8 viruses found, unable to delete.  Topic.
  Reply #26 - Jun 6th, 2006, 10:58pm
Mark for removal
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE .


I have since found out,   having no sound,    that ALCMTR.EXE is part of
my Realtek audio files.

The emachines 5250 Computor I have has a Realtek Audio chip.
It looks like ALMCMTR.EXE was part of the process in delivering sound to the headphones.

The web page at   http://www.digit-life.com/articles2/intel-hdaudio/intel-hdaudio.html
Shows the Realtek sound manager, The very first diagram of the Realtek sound manager (coloured in shades of blue) just under heading of "Control panel".  (Slightly scrolling down)
The very first one with all the eq slider knobs and that.
Clicking on it gives a much bigger picture.  at http://www.ixbt.com/multimedia/intel/hdaudio/shot2.png
I have found the only way to activate my sound is to go to "Control Panel", click on "Sound effects manager" and when it openes click on the 6th button on the top of that picture.  the one called  "Audio Wizard".  then this picture appears
http://www.ixbt.com/multimedia/intel/hdaudio/shot3.png  
And the sound can be heard.  It is then activated.

Isn't that a strange thing!.  by pressing that button, "Audio Wizard" the sound is then activated.
A total fluke that I found that!.

Alcmtr.exe  is described as "Realtek Azalia Audio - Event Monitor"    and is currently located at C:\Program Files\Realtek\InstallShield  allong with 12 other files.

The Realtec Sound Manager used to load up at start up,  in the little task bar thing next to the clock at bottom right of screen.

I think somehow entering O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE  into HJT has disabled it from running.  And has turned off the sound until the procedure, (by chance found) above is gone through.

I dont know where to turn.  
Ideally, I'd like the Realtec control manager to "Come on " at start up like it did.
And all the sound to work from start without going through the above.

I of course haven't a clue how to bring this about.
Maybe if the ALCMTR.EXE  is put back into O4 - HKLM\..\Run: the whole sound thing will automaticly work again.

It "sounds" a bit of a sod to fix,

In the list of drivers for the realtek driver in control panel "sounds and audio devices"
there is
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\RTLCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
and 11 others.

The top one being the one that HJT got its hands on.
ALCMTR.EXE is still in the C:\WINDOWS location it hasn't been deleted.

Any ideas on how to fix it please,
I'm a bit buggered up with it.  Isn't it a strang thing.
        Many thanks.

[dl65]

DAVE9999

ALCMTR.EXE  ....... is spyware and thats why it is singled out for removal......
Your sound is on board I think ...so if you reinstall the drivers for the onboard sound , it should be ok ........  what it does is harvest info about your system and send it back to Realtek.....
    "Description: Realtek AC97 Audio - Event Monitor. "Spyware" file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers"


Hope this explains .

dl65  

[DAVE9999]

Hello dl65,

I would imagine realtek has made the software so that if part of it's software program for its realtec audio chip is took away from, then there is no sound.
Which is what has happened.
There is no sound,
 
When you say about reinstalling the drivers, would that mean deleting it first from Add/remove and then going to control panel,, sounds and audio devices,,,Hardware,,,realteck high definition audio,,properties,,,driver,,update driver,,,welcome to the hardware wizard.

I've tried the latter, (Not deleting the drivers first) and it says I have the best drivers fitted already.
I can't  reinstall the drivers.  Ive no idea where they are. and how to reinstall them.

Can you help us out reinstalling the drivers.  If that is all that is needed to get the sound back automaticaly..
Thanks.

[dl65]

DAVE9999  ...... check the device manager and look at each item in the sound part see if you see any yellow exclamation marks .  

The other thing you can do is ..... click start /run ...... in the run box type dxdiag ........press enter ...... now click the sound 1 tab and run the tests...if anything fails it will tell you what to do...... then click sound 2 tab and run the test there as well.


dl65  

[infoseeker]

DAVE9999
try this link
http://www.kellys-korner-xp.com/xp_tweaks.htm

using IE double click line # 6 then follow the instruction (click ok/yes)
if it will not work
double click on line # 316 then follow the instruction (click ok/yes)
if it still not
double click on line # 371 then follow the instruction (click ok/yes)

let us know what happen