Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

AVG finds virus when I open document but not on scan..help p
Post by mugatea » October 9th, 2006, 2:50 pm

Hello, I went to print off 12 pages of work this afternoon but when the print began, AVG (free version) detected a virus and stopped the print. I can now no longer get into the document without AVG saying virus detected.

But scanning with AVG says 'No Virus Found'.

My neighbour has come round and scanned my pc with the following:

Ewido on line scanner...would not scan because I have WIN2000 as my operating system.

Kaspersky online scanner...found 5 or 6 viruses but could not delete them. (Log saved)

Adaware..nothing found

Spybot search and destroy....3 adware deleted.

Nortons on line scanner...found...Zango (deleted)
Adware.WebBar (not deleted)

In my in tray I have a blue icon with an 'i' in the centre which when I hover over it, it says, 'Battle Zone Documentaries...catch it here'

I've again run AVG which says nothing found but if I attempt to print my document off I get a virus warning from AVG and printer stops.

Can you please help me?

Lisa
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm
Post by Blade81 » October 9th, 2006, 4:19 pm

Hello Lisa! Welcome to Malware Removal! :)


Use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with Windows Explorer, and double-click on the HijackThis.exe program to run it. Choose the 'Do a system scan and save a logfile' option.
That will allow you to save the log to the desktop (or some other place) and leave open a notepad file with the HijackThis log in it.

Post that log in your reply.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Post by mugatea » October 10th, 2006, 3:18 pm

Logfile of HijackThis v1.99.1
Scan saved at 20:10:25, on 10/10/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\E_S5I0C1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\HJT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\SYSTEM\E_S5I0C1.EXE /P31 "EPSON Stylus Photo RX420 Series" /O5 "LPT1:" /M "Stylus Photo RX420"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... n_ansi.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm
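
A HijackThis log like the one posted above is line-oriented: each entry starts with a section code (R1, O2, O4 and so on) followed by " - ". As an added example (not part of the thread and not HijackThis's own code), this sketch parses such a log, lists the autostart (O4) entries, and picks out two kinds of entry for manual review; the review rules and all function names are assumptions of the example, and the sample lines are copied from the log above.

```python
import re

# Section codes seen in the log above, with their usual HijackThis meaning.
SECTIONS = {
    "R1": "IE registry setting (search/start page, proxy)",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry (Run keys, Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools menu item",
    "O12": "IE plugin",
    "O16": "ActiveX control (Downloaded Program Files)",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^([^:]+): \[([^\]]*)\] (.+)$")      # O4 registry form
NAMELESS_DPF_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]+\} -")  # O16 with nothing after the CLSID

# Lines copied from the log posted above (header and process list included
# to show that they are skipped).
HJT_SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} -
"""


def parse_hjt(text):
    """Return every 'CODE - body' entry; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, body = m.groups()
            entries.append({"code": code, "body": body,
                            "meaning": SECTIONS.get(code, "unlisted section")})
    return entries


def autoruns(entries):
    """Return (location, name, command) for each O4 autostart entry."""
    out = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:                                   # HKLM\..\Run: [name] command
            out.append(m.groups())
        else:                                   # Global Startup: name = target
            where, _, rest = e["body"].partition(": ")
            name, _, cmd = rest.partition(" = ")
            out.append((where, name, cmd))
    return out


def review_pointers(entries):
    """Entries worth a manual look. These are pointers, not verdicts."""
    notes = []
    for e in entries:
        if e["body"].endswith("(file missing)"):
            notes.append((e["code"], "target not on disk (HijackThis's own note)"))
        elif e["code"] == "O16" and NAMELESS_DPF_RE.fullmatch(e["body"]):
            notes.append((e["code"], "ActiveX entry with no name or source URL"))
    return notes


if __name__ == "__main__":
    parsed = parse_hjt(HJT_SAMPLE)
    for where, name, cmd in autoruns(parsed):
        print(f"{where:18} {name:14} {cmd}")
    for code, why in review_pointers(parsed):
        print(code, why)
```
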

Post by Blade81 » October 11th, 2006, 12:59 am

I am currently looking over your log. As I am an Undergraduate, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Thanks for your patience! :)
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Post by Blade81 » October 12th, 2006, 12:17 am

Hi, I'm not sure if you knew this already, but Microsoft no longer supports Windows ME. That means you won't get any security updates for it. However, you should upgrade your IE with SP2.

mugatea wrote: I've again run AVG which says nothing found but if I attempt to print my document off I get a virus warning from AVG and printer stops.

Could you tell me what warning message AVG gives?



Please download MWav eScan to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.

I need you to run MWav by double-clicking on mwav.exe
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files

Please make sure ALL of these are checked, then press the Scan button.

*NOTE* MWav may pause and appear to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". Once the scan is complete, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely big so there is no way to post the whole log. I just need the infected items list from that window.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Post by mugatea » October 13th, 2006, 4:37 pm

Fri Oct 13 21:15:17 2006 => System found infected with internetwasherpro activex Spyware ({421a63ba-4632-43e0-a942-3b4ab645be51})! Action taken: No Action Taken.
Fri Oct 13 21:15:21 2006 => System found infected with hotbar Spyware/Adware ({b195b3b3-8a05-11d3-97a4-0004aca6948e})! Action taken: No Action Taken.
Fri Oct 13 21:15:34 2006 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com !!!
Fri Oct 13 21:15:34 2006 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Oct 13 21:15:36 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com !!!
Fri Oct 13 21:15:36 2006 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Oct 13 21:15:37 2006 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com !!!
Fri Oct 13 21:15:37 2006 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Oct 13 21:15:37 2006 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\zango !!!
Fri Oct 13 21:15:37 2006 => Object "zango Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Oct 13 21:15:38 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\winpopup !!!
Fri Oct 13 21:15:38 2006 => Object "winpopup Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Oct 13 21:15:46 2006 => Offending file found: C:\WINDOWS\tsuninst.exe
Fri Oct 13 21:15:46 2006 => System found infected with target saver Spyware/Adware (tsuninst.exe)! Action taken: No Action Taken.

Fri Oct 13 21:15:47 2006 => Offending file found: C:\WINDOWS\scrnsvr.exe
Fri Oct 13 21:15:47 2006 => System found infected with unknown bho Spyware/Adware (scrnsvr.exe)! Action taken: No Action Taken.

Fri Oct 13 21:16:23 2006 => Offending file found: C:\WINDOWS\Favorites\partys & making\ebay.url
Fri Oct 13 21:16:23 2006 => System found infected with ezula Spyware/Adware (ebay.url)! Action taken: No Action Taken.

Fri Oct 13 21:16:23 2006 => Offending file found: C:\WINDOWS\Favorites\best of the web\mp3.url
Fri Oct 13 21:16:23 2006 => System found infected with smitfraud Browser Hijacker (mp3.url)! Action taken: No Action Taken.

Fri Oct 13 21:16:28 2006 => Checking CLSID Reference Entries...
Fri Oct 13 21:16:30 2006 => Entry "HKCR\Nav2kAbout.Nav2kAboutExtension.1" refers to invalid object "{8A93465D-3A3D-11d3-A2D4-005004184DF1}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\Nav2kAbout.Nav2kAboutExtension" refers to invalid object "{8A93465D-3A3D-11d3-A2D4-005004184DF1}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\LiveUpdate.luNavCallBack.1" refers to invalid object "{09C9DBC1-893D-11D2-B40A-00600831DD76}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\LiveUpdate.luNavCallBack" refers to invalid object "{09C9DBC1-893D-11D2-B40A-00600831DD76}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\NortonAntiVirus.OfficeAntiVirus.1" refers to invalid object "{DE1F7EEF-1851-11D3-939E-0004AC1ABE1F}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\NortonAntiVirus.OfficeAntiVirus" refers to invalid object "{DE1F7EEF-1851-11D3-939E-0004AC1ABE1F}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\Symantec.luProductReg.1" refers to invalid object "{17580E5F-7B07-11D2-BF1F-00A024D73444}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\Symantec.luProductReg" refers to invalid object "{17580E5F-7B07-11D2-BF1F-00A024D73444}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\Symantec.luGroup.1" refers to invalid object "{2045EFE5-99CF-11D2-B40A-00600831DD76}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\Symantec.luGroup" refers to invalid object "{2045EFE5-99CF-11D2-B40A-00600831DD76}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\NetDetectController.NDScheduler.1" refers to invalid object "{1CEFD16C-91C2-4953-986E-EE77DE2DCF94}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\NetDetectController.NDScheduler" refers to invalid object "{1CEFD16C-91C2-4953-986E-EE77DE2DCF94}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWPluginView.1" refers to invalid object "{88734682-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWPluginView" refers to invalid object "{88734682-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWCategory.1" refers to invalid object "{88734683-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWCategory" refers to invalid object "{88734683-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWInternetCategory.1" refers to invalid object "{8D756A6D-FAAF-456B-B869-DE1ACBE66C63}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWInternetCategory" refers to invalid object "{8D756A6D-FAAF-456B-B869-DE1ACBE66C63}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWReportsCategory.1" refers to invalid object "{88734685-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWReportsCategory" refers to invalid object "{88734685-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWStatusCategory.1" refers to invalid object "{88734686-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWStatusCategory" refers to invalid object "{88734686-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWScanCategory.1" refers to invalid object "{88734687-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWScanCategory" refers to invalid object "{88734687-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWSchedulingCategory.1" refers to invalid object "{88734688-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWSchedulingCategory" refers to invalid object "{88734688-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWFrame.1" refers to invalid object "{88734684-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:30 2006 => Entry "HKCR\SWPlugin.NSWFrame" refers to invalid object "{88734684-FCB2-11d2-B9D2-00C04FAC114C}". Action Taken: No Action Taken.

Fri Oct 13 21:16:31 2006 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Fri Oct 13 21:16:31 2006 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Fri Oct 13 21:16:31 2006 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

Fri Oct 13 21:16:32 2006 => Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.

Fri Oct 13 21:16:32 2006 => Entry "HKCR\FASTPIXEL.FASTPIXEL.1" refers to invalid object "{6F79DCE0-DCF5-11D0-800E-080009E9498B)". Action Taken: No Action Taken.

Fri Oct 13 21:16:32 2006 => Entry "HKCR\BETTERPIXEL.BETTERPIXEL.1" refers to invalid object "{AD5EF240-9EBE-11D0-800E-080009E9498B)". Action Taken: No Action Taken.

Fri Oct 13 21:16:32 2006 => Entry "HKCR\ZoomBrowserEX.Document" refers to invalid object "{476A6961-6FF1-11D0-9742-00A0246B6561}". Action Taken: No Action Taken.

Fri Oct 13 21:16:32 2006 => Entry "HKCR\PhotoRecord.Album" refers to invalid object "{FEDCFFC1-BEC4-11D1-93B9-0060979C8AB8}". Action Taken: No Action Taken.

Fri Oct 13 21:16:33 2006 => Entry "HKCR\TCSHELLEX.The.Cleaner" refers to invalid object "{2DE506B9-4320-11D3-8E42-002035221EDA}". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Checking Module Usage Entries...
Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\SAIX.dll". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Checking User Trusted External App Entries...
Fri Oct 13 21:16:34 2006 => Checking Shared DLL Entries...
Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\S32STAT.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\LiveUpdate\S32LIVE1.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\LiveUpdate\S32LUIS1.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\SYMEVNT.386". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\SYMEVNT1.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\S32EVNT1.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\SYMEVENT.SYS". Action Taken: No Action Taken.

Fri Oct 13 21:16:35 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\SQLOLEDB.TXT". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Borland Shared\BDE\IDAPINST.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\OPDPRINT.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\SAIX.dll". Action Taken: No Action Taken.

Fri Oct 13 21:16:36 2006 => Checking Installer Entries...
Fri Oct 13 21:16:36 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Start Menu\Programs\Productivity\". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Start Menu\Programs\SHARP GSM GPRS Wizard\". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Checking Shared Tools Entries...
Fri Oct 13 21:16:37 2006 => Checking File Extension Entries...
Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".zbd". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".CRD". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".LIB". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gft". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".GDP". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ppd". Action Taken: No Action Taken.

Fri Oct 13 21:16:37 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PSF". Action Taken: No Action Taken.
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm
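
The helper asked only for the "infected items" list, while the log posted above mixes a handful of detections with a long run of "refers to invalid object" registry entries. As an added example (not part of the thread and not eScan's own tooling), this sketch separates the two and pairs each "Offending Key/file found" line with the line that names the threat; the line patterns are inferred from the log above, the function names are assumptions, and the sample lines are copied from that post.

```python
import re
from collections import defaultdict

INFECTED_RE = re.compile(
    r"^System found infected with (?P<threat>.+?) \((?P<obj>[^()]*)\)! "
    r"Action taken: (?P<action>.+?)\.?$")
OBJECT_RE = re.compile(
    r'^Object "(?P<threat>[^"]+)" found in File System! '
    r"Action Taken: (?P<action>.+?)\.?$")
OFFENDING_RE = re.compile(r"^Offending (?:Key|file) found: (?P<loc>.+?)(?: !!!)?$")
ORPHAN_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>[^"]+)"')

# Lines copied from the MWav log posted above.
MWAV_SAMPLE = r'''
Fri Oct 13 21:15:17 2006 => System found infected with internetwasherpro activex Spyware ({421a63ba-4632-43e0-a942-3b4ab645be51})! Action taken: No Action Taken.
Fri Oct 13 21:15:34 2006 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com !!!
Fri Oct 13 21:15:34 2006 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.

Fri Oct 13 21:15:46 2006 => Offending file found: C:\WINDOWS\tsuninst.exe
Fri Oct 13 21:15:46 2006 => System found infected with target saver Spyware/Adware (tsuninst.exe)! Action taken: No Action Taken.

Fri Oct 13 21:16:28 2006 => Checking CLSID Reference Entries...
Fri Oct 13 21:16:30 2006 => Entry "HKCR\Symantec.luGroup" refers to invalid object "{2045EFE5-99CF-11D2-B40A-00600831DD76}". Action Taken: No Action Taken.
Fri Oct 13 21:16:34 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Symantec\SYMEVNT1.DLL". Action Taken: No Action Taken.
'''


def triage(text):
    """Split a MWav log into (findings, orphans).

    findings: detections, each with the registry key or file it was tied to.
    orphans:  registry entries pointing at objects that no longer exist;
              these are clean-up output, not detections.
    """
    findings, orphans = [], []
    pending_loc = None                      # location from an "Offending ..." line
    for line in text.splitlines():
        ts, sep, msg = line.strip().partition(" => ")
        if not sep:
            continue                        # blank or non-log line
        m = OFFENDING_RE.match(msg)
        if m:
            pending_loc = m["loc"]          # the naming line follows
            continue
        m = INFECTED_RE.match(msg) or OBJECT_RE.match(msg)
        if m:
            obj = m.groupdict().get("obj")  # only INFECTED_RE captures an object
            findings.append({"time": ts, "threat": m["threat"],
                             "location": pending_loc or obj,
                             "action": m["action"]})
            pending_loc = None
            continue
        m = ORPHAN_RE.match(msg)
        if m:
            orphans.append((m["key"], m["obj"]))
    return findings, orphans


def by_threat(findings):
    """Group finding locations under each threat name."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["threat"]].append(f["location"])
    return dict(grouped)


if __name__ == "__main__":
    found, noise = triage(MWAV_SAMPLE)
    for threat, locations in by_threat(found).items():
        print(threat)
        for loc in locations:
            print("   ", loc)
    print(f"{len(noise)} orphaned registry references left out of the list")
```
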

Post by mugatea » October 13th, 2006, 5:00 pm

Could not remove anything on MWav eScan because I needed to buy the product.
Could you please tell me where to get Service Pack 2 for Windows ME, and do I need to install it right away?
Thank you, Lisa
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm

Post by Blade81 » October 14th, 2006, 10:12 am

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the following icon next to the files found:
    Image
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Files that are in use may only be moved or deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.



mugatea wrote: Could you please tell me where to get Service Pack 2 for Windows ME, and do I need to install it right away?

Unfortunately you won't get SP2 for Windows ME. :( When I asked to upgrade IE I wasn't sure whether or not SP2 would be available for ME.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Post by mugatea » October 22nd, 2006, 1:10 pm

Hi,
Sorry it took so long replying.
I've run Dr.Web CureIt and it says no virus found.
Lisa
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm

Post by mugatea » October 22nd, 2006, 4:02 pm

Hi,
Forgot to tell you I deleted refresh Derby before I ran the virus check; do I need to do anything else?
Thank you, Lisa
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm

Post by Blade81 » October 23rd, 2006, 12:33 am

It's been over 10 days since your previous log post. Send me a fresh HJT log, please. :)
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Post by mugatea » October 24th, 2006, 1:37 pm

Hi,
I have tried to run HijackThis but cannot do it.
Please help.
Thank you, Lisa
mugatea
Active Member
 
Posts: 7
Joined: October 9th, 2006, 2:21 pm

Post by Blade81 » October 24th, 2006, 1:58 pm

mugatea wrote: I have tried to run HijackThis but cannot do it

Could you describe your problem a little bit? Does HijackThis give some error message or are there some other troubles?
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Post by agrarianmonk » November 1st, 2006, 2:44 pm

Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am