thank you.How do I do that.

follow the instructions for xp on this page: http://www.pchell.com/virus/systemrestore.shtml do the re-enable first, then the disable, then re-enable.

have shut down system restore and i think xp auto erases all restore points and have rebooted but the virus is still there.
Dave.

See if this thread helps any:
http://www.daniweb.com/techtalkforums/thread13362.html

Thank you .I have done this and it is still here.

Find your prefetch folder and delete the contents.
When you close down system restore all items that are/were in that folder are completely eliminated. That being the case, the virus must be elsewhere.

Do a system search for the particular file, being exact in it's spelling. If found, delete it.

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

umm that looks like the program rather than the log...
the log file is stored in the directory you ran the script from, but it's a .txt file I think.

Have you considered AVG free antivirus? http://free.grisoft.com/freeweb.php/doc/2/

Thank you avg 7 did not pick it up.
I think this is the log

"Silent Runners.vbs", revision 31
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinPatrol" = "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" ["BillP Studios"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" = "Audio Media Properties Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\SCRNSAVE.EXE = "C:\WINDOWS\System32\Fish.scr" [null data]


Startup items in "david" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\david.HOME-9BM1C97ZZ3\Start Menu\Programs\Startup
"BHODemon 2.0" -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" ["Definitive Solutions, Inc."]
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs LLC"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Please go here and have this file scanned.

C:\WINDOWS\System32\Fish.scr

Jotti's malware scan 2.42

File to upload & scan:
Powered by:


By uploading files to this online service you agree that your files will be stored locally for personal virus collection interests.

Furthermore: this service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, I cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, I am aware of the implications of a setup like this. I am sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). I am aware, in spite of efforts to proactively counter these, false positives might occur, for example. I do not consider this a very big issue, so please do not e-mail me about it. This is a simple online scan service, not the university of Wichita (however, manual correction is performed on a regular basis). Although I try to keep these results as accurate as humanly possible, the only viable conclusion to be drawn here: "100% protection" is a myth.

Scanning can take quite a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

This service costs me money. Dedicated hosting is not exactly free. If you feel this service is useful, please consider a (small) donation to help cover these expenses!

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, James Love, Gideon Pertzov, Malcolm Murray, Nigel Thomas, Wendy Dickerson, Anthony Midmore, "ethereal", Mark Rubins, Steve S., Eric Johansen, and some people who prefer to remain anonymous... many thanks to all!

Service load: 0% 100%

File: Fish.scr
Status: OK
Packers detected: None

AntiVir No viruses found (0.40 seconds taken)
Avast No viruses found (1.53 seconds taken)
AVG Antivirus No viruses found (0.75 seconds taken)
BitDefender No viruses found (0.46 seconds taken)
ClamAV No viruses found (0.91 seconds taken)
Dr.Web No viruses found (0.98 seconds taken)
F-Prot Antivirus No viruses found (0.09 seconds taken)
Fortinet No viruses found (0.44 seconds taken)
Kaspersky Anti-Virus No viruses found (0.99 seconds taken)
mks_vir No viruses found (0.23 seconds taken)
NOD32 No viruses found (0.49 seconds taken)
Norman Virus Control No viruses found (0.19 seconds taken)

Statistics
Last piece of malware found was W95/Pinfi.A in ClickAlot_.exe, detected by:

Scanner Malware name Time taken
AntiVir W32/Parite 0.36 seconds
Avast Win32arite 1.51 seconds
AVG Antivirus Win32/Parite 0.75 seconds
BitDefender Win32.Parite.B 0.46 seconds
ClamAV W32.Parite.B 0.62 seconds
Dr.Web Win32.Parite.2 0.85 seconds
F-Prot Antivirus W32/Parite.B 0.09 seconds
Fortinet W32/Parite.B 0.37 seconds
Kaspersky Anti-Virus Virus.Win32.Parite.b 0.98 seconds
mks_vir W95.Parite.B 0.65 seconds
NOD32 Win32/Parite.B 1.37 seconds
Norman Virus Control W95/Pinfi.A 0.49 seconds



Service statistics:

6022 files (4041 of those unique) have been uploaded & scanned since 14/02/2005, the day of the last database purge.
1147 of those 4041 files contained a virus or any other form of malware.
This page has been visited 9984 times in this time period.
This service managed to spot 114 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 706 suspicious files without any help from scanner results.
However, 0 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 100.00% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.

No I am not sitting still! A new, better version of this service is being developed.
If you have suggestions and/or comments, please send me them!
Most popular malware:

Rank Malware name Uploaded Last known filename
1 trojan.spy.agent.y 152 times mApLe_loot_and_vac___.exe
2 trojan.arun 45 times arun.exe
3 tr/startpage.tj 38 times addsu32.exe
4 worm/robobot 37 times install.exe
5 trojan-downloader.win32.agent.bq 36 times javaeu32.exe
6 tr/agent.bd 27 times Aimbot_funfado.rar
7 trojan.clicker.small.dm 25 times 1312887.exe
8 win32.worm.bropia.m 22 times MS-DOS_executable_rar.tar
9 win32:trojan-gen. {other} 22 times w32.exe
10 backdoor.inpru 19 times img1.gif
11 worm/sdbot.38400 14 times dikoweb.exe
12 behaveslike:trojan.downloader 13 times ajwqob.txt____________________
13 modification of win32.radix.24576 12 times GXHQ_MultiTrainer.exe
14 startpage.17.v 12 times CSRSSU.EXE
15 backdoor.agobot.3.dc3d9455 12 times t-nossl.exe





Virus definitions are updated every hour. Please do not upload tons of megabytes to this online scanner and download a decent anti virus package yourself. There is a 5Mb limit per file. Use this if you need to be sure a file is uninfected and you don't trust your own environment. Really abusive people will get a nice iptables -j DROP rule on this machine, which is not available in your local store.

ABUSE OF THIS SERVICE (INCLUDING UPLOADING DELIBERATELY MODIFIED -PACKED/ENCRYPTED/BYTESWAPPED- VERSIONS OF THE SAME SAMPLE) WILL RESULT IN AN IP BAN.

Please do not ask for any of these viruses, unless you work for an anti-virus vendor. They are not for trade.

Changelog - Frequently Asked Questions

Feedback/comments/questions/false positive reports

Copyright (C) Jordi Bosveld 2004-2005