0

Kristy, my apologies, I missed an important line with my cut and paste.... I have corrected the instruction, and taken the opp to add more files:
-you must be in an Administrator-privileged account to run this procedure...
Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box these lines as one block:-

Files to delete:
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\ycbeg.ini2
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\f3pssavr.scr
C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
C:\WINDOWS\WSYS049.SYS
C:\WINDOWS\system\tnebli.tmp
C:\WINDOWS\system32\ihhkj.tmp
C:\WINDOWS\system32\mlkkj.tmp
C:\WINDOWS\system32\ttvwa.tmp
C:\WINDOWS\system32\ycbeg.tmp

...and click Done, and finally the green light.
Follow the prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

=== I want you to do a manual search for this file; if you find it, delete it:
w03a1090.dll

Next do a Scan Only with hijackthis and check these two entries for fixing, and press Fix Checked:

O4 - Startup: .protected
O4 - Global Startup: .protected

See how you go..

0

It still says this is not a valid script, and I cannot search for this file as the search function on Windows doesn't work :( and with HijackThis it said these 2 files are in use so cannot be deleted.

0

Kristy, re Avenger... did you enter the whole block, including the "Files to delete:" label? I can enter it into Avenger on my machine and it is quite happy about it.
Try this online scanner... we'll have to give up on Panda for the while: http://www.kaspersky.com/virusscanner and post the results.
Perhaps you can try Avenger on this file - paste in this block:

Files to delete:
C:\windows\.protected

Did you manage to run F-Secure's BlackLight?

0

One other thing, I asked earlier for you to remove Norton/Symantec from your sys - I then assumed that this file detected by ComboFix was a relic from that AV - it is likely a problem file, it IS in the wrong area, and you don't want it. Please paste these two lines into the Avenger text box:

Files to delete:
C:\symlcsv1.exe

If Avenger still is not working for you, then we can try this manual way: download Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ and install it.
You will then have to navigate to every single one of those files, right-click them and select Delete. All 23 of them. :|
Run ComboFix again and post its log.

0

Status: 0xc0000034
File C:\WINDOWS\system32\ycbeg.ini2 deleted successfully.
File C:\WINDOWS\system32\ycbeg.bak2 deleted successfully.
File C:\WINDOWS\system32\ycbeg.bak1 deleted successfully.
File C:\WINDOWS\system32\mlkkj.bak2 deleted successfully.
File C:\WINDOWS\system32\mlkkj.ini2 deleted successfully.
File C:\WINDOWS\system32\mlkkj.bak1 deleted successfully.
File C:\WINDOWS\system32\f3pssavr.scr deleted successfully.
File C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat deleted successfully.
Could not open file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE for deletion
Deletion of file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE failed!
Could not process line:
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
Status: 0xc000003a
File C:\WINDOWS\WSYS049.SYS deleted successfully.
File C:\WINDOWS\system\tnebli.tmp deleted successfully.
File C:\WINDOWS\system32\ihhkj.tmp deleted successfully.
File C:\WINDOWS\system32\mlkkj.tmp deleted successfully.
File C:\WINDOWS\system32\ttvwa.tmp deleted successfully.
File C:\WINDOWS\system32\ycbeg.tmp deleted successfully.
Completed script processing.

*******************

Finished! Terminate.
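
The "Files to delete:" script format and the C:\avenger.txt result log above, checked mechanically: this is an added Python example, not code from this thread or from the Avenger tool. It parses a pasted script block, warns about entries Avenger is likely to reject (doubled backslashes, as in the TTRIB~1.EXE line that failed in the log above, or a bare file name with no drive letter), and then reconciles the script against the log to show which deletions succeeded, which failed, and which the log never mentions (for instance because the pasted log was cut short). The "X to Y:" section-header shape, the log line patterns, and the sample script and log are assumptions constructed from the posts above, not Avenger's documented grammar.

```python
import re

# Constructed sample input (not a real machine's script): a "Files to delete:"
# block as a helper would paste it, including one path written with doubled
# backslashes, which is the form that failed in the log quoted above.
SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\ycbeg.ini2
C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
C:\WINDOWS\WSYS049.SYS
"""

# Constructed excerpt of an Avenger result log (C:\avenger.txt) for that script.
SAMPLE_LOG = r"""Status: 0xc0000034
File C:\WINDOWS\system32\ycbeg.ini2 deleted successfully.
File C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat deleted successfully.
Could not open file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE for deletion
Deletion of file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE failed!
Could not process line:
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
Status: 0xc000003a
File C:\WINDOWS\WSYS049.SYS deleted successfully.
Completed script processing.
"""

# Assumption: section headers look like "Files to delete:", "Drivers to disable:";
# the checker only knows the header shape, not Avenger's full command list.
SECTION_RE = re.compile(r"^([A-Za-z ]+ to [A-Za-z ]+):\s*$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")


def parse_script(text):
    """Split a pasted Avenger script into {section header: [entries]}.
    Entries that appear before any header go under "(no section)", which is
    what happens when the "Files to delete:" label is left out of the paste."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is None:
            sections.setdefault("(no section)", []).append(line)
        else:
            sections[current].append(line)
    return sections


def lint_path(path):
    """Warnings for one script entry; an empty list means it looks well-formed."""
    warnings = []
    if "\\\\" in path:  # two literal backslashes in a row
        warnings.append("doubled backslashes; Avenger takes the path literally")
    if not DRIVE_RE.match(path):
        warnings.append("not an absolute path with a drive letter")
    return warnings


def lint_script(text):
    """Map every entry that has warnings to its warnings."""
    findings = {}
    for entries in parse_script(text).values():
        for entry in entries:
            w = lint_path(entry)
            if w:
                findings[entry] = w
    return findings


def parse_log(text):
    """Map each path the result log reports on to 'deleted' or 'failed'."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            results[m.group(1)] = "deleted"
            continue
        m = FAILED_RE.match(line)
        if m:
            results[m.group(1)] = "failed"
    return results


def reconcile(script_text, log_text):
    """Cross-check the script against the log: which requested deletions
    succeeded, which failed, and which the log never mentions at all."""
    requested = parse_script(script_text).get("Files to delete", [])
    results = parse_log(log_text)
    summary = {"deleted": [], "failed": [], "unreported": []}
    for entry in requested:
        summary[results.get(entry, "unreported")].append(entry)
    return summary


if __name__ == "__main__":
    for entry, warns in lint_script(SAMPLE_SCRIPT).items():
        print(f"WARN {entry}: {'; '.join(warns)}")
    for status, entries in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        for entry in entries:
            print(f"{status:10} {entry}")
```

Run it before pasting a script into Avenger to catch the doubled-backslash mistake, and again on C:\avenger.txt afterwards; an entry in the "unreported" bucket means the log does not account for it and the file should be checked by hand rather than assumed gone.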

0

"Kristy" - 07-04-30 12:54:42 Service Pack 2 ComboFix 07-04-25.4V - Running from: "C:\Program Files\AOL 9.0a\download\"(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~Folders Quarantined:C:\qoobox\purity\C\DOCUME~1C:\qoobox\purity\C\DOCUME~1\KristyC:\qoobox\purity\C\DOCUME~1\Kristy\APPLIC~1C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1C:\qoobox\purity\C\DOCUME~1\Kristy\APPLIC~1\PPPATC~1C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1\CROSOF~1C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1\RACLE~1C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1C:\qoobox\purity\C\Program Files\APPATC~1C:\qoobox\purity\C\Program Files\CURITY~1C:\qoobox\purity\C\Program Files\DOBE~1C:\qoobox\purity\C\Program Files\SCURIT~1C:\qoobox\purity\C\Program Files\WNSXS~1C:\qoobox\purity\C\Program Files\YMBOLS~1C:\qoobox\purity\C\Program Files\Common Files\DOBE~1C:\qoobox\purity\C\Program Files\Common Files\RACLE~1C:\qoobox\purity\C\Program Files\Common Files\SKS~1C:\qoobox\purity\C\WINDOWS\CROSOF~1.NETC:\qoobox\purity\C\WINDOWS\DOBE~1C:\qoobox\purity\C\WINDOWS\MANTEC~1C:\qoobox\purity\C\WINDOWS\MCROSO~1C:\qoobox\purity\C\WINDOWS\system32\DOBE~1C:\qoobox\purity\C\WINDOWS\system32\YMANTE~1((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))2007-04-30 09:22 d-------- C:\avenger2007-04-30 09:20 60,416 --a------ C:\WINDOWS\system32\drivers\oryeobyk.sys2007-04-30 09:19 60,416 --a------ C:\WINDOWS\system32\drivers\ovygriae.sys2007-04-30 09:19 60,416 --a------ C:\WINDOWS\system32\drivers\fakofips.sys2007-04-30 09:16 126,976 --a------ C:\zip.exe2007-04-26 15:59 3,606 --a------ C:\WINDOWS\system32\tmp.reg2007-04-26 15:57 53,248 --a------ C:\WINDOWS\system32\Process.exe2007-04-26 15:57 51,200 --a------ C:\WINDOWS\system32\dumphive.exe2007-04-26 15:57 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe2007-04-26 09:19 d-------- 
C:\VundoFix Backups2007-04-25 19:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys2007-04-25 18:58 d-------- C:\Program Files\cc2007-04-25 18:53 49,152 --a------ C:\WINDOWS\nircmd.exe2007-04-25 14:42 d-------- C:\WINDOWS\system32\NtmsData2007-04-25 10:01 d-------- C:\Program Files\New Folder2007-04-24 18:46 d-------- C:\DOCUME~1\Kristy\APPLIC~1\Solitaire.Com2007-04-13 12:24 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield2007-04-13 12:06 d-------- C:\WINDOWS\system32\FlashAX2007-04-09 22:46 d-------- C:\Program Files\MSXML 4.02007-04-09 22:46 d-------- C:\3b10545d3d62bb28bf60f37c2007-04-09 19:50 d-------- C:\WINDOWS\network diagnostic2007-04-09 19:10 d-------- C:\WINDOWS\CAVTemp2007-04-09 15:45 95,760 --a------ C:\WINDOWS\system32\isafeif.dll2007-04-09 15:45 75,280 --a------ C:\WINDOWS\system32\vetredir.dll2007-04-09 15:45 75,280 --a------ C:\WINDOWS\system32\isafprod.dll2007-04-09 15:45 629,216 --a------ C:\WINDOWS\system32\drivers\vetefile.sys2007-04-09 15:45 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys2007-04-09 15:45 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys2007-04-09 15:45 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys2007-04-09 15:45 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys2007-04-09 15:45 108,544 --a------ C:\WINDOWS\system32\drivers\veteboot.sys2007-04-09 15:44 d-------- C:\Program Files\CA2007-04-09 15:44 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA2007-04-09 13:57 d-------- C:\Program Files\Smart PC Solutions2007-04-09 13:57 d-------- C:\DOCUME~1\Kristy\APPLIC~1\Smart PC Solutions2007-04-09 13:19 d-------- C:\Program Files\RegistrySmart2007-04-09 13:19 d-------- C:\DOCUME~1\Kristy\APPLIC~1\RegistrySmart2007-04-06 15:05 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!2007-04-06 15:03 d-------- C:\Program Files\Messenger Plus! 
Live2007-04-06 14:37 d-------- C:\DOCUME~1\Kristy\APPLIC~1\MSNInstaller2007-04-05 21:57 d-------- C:\DOCUME~1\Kristy\APPLIC~1\Screenshot Sender2007-04-04 18:48 77,160 --a------ C:\WINDOWS\DSETUP.dll2007-04-04 18:48 503,144 --a------ C:\WINDOWS\DXSETUP.exe2007-04-04 18:48 1,673,576 --a------ C:\WINDOWS\dsetup32.dll2007-04-03 14:27 1,246,096 ---hs---- C:\WINDOWS\system32\ttvwa.ini22007-03-30 14:28 1,257,356 ---hs---- C:\WINDOWS\system32\ttvwa.bak22007-03-29 13:26 1,261,135 ---hs---- C:\WINDOWS\system32\ttvwa.bak1(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))2007-04-29 20:17 -------- d-------- C:\Program Files\morpheus2007-04-26 09:26 -------- d-------- C:\Program Files\norton antivirus2007-04-15 18:23 -------- d-------- C:\Program Files\gpotato2007-04-15 14:22 874 --a------ C:\DOCUME~1\Kristy\APPLIC~1\adobedlm.log2007-04-15 14:22 6 --a------ C:\DOCUME~1\Kristy\APPLIC~1\dm.ini2007-04-14 16:46 -------- d--h----- C:\Program Files\installshield installation information2007-04-13 12:16 3583 --a--c--- C:\WINDOWS\mozver.dat2007-04-09 19:10 -------- d-------- C:\Program Files\windows nt2007-04-06 15:03 -------- d-------- C:\Program Files\msn messenger2007-03-31 19:59 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\zylom2007-03-31 18:36 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\mysterystudio2007-03-21 16:08 142568 --a------ C:\WINDOWS\system32linkprd.exe2007-03-20 12:13 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\magic academy2007-03-19 00:43 155411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll2007-03-15 13:12 -------- d-------- C:\Program Files\cyberlink2007-03-15 13:09 -------- d-------- C:\Program Files\epson2007-03-15 13:06 -------- d-------- C:\Program Files\logitech2007-03-15 12:55 -------- d--h----- C:\Program Files\zero g registry2007-03-14 21:27 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\messengerskinner2007-03-10 
19:24 -------- d-------- C:\Program Files\mythwar_en2007-03-09 23:51 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\imvu2007-03-09 20:10 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\utorrent2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys2007-03-06 01:23 -------- d-------- C:\Program Files\imvu2007-03-04 15:01 -------- d-------- C:\Program Files\webroot2007-02-26 11:53 164 --a------ C:\install.dat2007-02-08 00:39 6144 --ahs---- C:\Program Files\thumbs.db2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]"AOLDialer"="\"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe\"""LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE""BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent""HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1149184109\\ee\\AOLSoftware.exe\"""NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup""MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe""Lexmark X84-X85 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe""Lexmark X84-X85 Button 
Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe""PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe""SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"""cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\"""QOELOADER"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Spam\\QSP-5.0.419.0\\QOELoader.exe\"""CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\"""cafwc"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\cafw.exe -cl""wskveucd"="C:\\fbbqkmik.bat"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe""msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]"Spyware Doctor"="""Nqnzqv"="C:\\DOCUME~1\\Kristy\\APPLIC~1\\PPPATC~1\\NPDB~1.EXE""DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoCDBurning"=dword:00000000[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run][HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2] Source REG_SZ C:\Documents and Settings\Kristy\My Documents\ticker.html[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3] Source REG_SZ C:\Documents and Settings\Kristy\My Documents\babynew.html[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4] Source REG_SZ C:\Documents and Settings\Kristy\My Documents\baby_desktop.html[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFWHKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages 
REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AOL 9.0 Tray Icon.lnk""backup"="C:\\WINDOWS\\pss\\AOL 9.0 Tray Icon.lnkCommon Startup""location"="Common Startup""command"="C:\\PROGRA~1\\AOL9~1.0A\\aoltray.exe -check""item"="AOL 9.0 Tray Icon"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BTTray.lnk""backup"="C:\\WINDOWS\\pss\\BTTray.lnkCommon Startup""location"="Common Startup""command"="C:\\PROGRA~1\\Belkin\\BLUETO~1\\BTTray.exe ""item"="BTTray"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk""backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup""location"="Common Startup""command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l""item"="Microsoft Office"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="TTRIB~1""hkey"="HKCU""command"="C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="fts""hkey"="HKLM""command"="\"C:\\Program 
Files\\VoyagerTest\\fts.exe\"""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALServ]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="ALServ""hkey"="HKLM""command"="\"C:\\Program Files\\Altec Lansing\\AMS\\ALServ.exe\"""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="AOLDial""hkey"="HKLM""command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="VM_STI""hkey"="HKLM""command"="C:\\WINDOWS\\VM_STI.EXE Cammaestro 4.2GU build 1105""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="rundll32""hkey"="HKLM""command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="carpserv""hkey"="HKLM""command"="carpserv.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="ctfmon""hkey"="HKCU""command"="C:\\WINDOWS\\system32\\ctfmon.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="dslagent""hkey"="HKLM""command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="dslstat""hkey"="HKLM""command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe 
icon""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="TTRIB~1""hkey"="HKCU""command"="C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="AOLHostManager""hkey"="HKLM""command"="C:\\Program Files\\Common Files\\AOL\\1149184109\\ee\\AOLHostManager.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="AcBtnMgr_X84-X85""hkey"="HKLM""command"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="ACMonitor_X84-X85""hkey"="HKLM""command"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows""item"="????""hkey"="HKCU""command"="????""inimapping"="1"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="McAgent""hkey"="HKLM""command"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="McUpdate""hkey"="HKLM""command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="MsgPlus""hkey"="HKLM""command"="\"C:\\Program Files\\MessengerPlus! 
3\\MsgPlus.exe\"""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="mimboot""hkey"="HKLM""command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="mousepad12""hkey"="HKLM""command"="C:\\windows\\mousepad12.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="msnmsgr""hkey"="HKCU""command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="NeroCheck""hkey"="HKLM""command"="C:\\WINDOWS\\system32\\NeroCheck.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="NvCpl""hkey"="HKLM""command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="RunDLL32""hkey"="HKLM""command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="nwiz""hkey"="HKLM""command"="nwiz.exe /install""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpiStat]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="OpiStat""hkey"="HKLM""command"="C:\\Program Files\\OpiStat\\OpiStat\\OpiStat.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\PrinTray]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="printray""hkey"="HKLM""command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="qttask""hkey"="HKLM""command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="PDVDServ""hkey"="HKLM""command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\"""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows""item"="????""hkey"="HKCU""command"="????""inimapping"="1"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="Skype""hkey"="HKCU""command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="SOUNDMAN""hkey"="HKLM""command"="SOUNDMAN.EXE""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="jusched""hkey"="HKLM""command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="SweetIM""hkey"="HKLM""command"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\type32]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="type32""hkey"="HKLM""command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="mcvsshld""hkey"="HKLM""command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\"""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="mcmnhdlr""hkey"="HKLM""command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask""inimapping"="0"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll]"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run""item"="RUNDLL32""hkey"="HKLM""command"="RUNDLL32.EXE w03a1090.dll,I2 00085ca3003a1090""inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]HTTPFilter REG_MULTI_SZ HTTPFilter\0\0LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0NetworkService REG_MULTI_SZ DnsCache\0\0DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0rpcss REG_MULTI_SZ RpcSs\0\0imgsvc REG_MULTI_SZ StiSvc\0\0termsvcs REG_MULTI_SZ TermService\0\0bthsvcs REG_MULTI_SZ BthServ\0\0WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ATWPKT2Contents of the 'Scheduled Tasks' folderC:\WINDOWS\tasks\A68FA4CC91845D2C.jobC:\WINDOWS\tasks\AppleSoftwareUpdate.jobC:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Kristy at 15 45.jobC:\WINDOWS\tasks\McAfee.com Update Check (COMPUTER-Ed).jobC:\WINDOWS\tasks\McAfee.com Update Check (COMPUTER-Kristy).jobC:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job********************************************************************catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, 
http://www.gmer.netRootkit scan 2007-04-30 13:11:46Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...scanning hidden services ...scanning hidden autostart entries ...scanning hidden files ...scan completed successfullyhidden processes: 0hidden services: 0hidden files: 0********************************************************************Completion time: 07-04-30 13:13:04C:\ComboFix-quarantined-files.txt ... 07-04-30 13:13C:\ComboFix2.txt ... 07-04-25 18:53

0

Kristy, do you have, or can you borrow, a Windows installation CD? 'cos I think to get Explorer working better you need to run System File Checker. That is, Start, Run, type sfc /scannow and press Enter. That would/should fix any errors that some components may have.
Checking those logs you provided now...
Meanwhile, could you pls run Avenger again with this script pasted in?

Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE

0

Hi everyone, my pc is running slower than usual. It keeps reading the hard disk and takes more than 10 sec to load a webpage.

Pls kindly advise and let me know if you need more info. Thanks a million :) Pls see the spykill's system analyzer log (not sure if this is the same as HijackThis) below:

Report generated on 5/1/2007 4:41:02 AM

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=sg
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsg10.hpwis.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/msgr7/*http://tw.search.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/msgr7/*http://tw.search.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qsg10.hpwis.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsg10.hpwis.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/msgr7/*http://tw.search.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
BrowserHelperObject: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [ file size: 399,424 bytes ]
BrowserHelperObject: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [ file size: 50,376 bytes ]
BrowserHelperObject: name not found - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - [ file size: File not found! ]
BrowserHelperObject: name not found - {A5366673-E8CA-11D3-9CD9-0090271D075B} - [ file size: File not found! ]
IE Toolbar: name not found - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - [ file size: File not found! ]
IE Toolbar: name not found - {8E718888-423F-11D2-876E-00A0C9082467} - [ file size: File not found! ]
IE Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [ file size: 399,424 bytes ]
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ file size: 48,752 bytes ]
HKLM\...\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe [ file size: 85,696 bytes ]
HKLM\...\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe [ file size: 693,528 bytes ]
HKCU\...\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [ file size: 145,056,491 bytes ]
HKCU\...\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [ file size: 3,334,144 bytes ]
HKCU\...\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe [ file size: 13,312 bytes ]
HKCU\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ file size: 145,056,491 bytes ]
Local user startup: Shortcut to BitComet.lnk = C:\Program Files\BitComet\BitComet.exe [ file size: 2,600,960 bytes ]
Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - [ file size: File not found! ]
Extra 'Tools' menu item: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - [ file size: File not found! ]
Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll [ file size: 316,552 bytes ]
Extra 'Tools' menu item: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll [ file size: 316,552 bytes ]
Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe [ file size: 1,482,752 bytes]
Extra 'Tools' menu item: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe [ file size: 1,482,752 bytes ]
DownloadedProgramFiles: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (name not found) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DownloadedProgramFiles: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DownloadedProgramFiles: {D27CDB6E-AE6D-11CF-96B8-444553540000} (name not found) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Protocol handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
Protocol handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
ShellServiceObjectDelayLoad: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll
ShellServiceObjectDelayLoad: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
ShellServiceObjectDelayLoad: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
ShellServiceObjectDelayLoad: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\System32\webcheck.dll
ShellServiceObjectDelayLoad: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll
SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\System32\browseui.dll
SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\System32\browseui.dll
Service: Symantec Event Manager (ccEvtMgr) - Description: Symantec Event Manager Service - Company: Symantec Corporation - Filename: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Service: Symantec Settings Manager (ccSetMgr) - Description: Symantec Settings Manager Service - Company: Symantec Corporation - Filename: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Service: Symantec AntiVirus Definition Watcher (DefWatch) - Description: Virus Definition Daemon - Company: Symantec Corporation - Filename: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Service: Remote Procedure Call (RPC) (RpcSs) - Description: Unknown - Company: Unknown - Filename: Unknown
Service: StarWind iSCSI Service (StarWindService) - Description: StarWind iSCSI Target (Alcohol Edition) - Company: Rocket Division Software - Filename: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Service: Windows Image Acquisition (WIA) (stisvc) - Description: Unknown - Company: Unknown - Filename: Unknown
Service: Symantec AntiVirus (Symantec AntiVirus) - Description: Symantec AntiVirus - Company: Symantec Corporation - Filename: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Service: TrueVector Internet Monitor (vsmon) - Description: TrueVector Service - Company: Zone Labs Inc. - Filename: C:\WINDOWS\system32\ZoneLabs\vsmon.exe

0

Kristy, it is not important but you can skip my last post #38 to you re avenger - a more complete version follows this.
Please make a restore point before you do the next step. I need you to run this batch file - it will list several registry keys to a text file in your C:\ root folder, C:\krquery.txt, and then remove them from the registry. To run the batch file simply copy all the text between the stars below to a notepad [turn OFF wordwrap!!], name it bugremv.bat and save it [as All files] to your desktop. Then just double-click the icon to run it. Post me the txt file please.

******************************************************************
REM file to test if all entries exist and then delete them

reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" /v wskveucd >c:\krquery.txt
reg query "HKEY_USERS\.default\software\microsoft\windows\currentversion\run" /v Nqnzqv >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll" >> c:\krquery.txt

reg delete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" /v wskveucd /f
reg delete "HKEY_USERS\.default\software\microsoft\windows\currentversion\run" /v Nqnzqv /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" /va /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll" /f

******************************************************************
Now, do you have a task scheduled such as a regular backup? I can see Apple, CA, McAfee and RegistrySmart, but there is another one....? Please check Scheduled Tasks via control panel and check this one:
[C:\WINDOWS\tasks\] A68FA4CC91845D2C.job -use detail view, tell me if it is yours; if it is not, or it looks doubtful, remove it [rclick, delete].

What is this? Do you know it? No? - then delete it.
C:\zip.exe

Delete C:\qoobox folder

0

..and here is a more complete list of files to paste into Avenger:

Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
C:\WINDOWS\system32\drivers\oryeobyk.sys
C:\WINDOWS\system32\drivers\ovygriae.sys
C:\WINDOWS\system32\drivers\fakofips.sys
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak2

When that completes, please UPDATE AVG AS, make sure that Recommended action is set to Quarantine [instructions in earlier post]; then run CCleaner, and lastly scan with AVG.
Post all those logs.

0

I already did post 38.. how do I make a restore point??... and no, I can't get a Windows CD :(

0

To make a restore point: Start > programs > accessories > system tools > system restore and follow instructions there.
[[the quick way in is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
No prob with having done #38, just follow on. And nobody you know has a cd you can borrow? no nerdy kids nearby? Tell me about your puter, was it loaded with XP SP2 when you got it? If so, there is a chance that the necessary system repair files are in a hidden partition on it...

0

I hope that restore point worked through Start, Run as System Restore doesn't work!! I've asked everyone I know for a CD! The PC was already loaded with XP when purchased.

0

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uqoivdrc

*******************

Script file located at: \??\C:\bclgskhk.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\windows\.protected not found!
Deletion of file C:\windows\.protected failed!
Could not process line:
C:\windows\.protected
Status: 0xc0000034

File C:\symlcsv1.exe not found!
Deletion of file C:\symlcsv1.exe failed!
Could not process line:
C:\symlcsv1.exe
Status: 0xc0000034

File C:\WINDOWS\system32\ogycsrw.exe not found!
Deletion of file C:\WINDOWS\system32\ogycsrw.exe failed!
Could not process line:
C:\WINDOWS\system32\ogycsrw.exe
Status: 0xc0000034

File C:\WINDOWS\system32\hzhkhdet.exe not found!
Deletion of file C:\WINDOWS\system32\hzhkhdet.exe failed!
Could not process line:
C:\WINDOWS\system32\hzhkhdet.exe
Status: 0xc0000034

File C:\WINDOWS\IFinst27.exe not found!
Deletion of file C:\WINDOWS\IFinst27.exe failed!
Could not process line:
C:\WINDOWS\IFinst27.exe
Status: 0xc0000034

Error: C:\3b10545d3d62bb28bf60f37c is a folder, not a file!
Deletion of file C:\3b10545d3d62bb28bf60f37c failed!
Could not process line:
C:\3b10545d3d62bb28bf60f37c
Status: 0xc00000ba

File C:\WINDOWS\system32\linkprd.exe not found!
Deletion of file C:\WINDOWS\system32\linkprd.exe failed!
Could not process line:
C:\WINDOWS\system32\linkprd.exe
Status: 0xc0000034

File C:\WINDOWS\system32\pmbvkxh_nav.dat not found!
Deletion of file C:\WINDOWS\system32\pmbvkxh_nav.dat failed!
Could not process line:
C:\WINDOWS\system32\pmbvkxh_nav.dat
Status: 0xc0000034

Could not open file C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE for deletion
Deletion of file C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE failed!
Could not process line:
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
Status: 0xc000003a

File C:\WINDOWS\system32\drivers\oryeobyk.sys deleted successfully.
File C:\WINDOWS\system32\drivers\ovygriae.sys deleted successfully.
File C:\WINDOWS\system32\drivers\fakofips.sys deleted successfully.
File C:\WINDOWS\system32\tmp.reg deleted successfully.
File C:\WINDOWS\system32\Process.exe deleted successfully.
File C:\WINDOWS\system32\dumphive.exe deleted successfully.
File C:\WINDOWS\system32\SrchSTS.exe deleted successfully.
File C:\WINDOWS\system32\ttvwa.ini2 deleted successfully.
File C:\WINDOWS\system32\ttvwa.bak1 deleted successfully.
File C:\WINDOWS\system32\ttvwa.bak2 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
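An added example, not part of this thread: a small Python parser for the Avenger log above that maps each Status code to its NTSTATUS name, so a "not found" (a file an earlier run already removed) can be told apart from the failures that still need a manual look. The log excerpt is constructed from the entries posted above.

```python
import re

# NTSTATUS values that turn up in Avenger logs and what each means for the cleanup.
NTSTATUS = {
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND", "already gone"),
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND", "a folder in the path does not resolve"),
    0xC00000BA: ("STATUS_FILE_IS_A_DIRECTORY", "listed as a file but it is a folder"),
}
SUCCESS_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

def parse_avenger_log(text):
    """One record per script entry: {'path', 'ok', 'status', 'meaning'}."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUCCESS_RE.match(line)
        if m:
            records.append({"path": m.group(1), "ok": True, "status": None, "meaning": "deleted"})
            continue
        m = FAILED_RE.match(line)
        if m:   # the matching 'Status:' line follows a few lines later
            pending = {"path": m.group(1), "ok": False, "status": None, "meaning": "unknown failure"}
            records.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            name, meaning = NTSTATUS.get(int(m.group(1), 16), ("UNKNOWN", "look up this NTSTATUS"))
            pending["status"], pending["meaning"] = name, meaning
            pending = None
    return records

def needs_follow_up(records):
    """Failed paths other than 'already gone', i.e. the ones that still need a manual look."""
    return [r["path"] for r in records if not r["ok"] and r["meaning"] != "already gone"]

# Constructed excerpt in Avenger's layout; the paths and codes are the ones posted above.
SAMPLE_LOG = r"""
File C:\WINDOWS\system32\ogycsrw.exe not found!
Deletion of file C:\WINDOWS\system32\ogycsrw.exe failed!
Could not process line:
C:\WINDOWS\system32\ogycsrw.exe
Status: 0xc0000034
Error: C:\3b10545d3d62bb28bf60f37c is a folder, not a file!
Deletion of file C:\3b10545d3d62bb28bf60f37c failed!
Could not process line:
C:\3b10545d3d62bb28bf60f37c
Status: 0xc00000ba
Could not open file C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE for deletion
Deletion of file C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE failed!
Could not process line:
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
Status: 0xc000003a
File C:\WINDOWS\system32\drivers\oryeobyk.sys deleted successfully.
"""

if __name__ == "__main__":
    print(needs_follow_up(parse_avenger_log(SAMPLE_LOG)))
```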

0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    wskveucd    REG_SZ    C:\fbbqkmik.bat

! REG.EXE VERSION 3.0

HKEY_USERS\.default\software\microsoft\windows\currentversion\run
    Nqnzqv    REG_SZ    C:\DOCUME~1\Kristy\APPLIC~1\PPPATC~1\NPDB~1.EXE

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    TTRIB~1
    hkey    REG_SZ    HKCU
    command    REG_SZ    C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALServ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpiStat
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    TTRIB~1
    hkey    REG_SZ    HKCU
    command    REG_SZ    C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
    inimapping    REG_SZ    0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
    key    REG_SZ    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    item    REG_SZ    ????
    hkey    REG_SZ    HKCU
    command    REG_SZ    ????
    inimapping    REG_SZ    1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run
    key    REG_SZ    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    item    REG_SZ    ????
    hkey    REG_SZ    HKCU
    command    REG_SZ    ????
    inimapping    REG_SZ    1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    RUNDLL32
    hkey    REG_SZ    HKLM
    command    REG_SZ    RUNDLL32.EXE w03a1090.dll,I2 00085ca3003a1090
    inimapping    REG_SZ    0
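An added example, not part of this thread: a Python parser for the REG.EXE 3.0 output posted above, which rebuilds each autostart entry (live Run values and the msconfig "startupreg" stubs, which are items msconfig has disabled) and applies a few constructed triage heuristics. The Run value and the w03a1090.dll stub in the sample are the ones posted above; the NvCplDaemon value data is made up as a benign comparison.

```python
import re

VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")   # name  type  data

def parse_reg_query(text):
    """Parse 'REG.EXE VERSION 3.0' query output into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("! REG.EXE"):
            continue                        # blank line or version banner
        if line.startswith("HKEY_"):
            current = line.rstrip()         # a key, or a subkey listed under one
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3)
    return keys

def autostarts(keys):
    """Yield (key, item, command) for Run values and for msconfig 'startupreg' stubs.
    A startupreg stub is an item msconfig has disabled; it records where the item lived."""
    for key, values in keys.items():
        if key.lower().endswith("\\run"):
            for name, data in values.items():
                yield key, name, data
        elif "command" in values and "hkey" in values:
            yield values["hkey"] + "\\" + values["key"], values["item"], values["command"]

USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\", "\\temp\\")

def why_suspicious(command):
    """Constructed triage heuristics for an XP autostart command; None = nothing stood out."""
    c = command.strip().lower()
    tokens = c.split()
    if len(tokens) > 1 and tokens[0].startswith("rundll32") and "\\" not in tokens[1]:
        return "rundll32 loads a DLL by bare name, resolved through the search path"
    if any(p in c for p in USER_WRITABLE):
        return "runs from a user-writable profile folder"
    if re.match(r"^[a-z]:\\[^\\]+\.(bat|cmd|exe|scr)$", c):
        return "runs from the root of a drive"
    return None

def triage(text):
    """(key, item, command, reason) for every autostart found in the reg query output."""
    return [(k, i, c, why_suspicious(c)) for k, i, c in autostarts(parse_reg_query(text))]

# Constructed sample in REG.EXE 3.0 layout; the NvCplDaemon data is made up, the rest is from the thread.
SAMPLE = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    wskveucd       REG_SZ    C:\fbbqkmik.bat
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll
    key         REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item        REG_SZ    RUNDLL32
    hkey        REG_SZ    HKLM
    command     REG_SZ    RUNDLL32.EXE w03a1090.dll,I2 00085ca3003a1090
    inimapping  REG_SZ    0
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```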

0

I am out, totally out, of mouse batteries. It took me 5 minutes to navigate here with the keyboard!! So I'm off to bed; tomorrow I shall look at those logs.
What is inside folder C:\3B54105..... or similar?
Most of those "not found" files in the Avenger log you just posted were deleted in the #38 run - that's fine. What is the file in the middle of that list above - C:\Docs and SETS\...\KRISTY\....TTRIB~1.exe ?? I think that is a problem to us... I'll work on it.

0

I have no idea what that file is and don't know where it is either! Oh, and AVG keeps crashing now!!

0

AVG broke? -that can happen. Uninstall it and reload, update; if you did not keep the original installer somewhere to reuse just dl a new copy.
Kristy, navigate to this file and delete it: C:\Documents and settings\Kristy\My documents\Scurit....?\ATTRIB....?.exe
If that works then delete the folder Scurit..?
Could not do it? Then download this program Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ -install it. Then just rclick on ATTRIB....exe and select Unlocker from the menu, delete and Ok.
Still could not do it? Then save the text below as a batch file: copy all the text between the stars below to a notepad [turn OFF wordwrap!!], name it bugremv.bat and save it [as All files] to your desktop.
Restart in Safe mode and double-click the icon to run it. It will list to a text file in your C:\ root folder, C:\krquery.txt - post me that file please. If you need to use this method I have made the cmd screen pause [hit any key..] so that you can read if it carries out the delete command successfully - tell me if..

**************************************************************
REM list the suspect Run value to a text file, then remove the file and its folder
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v TTRIB~1 > c:\krquery.txt
REM the batch starts in the folder it was launched from, so go to My Documents explicitly
cd /d "%USERPROFILE%\My Documents"
del /F SCURIT~1\TTRIB~1.EXE
rmdir /S /Q SCURIT~1
pause
**************************************************************
Do you have in your puter an i386 folder somewhere? It could be C:\i386, or you may have a hidden partition D:\ [to see if that exists start Disk Management: go run, diskmgmt.msc -and Enter]. Tell me what you find cos we need i386 [it's up to 500MB, thousands of files...]
Still no luck with Vundofix running? -try downloading a fresh copy....

0

Kristy, let's try something else to get IE running... this is to check that the processes IE uses are correctly registered in your well, registry.. :). I wanted the CD or the i386 folder to check that the process libraries [dll's] were not broken, but we'll do this first.
Go Start, run, and paste in the first line below and press Enter. Wait as each dll is registered - it will display a window indicating the file ran successfully [or failed - don't worry about that..], after which you click OK.

regsvr32 urlmon.dll mshtml.dll shdocvw.dll browseui.dll jscript.dll vbscript.dll scrrun.dll msxml.dll actxprxy.dll softpub.dll wintrust.dll dssenh.dll

Now paste this line.... same process to follow.

regsvr32 rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll oleaut32.dll ole32.dll shell32.dll msjava.dll hlink.dll Schannel.dll Rsabase.dll initpki.dll

Tell me how you get on with IE now.
