Beetlebum 0 Light Poster

After destroying my power supply when trying to clean the pc above I finally fitted a new one but still have the same problem above. I have a boot disc for windows and will try the following fix to see if it works sometime over the weekend:

1. Boot using your winxp cd.
2. Enter recovery console.
3. at the command prompt go to
C:/windows/system32
4. next type:
copy userinit.exe wsaupdater.exe
5. exit and reboot normally. You should now be able to logon. But you're not done yet!
6. run regedit
7. find the Userinit key in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\
8. modify the entry:
C:\WINDOWS\System32\wsaupdater.exe
so that it reads:
C:\WINDOWS\System32\userinit.exe

Just wondering if anyone has any comments before I do something else to knacker my desktop? I found the fix at computing.net by Tom's guide. I have a laptop as well so can check here more often than before when I was checking at work and following printed out instructions....sigh....it's either this fix or pay the man a lot of money to reformat hd I think....bigger sigh.

Beetlebum 0 Light Poster

I've just had a look through MS Update pages and I think that 2 of the 4 updates I downloaded yesterday were the malicious software removal tool and the other one was a Cumulative Security Update for Active X killbits Windows XP. I remember seeing the second one as had never heard of it before. There were a whole lot of updates released for XP HE yesterday and the list is here:
http://www.microsoft.com/downloads/results.aspx?NextOrPrevClause=1%7c-02%2f10%2f2009%2010%3a38%3a08.927&DisplayLang=en&categoryid=7&sortCriteria=date&sortOrder=descending&nr=20

Beetlebum 0 Light Poster

Hi folks. Hope someone can help. Yesterday I restarted my pc after downloading the latest windows update. Instead of doing what I would normally do and installing it while logged in I let the computer wait to install the updates and then turn itself off. Now when I start the pc and click on my name to log in windows starts to log in and I see the picture from the desktop background and then it immediately logs out again without even getting to the taskbar. The same thing happens when I boot into safe mode. At the same time that I was installing the windows update (there were 4 files contained in the update and they were just what MS call essential updates) I had uninstalled a couple of games without restart and had updated nokia pc suite also without restart.

Obviously as I can't log in I can't post any scans but this link has the most recent HJT logs that I have http://www.daniweb.com/forums/thread168044.html

I think the only way to get access to find out what's happening is to be able to get into have a look using DOS commands but I have no knowledge of this. I think I should be able to get a DOS prompt from booting into safe mode. I will be at work for the next 7 hours at least so if anyone can post something in that time that I can give a go when I get home …

Beetlebum 0 Light Poster

Thanks Crunchie. Again. I now have a new problem but will link back here as can't access my system now.

Beetlebum 0 Light Poster

Could it be because I can't disable the system restore? Apart from Spysweeper the only other thing that I have is peerguardian on top of the AVG that I already mentioned.

Beetlebum 0 Light Poster

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:43:16, on 15/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 …

Beetlebum 0 Light Poster

I did close everything but will give it a go with spysweeper turned off.

Beetlebum 0 Light Poster

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18:33, on 14/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - …

Beetlebum 0 Light Poster

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:03:41, on 14/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program …

Beetlebum 0 Light Poster

From the front page of this section I have had the gay porn fetish thing and the prunnet.exe (also from a website that suddenly got taken down) and now badly affected (somehow) by the generic host processes. I also have the red X next to the clock that I have had previously with a pop up message about running a spysweep. I have been using the AVG 8 program and running it in safe mode. Have also run MBAM recently. Not so long ago I removed spybot search and destroy as thought it was having an effect on IE. Anyway here are a couple of logs. I tried to reinstall spybot yesterday but got some weird kind of errors. Even running in safe mode the NT/ SYSTEM came up with a message (this was the first time I had seen anything like this in many years of using a pc) saying that my system was going to shut down but AVG did complete. I enclose the AVG scan below as well as my latest HJT log. I had problems not so long ago that mostly were fixed by coming on here but have a bad feeling that I am going to have to format the hd this time as too many problems. I can log on from home but have already got ATF cleaner on a pen drive to try and use this evening.

AVG 8.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2008 AVG Technologies

Beetlebum 0 Light Poster

I have a similar problem to this. Will get online in safe mode tonight and post some new logs up here to see if yet again I can get problem with pc fixed.

Beetlebum 0 Light Poster

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\buritos.exe" not found!
Deletion of file "C:\WINDOWS\system32\buritos.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\Program Files\rgwwnlc" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I guess buritos.exe must have been fixed by the malware removal program that I used earlier.

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:16, on 21/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

Beetlebum 0 Light Poster

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 3

08:08:38 20/08/2008
mbam-log-08-20-2008 (08-08-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 266006
Time elapsed: 2 hour(s), 34 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 94

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\gbynkvsh\gretqdkx.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sah86 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sah86 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sah86 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted …

Beetlebum 0 Light Poster

I can't open spybot search and destroy. All the functions are there in the icon in the task bar but the only one that doesn't function is the Run Spybot S&D. It doesn't work from here or from the desktop.

Beetlebum 0 Light Poster

Ok. Last night I clicked a link to an archived page on a forum that I moderate on and there was some kind of nasty trojan on there. I pulled the plug on my it connection but have now got some major issues. These include task manager being disabled, windows firewall being disabled, I don't seem to have admin access and can't run programs such as Spybot search and destroy, Combofix or Vondofix. As well as this IE has some kind of redirect on it when you do a search and the homepage has also been changed. The desktop background has also been compromised. I did manage to run webroot spysweeper and it fixed a nasty hacker trojan and a few other things. At the time of whatever it was coming into my pc teatimer (from spybot) showed a load of reg changes happening that I tried to block but it seems that it was bypassed. I have posted my HJT log below and there are a couple of entries such as burito.exe that I need to remove from my quick inspection but I really need expert opinions. Just out of note Imabunny.exe. is renamed HJT so that is not one to worry about.

I am already thinking that this is going to be a format the hd only solution but wanted to get some opinions first. I am at work at the moment so won't be able to do any of your suggestions until around 1800 uk …

Beetlebum 0 Light Poster

Been getting some extra help from someone else. The first thing so far was downloading and running the LOP uninstaller which cleared the pop up windows. (The 4file thing was a lop infection) The other steps are the ones that you suggested and then running a scan with Dr Web Cureit that has identified a few more problems mostly in the system restore directory but has fixed my flash drive problem. I will let you know the other steps and post some logs of what I found and what the other person said to fix the problems.

Thanks for your help Suspishio it has been greatly appreciated and we at least managed to get started on getting rid of the problems. Thank goodness it wasn't virtumundo tho.

Beetlebum 0 Light Poster

I removed the one you posted the 4 file one. Interestingly enough I have spybot in time running(tells me about changes to the reg) and shortly after I removed it I got an alert that it was trying to reinstall. Ran AVG again-just a few cookies and 3 cookies with spybot search and destroy. Just posting the logs here for you to have a look at while I am sleeping..lol. It sucks when your pc doesn't work properly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:21:23, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John\Desktop\imabummy.exe.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 
       
Beetlebum 0 Light Poster

Started 19th October between 1100hrs and 1400hrs.

Then I was away for a while and when I came back I knew I had a problem. I then started running scans from Saturday 27th October and installed the virgin media pc guard software. Sometime in the evening of 27/10 I put my flash drive in got a warning message about that xls thing mentioned earlier and I quarantined it straight away.

I can't remember if I put something on the flash drive on the 19th that the new anti virus picked up when I got back or if that is a wholly different problem from the other pc while I was away.

On the 19th I still had my normal windows explorer interface although I only used it for about 2 hours after when I thought the problem had occurred until 27th. Whatever happened when I came back was an exacerbation of what started on 19th. Most of these started happening when I tried to delete what is shown as RB3E.tmp and RB4.tmp from the recycle bin and they wouldn't delete. When I click on either of these and look at the properties it says that the origin is the RECYCLER. The problems I have are two that my navigation around windows is messed up-no address bar File View Options etc and when I open Internet explorer I get the pop ups to ads.

That task is back in the windows task window but it has now …

Beetlebum 0 Light Poster

There was just that one that you pointed out that I deleted and the other two were an Apple software updater that I always cancel and a task for an adware program that I thought might be worth a shot earlier today...it wasn't it was one of those that you have to buy when you get to the end. The one that you were wondering about had the c:\docume~1\john\applic~1\4file\Tick Scr Ace.exe when I clicked on the properties. I am not sure what you mean by entry line data..

Beetlebum 0 Light Poster

"c:\docume~1\john\applic~1\4file\Tick Scr Ace.exe"

I have no idea what it is so I have deleted it. It runs every hour from midnight on 00:00 on 19th. This is just before I went away for a couple of weeks and I have a feeling it may have been after I clicked on something called winzix that has some kind of trojan bundled in it. This was the mistake that I referred to earlier in this thread. I only had 3 scheduled tasks and have got rid of them all. I will do a reboot and see what happens. Do you want some more scans?

Beetlebum 0 Light Poster

ok. I deleted the mountpoint and that worked and it hasn't come back after a restart. Something positive has now happened and I can double click the main drive and move into it without having to right click and press explore. The navigation buttons and address bar are still not there tho. My new HJT and Combofix logs are below....they both look pretty clean now...next steps anyone please? Thanks again suspishio.

ComboFix 07-10-29.1 - John 2007-10-29 19:49:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe

(((((((((((((((((((((((((   Files Created from 2007-09-28 to 2007-10-29  )))))))))))))))))))))))))))))))

2007-10-29 17:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 16:04    <DIR>    d--------   C:\Documents and Settings\John\Application Data\AdwareAlert
2007-10-29 13:06    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-29 13:02    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-29 12:10    <DIR>    d--------   C:\VundoFix Backups
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Grisoft
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:57    10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-28 21:14    <DIR>    d--------   C:\Program Files\Spyware Doctor
2007-10-28 17:26    <DIR>    d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 20:44    <DIR>    d--h-----   C:\WINDOWS\PIF
2007-10-27 20:31    55,296  --a------   C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-27 20:31    48,384  --a------   C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Raxco
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Scanner
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Authentium
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\CA
2007-10-27 20:30    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-27 20:27    <DIR>    d--------   C:\Documents and Settings\John\Application Data\InstallShield
2007-10-27 20:26    <DIR>    d--------   C:\Program Files\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents …

Beetlebum 0 Light Poster

Combofix has found this little bugger:
---------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6f4e191-a188-11db-a13d-0017316a33df}]
Auto\command - sal.xls.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
---------------------------------------------------------

If anyone knows should I delete this from the reg? I have tried following the trend advice but can't seem to open anything with the autorun.inf

I typed:
'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6f4e191-a188-11db-a13d-0017316a33df}\autorun.inf' but don't think this is correct.

The trend advice is here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FVB%2ECII&VSect=Sn

I already did the first bit where I removed the two reg entries but haven't done anything else yet due to my lack of knowledge...

Beetlebum 0 Light Poster

Is there any chance that the pc the flash drive was in before was the source? If it was that means big probs for my mum. God knows how I am going to tell her to fix it. Thanks for your help so far Suspishio. It was 27th october when I saw a notification of this.

Beetlebum 0 Light Poster

I have run HJT and Combofix and removed one BHO that had 'no file' listed with it. I have posted the HJT and Combofix logs beneath.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:18, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\John\Desktop\imabummy.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in …

Beetlebum 0 Light Poster

Found it in the meantime. I, like another poster, don't have the facilities to remove the hd or put it in a secure connection like you suggest. Any other suggestions?

Beetlebum 0 Light Poster

Having a few problems booting into safe mode but I have run Vundofix and Virtumundobegone as suggested by Crunchie and neither of them detected anything. Don't suppose you have a link to your post of 27 August? Had a look at your previous posts but couldn't find it.

Beetlebum 0 Light Poster

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:37, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper …

Beetlebum 0 Light Poster

I have run the Trend online virus scanner (left it running when I went to sleep as was taking so long) and it identified three things:

Adware_savenow

EXPL_CabFile

TSPY_WinTrim.AJ

Will post back when I have fixed what I can. Unfortunately there is nothing in the database for the EXPL_cabfile. Will post another HJT log after I have fixed this stuff and done a restart.

Beetlebum 0 Light Poster

I think I installed some kind of Trojan by mistake (which I think I have removed) and it is now bringing pop up internet explorer windows to all kinds of advertising. Rather more worryingly it has had a strange effect on windows explorer and when I double click on the main drive it doesn't open and I have to click explore instead. As yet I haven't done a sys restore as have a lot of stuff on my pc I don't want to lose.
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:40, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\John\My Documents\My Received …

Beetlebum 0 Light Poster

I have followed the advice in this thread, installing and using CCleaner and ewido. Here are my HJT and ewido logs. Was wondering if someone can have a look at them for me and let me know if everything is ok please?

ewido log:
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           12:28:11, 16/06/2006
+ Report-Checksum:      DE2E4DEF


+ Scan result:


[280] C:\Program Files\HighMAT CD Writing Wizard\HMTCD.exe -> Adware.Agent : Cleaned with backup
C:\WINDOWS\system32\drivers\helpsys\msnexplorer.exe -> Backdoor.Agent.vk : Cleaned with backup
C:\Documents and Settings\John Boy\My Documents\My Received Files\pic1392.exe -> Backdoor.Agent.vk : Cleaned with backup
C:\Program Files\ratDVD\wXEBSettings.exe -> Adware.Agent : Cleaned with backup
C:\Program Files\Yahoo!\Messenger\ycomp.dll -> Adware.Yahoo : Cleaned with backup
C:\Program Files\HighMAT CD Writing Wizard\HMTCD.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{847EFD80-7A7E-4349-AFA1-E4168C583A44}\RP761\A0118301.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{847EFD80-7A7E-4349-AFA1-E4168C583A44}\RP761\A0118324.exe -> Adware.Agent : Cleaned with backup



::Report End


HJT log:
Logfile of HijackThis v1.97.3
Scan saved at 12:30:12, on 16/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\dudez\protowall\ProtoWall.exe
C:\PROGRA~1\ASHAMPOO\ASHAMP~1\TASKPL~1.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\myspac.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\John Boy\Desktop\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lmu.ac.uk/lis/lss/portal/students.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
       
Beetlebum 0 Light Poster

I have this too. Am trying to get advice somewhere else and will let you know if there is a reply there first. However there is info here: http://www.daniweb.com/techtalkforums/thread45144.html

Beetlebum 0 Light Poster

After messing around with the internet for a while I finally had the courage to open up my pc case and find that my processor fan is probably toasted and completely clogged up with dust, probably from the cold damp basement I used to live in and that I probably won't be able to complete my 3500 word assignment due in a week on Thursday. Hence I found my way here!!! Hello all...hope my time here will be fruitful and after realising that there is nothing to be afraid of inside my case I might just have to do some more experimenting (inside the case not with anything else :o )

Beetlebum 0 Light Poster

How do all? For quite a while my pc has been making a lot of noise when starting up and then just before Christmas and going on holiday for three weeks it started crashing unexpectedly...anyway to cut a long story short I have got the Motherboard monitor program and figured out that every time my pc crashed it was due to overheating. I have since removed and cleaned the AKASA AMD Lo-noise 7 cm fan (up to XP3200) from the case and the CPU diode temperature has dropped from above 80 degrees to a stable 55-60 degrees. However the fan is not rotating at all. The two things that I need to know are 1. Can I run a test to see if this fan has been burnt out and if it still works? and 2. Where can anyone recommend to get a new one if I can figure out that it is blown? I have seen them reasonably priced online just not with cheap postage. I am a noob to messing around with motherboards so please try and explain things at toddler level in your replies.