Vesh Wolf

for some reason, when I attempt to run the GMER, it will scan all the way through, but the computer will not accept mouse clicks, mouse movement, or keyboard commands. Is there a way to to have it run in dos mode and automatically save the results?

Billy O'Neal

Hello, Vesh Wolf
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:

• In the meantime, please refrain from making any changes to your computer.
• Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Finally, please reply using the button in the lower left hand corner of your screen.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

No, GMER is a Windows NT app only. Won't work in DOS.

Try this one instead:

We need to run a Scan with DDS

1. Please download DDS, and save it to your desktop, from one of the following mirrors:
   • This is a mirror
   • This is another mirror
2. Disable any type of "Script Blockers" or "Script Protection" installed on your system.
3. Double click on your desktop.
4. If prompted by any script blocking tools, please allow any actions taken by DDS.
5. Two reports will open. Please reply with the generated reports:
   • DDS.txt <-- Copy and paste into your next post
   • Attach.txt <-- Attach to your next post

We Need to check for Rootkits with RootRepeal

1. Download RootRepeal from the following location and save it to your desktop:
   • RootRepeal
2. Extract RootRepeal.exe from the zip archive.
3. Open on your desktop.
4. Click the tab.
5. Click the button.
6. Check all six boxes:
7. Push Ok
8. Check the box for your main system drive (Usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

In your next reply, please include the following:

• DDS.txt
• Attach.txt
• RootRepeal Log

Billy3

Vesh Wolf

DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 16:31:35.05 on Tue 03/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.118 [GMT -4:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall Pro *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\xampp\apache\bin\apache.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Computer Lock Up\CompLockUp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.pogo.com/home/home.do
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/page.asp?page=reg_success&lang=9&version=5202407&setup_id=7&aff_id=101&addon=IncrediMail
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://as.weatherstudio.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDFaDWeHPPJB7LTDJIsV0lCTWxW9ld6xHZuTN05d6FRcMztRuXIiFKrWRpNFs8RXD9yBFUK1czfn/7jBwTQgM7GKVBqmYW41Gwg/uG7vweo7H5xjsfysb/04vXPebgqoulxUdrRres90Y5fkdURfvzIg==
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: Twisted Raiders Toolbar: {2f6cbe35-fc01-455c-ad66-d44cdd87cee5} - c:\program files\twisted_raiders\tbTwi1.dll
uURLSearchHooks: darkavalon.us Toolbar: {928afffe-5c8e-45ee-90ba-4695bb7e55e7} - c:\program files\darkavalon.us\tbdar1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Twisted Raiders Toolbar: {2f6cbe35-fc01-455c-ad66-d44cdd87cee5} - c:\program files\twisted_raiders\tbTwi1.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: darkavalon.us Toolbar: {928afffe-5c8e-45ee-90ba-4695bb7e55e7} - c:\program files\darkavalon.us\tbdar1.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
BHO: {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - No File
TB: {15757333-2BCA-4B77-A807-D0955132F812} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: Twisted Raiders Toolbar: {2f6cbe35-fc01-455c-ad66-d44cdd87cee5} - c:\program files\twisted_raiders\tbTwi1.dll
TB: darkavalon.us Toolbar: {928afffe-5c8e-45ee-90ba-4695bb7e55e7} - c:\program files\darkavalon.us\tbdar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: Burn4Free Toolbar: {55faf0f2-44d4-425f-b5f5-6b275b621eab} -
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [Computer Lock Up] c:\program files\computer lock up\CompLockUp.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando] "c:\program files\pando networks\pando\Pando.exe" /Minimized
uRun: [Desktop Architect] "c:\program files\desktop architect\datray.exe" -S
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [calnique] c:\program files\calnique\calnique.exe
uRun: [Calnique Alarm Clock] c:\program files\calnique\extras\alarmclock.exe
uRun: [DW6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Weather Clock]
uRun: [WeatherClock] c:\program files\weather clock\WeatherClock.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\lunaba~1.lnk - c:\program files\lunabar\Lunabar.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\webshots.lnk - f:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxpt141YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: MasterCook: Select Image - c:\program files\mastercook 9\web\MCIEContext.hta
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
Trusted Zone: moove.com
Trusted Zone: trymedia.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\ip9ybdob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1397988&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.pogo.com/home/home.do
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\ip9ybdob.default\extensions\{928afffe-5c8e-45ee-90ba-4695bb7e55e7}\components\FFAlert.dll
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\ip9ybdob.default\extensions\{fd0da580-5b4d-456a-89ad-880d05662db3}\components\FFAlert.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\ip9ybdob.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAbacheck.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-10-17 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-10-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-10-17 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-10-17 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-6-14 17408]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-10-17 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-10-17 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-10-17 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-10-17 4960]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-2-12 40576]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 keybmon;keybmon;c:\windows\system32\drivers\keybmon.sys [2007-9-16 4934]
R3 mousmon;mousmon;c:\windows\system32\drivers\mousmon.sys [2007-9-16 3491]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2007-10-28 31170]
S2 ICron;ICron;c:\cron\ICronService.exe [2000-5-28 341504]
S3 ONSREGED;ONSREGED;c:\windows\system32\drivers\ONSREGED.SYS [2006-7-26 7680]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2005-9-8 21120]
S4 vsdatant;vsdatant; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-03-05 07:22 <DIR> --d----- c:\program files\Weather Clock
2009-03-03 05:15 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SerpentOfIsis
2009-03-03 05:09 <DIR> --d----- c:\program files\games
2009-03-02 12:30 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\GigaTribe
2009-03-02 12:29 <DIR> --d----- c:\program files\GigaTribe
2009-02-22 01:06 61,440 a------- c:\windows\uninstall.exe
2009-02-21 07:58 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\mIRC
2009-02-21 07:58 <DIR> --d----- c:\program files\mIRC
2009-02-18 16:57 <DIR> --d----- C:\spoolerlogs
2009-02-17 22:59 2,938 a------- c:\windows\system32\b4413c42bb.ax
2009-02-17 22:52 27,136 a------- c:\windows\system32\lspiho.dll
2009-02-16 21:02 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\QQ Games Plugin
2009-02-16 21:00 <DIR> --d----- c:\program files\Tencent
2009-02-16 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tencent
2009-02-16 20:59 <DIR> --d----- c:\program files\AIMTunes
2009-02-16 20:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-02-12 01:06 40,576 a------- c:\windows\system32\drivers\vrtaucbl.sys
2009-02-12 01:06 <DIR> --d----- c:\program files\Virtual Audio Cable
2009-02-09 19:58 249,856 a------- c:\windows\Sweetheart.scr
2009-02-09 19:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Softdisk LLC

==================== Find3M ====================

2009-02-21 23:51 509 a------- c:\program files\Shortcut to Weather Pulse.lnk
2009-02-12 00:32 31,744 a------- c:\windows\system32\avc2av.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 05:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 06:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-03-04 22:12 0 a------- c:\program files\temp01
2004-09-28 16:22 911,360 a------- c:\program files\enhancer.8bf
2004-08-06 13:44 1,023,488 a------- c:\program files\Stamp.8bf
2004-07-06 16:07 657,408 a------- c:\program files\Chameleon.8bf
2004-07-01 21:50 881,664 a------- c:\program files\Retoucher.8bf
2007-10-28 07:53 2 a--shrot c:\windows\winstart.bat
2006-11-04 15:00 88 ---shr-- c:\windows\system32\32DB8F4B65.sys
2006-11-04 20:18 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-18 05:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 16:31:46.63 ===============

Attached Files

	Attach.txt (15.2 KB, 2 views)
	rootrepeal.txt (3.8 KB, 5 views)

Billy O'Neal

Hello, Vesh Wolf
Gmer failed due to inferference from Sygate Personal Firewall.

Don't see a whole lot of issues in that log. Mostly housekeeping stuff.

Can you please describe the symtoms you're associating with the malware, if any?

We need to back up your registry

1. Please download ERUNT and save it to your desktop.
   (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
   (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
   (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
   (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

We need to create an OTListIt2 Report

1. Please download OTListIt2 from one of the following mirrors:
   • This is THE Mirror
2. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Click the "Scan All Users" checkbox.
5. Push the button.
6. Two reports will open, copy and paste them in a reply here:
   • OTListIt.txt <-- Will be opened
   • Extra.txt <-- Will be minimized

In your next reply, please include the following:

• OTListIt.txt
• Extra.txt

Billy3

Vesh Wolf

Browser crashes, Firefox, whenever there is a download. spoolsv.exe crashing, causing several other programs to crash as well. There's no printer attatched to this computer.

Plus an inability to boot into safe mode, no matter if it has networking or not.

Here's the text files you asked for

Attached Files

	Extras.Txt (73.6 KB, 1 views)
	OTListIt.Txt (116.8 KB, 1 views)

Billy O'Neal

Hello, Vesh Wolf
Looks like we need some bigger guns than OTLI for this job then :) .. was going to use OTLI for housekeeping but if you've got those kind of issues this will be better :)

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author:

How to run ComboFix:

1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
   • This is a mirror.
   • This is another mirror.
   • This is yet another mirror.
2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
3. Double click on your desktop.
4. Read and accept (Press Yes) to the disclaimer.
5. For Windows XP Systems: Install the Recovery Console:
   • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
   • When prompted to accept the EULA, press OK.
   • Accept Microsoft's EULA (Press Yes).
   • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
6. ComboFix will run. Simply wait for it to finish.
7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:

• ComboFix.txt

Billy3

Vesh Wolf

Here's the combofix.txt

Attached Files

combofix.txt (30.7 KB, 6 views)

Billy O'Neal

Hello, Vesh Wolf
We need to re-run ComboFix with some additonal directives.

1. Please disable any running anti-virus programs.

   If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
4. Open notepad and copy/paste the text in the quotebox below into it:
   
   Code:

   file::
   c:\windows\uninstall.exe
   c:\windows\system32\b4413c42bb.ax
   c:\program files\temp01
   c:\program files\enhancer.8bf
   c:\program files\Stamp.8bf
   c:\program files\Chameleon.8bf
   c:\program files\Retoucher.8bf
   c:\windows\winstart.bat
   folder::
   c:\program files\AskPBar
   c:\program files\AskBarDis
   c:\documents and settings\HP_Administrator\Application Data\QQ Games Plugin
   c:\program files\darkavalon.us
   c:\program files\Twisted_Raiders
   c:\Program Files\Tencent\QQ Games
   registry::
   [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
   "BootExecute"=hex(7):61,75,74,6F,63,68,65,63,6B,00,61,75,74,6F,\
     63,68,6B,00,6C,73,64,65,6C,65,74,65,00,00
   [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
   "c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=-
   "c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=-
   "c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=-
   regnull::
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7129CE56-6141-5E78-1B43C38ACD84D6F1}\{8114B6F0-1072-5EBB-3EE28A5CFE52E012}\{69EA7742-3579-BB32-476F346B94EBE888}*]
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{729CD5EE-CFD4-2598-E99D0DF7791A50E3}\{F8FFDD05-44DF-5042-E601749BEB85FEB7}\{D29FFC2E-79FD-DC28-524A63CA31F9404E}*]
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}*]
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A1146105-B145-D547-791CC80E83BF21B6}\{DC78455E-4161-0768-1856DB98A0FFD8AF}\{619B65F9-9B50-CD99-3F29A63495E25D6C}*]
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A73A7B6D-D5C7-2D01-6A3ED58A203D5FEA}\{958FE6C0-B367-4AD6-C310294BFC5DB709}\{E2E9EAF6-387C-4947-07B2C800F4ACC9F3}*]
   DDS::
   Trusted Zone: moove.com
   Trusted Zone: trymedia.com

5. Save this as CFScript.txt, in the same location as ComboFix.exe
6. 
   Refering to the picture above, drag CFScript into ComboFix.exe
7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:

• ComboFix.txt

Billy3

Vesh Wolf

I saved it as log.txt and is attached.

Attached Files

log.txt (103.5 KB, 2 views)

Billy O'Neal

Hello, Vesh Wolf
We need to re-run ComboFix with some additonal directives.

1. Please disable any running anti-virus programs.

   If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
4. Open notepad and copy/paste the text in the quotebox below into it:
   
   Code:

   registry::
   [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
   "BootExecute"=hex(2):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20, \
   2a,20,6c,73,64,65,6c,65,74,65,00

5. Save this as CFScript.txt, in the same location as ComboFix.exe
6. 
   Refering to the picture above, drag CFScript into ComboFix.exe
7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:

• ComboFix.txt

Billy3

Vesh Wolf

Here is the newest combofix.txt file

Attached Files

combofix.txt (26.3 KB, 3 views)

Billy O'Neal

Hello, Vesh Wolf
I would like us to use ESET (NOD32)'s Online Scanner

1. Please go to ESET OnlineScan (NOD32)
2. You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
3. Now click Start
4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
5. Click Start
   • Note: (the Onlinescanner will now prepare itself for running on your pc)
6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
7. Press Scan
8. The Onlinescan will now start and scan your pc (this could take a while)
9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
11. The Scanresults will now open in Notepad
12. Click into the text area, right-click and chose "select all" (or use <Control>+A)
13. Right-click again and chose "Copy" (or <Control>+C)
14. Close/Exit Notepad
15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:

• ESET OnlineScan's Log

Billy3

Vesh Wolf

Here is the Eset Online Scan results:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3939 (20090316)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f6ebb8849c8fe041b63ed227be4f22c9
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-17 03:01:22
# local_time=2009-03-16 11:01:22 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=1757893
# found=19
# scan_time=21576
C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Chat\VP stuff\Host Tools.zip probably a variant of Win32/Genetik trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Chat\VP stuff\Host Tools.zip »ZIP »Host Tools/HostToolsV5.exe probably a variant of Win32/Genetik trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Chat\VP stuff\Host Tools\Host Tools\HostToolsV5.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\jayce everett.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\i want you so bad across.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\i will be there escape club.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\james blunt - goodbye my lover.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\grippin on sean garrett.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\grippon on.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\chatroom bob rivers.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\Bryan Ferry - Slave to love..mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 5C607EA8D4DB23510C1B5B53CE9DE238
F:\MUSIC\New Music\Lenny Kravitz - Battlefield of love.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\delicious jim backus phyllis - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) C6DFFEC828C6764DDFAD691EEC55C0D3
F:\MUSIC\New Music\delicious jim backus phyllis.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\ghostriders in sky spiderball.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\MUSIC\New Music\gohst riders in sky spiderbait - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) C6DFFEC828C6764DDFAD691EEC55C0D3
F:\MUSIC\New Music\oh holy night eric cartman MTV.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 62076EC580102B1C2B3A6DA054117D07
F:\MUSIC\New Music\santa esmeralda(Club RMX).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 0EB5FF74A6859F346C4096B9F428F88E
F:\MUSIC\DANCE-TECHNO\NEW\cherokee outlaw.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000

Billy O'Neal

That all looks much better :)

How are things running?

Billy3

Vesh Wolf

Things are a bit better. My browser is not crashing and the pc seems to be running alot more smoother. The only problem that is still occuring is I get that spoolsv.exe message again. Always occurs at the very begnning of my startup and it happens twice. Any suggestions? By the way I really appreciate all the help you've been giving me!

Billy O'Neal

Hello, Vesh Wolf
We need to execute a Batch File

1. Go to Start -> Run, and type "notepad" into the box.
2. Press ok.
3. Copy and paste the following code into notepad:
   
   Code:

   swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /s
   vfind -ltf C:\*spoolsv* > log.txt

4. Go to File -> Save
5. To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
6. Enter fix.bat into the "File name:" box just above the "Save as Type" box.
7. Double click fix.bat on your desktop.

1.[/b] Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: All files to your desktop.

2. Download Registry Search to your desktop.

• Right-click on the compressed RegSearch folder, and choose Extract All. In the box that pops open, click Next, then Next again, and then Finish. You now have another RegSearch folder on your desktop.
• Open the new folder, and double click on regsearch.exe.
• Click Import in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
• Click OK and Registry Search will scan your registry for the file(s). A Notepad box will open with a report, please save the report on your desktop.

Please post the RegSearch report in your next reply.

In your next reply, please include the following:

• Regsearch's log

Billy3

Vesh Wolf

Here is the regsearch log report

Attached Files

RegSearch.txt (3.3 KB, 4 views)

Billy O'Neal

Hmm... nothing out of the ordinary.

Can you take a screenshot of the error?

To do this, press the Pnt Scr key on your keyboard, go to start -> Run and type in MSPaint, then Paste the image into paint. You can then save the image to your desktop and attach it here.

If you have another screen capture method, such as TechSmith's excellent SnagIt tool (Which I used to take the pictures I used above), go ahead and use that :)

Billy3

Vesh Wolf

Here is the screen cap of the spoolsv error messages.

Attached Images

spoolsv error screen cap.jpg (42.2 KB, 6 views)

Billy O'Neal

Hello, Vesh Wolf
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Hmm... I'm unfirmiliar with that particular problem.

Please give this a shot:

We need to repair some of windows' internal registration settings

1. Please download Dial-A-Fix from one of the following mirrors:
   • Primary Mirror
   • Secondary Mirror
2. Extract the zip file to your desktop.
3. Double click Dial-a-Fix.exe to start the program.
4. Press the green double checkmark box (Looks like this: )
5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
   
6. When the window looks like this, press the GO button in the bottom of the window.
   
7. Exit/Close Dial-A-Fix

We need to run a system scan with Dr. Web CureIt

1. Please download DrWeb-CureIt & save it to your desktop.
   DO NOT perform a scan yet.
2. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
3. Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
5. Once the short scan has finished, Click Options > Change settings
6. Choose the "Scan tab" and UNcheck "Heuristic analysis"
7. Back at the main window, click "Complete Scan"
8. Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
9. When done, a message will be displayed at the bottom advising if any viruses were found.
10. Click "Yes to all" if it asks if you want to cure/move the file.
11. When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
12. Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
13. Save the DrWeb.csv report to your desktop.
14. Exit Dr.Web Cureit when done.
15. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

In your next reply, please include the following:

• Dr.Web's Log

Billy3