windows script hosting keeps popping up! [Moved From General Security}

[FIFI]

Hi, all.

My pc keeps popping up 'windows script hosting' window and 'My documents' window on every startup after logging in. Well, it's not really irritating, but i prefer not to have them, if possible. My pc started behaving like this after i installed Avast!home edition, which is not the cause, i guess, as that wasn't the first time for me to install Avast antivirus--i already installed that av in many other computers before.

I've tried finding such entries in 'startup' and also in 'msconfig', but i can't any of them.

Could anyone help me the problem that i am having with the pop-up thing?
Any troubleshooting/suggestion is very much welcomed.


Regards,
F I F I.

P.S. Here is the HijackThis Logfile in case it's needed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:14 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5235 bytes

[tetonbob]

Hi FIFI -

HijackThis logs are only to be posted in this forum. I've moved your thread.

I can see what's likely causing that, but the question remains ... "Why is it there?" For that, more info is required.

First....

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
5. Please attach extra.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\Deckard\System Scanner\extra.txt
   

3. Click Upload.

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

[FIFI]

I guess I really to say sorry to you, as I didn’t pay attention to your instructions.

I did the DSS scanning first before I fixed the entry that you told me to do in HijackThis scanning.
Once I realized that I hadn’t fixed that particular entry in HJT, I went back to fix-checked the entry directly…then I double-clicked the dss.exe again from the desktop, hoping to get the main.txt as well as extra.txt as the reports to be posted back here. Unfortunately, this second-time scanning, after I did the first scanning before fixing the HJT entry (which resulted in main.txt and extra.txt) and fixed the HJT entry (F2-REG:System.ini:….) only popped up main.txt as the text file.

So, instead of attaching one file, I am going to attach two files. One is the ‘extra.txt’ file and the other is the ‘main_after.txt’ (which is taken after running the dss scan for the second time after fixing the HJT entry).

I hope you understand what I mean . Anyway, here is the summary of what I actually did:
1. I downloaded DSS, saved in desktop, then I ran it, which resulted in ‘main.txt’ (which I now change into main_before.txt) and ‘extra.txt’ text files.
2. Then I realized that I should have fix-checked the HJT entry that you told me to, so I went back and did the scan only with HJT and fix-checked that entry.
3. I ran dss once again (hoping to get new text files after fixing that entry), but it only popped up ‘main.txt’ (which I now change into main_after.txt), no ‘extra.txt.’ file.


Here is the ‘main_before.txt’ file (which is taken for the very first time before fixing the HJT entry):

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-29 11:43:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-11-29 19:43:59 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-11-28 19:09:27 UTC - RP2 - Installed Ad-Aware 2007
1: 2007-11-28 19:07:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:08 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XP')
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'XP')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5537 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>

S3 st3bus28 - c:\windows\system32\drivers\st3bus28.sys (file missing)
S3 st3mp28 - c:\windows\system32\drivers\st3mp28.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: ST3MP28 SCSI Controller
Device ID: ROOT\*ST3L28\0000
Manufacturer: (Standard mass storage controllers)
Name: ST3MP28 SCSI Controller
PNP Device ID: ROOT\*ST3L28\0000
Service: st3mp28

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play BIOS Extension
Device ID: ROOT\SYSTEM\0003
Manufacturer: (Standard system devices)
Name: Plug and Play BIOS Extension
PNP Device ID: ROOT\SYSTEM\0003
Service: st3bus28


-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-29 11:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-29 11:34:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-29 11:34:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-29 11:34:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-29 11:34:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-29 11:34:47 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 13:40:33 0 d-------- C:\Program Files\Trend Micro
2007-11-28 11:10:46 0 d-------- C:\Program Files\Spyware Doctor
2007-11-28 11:10:46 0 d-------- C:\Documents and Settings\XP\Application Data\PC Tools
2007-11-28 11:10:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 11:09:29 0 d-------- C:\Program Files\Lavasoft
2007-11-28 11:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 11:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-11-27 14:53:09 0 d-------- C:\Documents and Settings\XP\Application Data\U3
2007-11-27 12:35:57 0 d-------- C:\WINDOWS\pss
2007-11-27 12:21:27 0 d-------- C:\Program Files\Alwil Software
2007-11-10 12:58:12 0 d-------- C:\Documents and Settings\XP\Application Data\funkitron
2007-10-31 14:29:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-31 14:28:31 0 d--h----- C:\Documents and Settings\XP\InstallAnywhere
2007-10-31 12:29:47 0 d-------- C:\Documents and Settings\XP\Application Data\Macromedia
2007-10-31 12:29:17 0 d-------- C:\Program Files\GameHouse


-- Find3M Report ---------------------------------------------------------------

2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files
2007-10-31 14:35:32 0 d-------- C:\Program Files\Sports Interactive
2007-10-25 08:22:30 0 d-------- C:\Program Files\FM Modifier 2.1
2007-10-22 15:39:04 0 d-------- C:\Program Files\Musicmatch
2007-10-22 15:33:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-22 15:30:22 1306 --a------ C:\Program Files\INSTALL.LOG
2007-10-20 11:18:07 0 d-------- C:\Program Files\KONAMI
2007-10-20 11:15:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 11:12:10 0 d-------- C:\Program Files\Game
2007-10-20 10:29:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-18 15:02:12 17 --a------ C:\WINDOWS\popcinfo.dat
2007-10-01 18:07:54 0 d-------- C:\Program Files\Stock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [02/06/2007 06:30 AM C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [09/21/2006 03:36 PM C:\WINDOWS\system32\VTTimer.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 PM C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 02:03 PM C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 03:04 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 03:04 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [08/14/2007 05:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 08:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 06:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/1/2007 11:23:55 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2007-11-29 11:45:48 ------------


And here are the two attached files:

[tetonbob]

Posted so I can read it better. Don't really need the before.

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-29 11:57:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:21 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XP')
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'XP')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5299 bytes

-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-29 11:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-29 11:34:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-29 11:34:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-29 11:34:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-29 11:34:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-29 11:34:47 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 13:40:33 0 d-------- C:\Program Files\Trend Micro
2007-11-28 11:10:46 0 d-------- C:\Program Files\Spyware Doctor
2007-11-28 11:10:46 0 d-------- C:\Documents and Settings\XP\Application Data\PC Tools
2007-11-28 11:10:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 11:09:29 0 d-------- C:\Program Files\Lavasoft
2007-11-28 11:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 11:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-11-27 14:53:09 0 d-------- C:\Documents and Settings\XP\Application Data\U3
2007-11-27 12:35:57 0 d-------- C:\WINDOWS\pss
2007-11-27 12:21:27 0 d-------- C:\Program Files\Alwil Software
2007-11-10 12:58:12 0 d-------- C:\Documents and Settings\XP\Application Data\funkitron
2007-10-31 14:29:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-31 14:28:31 0 d--h----- C:\Documents and Settings\XP\InstallAnywhere
2007-10-31 12:29:47 0 d-------- C:\Documents and Settings\XP\Application Data\Macromedia
2007-10-31 12:29:17 0 d-------- C:\Program Files\GameHouse


-- Find3M Report ---------------------------------------------------------------

2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files
2007-10-31 14:35:32 0 d-------- C:\Program Files\Sports Interactive
2007-10-25 08:22:30 0 d-------- C:\Program Files\FM Modifier 2.1
2007-10-22 15:39:04 0 d-------- C:\Program Files\Musicmatch
2007-10-22 15:33:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-22 15:30:22 1306 --a------ C:\Program Files\INSTALL.LOG
2007-10-20 11:18:07 0 d-------- C:\Program Files\KONAMI
2007-10-20 11:15:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 11:12:10 0 d-------- C:\Program Files\Game
2007-10-20 10:29:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-18 15:02:12 17 --a------ C:\WINDOWS\popcinfo.dat
2007-10-01 18:07:54 0 d-------- C:\Program Files\Stock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [02/06/2007 06:30 AM C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [09/21/2006 03:36 PM C:\WINDOWS\system32\VTTimer.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 PM C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 02:03 PM C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 03:04 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 03:04 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [08/14/2007 05:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 08:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 06:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/1/2007 11:23:55 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2007-11-29 11:57:53 ------------

[tetonbob]

I don't see any active infection. Did the scripting popup stop?

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

[FIFI]

really sorry again this time, tetonbob...

This computer of mine is not connected to internet. In fact, no connection at all ...I use my friend's computer to post in this forum.

Is there any other way to troubleshoot this scripting pop up, without performing the online scan? (the 'windows script hosting' and 'my documents' windows still pop up on every boot).

[tetonbob]

Well, to rule out malware as the cause, because I'm not sure it is, I'd like to get some sort of scanner run on the machine which provides me with useful output.

Assuming you're transporting logs from the affected machine to friend's machine with USB stick or other removable media, we can use this freestanding scanner to accomplish the same thing.

Download this to removable media, and transport it to the affected machine.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

• Doubleclick the drweb-cureit.exe file.
• Click on Start, and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, we need to change the default settings.
• In the Menu Bar, Go to Options>Change Settings.
• Click on the Actions tab
• Using the drop down menus, change each item under Objects, Infected Packages and Malware to Report, then click OK
• Next, tick the Complete Scan radio button.
• Click the green arrow at the right, and the scan will start.
• Click 'No to All' if it asks if you want to cure/move the file.
• After the scan has completed, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Ignore and close any windows which open, prompting you to buy DrWeb.
• Post the contents of the log from Dr.Web you saved previously in your next reply.

[tetonbob]

Hi FIFI -

Also, please do this. create this batch on the friend's machine, and carry it to the affected machine, so you can copy/paste and not potentially cause any syntax errors.

Open notepad and copy/paste the text in the codebox below into it:

Code:

 
@echo off
If exist C:\peek.txt del /q /s C:\peek.txt
regedit /a C:\peek.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" 
start notepad C:\peek.txt

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this:

Carry this batch to the affected machine.

Double click on peek.bat & allow it to run

Post back the contents of the notepad file which opens.

[FIFI]

Short scan resulted in no virus found.

Complete scan resulted in one virus found--it is the removable media that I use to transfer file from the affected comp to my friend's--

What is shocking is that the scripting is now gone, i don't know how or why, do u?
However there is one new thing that i find quite disturbing: after booting and loading desktop icons, my pc takes around 1-2 minutes to be able to access files, which used to be only 20-30 seconds loading. is there a new problem here?

Here is the Dr.Web report:
killVBS.vbs F:\ VBS.Generic.553


report from the new batch (peek.bat) file:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="1"
"ExcludeProfileDirs"="Local Settings;Temporary Internet Files;History;Temp"
"BuildNumber"=dword:00000a28



Was it because of the removable media that I got the scripting pops up?
I do have a real time antivirus and spyware doctor...how could it be not detected by them then?

anyway, what to do next? is it done?

[tetonbob]

Flash drives are often victim to infection.

Can you delete the file DrWeb found on the removable media?

[tetonbob]

Also, as far as loading times go, it looks like you've added both Ad-Aware and Spyware Doctor recently? They are both fighting for resources on startup, as they are both running services.

Uninstall one, or both, and see what your machine feels like then.

[FIFI]

The file found by DrWeb has been deleted.

I already uninstalled Ad-aware2007, and my pc starts to behave faster than before it was affected.

I prefer not to uninstall spyware doctor as it is said to be a real time anti spyware. Is that ok?

Thanks for the help given, tetonbob.

[tetonbob]

That's fine. Having the two of them installed at the same time seems to negatively affect some machines.

Empty your Recycle Bin.

Clear your temp files. (Start > Run > cleanmgr)

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------



Think prevention:

PC Safety and Security--What Do I Need?

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[FIFI]

Ok, that's all then.

Thanks for the articles and also the help given, you are awesome, tetonbob.

Hopefully everything should be ok now, or else i might come and talk to you again here

My gratitude to TSF and all of the people behind the scene.
You're doing a great job, guys!