Resolved HJT Threads - Resolved spyware and popup issues.

 
 
10-11-2005, 01:02 PM   #1
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Nasty stuff here??

I'll keep it short and clear....

My PC runs slower, uses more CPU resources and sometimes makes weird loading noises when idle.

Here's my process tab:
http://img405.imageshack.us/img405/5192/part1a9rd.jpg part1
http://img405.imageshack.us/img405/4203/part28ly.jpg part 2

My hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 21.01.01, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Diskeeper\DkService.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10MT2.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CE1236-582E-4BB3-949C-6CADA9643808}: NameServer = 85.37.17.11 151.99.125.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe



Any ideas??
Is there any dangerous or redundant item I can get rid of??

Thanks in advance folks of techsupport
__________________
With the passing of strange eons, even death may die

HP Lovecraft
Writer, gentleman and dreamer.
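
An added example, not code from this thread or from the HijackThis project: a small Python script that does part of the log reading tetonbob does by eye. It parses the Running processes section and the O4, O17 and O23 entries of a HijackThis log, pulls the DNS servers out of the O17 line so they can be checked against the ISP's known resolvers, and lists the running processes that no core Windows process, O4 autostart entry or O23 service accounts for, which is the short list a human then has to explain (in the sample: Firefox and HijackThis, launched by hand, and mdm.exe). The sample log is a shortened copy of the one in post #1; the regexes, function names and the baseline set of core Windows XP processes are my assumptions, not anything HijackThis defines.

```python
import re

# Constructed sample: a shortened copy of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CE1236-582E-4BB3-949C-6CADA9643808}: NameServer = 85.37.17.11 151.99.125.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
"""

# Assumption: a fixed baseline of Windows XP processes that need no autostart entry.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A drive-letter path ending in an executable extension, optionally quoted.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|pif|bat))"?', re.I)


def parse_hjt(text):
    """Return (running processes, {entry code: [entry remainder, ...]})."""
    processes, entries, in_procs = [], {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process section
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return processes, entries


def basename(path):
    return path.rstrip('"').rsplit("\\", 1)[-1].lower()


def autostart_binary(remainder):
    """Binary launched by an O4 entry: '...Run: [Name] cmd' or 'Global Startup: x.lnk = path'."""
    cmd = remainder.split("] ", 1)[1] if "] " in remainder else remainder.split(" = ", 1)[-1]
    m = EXE_RE.search(cmd)
    if m:
        return m.group(1)
    parts = cmd.split()              # bare names such as 'dslagent.exe USB'
    return parts[0].strip('"') if parts else ""


def service_binary(remainder):
    """Binary of an O23 entry: 'Service: Name (Short) - Company - path'."""
    return remainder.rsplit(" - ", 1)[-1]


def nameservers(entries):
    """DNS servers from O17 entries; compare these with the ISP's known resolvers."""
    servers = []
    for rem in entries.get("O17", []):
        m = re.search(r"NameServer = (.+)$", rem)
        if m:
            servers.extend(m.group(1).split())
    return servers


def unexplained_processes(processes, entries):
    """Running processes not explained by a core OS process, an O4 autostart or an O23 service."""
    explained = set(CORE_PROCESSES)
    explained |= {basename(autostart_binary(r)) for r in entries.get("O4", [])}
    explained |= {basename(service_binary(r)) for r in entries.get("O23", [])}
    return sorted({basename(p) for p in processes} - explained)


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("DNS servers:", nameservers(ents))
    print("Processes to explain by hand:", unexplained_processes(procs, ents))
```

Run it as-is to print the two lists; a full log works the same way, since the section marker and entry prefixes are the ones HijackThis 1.99 writes. The point of the check is not that an unexplained process is malicious, only that it is where to look next; an O17 nameserver that is not the ISP's is likewise a prompt to verify, not a verdict.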

10-11-2005, 11:17 PM   #2
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

sorry to bump this...
10-13-2005, 02:31 AM   #3
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Sorry to bump this again, but the problem is persisting...
10-13-2005, 07:37 PM   #4
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Sorry for the delay.....I'm not seeing anything in that log. It's entirely possible with noises that it's hardware related. Let's run some tools and see what shakes out.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download CWShredder. Do not run it yet.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. Do not run the tool yet, once updated and installed, close it.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run CWShredder. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Run Ad-aware now. Go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.


Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.


Restart in normal mode.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Restart and run a new HijackThis scan. Save the log file and post it here.

So, please return with results from:

Ewido
TrendMicro AntiSpyware
Panda Active Scan
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
10-14-2005, 04:56 AM   #5
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Thanks for the reply!

Here's what I did:

Ewido found around 70 things, I ignored only 2 I knew were safe.
On the 2nd scan, it found nothing

Trendmicro also found nothing

The Panda scan found 2 spyware and 2 dialers, but I accidentally lost the log; I'll make a new scan as soon as I have time.
Also, the 4 items it found were not disinfected, but only detected... is this normal?
10-14-2005, 07:27 AM   #6
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Yes, with Panda that is often the case, which is why we ask for results to be posted.

We'll be waiting for the logs.

Are the noises and CPU usage still occurring?
10-15-2005, 02:56 AM   #7
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Quote:
Originally Posted by tetonbob
Yes, with Panda that is often the case, which is why we ask for results to be posted.

We'll be waiting for the logs.

Are the noises and CPU usage still occurring?
The noises, no... the CPU usage is still a bit high...
A couple of months ago I upgraded from 512 to 1024mb of RAM, and the usage often reached zero... now it's always more than 2-3% with VERY high peaks.

Here's the Panda log:
Incident Status Location

Dialer:dialer.xd No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\start77.inf
Dialer:dialer.cos No disinfected C:\Documents and Settings\Alessandro\Documenti\exsplorer.lnk
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\ied.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Downloaded Program Files\start.INF
Dialer:Dialer.XD No disinfected C:\WINDOWS\Downloaded Program Files\start77.inf


Should I delete this stuff manually??
10-15-2005, 08:18 AM   #8
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Delete the following files:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\start77.inf
C:\Documents and Settings\Alessandro\Documenti\exsplorer.lnk
C:\WINDOWS\Downloaded Program Files\ied.inf
C:\WINDOWS\Downloaded Program Files\start.INF
C:\WINDOWS\Downloaded Program Files\start77.inf

Run a new HijackThis scan. Save the log file and post it here.

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notebook onto your post

Quote:
A couple of months ago I upgraded from 512 to 1024mb of ram, and the usage often reached zero...now its always more than 2-3% with VERY high peaks.
That doesn't seem very high at all to me, unless I'm misinterpreting what you've written. Peaks are normal. Extended periods of max usage are not.

Have you installed any new programs recently?
10-15-2005, 12:35 PM   #9
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Thanks for the support!

I looked for the files, but I found only one (I deleted it, of course), the second; no traces of the others even though I made it show hidden files... I even tried the Windows search, but found nothing.

Here's the uninstall log:

ACDSee 6.0 PowerPack
Ad-aware 6 Professional
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Advanced System Optimizer 2.01.2
Aggiornamento rapido per Windows XP - KB887472
ArcSoft VideoImpression 1.6
AVG Free Edition
BitTorrent 4.0.1
BlindWrite suite
CleanUp!
Command & Conquer Generals
Corel Uninstaller
Corso Excel 2000
Creative DVD Audio Plugin for Audigy Series
Dawn Of War - Winter Assault
DawnOfWar
Derive 5
Derive 6
Diablo II
Digital Camera
Diskeeper Professional Edition
DivX Player
Dizionario italiano De Mauro
Doom 3
Duke Nukem - Manhattan Project
DVD Shrink 3.2
EPSON PhotoQuicker3.2
ewido security suite
FlexiMusic Wave Editor
FuhQuake v0.31
Futuremark Measurement Services Client
Google Earth
Google Toolbar for Internet Explorer
Heroes of Might And Magic IV: Equilibris
Heroes of Might and Magic® III Complete
Heroes of Might and Magic® IV: Winds of War
Installazione Guidata Alice
InterActual Player
InterVideo WinDVD 6
jv16 PowerTools 1.4.1
K-Lite Codec Pack 2.34 Full
L&H TTS3000 Italiano
Lavasoft VX2 Cleaner
Logger Pro 3.2.1 Italiano
Mathematica 5
Microsoft .NET Framework 1.1
Microsoft Encarta Enciclopedia Premium DVD
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional con FrontPage
Modem DataWay Telecom Italia
Mozilla Firefox (1.0.7)
MSN Messenger 7.0
Nero Suite
NVIDIA Drivers
Panda ActiveScan
PDF Password Remover v2.2
PowerArchiver 2004 v9.20
ProfPDF Protection Manager 1.1
Quake
RealPlayer
Shockwave
Software per stampante EPSON
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Star Trek Armada II
Star Wars Jedi Knight Jedi Academy
Star Wars JK II Jedi Outcast
Starcraft
Sygate Personal Firewall Pro
TextBridge Pro Millennium Business Edition
The Hobbit(TM)
The Simpsons Hit & Run(TM)
Trust 150 Spacecam Portable
Ulead Photo Express 3.0 SE
Virtual Pool 3
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WinUAE 1.0
ZDaemon (remove only)
10-15-2005, 01:01 PM   #10
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

I think you're in the clear, but I'd like a different online scan opinion to be sure.

First, do this:

I see CleanUp on your system. If it's version 4.0, run it with the setting indicated below. If it's not version 4.0, please follow these instructions:

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Next, perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Also, please post a new HJT log.

How is your system now?
10-16-2005, 05:10 AM   #11
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

It found a lot of stuff...:(

KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 16, 2005 13:07:47
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/10/2005
Kaspersky Anti-Virus database records: 145074
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 77433
Number of viruses found: 9
Number of infected objects: 16
Number of suspicious objects: 1
Duration of the scan process: 6306 sec

Infected Object Name - Virus Name
C:\Programmi\Innovative Solutions\Innovative System Optimizer - Platinum Edition version 2\Undo\10_27_2004_15_10.REG Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038352.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038353.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038354.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038355.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038356.exe Infected: Backdoor.Win32.Rbot.aeu
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038357.exe Infected: Net-Worm.Win32.Sasser.d
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038358.exe Infected: Backdoor.Win32.Wootbot.u
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038359.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038360.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038361.exe Infected: Net-Worm.Win32.Padobot.f
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038362.exe Infected: Net-Worm.Win32.Sasser.d
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038363.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038364.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038365.exe Infected: Backdoor.Win32.SdBot.rw
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.z
C:\WINDOWS\system32\tmp1.com Infected: Worm.Win32.Wilab.b

Scan process completed.


How can I remove all this malware now??
10-16-2005, 08:13 AM   #12
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Most of that is in the System Restore points, and essentially harmless (unless you were to use System Restore before we cleared the points.) We will flush the System Restore points now, and set you a new clean point.

Please clear your System Restore Points by doing the following:

To turn off System Restore, click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Now create a new Restore Point:

To turn on System Restore, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\system32\.pif
    C:\WINDOWS\system32\tmp1.com
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Run a new scan with Kaspersky, and also with Panda. Post the results. Just trying to make sure we got it all. Also post a new HJT log, please.
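
An added example, not part of the thread: the distinction tetonbob draws above, between detections inside System Restore snapshots (cleared by flushing the restore points) and files on the live filesystem (the two paths handed to KillBox), written as a Python triage of the Kaspersky On-line Scanner report from post #11. The sample report lines are a trimmed copy of that report; the bucket names and function names are my own, and the restore-point path pattern is an assumption based on the paths in the report.

```python
import re

# Constructed sample: a trimmed copy of the Kaspersky On-line Scanner report posted in this thread.
SAMPLE_REPORT = r"""KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 16, 2005 13:07:47

Scan Statistics:
Total number of scanned objects: 77433
Number of viruses found: 9
Number of infected objects: 16
Number of suspicious objects: 1

Infected Object Name - Virus Name
C:\Programmi\Innovative Solutions\Innovative System Optimizer - Platinum Edition version 2\Undo\10_27_2004_15_10.REG Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038352.exe Infected: Net-Worm.Win32.Padobot.m
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038356.exe Infected: Backdoor.Win32.Rbot.aeu
C:\System Volume Information\_restore{A2581547-F3BE-45EB-B732-AF75AA126907}\RP151\A0038357.exe Infected: Net-Worm.Win32.Sasser.d
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.z
C:\WINDOWS\system32\tmp1.com Infected: Worm.Win32.Wilab.b

Scan process completed.
"""

# One detection line: '<path> Infected: <name>' or '<path> Suspicious: <name>'.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")
# Assumption: System Restore snapshots live under '\System Volume Information\_restore{GUID}\'.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\")


def parse_report(text):
    """Return a list of (path, verdict, detection name) tuples from the report body."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.rstrip())
        if m:
            hits.append((m["path"], m["verdict"], m["name"]))
    return hits


def triage(hits):
    """Bucket detections the way the thread handles them."""
    buckets = {"restore_point": [], "live_infected": [], "live_suspicious": []}
    for path, verdict, name in hits:
        if RESTORE_RE.search(path):
            buckets["restore_point"].append((path, name))    # gone once restore points are flushed
        elif verdict == "Infected":
            buckets["live_infected"].append((path, name))    # on the live filesystem: remove
        else:
            buckets["live_suspicious"].append((path, name))  # heuristic hit: verify before acting
    return buckets


def live_paths(hits):
    """Paths on the live filesystem with a definite detection, i.e. the removal list."""
    return [path for path, _ in triage(hits)["live_infected"]]


def families(hits):
    """Distinct detection names, to see what was actually on the machine."""
    return sorted({name for _, _, name in hits})


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    t = triage(hits)
    print(f"{len(t['restore_point'])} in System Restore, {len(t['live_infected'])} live, "
          f"{len(t['live_suspicious'])} suspicious")
    for p in live_paths(hits):
        print("remove:", p)
```

The suspicious heuristic hit on the Innovative System Optimizer undo file lands in its own bucket on purpose: the thread never acted on it, and a suspicious verdict is a prompt to verify the file, not a removal instruction. The restore-point bucket is also why the instructions above flush System Restore before creating a new clean point: those copies are harmless until a restore reinstates them.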
10-17-2005, 07:52 AM   #13
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

I think you got them all, because now the cpu usage is back to 0%-3%!!

Thanks for the help, I'll try to post the Panda log as soon as possible!

Btw, I noticed that my fully updated AVG failed to notice all this malware...
Is this normal? Should I get a better antivirus?
And what about the antispyware programs??
10-17-2005, 08:47 AM   #14
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

I have several recommendations I'll make once I'm sure you're in the clear. It takes several layers of protection to keep the bad guys at bay. An AV program is but one of these layers.

AVG does a good job. You have to run regular scans with it as well as have the real-time protection enabled. Also make sure it is set to scan your email.

In addition to the Panda, be sure to run Kaspersky online again. Also run a new scan with HJT, save the log, and post it here.

Please bring back these logs:

Kaspersky
Panda
HijackThis
10-18-2005, 01:28 AM   #15
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Sorry if I haven't posted them yet, but I'm very busy; I'll do it as soon as I can.

Can I make the 2 scans simultaneously?
10-18-2005, 07:24 AM   #16
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

Not recommended.
10-18-2005, 12:27 PM   #17
Romanov77, Registered User
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Quote:
Originally Posted by tetonbob
Not recommended.

Reason?

I did it many times with Spybot & Ad-Aware...

I hope I've not damaged anything.
__________________
With the passing of strange eons, even death may die

HP Lovecraft
Writer, gentleman and dreamer.
Old 10-18-2005, 12:47 PM   #18
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home

In all this time, you could have run the scans and posted the requested logs. It's unwise to run more than one scanner at a time. It hogs resources, and one can miss while the other is looking at it.

If you like, we can close this thread, and I'll give you some protection advice:

We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent troubles, I'm sure you'll want to avoid any future infections. Please take a look at these well-written articles
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
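The three post-cleanup steps in the post above (resetting Explorer's hidden/system-file view, flushing the old restore points and creating a clean one, and turning on Automatic Updates) can also be applied from a script, which is handy when the same cleanup has to be repeated on several machines or documented in a reply. The PowerShell below is an added example and is not code from the thread or from any tool mentioned in it. It assumes Windows PowerShell is installed on the XP machine, that it runs from an administrator account, and that the system drive is C:; the function names are my own, while the registry values and the SystemRestore WMI class are the documented ones behind the dialogs the steps describe.

```powershell
# Added example (not from the thread). Applies the three post-cleanup settings
# from the post above on Windows XP without the GUI.
# Assumptions: Windows PowerShell 1.0/2.0 is installed on XP SP2/SP3, the script
# runs as an administrator (System Restore and Automatic Updates are machine-wide
# settings), and C: is the system drive. Function names are hypothetical.

$ErrorActionPreference = 'Stop'

# 1. "Reset hidden/system files and folders": the three Folder Options checkboxes
#    are per-user Explorer values. Hidden=2 hides hidden files and folders,
#    HideFileExt=1 hides known extensions, ShowSuperHidden=0 hides protected
#    operating system files. Explorer picks the values up on its next start.
function Reset-ExplorerViewDefaults {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'Hidden'          -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name 'HideFileExt'     -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'ShowSuperHidden' -Value 0 -Type DWord
}

# 2. "Create a new System Restore point": the off/on toggle in Sysdm.cpl discards
#    the old restore points (which may still hold infected files); a fresh point
#    is then created so there is a known-clean state to roll back to.
#    SystemRestore is the WMI class in root\default behind the XP dialog; on XP,
#    disabling it on the system drive turns it off for all drives.
function New-CleanRestorePoint {
    param([string]$Drive = 'C:\',
          [string]$Description = 'Clean after malware removal')
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "System Restore Disable failed, code $rc" }
    $rc = $sr.Enable($Drive, $true).ReturnValue      # $true = wait until enabled
    if ($rc -ne 0) { throw "System Restore Enable failed, code $rc" }
    # RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
    $rc = $sr.CreateRestorePoint($Description, 0, 100).ReturnValue
    if ($rc -ne 0) { throw "CreateRestorePoint failed, code $rc" }
}

# 3. "Enable Windows Auto Update": wuaucpl.cpl writes to the Auto Update key.
#    AUOptions 4 = "Automatically download the updates, and install them on the
#    schedule that I specify"; ScheduledInstallDay 0 = every day (1-7 = Sun-Sat);
#    ScheduledInstallTime = hour of day (0-23). Restarting wuauserv applies it.
function Enable-AutomaticUpdates {
    param([int]$Day = 0, [int]$Hour = 3)
    if ($Day -lt 0 -or $Day -gt 7 -or $Hour -lt 0 -or $Hour -gt 23) {
        throw 'Day must be 0-7 and Hour 0-23'
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'AUOptions'            -Value 4     -Type DWord
    Set-ItemProperty -Path $key -Name 'ScheduledInstallDay'  -Value $Day  -Type DWord
    Set-ItemProperty -Path $key -Name 'ScheduledInstallTime' -Value $Hour -Type DWord
    Restart-Service -Name wuauserv
}

# Read the settings back so the result can be checked, or pasted into a reply.
# Each SystemRestore instance in WMI is one existing restore point.
function Get-PostCleanupState {
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    return @{
        HiddenFilesShown = ($adv.Hidden -eq 1)
        ExtensionsHidden = ($adv.HideFileExt -eq 1)
        SuperHiddenShown = ($adv.ShowSuperHidden -eq 1)
        AUOptions        = $au.AUOptions
        RestorePoints    = @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore).Count
    }
}

Reset-ExplorerViewDefaults
New-CleanRestorePoint
Enable-AutomaticUpdates -Day 0 -Hour 3
Get-PostCleanupState | Format-Table -AutoSize
```

After a successful run the readback should show HiddenFilesShown and SuperHiddenShown as False, ExtensionsHidden as True, AUOptions as 4, and RestorePoints as 1 (only the freshly created point, since the toggle discarded the old ones). The restore-point flush is deliberately done after the machine is declared clean, exactly as the post orders it; doing it earlier would throw away the only rollback available if a removal step went wrong.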
Old 10-18-2005, 02:42 PM   #19
Romanov77 (Registered User)
Join Date: Feb 2005
Posts: 152
OS: Windows XP Sp2

Ok, close it.

Thanks for the help and for the suggestions; you guys at Tech Support are by far the best guys I've ever found on the net :)
__________________
With the passing of strange eons, even death may die

HP Lovecraft
Writer, gentleman and dreamer.
 


Copyright 2001 - 2009, Tech Support Forum