
msn virus

I had the MSN virus. A friend of mine said what to do:
downloaded this Malwarebytes' Anti-Malware scan, then get ComboFix, close every window and scan, and got told to post the report of the ComboFix here.

ComboFix 08-03-14.4 - paul 2008-03-15 23:19:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.519 [GMT 0:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-15 22:38 . 2008-03-15 22:38 <DIR> d-------- C:\Documents and Settings\paul\Application Data\Malwarebytes
2008-03-15 22:37 . 2008-03-15 22:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-15 22:37 . 2008-03-15 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 18:06 . 2008-03-15 18:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-15 18:01 . 2008-03-15 18:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 20:42 . 2008-03-14 20:42 63 --a------ C:\WINDOWS\system32\dc9e9b14
2008-03-14 20:35 . 2008-03-15 12:41 <DIR> d-------- C:\MSNCleaner
2008-03-14 20:26 . 2008-03-14 20:26 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-14 20:02 . 2008-03-14 19:50 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-14 20:02 . 2008-03-14 20:02 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-14 19:46 . 2008-03-14 19:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 19:46 . 2008-03-15 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 19:21 . 2008-03-14 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-14 19:18 . 2008-03-14 19:18 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-03-14 19:18 . 2008-03-14 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-02 08:28 . 2008-03-02 08:28 <DIR> d-------- C:\Documents and Settings\laura\Application Data\AVG7
2008-03-02 08:28 . 2004-08-04 12:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-17 15:10 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-15 14:24 . 2008-02-15 14:24 <DIR> d-------- C:\WINDOWS\Sun
2008-02-15 14:23 . 2008-02-15 14:23 <DIR> d-------- C:\Program Files\Java
2008-02-15 14:23 . 2008-02-15 14:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-15 14:23 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-15 14:22 . 2008-02-15 14:24 671 --a------ C:\WINDOWS\mozver.dat
2008-02-15 14:20 . 2008-02-15 14:20 <DIR> d---s---- C:\Documents and Settings\paul\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 17:47 d-----w C:\Documents and Settings\paul\Application Data\AVG7
2008-03-13 08:00 d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-06 20:03 d-----w C:\Program Files\MSN Messenger
2008-02-15 08:00 d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-14 20:06 d-----w C:\Program Files\Windows Live Toolbar
2008-02-14 20:06 d-----w C:\Program Files\Windows Live Favorites
2008-02-14 20:06 d-----w C:\Program Files\Real
2008-02-14 20:06 d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-14 20:01 d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-14 13:45 d-----w C:\Program Files\Yahoo!
2008-02-14 13:45 d-----w C:\Program Files\CCleaner
2008-02-14 09:11 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-14 09:11 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-14 09:10 d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 09:01 d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SpyEmergency"="C:\Program Files\Spy Emergency 2005\SpyEmergency.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-15 08:11 579072]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 16:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-14 10:26 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S1 SpyEmrg;Spy Emergency Driver;C:\WINDOWS\system32\Drivers\spyemrg.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 22:48:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 23:20:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-15 23:21:26
ComboFix-quarantined-files.txt 2008-03-15 23:20:52
ComboFix2.txt 2008-03-15 22:58:50
.
2008-02-14 23:51:03 --- E O F ---

Comments

  • edited March 2008
    Welcome to Icrontic, slaminbones.

    One of the tougher scenarios I run into while volunteering for this type of assistance is when someone has been making their own repairs, using tools they do not understand, even if it is on the advice of a friend. Where is the friend at this point of the repair suggestions, since they felt comfortable telling you to make these choices?


    For now, go ahead and go to the "Steps To Take Before Posting a HijackThis Log!", do those and make another go at it, and then we can see what remains to be addressed there.
  • edited March 2008
    I made the mistake of doing some of my own research about the MSN virus on here by reading different posts, and made my own post leaving a ComboFix report. Sorry I didn't do it the right way. So here we go.
    A thank you to Thomas for pointing me in the right direction on what to do on this forum.

    Here is my HijackThis report:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:52:48 PM, on 3/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2005\SpyEmergency.exe"
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?76ab1bca98424eb58bdd5f740588c781
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?76ab1bca98424eb58bdd5f740588c781
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
  • edited March 2008
    Sorry, I went about it the wrong way. I have set up a new thread posting the HijackThis report, and got the ATF Cleaner and ran that as it states.
  • edited March 2008
    Looks like we got everything all together now. The logs really do not show any outright malware. I see you had tried and apparently already uninstalled some Spy Emergency software. I hadn't seen this one before, though I do not see it listed anywhere as anything bad. Just a product of a company in the Slovak Republic. We can do the steps to remove its remnants now. I do see a folder from Enigma Software Group, so if you tried any of their software, such as SpyHunter, other than you finding out they want money for their software to do anything (and it isn't really known to be much good at that), they have a long-standing history of questionable activities like those listed here. They are on lists of software that is not suggested to have, so if any of that still remains be sure to uninstall it now.


    Let's address those remnants, then do a scan to check for anything remaining.


    Go to Start > Run and type

    cmd

    and OK. Type (or copy\paste) the below commands and hit "Enter" after each line

    sc config SpyEmrg start= disabled
    sc stop SpyEmrg
    sc delete SpyEmrg


    Type Exit to close. You may get an error indicating it is already stopped, which is okay.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\Spy Emergency 2005\SpyEmergency.exe"



    Then go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    Just post that log back here for review please.
  • edited March 2008

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, March 18, 2008 12:03:44 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 18/03/2008
    Kaspersky Anti-Virus database records: 636812

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 17725
    Number of viruses found: 1
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 00:21:00

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\cert8.db Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\history.dat Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\key3.db Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\parent.lock Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\paul\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\jk1qqs11.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\History\History.IE5\MSHist012008031820080319\index.dat Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\PhishingFilter\45E13EC5-3DB7-4B3D-9F80-073A58AB5E82.dat Object is locked skipped
    C:\Documents and Settings\paul\ntuser.dat Object is locked skipped
    C:\Documents and Settings\paul\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\paul\UserData\index.dat Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\loueyhhp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{4EA88DCE-1786-4123-93F1-735B5BDDAD68}\RP34\A0001283.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{4EA88DCE-1786-4123-93F1-735B5BDDAD68}\RP36\A0001477.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{4EA88DCE-1786-4123-93F1-735B5BDDAD68}\RP37\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
  • edited March 2008
    Looks good - Kaspersky only shows normally locked system functions, a file already removed by ComboFix to its quarantine folder, and some infection held harmless in System Restore, which we will clear shortly. Not seeing any active infection at this time, so before we clean up what this work added, are there any issues we need to address still?
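The reading of the Kaspersky report in the reply above (locked system files are normal, a detection in QooBox is already quarantined, a detection under a restore point is inert until System Restore is cleared) can be turned into a small triage script. This is an added example, not the forum's or Kaspersky's own code; the report lines it parses are constructed in the same layout as the posted log, with made-up file names and a placeholder restore-point GUID.

```python
"""Triage a Kaspersky Online Scanner report (added example, not the
forum's or Kaspersky's code).

Splits "Object is locked skipped" lines (in-use system files, expected)
from real "Infected:" detections, and tags each detection by location:
ComboFix's QooBox quarantine, a System Restore point, or a live path.
Only live detections still need action."""
import re
from collections import Counter

# Constructed sample in the report's "<path> <status>" layout.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\paul\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sample.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{RESTORE-GUID-PLACEHOLDER}\RP34\A0000001.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\paul\Application Data\sample-live.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")


def location_class(path):
    """Where a detected object lives; only 'live' objects still need action."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:          # ComboFix quarantine folder
        return "quarantine"
    if "\\system volume information\\_restore" in p:  # System Restore point
        return "system_restore"
    return "live"


def triage(report_text):
    """Parse report lines into locked paths and detection records."""
    locked, detections = [], []
    for line in report_text.splitlines():
        line = line.strip()
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.append({"path": m["path"], "name": m["name"],
                               "action": m["action"],
                               "where": location_class(m["path"])})
    return {"locked": locked, "detections": detections}


def summarize(report_text):
    """Counts in the same terms the scanner's statistics block uses."""
    t = triage(report_text)
    where = Counter(d["where"] for d in t["detections"])
    return {
        "locked": len(t["locked"]),
        "infected_objects": len(t["detections"]),               # objects hit
        "viruses_found": len({d["name"] for d in t["detections"]}),  # distinct names
        "live": where["live"],
        "quarantine": where["quarantine"],
        "system_restore": where["system_restore"],
    }


def needs_action(report_text):
    """Paths of detections that are neither quarantined nor in a restore point."""
    return [d["path"] for d in triage(report_text)["detections"]
            if d["where"] == "live"]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print("still live:", needs_action(SAMPLE_REPORT))
```

The split between `infected_objects` and `viruses_found` mirrors the scanner's own statistics block: three objects carrying one detection name count as "3 infected objects, 1 virus found", and locked-and-skipped entries are not detections at all.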
  • edited March 2008
    Well, I don't think this is important, but when I ran Kaspersky it said infected files 3 and 1 virus. Are these the locked files it says? And thank you for the help so far.
  • edited March 2008
    All okay, except some cleanup now.


    Kaspersky, if you don't plan to use it again, uninstalls through Add/Remove Programs.


    The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveAutoRun"=dword:00000000
    "NoDriveTypeAutoRun"=dword:00000095

    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.

    Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right-click on OTMoveit2.exe and select "Run as an Administrator"). When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

    OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step.


    Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

    You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

    When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

    In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
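The `autofix.reg` fragment above re-enables AutoPlay by setting `NoDriveTypeAutoRun` back to the Windows XP default of 0x95. That value is a bitmask, and it is worth seeing which drive types it still leaves blocked. The script below is an added example, not the forum's code: it parses the REGEDIT4 fragment and decodes the mask using the Windows `GetDriveType` numbering (bit n disables AutoRun for drive type n). The 0xFF "fully locked down" mask it compares against is an assumption for illustration; the thread never states what value the earlier cleanup steps had written.

```python
"""Parse a REGEDIT4 fragment and decode NoDriveTypeAutoRun.

Added example, not the forum's code. Bit n of NoDriveTypeAutoRun turns
AutoRun off for drive type n as numbered by Windows' GetDriveType:
0 unknown, 1 no root directory, 2 removable, 3 fixed, 4 remote,
5 CD-ROM, 6 RAM disk, 7 reserved. The 0xFF "before" mask is an
assumption used only for the comparison."""
import re

DRIVE_TYPES = {
    0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
    4: "remote", 5: "CD-ROM", 6: "RAM disk", 7: "reserved",
}

EXPLORER_POLICY_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
)

# The fragment from the post (NoDriveAutoRun written out as 8 hex digits).
AUTOFIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000095
"""

# The post's original fragment carried a 7-digit dword, so accept 1..8 digits
# rather than rejecting such lines outright.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT") or line.startswith(";"):
            continue                      # header, blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = int(m["hex"], 16)
    return keys


def disabled_drive_types(mask):
    """Drive types for which AutoRun is turned off under this mask."""
    return [DRIVE_TYPES[bit] for bit in range(8) if mask & (1 << bit)]


def re_enabled(before, after):
    """Drive types whose AutoRun comes back when the mask goes before -> after."""
    return [DRIVE_TYPES[bit] for bit in range(8) if (before & ~after) & (1 << bit)]


def autorun_change(reg_text, before_mask=0xFF):
    """Summarise what merging reg_text does, relative to an assumed prior mask."""
    after = parse_reg(reg_text)[EXPLORER_POLICY_KEY]["NoDriveTypeAutoRun"]
    return {
        "after_mask": after,
        "still_disabled": disabled_drive_types(after),
        "re_enabled": re_enabled(before_mask, after),
    }


if __name__ == "__main__":
    print(autorun_change(AUTOFIX_REG))
```

Decoding 0x95 shows the XP default still blocks AutoRun on unknown, removable, remote and reserved drive types; what comes back relative to an all-bits-set mask is fixed disks, CD-ROM, RAM disk and the "no root directory" type.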
  • edited March 2008
    That's done, everything is running OK now.
    Thank you very much for your help :D
  • edited March 2008
    Glad to be of assistance here. Be well.