
Runmgr.exe and host32.exe!!!

edited September 2008 in Spyware & Virus Removal
Hi, just registered. I've had this problem for like a week now. I've tried deleting runmgr.exe and host32.exe, but they somehow keep coming back!! Every time I connect to the net avast shows virus/trojans and stuff. My firewall has been disabled, and I lost my "folder options" and the ability to use "regedit". I found out how to re-enable the firewall, got my folder options back and can use regedit again, but it's still on here and I don't know what other damage they've done. :(

I don't know what to do anymore....:sad2: I tried Ad-aware, scanning for virus and my computer still isn't clean.

Comments

  • edited August 2008
    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.

    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. If you don't know, stop and ask! Don't keep going on.
    2. Please reply to this thread. Do not start a new topic.
    3. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those three things, everything should go smoothly :D

    Please note: your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe.



    Click here to download HJTinstall.exe
    • Save HJTinstall.exe to your desktop.
    • Double click on the HJTinstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\Hijack This.
    • Click I accept
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.




    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper



    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list of the programs installed on your computer.
    Click on the Save list button and specify where you would like to save this file.
    When you press the Save button, Notepad will open with the contents of that file.
    Simply copy and paste the contents of that Notepad window into your next post.
  • edited August 2008
    Hi, thanks for the help!! :)

    Don't know if this will make a difference, but some "winplug" virus/trojan seems to run as well when I connect to the net also.

    Here's the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:34:15 PM, on 8/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\TMController.exe
    C:\WINDOWS\system32\runmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TMController] C:\WINDOWS\system32\TMController.exe
    O4 - HKLM\..\Run: [runmgr] C:\WINDOWS\system32\runmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe
    O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

    --
    End of file - 5017 bytes


    And the ComboFix log:

    ComboFix 08-08-13.02 - OWNER 2008-08-13 22:14:42.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT -7:00]
    Running from: C:\Documents and Settings\OWNER\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\OWNER\Application Data\macromedia\Flash Player\#SharedObjects\MM3SR2FU\interclick.com
    C:\Documents and Settings\OWNER\Application Data\macromedia\Flash Player\#SharedObjects\MM3SR2FU\interclick.com\ud.sol
    C:\Documents and Settings\OWNER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\OWNER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\OWNER\Start Menu\Programs\Startup\DW_Start.lnk
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\BM4f526b84.txt
    C:\WINDOWS\BM4f526b84.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\AdCache
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\RCJjkUtv.ini
    C:\WINDOWS\system32\RCJjkUtv.ini2
    C:\WINDOWS\system32\yakufvxy.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_TNIDRIVER


    ((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
    .

    2008-08-13 22:19 . 2008-08-13 22:19 54,156 --ah C:\WINDOWS\QTFont.qfn
    2008-08-13 22:19 . 2008-08-13 22:19 1,409 --a C:\WINDOWS\QTFont.for
    2008-08-13 22:01 . 2008-08-13 22:01 <DIR> d C:\Program Files\Trend Micro
    2008-08-13 21:53 . 2008-08-13 21:53 34,610 --a C:\WINDOWS\system32\runmgr.exe
    2008-08-13 21:53 . 2008-08-13 21:54 34,610 --a C:\Documents and Settings\OWNER\runmgr.exe
    2008-07-26 17:17 . 2008-07-26 17:17 <DIR> d C:\Program Files\CF3B5
    2008-07-26 17:14 . 2008-07-26 17:15 <DIR> d C:\WINDOWS\system32\URTTemp
    2008-07-26 13:20 . 2008-06-13 06:10 272,128 C:\WINDOWS\system32\drivers\bthport.sys
    2008-07-26 13:20 . 2008-06-13 06:10 272,128 c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-14 05:16 d-----w C:\Program Files\PeerGuardian2
    2008-08-03 23:51 d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-08-03 23:47 d-----w C:\Documents and Settings\OWNER\Application Data\dvdcss
    2008-08-03 22:39 d-----w C:\Documents and Settings\OWNER\Application Data\U3
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 02:23 d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-07-07 00:59 d-----w C:\Program Files\Alwil Software
    2008-06-29 03:08 d-----w C:\Documents and Settings\OWNER\Application Data\ImgBurn
    2008-06-29 03:06 d-----w C:\Program Files\ImgBurn
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-04-13 21:29 24,192 ----a-w C:\Documents and Settings\OWNER\usbsermptxp.sys
    2008-04-13 21:29 22,768 ----a-w C:\Documents and Settings\OWNER\usbsermpt.sys
    2006-12-27 22:12 81,920 -c--a-w C:\Documents and Settings\OWNER\Application Data\ezpinst.exe
    2006-12-27 22:12 47,360 -c--a-w C:\Documents and Settings\OWNER\Application Data\pcouffin.sys
    2006-05-06 16:42 7,260,160 -c--a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:18 15360]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-09-15 01:52 393216]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 13:09 157592]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 15:52 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 15:48 118784]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
    "TMController"="C:\WINDOWS\system32\TMController.exe" [2006-09-20 12:14 188492]
    "runmgr"="C:\WINDOWS\system32\runmgr.exe" [2008-08-13 21:53 34610]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe [2007-08-13 18:52:49 237568]
    ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2007-08-18 16:22:31 475136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.CDVC"= cdvccodc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msncall.exe"=
    "C:\\Program Files\\ArcSoft\\TotalMedia\\TotalMedia.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
    R3 AV88BASE;Cx2388x Base Driver;C:\WINDOWS\system32\drivers\av88base.sys [2006-12-07 01:35]
    S3 Abpsrs;Abpsrs;C:\WINDOWS\system32\drivers\cbidf2k.sys [2004-08-12 06:17]
    S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
    S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;C:\WINDOWS\system32\Drivers\MayPro.sys [2006-05-05 17:24]
    S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\system32\DRIVERS\mqdmbus.sys [2006-07-13 13:58]
    S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\system32\DRIVERS\mqdmmdfl.sys [2006-07-13 14:02]
    S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\system32\DRIVERS\mqdmmdm.sys [2006-07-13 14:03]
    S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\system32\DRIVERS\mqdmserd.sys [2006-07-13 14:03]
    S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-08-17 14:43]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39fca5dd-3e75-11dd-bb39-e28d10443b29}]
    \Shell\Auto\command - D:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c970088-4b96-11dd-bb46-c2a583313d29}]
    \Shell\Auto\command - Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a56d4312-72fb-11dc-bad1-de22ae2ca529}]
    \Shell\Auto\command - D:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b70def19-66a4-11db-b933-0011114997de}]
    \Shell\Auto\command - F:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c75dc8c6-3294-11dd-bb2b-9b421c336729}]
    \Shell\Auto\command - D:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f751194e-09a0-11dd-baef-a72a197a3626}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f751194f-09a0-11dd-baef-a72a197a3626}]
    \Shell\Auto\command - H:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{3da984e4-eb9a-45da-a4b3-20de5e8049dc} - C:\WINDOWS\system32\qqsrncql.dll
    BHO-{613385A6-6522-453A-A097-0174DA148252} - C:\WINDOWS\system32\vtUkjJCR.dll
    HKLM-Run-{15-58-8B-B7-DW} - C:\WINDOWS\system32\vdTMP\bvre32.exe
    HKLM-Run-4c615818 - C:\WINDOWS\system32\yxvfukay.dll
    HKLM-Run-BM4f526b84 - C:\WINDOWS\system32\anyryxrq.dll
    HKLM-Run-RegistryMechanic - (no file)
    Notify-khfEWMgE - khfEWMgE.dll


    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\OWNER\Application Data\Mozilla\Firefox\Profiles\4rrrdxh8.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-13 22:19:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINDOWS\explorer.exe [1620] 0x81FE9020

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-13 22:23:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-14 05:23:09

    Pre-Run: 25,546,207,232 bytes free
    Post-Run: 25,513,095,168 bytes free

    198 --- E O F --- 2008-08-13 08:17:52

    EDIT: Forgot the programs one:

    2Wire Wireless Client
    Ad-Aware SE Professional
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop CS
    Adobe Reader 7.0.8
    Adobe Shockwave Player
    AnyDVD
    Apple Software Update
    ArcSoft TotalMedia
    Avanquest update
    avast! Antivirus
    CD/DVD-ROM Generator 1.20
    DVD Decrypter (Remove Only)
    Easy CD-DA Extractor 10
    Exact Audio Copy 0.95b4
    FTP Surfer
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    HP Imaging Device Functions 5.3
    HP Photosmart Essential
    HP PSC & OfficeJet 5.3.B
    HP Solution Center & Imaging Support Tools 5.3
    HP Update
    ImgBurn
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    iPod Access for Windows v2.9.2
    iPod for Windows 2006-03-23
    IsoBuster 1.9.1
    iTunes
    K-Lite Mega Codec Pack 1.61
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Motorola Driver Installation
    Motorola Phone Tools
    Mozilla Firefox (2.0.0.16)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Music NFO Builder v1.19
    Nintendo DS WIFI Max
    PeerGuardian 2.0
    PS3.ProxyServer
    QuickTime
    Registry Mechanic 6.0
    SBC Yahoo! DSL Home Networking Installer
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Sonic RecordNow! Deluxe
    SoundMAX
    Tag&Rename 3.2
    TigerGame PS/PS2 Game Controller Adapter
    TMController
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    VideoLAN VLC media player 0.8.6c
    Volume Logic Plug-in for Windows Media Player (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    Yahoo! Messenger
    ZyDAS IEEE 802.11 b+g Wireless LAN - USB


    I also have another computer with almost the same problem, but I'll say it's worse on the other one. I think it got transferred over the network or something, because this one was virus/trojan free until I connected it and got the same message of a virus in the temporary internet files.
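As an added example (not part of the thread, and not HijackThis or ComboFix code), here is a small Python triage script that does two of the checks a helper makes by eye on the logs above: it parses ComboFix's Run-key lines and flags an autostart whose binary sits under C:\WINDOWS but was written shortly before the scan (runmgr.exe, dated 21:53 against a 22:14 scan), and it parses the mountpoints2 blocks and flags removable-drive handlers that launch a Start.exe from the drive root. The sample lines are constructed from the logs quoted above; the seven-day age threshold and the Start.exe pattern are this example's own assumptions.

```python
"""Log triage for the HijackThis / ComboFix output quoted in this thread.

Added example: not part of the thread and not HijackThis or ComboFix code.
The sample lines are constructed from the logs the poster shared; the two
heuristics (recently written binary in a Windows system directory, and a
removable-drive handler that launches Start.exe) are this example's own.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: ComboFix "Reg Loading Points" lines as quoted above.
COMBOFIX_RUN_LINES = """\
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-12 06:18 15360]
"TMController"="C:\\WINDOWS\\system32\\TMController.exe" [2006-09-20 12:14 188492]
"runmgr"="C:\\WINDOWS\\system32\\runmgr.exe" [2008-08-13 21:53 34610]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe" [2006-10-30 10:36 256576]
""".splitlines()

# Constructed sample: two of the mountpoints2 blocks from the same log.
MOUNTPOINT_LINES = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{39fca5dd-3e75-11dd-bb39-e28d10443b29}]
\\Shell\\Auto\\command - D:\\Start.exe
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{f751194e-09a0-11dd-baef-a72a197a3626}]
\\Shell\\AutoRun\\command - G:\\LaunchU3.exe -a
""".splitlines()

# Scan start taken from the ComboFix header ("ComboFix 08-08-13.02 - OWNER 2008-08-13 22:14:42.1").
COMBOFIX_SCAN_TIME = datetime(2008, 8, 13, 22, 14)

RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
    r'\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)\]$')
KEY_RE = re.compile(r'^\[.*mountpoints2\\(\{[0-9a-f-]+\})\]$', re.I)
CMD_RE = re.compile(r'^\\Shell\\(Auto|AutoRun)\\command - (.+)$')
SYSTEM_DIRS = ("c:\\windows\\",)   # prefix match, so system32 is covered too


def parse_run_entries(lines):
    """Parse ComboFix Run-key lines into name, path, file timestamp and size."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "path": m["path"],
                            "stamp": datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M"),
                            "size": int(m["size"])})
    return entries


def recent_system_autostarts(entries, scan_time, max_age_days=7):
    """Names of autostarts whose binary lives under C:\\WINDOWS but was written
    within max_age_days of the scan. The other system32 autostarts on this
    XP SP2 box date from 2004-2006; a file that is 21 minutes old at scan
    time is the one a helper looks at first, and here that is runmgr."""
    cutoff = scan_time - timedelta(days=max_age_days)
    return [e["name"] for e in entries
            if e["path"].lower().startswith(SYSTEM_DIRS) and e["stamp"] >= cutoff]


def suspicious_mountpoints(lines):
    """(drive GUID, command) pairs for removable-drive handlers that launch a
    Start.exe from the drive root, directly or via ShellExec_RunDLL: the
    footprint a USB-spread infection leaves in mountpoints2, and the reason
    the helper asks for the flash drive to be plugged in during the scans.
    A vendor launcher such as LaunchU3.exe is left alone."""
    flagged, guid = [], None
    for line in lines:
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            guid = key.group(1)
            continue
        cmd = CMD_RE.match(line)
        if cmd is None or guid is None:
            continue
        command = cmd.group(2)
        if "ShellExec_RunDLL" in command or re.match(r"^[A-Z]:\\Start\.exe$", command, re.I):
            flagged.append((guid, command))
    return flagged


def triage(run_lines=COMBOFIX_RUN_LINES, mount_lines=MOUNTPOINT_LINES,
           scan_time=COMBOFIX_SCAN_TIME):
    """Run both checks and return what a helper would want to see at a glance."""
    return {
        "recent_system_autostarts": recent_system_autostarts(parse_run_entries(run_lines), scan_time),
        "suspicious_mountpoints": suspicious_mountpoints(mount_lines),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}:")
        for hit in hits:
            print(f"  {hit}")
```

Run against the full logs, the same two functions would also surface the second runmgr.exe copy in the OWNER profile and the other Start.exe handlers for drives D:, F: and H: listed in the ComboFix output.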
  • edited August 2008
    Let's concentrate on this machine first.
    Do you have a USB/flash drive?
    If so, please make sure it is inserted for all the following scans.


    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      DirLook::
      C:\Program Files\CF3B5
      
      File::
      C:\WINDOWS\system32\runmgr.exe
      C:\Documents and Settings\OWNER\runmgr.exe
      
      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "runmgr"=-
      
      
    • Save this as CFScript.txt and place it on your desktop.


      (screenshot: CFScriptb.gif)

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt




    Active Scan
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Please go to this site: ActiveScan
    • Click the Scan Now button
    • Follow the prompts to install the Active X if necessary
    • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
    • When the scan is finished, a report will be generated
    • Next to Scan Details click the small Save button and save the report to your desktop.
    • Please post the report in your reply.
  • edited August 2008
    here's the malwarebytes log:

    Malwarebytes' Anti-Malware 1.24
    Database version: 1053
    Windows 5.1.2600 Service Pack 2

    3:32:21 PM 8/14/2008
    mbam-log-8-14-2008 (15-32-21).txt

    Scan type: Full Scan (C:\|H:\|)
    Objects scanned: 65251
    Time elapsed: 48 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\DBReg (Adware.SoftMate) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\din3 (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\System Volume Information\_restore{44179BE7-E4EF-4175-9886-72A14B99F139}\RP158\A0134888.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{44179BE7-E4EF-4175-9886-72A14B99F139}\RP165\A0144058.exe (Adware.Insider) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hNF\srkawe3.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
    H:\Start.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


    and the combofix log:

    ComboFix 08-08-13.02 - Emilio 2008-08-14 14:28:05.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.264 [GMT -7:00]
    Running from: C:\Documents and Settings\Emilio\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Emilio\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\WINDOWS\system32\runmgr.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Emilio\runmgr.exe
    C:\WINDOWS\system32\runmgr.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
    .

    2008-08-13 22:01 . 2008-08-13 22:01 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-26 17:17 . 2008-07-26 17:17 <DIR> d-------- C:\Program Files\CF3B5
    2008-07-26 17:14 . 2008-07-26 17:15 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2008-07-26 13:20 . 2008-06-13 06:10 272,128 C:\WINDOWS\system32\drivers\bthport.sys
    2008-07-26 13:20 . 2008-06-13 06:10 272,128 c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-14 20:32 d-----w C:\Program Files\PeerGuardian2
    2008-08-03 23:51 d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-08-03 23:47 d-----w C:\Documents and Settings\Emilio\Application Data\dvdcss
    2008-08-03 22:39 d-----w C:\Documents and Settings\Emilio\Application Data\U3
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 02:23 d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-07-07 00:59 d-----w C:\Program Files\Alwil Software
    2008-06-29 03:08 d-----w C:\Documents and Settings\Emilio\Application Data\ImgBurn
    2008-06-29 03:06 d-----w C:\Program Files\ImgBurn
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-04-13 21:29 24,192 ----a-w C:\Documents and Settings\Emilio\usbsermptxp.sys
    2008-04-13 21:29 22,768 ----a-w C:\Documents and Settings\Emilio\usbsermpt.sys
    2006-12-27 22:12 81,920 -c--a-w C:\Documents and Settings\Emilio\Application Data\ezpinst.exe
    2006-12-27 22:12 47,360 -c--a-w C:\Documents and Settings\Emilio\Application Data\pcouffin.sys
    2006-05-06 16:42 7,260,160 -c--a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Program Files\CF3B5 ----

    2007-02-26 18:09 69632 --a------ C:\Program Files\CF3B5\PS3.ProxyServer\PS3.ProxyServer.GUI.exe
    2007-02-12 18:07 195 --a------ C:\Program Files\CF3B5\PS3.ProxyServer\PS3.ProxyServer.GUI.exe.config
    2007-01-04 22:00 45056 --a------ C:\Program Files\CF3B5\PS3.ProxyServer\AxInterop.SHDocVw.dll
    2007-01-04 22:00 131072 --a------ C:\Program Files\CF3B5\PS3.ProxyServer\Interop.SHDocVw.dll
    2006-05-08 15:19 8007680 --a------ C:\Program Files\CF3B5\PS3.ProxyServer\Microsoft.mshtml.dll


    ((((((((((((((((((((((((((((( snapshot@2008-08-13_22.22.49.64 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-14 21:21:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_548.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:18 15360]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-09-15 01:52 393216]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 13:09 157592]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 15:52 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 15:48 118784]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
    "TMController"="C:\WINDOWS\system32\TMController.exe" [2006-09-20 12:14 188492]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.CDVC"= cdvccodc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msncall.exe"=
    "C:\\Program Files\\ArcSoft\\TotalMedia\\TotalMedia.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
    R3 AV88BASE;Cx2388x Base Driver;C:\WINDOWS\system32\drivers\av88base.sys [2006-12-07 01:35]
    S3 Abpsrs;Abpsrs;C:\WINDOWS\system32\drivers\cbidf2k.sys [2004-08-12 06:17]
    S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 18:44]
    S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;C:\WINDOWS\system32\Drivers\MayPro.sys [2006-05-05 17:24]
    S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\system32\DRIVERS\mqdmbus.sys [2006-07-13 13:58]
    S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\system32\DRIVERS\mqdmmdfl.sys [2006-07-13 14:02]
    S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\system32\DRIVERS\mqdmmdm.sys [2006-07-13 14:03]
    S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\system32\DRIVERS\mqdmserd.sys [2006-07-13 14:03]
    S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-08-17 14:43]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39fca5dd-3e75-11dd-bb39-e28d10443b29}]
    \Shell\Auto\command - D:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a56d4312-72fb-11dc-bad1-de22ae2ca529}]
    \Shell\Auto\command - D:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b70def19-66a4-11db-b933-0011114997de}]
    \Shell\Auto\command - F:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c75dc8c6-3294-11dd-bb2b-9b421c336729}]
    \Shell\Auto\command - D:\Start.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-14 14:30:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-14 14:31:47
    ComboFix-quarantined-files.txt 2008-08-14 21:31:42
    ComboFix2.txt 2008-08-14 05:23:16

    Pre-Run: 23,655,948,288 bytes free
    Post-Run: 23,642,546,176 bytes free

    150 --- E O F --- 2008-08-13 08:17:52

    I'll post the active scan log when it's done scanning! :)
  • edited August 2008
    The scan seems to always halt at 90%. I scanned it 4 times already and it always halts at 90%
  • edited August 2008
    Kaspersky Online Scanner .
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on !
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • edited August 2008
    Here's the scan log:

    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, August 15, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, August 15, 2008 09:13:52
    Records in database: 1094713

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 49972
    Threat name: 9
    Infected objects: 10
    Suspicious objects: 0
    Duration of the scan: 02:33:01


    File name / Threat name / Threats count
    C:\QooBox\Quarantine\C\Documents and Settings\Emilio\runmgr.exe.vir Infected: Trojan-Spy.Win32.VB.aqe 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\runmgr.exe.vir Infected: Trojan-Spy.Win32.VB.aqe 1
    C:\Temp\nxSUbt99.exe Infected: Trojan-Downloader.Win32.Small.buy 1
    C:\Temp\nxSUbt99.exe Infected: Trojan-Downloader.Win32.Small.vhb 1
    C:\Temp\nxSUbt99.exe Infected: Trojan.Win32.Agent.lom 1
    C:\Temp\nxSUbt99.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
    C:\Temp\nxSUbt99.exe Infected: Trojan.NSIS.StartPage.d 1
    C:\Temp\nxSUbt99.exe Infected: Trojan.NSIS.StartPage.c 1
    D:\Start.exe Infected: Backdoor.Win32.VB.czs 1
    D:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\reg32.exe Infected: Trojan.Win32.Inject.ffv 1

    The selected area was scanned.
  • edited August 2008
    I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
    The infection is delivered by Backdoor.Win32.VB.czs
    It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
    IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

    We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

    The Decision Whether to ReFormat or Not should be based on:
    • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
    • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a Backdoor Trojan, the worst kind.

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
    • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
    • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
      Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    • Take any other steps you think appropriate for an attempted identity theft.

    While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
    Please let me know what you decide.
  • edited August 2008
    It seems it was on my iPod and USB drives. Is there a way to remove it from them?

    I'll be reformatting when I back up my data.
  • edited August 2008
    You need to look on your USB drives and IPod for a file called Start.exe and delete it.
    Make sure you have all Hidden and System files visible.

    Flash Disinfector by sUBs
    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:


    * Double-click Flash_Disinfector.exe to run it.
    * Follow any prompts that may appear.
    * Wait until the program has finished scanning, then please exit the program.
    The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


    Please restart your computer.



    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      File::
      F:\Start.exe
      D:\Start.exe
      C:\Temp\nxSUbt99.exe
      C:\Start.exe
      
      Registry::
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39fca5dd-3e75-11dd-bb39-e28d10443b29}]
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a56d4312-72fb-11dc-bad1-de22ae2ca529}]
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b70def19-66a4-11db-b933-0011114997de}]
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c75dc8c6-3294-11dd-bb2b-9b421c336729}]
      
      
    • Save this as CFScript.txt and place it on your desktop.


      [screenshot: CFScriptb.gif]


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
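    The MountPoints2 keys removed by the CFScript above are Windows' cached copy of the autorun.inf it read from each removable volume, one key per volume GUID, which is why they outlive the drive that carried them. The Python below is an added example written for this page, not part of the thread and not ComboFix or Flash Disinfector code. It parses the MountPoints2 excerpt from the ComboFix log posted earlier, lists what the cached entries would launch, regenerates the Registry:: section of the helper's script from them, and parses a constructed autorun.inf (the real file from this user's drives was never posted, so its contents are an assumption) to show which directives produce such entries.

```python
import re

# Sample input: the four MountPoints2 entries excerpted from the ComboFix log
# posted earlier in this thread. Windows caches each removable volume's
# autorun.inf under this key, indexed by volume GUID.
MOUNTPOINTS2_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39fca5dd-3e75-11dd-bb39-e28d10443b29}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a56d4312-72fb-11dc-bad1-de22ae2ca529}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b70def19-66a4-11db-b933-0011114997de}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c75dc8c6-3294-11dd-bb2b-9b421c336729}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
"""

# Constructed autorun.inf of the kind that produces the cached entries above
# (assumption: the actual file from this user's drives was never posted).
# shellexecute= is what Windows caches as Shell\AutoRun\command wrapped in
# RunDLL32 ShellExec_RunDLL; shell\Auto\command= is cached verbatim.
AUTORUN_INF = r"""[autorun]
open=Start.exe
shellexecute=Start.exe
shell\Auto=Auto
shell\Auto\command=Start.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\}))\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")


def parse_mountpoints2(text):
    """Return {guid: {"key": full_key, "verbs": {verb: command}}} from a ComboFix dump."""
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(2).lower()
            volumes[current] = {"key": m.group(1), "verbs": {}}
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            volumes[current]["verbs"][m.group(1)] = m.group(2)
    return volumes


def autorun_targets(volumes):
    """Basenames (lower-cased) of every program the cached entries would launch."""
    targets = set()
    for vol in volumes.values():
        for cmd in vol["verbs"].values():
            # For the RunDLL32 ShellExec_RunDLL wrapper the real target is the last token.
            targets.add(cmd.split()[-1].rsplit("\\", 1)[-1].lower())
    return targets


def parse_autorun_inf(text):
    """Return only the launch directives of an autorun.inf, keys lower-cased."""
    launch, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            launch[key] = value
    return launch


def cfscript_registry_section(volumes):
    """Registry:: section that removes every cached volume key, as in the helper's script."""
    lines = ["Registry::"]
    for vol in volumes.values():
        lines.append("[-" + vol["key"] + "]")
    return "\n".join(lines)


if __name__ == "__main__":
    vols = parse_mountpoints2(MOUNTPOINTS2_EXCERPT)
    print(len(vols), "cached volumes would launch:", sorted(autorun_targets(vols)))
    print(cfscript_registry_section(vols))
    print("autorun.inf launch directives:", parse_autorun_inf(AUTORUN_INF))
```

    Deleting the cached keys only removes the stale pointers; the drive itself still carries the autorun.inf and Start.exe until it is cleaned, which is why the helper asks for the removable drives to be plugged in when the tools run.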
  • edited August 2008
    If I deleted the Start.exe from my iPod and USB drives already, is the custom script still needed?
  • edited August 2008
    Yes, it stops the computer looking for the Start.exe file
  • edited August 2008
    If I do this will it still take effect even though I formatted and reinstalled, or would I have to do it over again?
  • edited August 2008
    This is just a temporary measure until you reformat.
    Once you have reformatted, the machine will not know to look for those files.

    If you want to post a log after the format, I will check to make sure you are clean.
  • edited August 2008
    Here is a check list of items that you will need for a reformat.


    1 - Backup Your Data
    Copy all your data to a separate drive, CD, DVD, etc.
    It may be a good idea to check the files that you backup with an online scanner, you don't want to be reinfected.
    http://www.kaspersky.com/virusscanner

    2 - Back Up Your Drivers
    Particularly important if your computer was not delivered with driver CDs

    Driver Genius Pro finds updates and backs up your drivers into an exe installer - very simple to re-install
    Or there's the free DriverMax from http://www.innovative-sol.com

    3 - Download Programs, Installers, and Updates
    Make sure you have all the programs you will need to re-install such as an Antivirus, a Firewall, and, if not included on the installation disk, Microsoft's Service Pack 2 for Windows XP.
    Take note of all the product keys and serial numbers. These may be on boxes, CDs, or in emails.

    4 - Make Sure You Can Get Back Online
    Check that you have modem drivers, set up instructions, and log-in details.

    5 - Boot From The Windows CD and Install
    Physically disconnect your internet cable between the computer and the modem/router
    If your computer isn't set to boot from CD, look for the option to enter the BIOS setup during startup - usually Del, F1 or F2
    In the BIOS, look for the option to change the order of boot devices
    Select the CD drive as the first option
    Save and exit

    6 - Reload Drivers
    Once the Windows installation is complete, re-load the drivers you saved in step 2 above

    7 - Install Security Programs
    Install your Antivirus, Firewall, and other security programs

    8 - Install Any Microsoft Updates
    Reconnect your computer to the internet and go to the Microsoft Updates site: http://update.microsoft.com/microsoftupdate
    Download and install any required updates

    9 - Install Any Programs
    Finally, install any programs you need to run

    If you have any questions, don't hesitate to ask.
  • edited August 2008
    Thanks for the help!! Finished one computer already and going on to the second one hopefully tomorrow. I'll post the virus scan logs when I finish with the 2nd one just to make sure every thing's ok! :)
  • edited August 2008
    Hi! It's me again. ... :( I keep getting this runmgr!!!:mad:

    I've formatted the computer twice already and it keeps coming back. I just now turned on pc everything was fine before, and then I get the same virus alert message like before. I then went to kaspersky and started the scan.

    Here's the KASPERSKY scan log:

    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, August 26, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, August 27, 2008 02:43:45
    Records in database: 1149792

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    F:\

    Scan statistics:
    Files scanned: 41058
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 01:34:14


    File name / Threat name / Threats count
    C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\reg32.exe Infected: Trojan.Win32.Inject.ffv 1

    The selected area was scanned.

    The Ethernet cord came out when it was around 90%, and when I re-inserted it I checked Task Manager and found out it was running.

    Here's the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:30 PM, on 8/26/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\Documents and Settings\Emilio\runmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\Documents and Settings\Emilio\runmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219380704953
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

    --
    End of file - 4989 bytes

    and malwarebytes log:

    Malwarebytes' Anti-Malware 1.25
    Database version: 1088
    Windows 5.1.2600 Service Pack 3

    10:42:46 PM 8/26/2008
    mbam-log-08-26-2008 (22-42-46).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 69598
    Time elapsed: 1 hour(s), 13 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
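    The logs in this post carry several indicators that a reviewer picks out by eye: a Run value with a generic name pointing at an executable sitting directly in the user profile root, six copies of that executable running at once, an executable inside a per-user RECYCLER folder, a dropper in C:\Temp, and an Active Setup component whose GUID contains non-hex characters (aax5, 81cx). The Python below is an added example written for this page, not the helper's tooling and not part of HijackThis, Malwarebytes or Kaspersky; it encodes those checks as heuristics and runs them over lines excerpted from the logs above (plus one constructed, well-formed Active Setup GUID for contrast, which is not from the thread).

```python
import re
from collections import Counter

# Sample input excerpted from the HijackThis and Kaspersky logs posted above.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Emilio\runmgr.exe
C:\Documents and Settings\Emilio\runmgr.exe
C:\Documents and Settings\Emilio\runmgr.exe
C:\Documents and Settings\Emilio\runmgr.exe
C:\Documents and Settings\Emilio\runmgr.exe
C:\Documents and Settings\Emilio\runmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\Documents and Settings\Emilio\runmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

SCANNER_PATHS = [
    r"C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\reg32.exe",  # Kaspersky
    r"C:\Temp\nxSUbt99.exe",                                                  # Kaspersky
    r"C:\WINDOWS\system32\ctfmon.exe",                                        # benign control
]

ACTIVE_SETUP_KEYS = [
    # From the Malwarebytes log: "aax5" and "81cx" are not hex digits.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}",
    # Constructed well-formed GUID for contrast (not from the thread).
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}",
]

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
IMAGE_RE = re.compile(r'"?(.+?\.(?:exe|dll|com|bat|scr))"?', re.I)
PROFILE_ROOT_RE = re.compile(r"^[A-Z]:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", re.I)
RECYCLER_RE = re.compile(r"\\RECYCLER\\S-1-5-[\d-]+\\[^\\]+\.exe$", re.I)
TEMP_RE = re.compile(r"(^[A-Z]:\\Temp\\|\\Local Settings\\Temp\\)", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


def parse_o4(line):
    """Split a HijackThis O4 line into hive, key, value name and the image path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, rest = m.groups()
    img = IMAGE_RE.match(rest)
    return {"hive": hive, "key": key, "name": name, "image": img.group(1) if img else rest}


def path_findings(path):
    """Reasons a file path looks like malware staging rather than an installed program."""
    reasons = []
    if PROFILE_ROOT_RE.match(path):
        reasons.append("executable directly in a user profile root")
    if RECYCLER_RE.search(path):
        reasons.append("executable inside a per-user RECYCLER bin")
    if TEMP_RE.search(path):
        reasons.append("executable in a temp directory")
    return reasons


def active_setup_findings(key):
    """Active Setup components run once per user at logon; a non-hex GUID is hand-made."""
    guid = key.rsplit("\\", 1)[-1]
    return [] if GUID_RE.match(guid) else ["malformed GUID " + guid + " (non-hex characters)"]


def duplicate_processes(log, threshold=2):
    """Images listed more than `threshold` times under 'Running processes:'."""
    counts, in_procs = Counter(), False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                break
            counts[line.lower()] += 1
    return {img: n for img, n in counts.items() if n > threshold}


def triage(hjt_log, scanner_paths=(), active_setup_keys=()):
    """Collect (item, reasons) pairs worth a second look; an empty list means nothing flagged."""
    findings = []
    for line in hjt_log.splitlines():
        entry = parse_o4(line)
        if entry and path_findings(entry["image"]):
            findings.append((line.strip(), path_findings(entry["image"])))
    for path in scanner_paths:
        if path_findings(path):
            findings.append((path, path_findings(path)))
    for key in active_setup_keys:
        if active_setup_findings(key):
            findings.append((key, active_setup_findings(key)))
    for img, n in duplicate_processes(hjt_log).items():
        findings.append((img, [str(n) + " copies running at once"]))
    return findings


if __name__ == "__main__":
    for item, reasons in triage(HJT_LOG, SCANNER_PATHS, ACTIVE_SETUP_KEYS):
        print(item)
        for r in reasons:
            print("   ->", r)
```

    These are triage heuristics, not a verdict: a location-based rule will also flag legitimate programs a user dropped into their profile, so each hit still needs the file itself looked at, as the helper does with the scanner reports.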
  • edited August 2008
    A couple of options,

    1) Something that you are backing up is infected
    2) You are using a Flash/USB device that is still infected
    3) You are doing a repair install rather than a full reformat/reinstall.
  • edited August 2008
    Katana wrote:
    A couple of options,

    1) Something that you are backing up is infected
    2) You are using a Flash/USB device that is still infected
    3) You are doing a repair install rather than a full reformat/reinstall.

    I'm sure I did everything right. I even deleted the partitions it had and recreated them. I'm sure nothing I backed up is infected, or else my other PC would have it too. I used the PC around 5 times, and I barely used the internet. I only used it to re-download my programs, and the first one was avast. It didn't have anything at the time until later, when I turned it on and connected it to the internet.
  • edited September 2008
    Make sure you have any USB/Flash drives inserted during all the following. (including your iPod)



    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper.




    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Trogan, London, UK
    edited September 2008
    Glad we could be of assistance! The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead (grin)