Hi Tampabelle,
Sorry it's taken me so long to get back to you - I went away for the weekend.
I looked for the file you said to delete but I couldn't find it at all. I carried out another AVG scan of the whole system and it looks completely clean except for an error on the boot sector. Ad-aware says it's completely clean as well but I'm not buying it - I've had this 'all clear' before and the infection comes straight back. Anyway, here are the logs. As far as I'm aware, this is the complete log file saved after the scan.
Logfile of HijackThis v1.99.1
Scan saved at 19:09:47, on 12/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\MY DOCUMENTS\MY ANTIVIRUS ANTISPY\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.c...ndex_first.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37350.cab

AVG (free edition) test results:
"Partition table (MBR)";"ok";"Quick checked"
"Boot sector of disk C:";"Reading error";"Error"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load";"";"Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit";"";"Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell";"";"Scanned"
"System registry exefile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\config\command";"";"Scanned"
"System registry batfile\shell\open\command";"";"Scanned"
"System registry cmdfile\shell\open\command";"";"Scanned"
"System registry comfile\shell\open\command";"";"Scanned"
"System registry piffile\shell\open\command";"";"Scanned"
"System registry giffile\shell\open\command";"";"Scanned"
"System registry htmlfile\shell\open\command";"";"Scanned"
"System registry htafile\shell\open\command";"";"Scanned"
"System registry jpegfile\shell\open\command";"";"Scanned"
"System registry txtfile\shell\open\command";"";"Scanned"
"System registry regfile\shell\open\command";"";"Scanned"
"System registry cplfile\shell\cplopen\command";"";"Scanned"
"System registry Word.Document.8\shell\open\command";"";"Scanned"
"System registry WordPad.Document.1\shell\open\command";"";"Scanned"
"C:\PROGRA~1\ACCESS~1\WORDPAD.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE";"ok";"Quick checked"
"C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE";"ok";"Quick checked"
"C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Money\System\Money Express.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\WkDetect.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkfud.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkssb.exe";"ok";"Quick checked"
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe";"ok";"Quick checked"
"C:\WINDOWS\NOTEPAD.EXE";"ok";"Quick checked"
"C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE";"ok";"Quick checked"
"C:\WINDOWS\REGEDIT.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL32.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ALiSndMg.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBOID.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBPRO.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\IRMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSHTA.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHIMGVW.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SSDPSRV.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\STIMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TFncKy.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\THotkey.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TPWRTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ZONELABS\vsmon.exe";"ok";"Quick checked"
"C:\WINDOWS\System32\Drivers\DCFSSVC.EXE";"ok";"Quick checked"
"C:\WINDOWS\System\Restore\STATEMGR.EXE";"ok";"Quick checked"
"C:\WINDOWS\TASKMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\kernel32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\wsock32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\user32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\shell32.dll";"ok";"Quick checked"
"A:\";"Cannot open; not checked!";"Not scanned"
"D:\";"Cannot open; not checked!";"Not scanned"
Personally, I can't make it out. I've hardly used this laptop for a while and just over a week ago it was clearly infected after the scans. Should I try to use this laptop more often so I can see if anything happens?
Thanks for your help once again, Tampabelle.
Dreadpiratedaz