Problems with Sality (Tanatos/Heur) [Solved]


  • This topic is locked

#16
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Lorca,

Pesky varmints, aren't they?

Well, let's see if you can run this and upload the file.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - App Paths, Reg - Desktop Components, Reg - Disabled MS Config Items, and File - Purity Scan.
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Under Rootkit Search change it to Yes
  • Check the box at the top-left beside Scan All Users
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

PS: To attach a file, do the following:

* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse to find the attachment file you want to upload, highlight the file by clicking once on it, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* On the left you will see an icon like a letter with a little green cross on it. Please click on that and it should upload to the thread.

Edited by emeraldnzl, 21 December 2008 - 09:20 PM.

  • 0



#17
Lorca

    Member

  • Topic Starter
  • 66 posts
I ran the scan, and attached the log!

Thanks for all your help!

Attached File  OTScanIt.Txt   211.33KB   215 downloads
  • 0

#18
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello Lorca,

Start OTScanIt. Copy/paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YY -> beip.exe -> %UserProfile%\Lokale Einstellungen\temp\beip.exe
YY -> kgklt.exe -> %UserProfile%\Lokale Einstellungen\temp\kgklt.exe
YY -> wincmtpm.exe -> %UserProfile%\Lokale Einstellungen\temp\wincmtpm.exe
YY -> winqvvnwu.exe -> %UserProfile%\Lokale Einstellungen\temp\winqvvnwu.exe
[Win32 Services - Safe List]
YY -> (avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Stopped] -> 
[Driver Services - Safe List]
YY -> (abp470n5) abp470n5 [Kernel | On_Demand | Running] -> 
YY -> (abp470n5) abp470n5 [Kernel | On_Demand | Running] -> 
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar mit Pop-Up-Blocker]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1078081533-73586283-725345543-1005\] > -> HKEY_USERS\S-1-5-21-1078081533-73586283-725345543-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar mit Pop-Up-Blocker]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}:Exec [HKLM] -> [Button: PartyPoker.com]
YN -> {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}: [HKLM] -> [Menu: PartyPoker.com]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}" [HKLM] -> [PartyPoker.com]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}" [HKLM] -> [PartyPoker.com]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ackq.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ackq.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ackq.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\apas.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\apas.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\apas.exe:*:Enabled:ipsec]
YY -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\beip.exe" -> C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\beip.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\beip.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\bvrq.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\bvrq.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\bvrq.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\daob.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\daob.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\daob.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\egiba.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\egiba.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\egiba.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\errajn.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\errajn.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\errajn.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ewtexa.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ewtexa.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ewtexa.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\hdomm.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\hdomm.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\hdomm.exe:*:Enabled:ipsec]
YY -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\kgklt.exe" -> C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\kgklt.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\kgklt.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mhjdwr.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mhjdwr.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mhjdwr.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mjin.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mjin.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mjin.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mpoaqo.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mpoaqo.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mpoaqo.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\nqgm.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\nqgm.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\nqgm.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\orec.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\orec.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\orec.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\qwlkqt.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\qwlkqt.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\qwlkqt.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\tlmvch.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\tlmvch.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\tlmvch.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\uodd.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\uodd.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\uodd.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\vvsfs.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\vvsfs.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\vvsfs.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbcbj.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbcbj.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbcbj.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbjaj.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbjaj.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbjaj.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbvolh.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbvolh.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbvolh.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winclvjlp.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winclvjlp.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winclvjlp.exe:*:Enabled:ipsec]
YY -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wincmtpm.exe" -> C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\wincmtpm.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wincmtpm.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\windxgsca.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\windxgsca.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\windxgsca.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfcjhy.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfcjhy.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfcjhy.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfyewam.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfyewam.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfyewam.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wingfiqav.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wingfiqav.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wingfiqav.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjlkxu.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjlkxu.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjlkxu.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjrmtx.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjrmtx.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjrmtx.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winlftn.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winlftn.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winlftn.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winmcdlo.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winmcdlo.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winmcdlo.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winnxuq.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winnxuq.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winnxuq.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winofthr.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winofthr.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winofthr.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqeqm.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqeqm.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqeqm.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqfrsop.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqfrsop.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqfrsop.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqqyvr.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqqyvr.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqqyvr.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winquiw.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winquiw.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winquiw.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintcvoc.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintcvoc.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintcvoc.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintmeck.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintmeck.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintmeck.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintyplw.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintyplw.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintyplw.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwbku.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwbku.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwbku.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwixb.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwixb.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwixb.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwlwxhg.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwlwxhg.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwlwxhg.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwyaieo.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwyaieo.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwyaieo.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxlofx.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxlofx.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxlofx.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxpxcw.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxpxcw.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxpxcw.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrkav.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrkav.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrkav.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrngi.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrngi.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrngi.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winykye.exe" -> C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winykye.exe [C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winykye.exe:*:Enabled:ipsec]
YN -> "C:\Programme\Java\jre1.6.0_07\bin\jucheck.exe" -> C:\Programme\Java\jre1.6.0_07\bin\jucheck.exe [C:\Programme\Java\jre1.6.0_07\bin\jucheck.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\system32\~.exe" -> C:\WINDOWS\system32\~.exe [C:\WINDOWS\system32\~.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\system32\CF18767.exe" -> C:\WINDOWS\system32\CF18767.exe [C:\WINDOWS\system32\CF18767.exe:*:Enabled:ipsec]
[Registry - Additional Scans - Safe List]
< App Paths [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
YN -> install.exe -> Reg Error: Value  does not exist or could not be read. [Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 90 Days]
NY -> avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys
NY -> avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys
NY -> avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys
NY -> incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm
NY -> miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg
NY -> microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg
NY -> avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg
NY -> Avg -> %SystemRoot%\System32\drivers\Avg
NY -> antivir_workstation_winu_en_h.exe -> %SystemDrive%\antivir_workstation_winu_en_h.exe
NY -> setupeng.exe -> %UserProfile%\Desktop\setupeng.exe
NY -> sed.exe -> %SystemRoot%\sed.exe
NY -> $AVG8.VAULT$ -> %SystemDrive%\$AVG8.VAULT$
NY -> avg8 -> %AllUsersProfile%\Anwendungsdaten\avg8
NY -> avg_free_stf_en_8_176a1399.exe -> %SystemDrive%\avg_free_stf_en_8_176a1399.exe
[Files/Folders - Modified Within 90 Days]
NY -> kgklt.exe -> %UserProfile%\Lokale Einstellungen\temp\kgklt.exe
NY -> wincmtpm.exe -> %UserProfile%\Lokale Einstellungen\temp\wincmtpm.exe
NY -> beip.exe -> %UserProfile%\Lokale Einstellungen\temp\beip.exe
NY -> avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys
NY -> avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys
NY -> incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm
NY -> avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys
NY -> microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg
NY -> avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg
NY -> miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg
NY -> antivir_workstation_winu_en_h.exe -> %SystemDrive%\antivir_workstation_winu_en_h.exe
NY -> setupeng.exe -> %UserProfile%\Desktop\setupeng.exe
NY -> wklnhst.dat -> %AppData%\wklnhst.dat
NY -> avg_free_stf_en_8_176a1399.exe -> %SystemDrive%\avg_free_stf_en_8_176a1399.exe
NY -> setupeng.exe -> %SystemDrive%\setupeng.exe
NY -> wklntsk1.dat -> %AllUsersProfile%\Anwendungsdaten\Microsoft\Works\wklntsk1.dat
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.
  • 0
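The firewall entries in the fix script above all carry value data of the form `path:*:Enabled:ipsec` under the `AuthorizedApplications\List` key. As an added example (not part of the original thread and not OTScanIt's own code), this Python script parses such report lines and flags enabled exceptions that point into a Temp directory or share one label across many executables. The sample lines, the threshold and the two heuristics are assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

# Constructed sample in the line layout of the fix script above. The user
# name and executable names are invented for this example.
SAMPLE_REPORT = r'''
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOKUME~1\User\LOKALE~1\Temp\abcd.exe" -> C:\DOKUME~1\User\LOKALE~1\Temp\abcd.exe [C:\DOKUME~1\User\LOKALE~1\Temp\abcd.exe:*:Enabled:ipsec]
YN -> "C:\DOKUME~1\User\LOKALE~1\Temp\winefgh.exe" -> C:\DOKUME~1\User\LOKALE~1\Temp\winefgh.exe [C:\DOKUME~1\User\LOKALE~1\Temp\winefgh.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\system32\zz.exe" -> C:\WINDOWS\system32\zz.exe [C:\WINDOWS\system32\zz.exe:*:Enabled:ipsec]
YN -> "C:\Programme\Example\updater.exe" -> C:\Programme\Example\updater.exe [C:\Programme\Example\updater.exe:LocalSubNet:Enabled:Example Updater]
YN -> "C:\Programme\Example\old.exe" -> C:\Programme\Example\old.exe [C:\Programme\Example\old.exe:*:Disabled:Old Tool]
'''


class Rule(NamedTuple):
    path: str      # executable the exception applies to
    scope: str     # "*" (any address), "LocalSubNet", or an address list
    enabled: bool
    name: str      # display label stored with the exception


# Value data sits in the trailing [...] and reads path:scope:state:name.
# The path itself contains a drive colon, so the path group is lazy and the
# fixed Enabled/Disabled token anchors where the path ends.
RULE_DATA = re.compile(
    r'\[(?P<path>.+?):(?P<scope>[^:\]]*):(?P<state>Enabled|Disabled)'
    r':(?P<name>[^\]]*)\]\s*$'
)
TEMP_DIR = re.compile(r'\\te?mp\\', re.IGNORECASE)
SHARED_LABEL_MIN = 3  # assumption: this many rules under one label is a cluster


def parse_rules(report: str) -> list[Rule]:
    """Extract firewall exceptions from report lines; other lines are skipped."""
    rules = []
    for line in report.splitlines():
        m = RULE_DATA.search(line)
        if m:
            rules.append(Rule(m['path'], m['scope'],
                              m['state'] == 'Enabled', m['name']))
    return rules


def triage(rules: list[Rule]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for enabled exceptions worth a closer look."""
    label_counts = Counter(r.name.lower() for r in rules if r.enabled)
    findings = []
    for r in rules:
        if not r.enabled:
            continue  # a disabled exception opens nothing
        reasons = []
        if TEMP_DIR.search(r.path):
            reasons.append('executable in a Temp directory')
        shared = label_counts[r.name.lower()]
        if shared >= SHARED_LABEL_MIN:
            reasons.append(f'label {r.name!r} shared by {shared} enabled rules')
        if not reasons:
            continue
        if r.scope == '*':
            # Supporting context only: many legitimate rules also use "*".
            reasons.append('open to any remote address')
        findings.append((r.path, reasons))
    return findings


if __name__ == '__main__':
    for path, reasons in triage(parse_rules(SAMPLE_REPORT)):
        print(path, '<-', '; '.join(reasons))
```
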

#19
Lorca

    Member

  • Topic Starter
  • 66 posts
All done!
(The fix took a while though, I almost thought it froze before it prompted me to restart!)

And about those weird .exe files in the TaskManager: The longer my computer is running, the more I have of them.
They all are random sequences of letters, with and without the "win-" prefix.
I usually end them as soon as I see them, but they just keep reappearing under different names!


Process Explorer.EXE killed successfully!
[Processes - Safe List]
No active process named beip.exe was found!
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\beip.exe not found.
No active process named kgklt.exe was found!
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\kgklt.exe not found.
No active process named wincmtpm.exe was found!
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\wincmtpm.exe not found.
No active process named winqvvnwu.exe was found!
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\winqvvnwu.exe not found.
[Win32 Services - Safe List]
Service avg8wd stopped successfully!
Service avg8wd deleted successfully!
File not found.
[Driver Services - Safe List]
Unable to stop service abp470n5!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5 deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_abp470n5\ scheduled to be deleted on reboot.
Unable to delete service abp470n5!
File not found.
Unable to stop service abp470n5!
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_abp470n5\ scheduled to be deleted on reboot.
Unable to delete service abp470n5!
File not found.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1078081533-73586283-725345543-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ackq.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\apas.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\beip.exe deleted successfully.
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\beip.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\bvrq.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\daob.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\egiba.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\errajn.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\ewtexa.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\hdomm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\kgklt.exe deleted successfully.
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\kgklt.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mhjdwr.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mjin.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\mpoaqo.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\nqgm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\orec.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\qwlkqt.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\tlmvch.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\uodd.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\vvsfs.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbcbj.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbjaj.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winbvolh.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winclvjlp.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wincmtpm.exe deleted successfully.
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\wincmtpm.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\windxgsca.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfcjhy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winfyewam.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wingfiqav.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjlkxu.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winjrmtx.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winlftn.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winmcdlo.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winnxuq.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winofthr.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqeqm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqfrsop.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winqqyvr.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winquiw.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintcvoc.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintmeck.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\wintyplw.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwbku.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwixb.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwlwxhg.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwyaieo.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxlofx.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxpxcw.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrkav.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winxrngi.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winykye.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Programme\Java\jre1.6.0_07\bin\jucheck.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\~.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\CF18767.exe deleted successfully.
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\install.exe\ deleted successfully.
[Files/Folders - Created Within 90 Days]
C:\WINDOWS\System32\drivers\avgtdix.sys moved successfully.
C:\WINDOWS\System32\drivers\avgldx86.sys moved successfully.
C:\WINDOWS\System32\drivers\avgmfx86.sys moved successfully.
C:\WINDOWS\System32\drivers\Avg\incavi.avm moved successfully.
C:\WINDOWS\System32\drivers\Avg\miniavi.avg moved successfully.
C:\WINDOWS\System32\drivers\Avg\microavi.avg moved successfully.
C:\WINDOWS\System32\drivers\Avg\avi7.avg moved successfully.
C:\WINDOWS\System32\drivers\Avg folder moved successfully.
C:\antivir_workstation_winu_en_h.exe moved successfully.
C:\Dokumente und Einstellungen\Ludwig\Desktop\setupeng.exe moved successfully.
C:\WINDOWS\sed.exe moved successfully.
C:\$AVG8.VAULT$ folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\update\prepare folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\update\backup folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\update folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\scanlogs folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\Log folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\emc\Queue\TEMP folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\emc\Queue\OUT folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\emc\Queue\ACTIVE folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\emc\Queue folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\emc\Log folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\emc folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\Cfg folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\AvgAm folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8\admincli folder moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\avg8 folder moved successfully.
C:\avg_free_stf_en_8_176a1399.exe moved successfully.
[Files/Folders - Modified Within 90 Days]
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\kgklt.exe not found!
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\wincmtpm.exe not found!
File C:\Dokumente und Einstellungen\Ludwig\Lokale Einstellungen\temp\beip.exe not found!
File C:\WINDOWS\System32\drivers\avgtdix.sys not found!
File C:\WINDOWS\System32\drivers\avgldx86.sys not found!
File C:\WINDOWS\System32\drivers\Avg\incavi.avm not found!
File C:\WINDOWS\System32\drivers\avgmfx86.sys not found!
File C:\WINDOWS\System32\drivers\Avg\microavi.avg not found!
File C:\WINDOWS\System32\drivers\Avg\avi7.avg not found!
File C:\WINDOWS\System32\drivers\Avg\miniavi.avg not found!
File C:\antivir_workstation_winu_en_h.exe not found!
File C:\Dokumente und Einstellungen\Ludwig\Desktop\setupeng.exe not found!
C:\Dokumente und Einstellungen\Ludwig\Anwendungsdaten\wklnhst.dat moved successfully.
File C:\avg_free_stf_en_8_176a1399.exe not found!
C:\setupeng.exe moved successfully.
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\Microsoft\Works\wklntsk1.dat moved successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.4.0 fix logfile created on 12222008_173414

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat not found!

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_abp470n5\ scheduled to be deleted on reboot.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:22, on 22.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online....w5_internet.htm
F2 - REG:system.ini: Shell=Explorer.exe ""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Programme\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Dokumente und Einstellungen\Ludwig\Desktop\OTScanIt2\OTScanIt2.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Programme\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: lxcz_device - Unknown owner - C:\WINDOWS\system32\lxczcoms.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Programme\PC Tools Firewall Plus\FWService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5163 bytes
  • 0

#20
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hi Lorca,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
When you return please post
  • Dr Web Cureit report
  • a new HijackThis log

  • 0

#21
Lorca


    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
I'm not able to download it. When I click on the link, a web page pops up, but I can't see a file.
When I right-click and save, a file starts (about 11,3MB), but at such a slow speed, the download
does not continue.

Maybe I can download it from somewhere else?
  • 0

#22
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
I wonder is your firewall getting in the way?

If you haven't already done so please disable your firewall and try again. :)
  • 0

#23
Lorca


    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
The firewall is off. Every time I try to start it up now, I get the error message I mentioned earlier.
("Error while unpacking program, code LP5. Please report to author.")

I tried to download it from download.com, but without success!
  • 0

#24
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

("Error while unpacking program, code LP5. Please report to author.")


I think this error means a corrupt file. It can be caused by a number of things. Malware can interfere, causing that error; sometimes a file gets corrupted in the download process, or it could be an old anti-virus residue.

The tool we really need to use on your computer is SDFix. Unfortunately, because of your problem with Safe Mode, we haven't been able to get there. Our next option was to get rid of sufficient malware to stop it interfering, then try and fix your Safe Mode problem. Hence OTScanIt and Dr Web CureIt.

Seeing that doesn't seem to be working, let's now have a go at seeing if we can fix some things in Windows to see if we can get to Safe Mode.

Please note that Dial-A-Fix is only for Windows 2000/XP.

Download Dial-a-fix and save it to your desktop.

Double click the Dial-a-fix zip file and extract it to a folder on your Desktop.

Follow the tutorial here

Come back and tell me how you get on.
  • 0

#25
Lorca


    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Hi emeraldnzl,

I used Dial-a-fix as outlined in the tutorial.
(When I first started it, it gave me another window
called "restrictive policies," which mentioned
the disabled task manager and registry tools. I chose not
to remove them.)

After I ran Dial-a-fix, I rebooted and tried the safe mode again,
but without success.

After that, I tried to download CureIt, but again, no success.

I know you did not mention another Hijack log, but here is one just in case:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53:21, on 22.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwqnkc.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winlpqvx.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winymmw.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online....w5_internet.htm
F2 - REG:system.ini: Shell=Explorer.exe ""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Programme\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: lxcz_device - Unknown owner - C:\WINDOWS\system32\lxczcoms.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4897 bytes
  • 0



#26
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

I used Dial-a-fix as outlined in the tutorial.
(When I first started it, it gave me another window
called "restrictive policies," which mentioned
the disabled task manager and registry tools. I chose not
to remove them.)


Should have thought of this earlier but this may well be why you can't boot into Safe Mode.

Are you in an office or university environment? Often administrators in these offices lock down computers on purpose.

Or perhaps you don't have administrative rights to that computer?

In either event you would need permission to allow us to make the necessary change to your machine.
  • 0

#27
Lorca


    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
No, I'm at home, and I'm the administrator, but I've heard that the virus takes away certain rights.
(Hence the "task manager was disabled by your administrator" error message, and so on.)
  • 0

#28
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

but I've heard that the virus takes away certain rights.


Yep, but we needed to make sure before we took action to fix it.

Now

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe ""
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: lxcz_device - Unknown owner - C:\WINDOWS\system32\lxczcoms.exe (file missing)


Close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Next

Reboot your computer and see if you can get into Safe Mode. If you can, proceed with the instructions for SDFix.
  • 0
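The triage behind the entries selected in post #28, together with the Temp-folder processes visible in the log in post #25, sketched as an added example that is not part of the original thread and not code from HijackThis or its authors. The function name `triage`, the category labels and the four heuristics are assumptions made for this illustration; the sample log is abridged from post #25.

```python
import re
from typing import List, Tuple

# Abridged from the HijackThis log in post #25 of this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winwqnkc.exe
C:\DOKUME~1\Ludwig\LOKALE~1\Temp\winlpqvx.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe ""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: lxcz_device - Unknown owner - C:\WINDOWS\system32\lxczcoms.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
"""

TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)   # ...\Temp\... or ...\tmp\...
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # "O23 - Service: ..."
POLICY = re.compile(r"\bDisable\w+=1\s*$")           # e.g. DisableRegedit=1


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, line) pairs for log lines worth a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # a blank line ends the process list
                in_processes = False
            elif TEMP_DIR.search(line):       # executable running out of a Temp folder
                findings.append(("process-in-temp", line))
            continue
        match = ENTRY.match(line)
        if not match:
            continue
        code, body = match.groups()
        if code == "F2" and "Shell=" in body:
            # Assumption: anything other than a bare Explorer.exe is worth review.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("shell-modified", line))
        elif code == "O7" and POLICY.search(body):
            findings.append(("policy-restriction", line))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append(("orphaned-service", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:20} {line}")
```

The output is a list of lines to review by hand, not a verdict: legitimate installers also run from Temp, and the O9 "(file missing)" entry is deliberately left unflagged, as it was in the thread.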

#29
Lorca


    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
I did the Hijack deletions, then tried the safe mode twice. No success.
  • 0

#30
emeraldnzl


    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Oh dear. :)

Please post another HijackThis log.

After that run OTScanIt2 again.

  • Double-click on OTScanIt2.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - App Paths, Reg - Desktop Components, and Reg - Disabled MS Config Items.
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Under Rootkit Search change it to Yes
  • Check the box at the top-left beside Scan All Users
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

PS: To attach a file, do the following:

* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse to find the attachment file you want to upload, highlight the file by clicking once on it, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* On the left you will see an icon like a letter with a little green cross on it. Please click on that and it should upload to the thread.
  • 0





