not responding
blockie
05-13-2007, 09:43 PM
WXP SP2
Frequently I get a "program not responding" error. Usually I can close the offending program and restart. Then it's OK.
I'm thinking of saving all my data, fdisking my HDD and starting anew, loading only the programs that are essential. Then start adding programs and testing after each addition. Does this sound like a good idea or is there something else I should try?
Bill
Budfred
05-13-2007, 10:29 PM
I would clear out all of your temp folders and caches, defrag the system and then see if you still have the problem... I would also look at how much RAM you are running to see if it is enough for WinXP...
Whyzman
05-14-2007, 12:00 AM
Following up on the RAM concept...You might want to have a look at System Information and see how much RAM you have available. It will also let you know how much RAM you have.
Start>Programs>Accessories>System Tools>System Information
[edit] LOL...that sounded a bit confusing... You will find the total RAM in your machine...and the total you currently have available... Does that make more sense?
blockie
05-14-2007, 02:29 PM
I would clear out all of your temp folders and caches, defrag the system and then see if you still have the problem... I would also look at how much RAM you are running to see if it is enough for WinXP...
My physical memory is 512MB
My available physical memory is 167MB
I am getting ready to clean up the disk. Defrag, temp folders, etc.
beninoS
05-14-2007, 02:56 PM
I suspect a corrupted or poorly written program running on your system. Have you tried any online virus scanners? You can run Trend Micro's HouseCall for free. Just a thought.
Here's some info on the memory issue if you think that is what's causing the problem.
Did you mean to say 512? 412 is an unusual amount of memory. Something else you can check is your paging file. You can increase the amount of "virtual memory" you have on your PC so that when your memory fills up, infrequently used data can be written to the hard drive. When your memory is full this can cause the PC to run slower, but it will prevent the software from locking up. I recommend setting the virtual memory to about double the amount of physical memory.
Right click on My Computer and click Properties. Click the "Advanced" tab and then click "Settings" under the "Performance" section. Click the "Advanced" tab. Under "Virtual memory" click the Change button if the total page file size displayed is less than what you want it to be.
blockie
05-14-2007, 03:14 PM
Ok. I changed the virtual memory to 1025, was 768.
Additionally, I just had a "program not responding" error. This occurred when I opened WordPerfect. The only other things running were my email program (IncrediMail) and my browser, IE6. This occurred before I changed memory.
Incidentally the HDD is heavily fragmented, 69%. It will take a long time to defrag, so I will wait until I am not using the computer for a while. Might even be tonight.
blockie
05-14-2007, 04:05 PM
Incidentally the HDD is heavily fragmented, 69%. It will take a long time to defrag, so I will wait until I am not using the computer for a while. Might even be tonight.
Have been trying to defrag using Diskeeper for two hours now. The thermometer scale goes to 12% and stays there. I waited two hours with no change. Finally stopped it.
Any ideas there?
Budfred
05-14-2007, 07:36 PM
It can work to defrag in Safe Mode... The other option is to disconnect from the internet completely and shut down all programs, including firewall and antivirus... Also make sure the screensaver is turned off... Be sure to reboot before reconnecting to the internet so that everything is loaded again...
Also, it would be a good idea to post a HijackThis log so we can look at what might be running that isn't needed and check for infections...
http://www.merijn.org/programs.php
To run HJT, extract it to a permanent folder such as one you create like C:\HJT or the Desktop. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log.
When the log window appears, right click to Copy it, open your browser and come here to Paste the entire log. Do not make any changes until it is checked since most items are either benign or essential to the computer. Make sure that WordWrap is turned off in Notepad and use as many posts as needed to paste it all here...
blockie
05-15-2007, 12:32 AM
I ran Trend Micro's HouseCall and got rid of any bad stuff, I hope. I removed "Diskeeper" and reinstalled. Defragged my HDD and am now patiently waiting for a few days to see if there is any improvement. Already I notice a speed increase.
Thank you all.
Bill
Budfred
05-15-2007, 12:35 AM
If HouseCall found malware, there is likely to be more... Again, I suggest posting a HJT log...
Also, any speed improvement you see would be optimal now, it will only get slower with time... If you are infected, it is likely to get slower quite quickly...
blockie
05-15-2007, 12:27 PM
OK Budfred, Here it is.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:23:38 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\William Lockie\Desktop\MAINT\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 4.0\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Freeze.com Helper - {D6A99B1F-FAB9-4FA5-9C9D-D0D0CF846C05} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Diskeeper.lnk = C:\Program Files\Executive Software\DiskeeperWorkstation\Diskeeper.msc
O4 - Global Startup: SpybotSD.lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175284717784
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175287807510
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 8991 bytes
Budfred
05-15-2007, 07:52 PM
You will probably see some more improvement if you fix these... Open a HJT scan and put checks by:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Freeze.com Helper - {D6A99B1F-FAB9-4FA5-9C9D-D0D0CF846C05} - (no file)
Close all open windows except HJT and press Fix checked...
Let me know if you see a difference... It may also be a good idea to run this:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...
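The checks Budfred made by eye on the log above can be written down as rules. The script below is an added example for this thread, not part of HijackThis and not any poster's code: it parses an excerpt of the posted log and reports search-setting overrides that point away from the default, Browser Helper Objects whose DLL is gone ("(no file)"), and ActiveX (O16/DPF) downloads from hosts outside a small allowlist. The allowlists are assumptions made for this example, and a "review" finding is a prompt to look, not a verdict that the entry is malicious.

```python
"""Triage helper for a HijackThis (HJT) log.

Added example for the thread above; it is not part of HijackThis and not
any poster's code. Allowlists are assumptions for this example only.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Freeze.com Helper - {D6A99B1F-FAB9-4FA5-9C9D-D0D0CF846C05} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175284717784
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)")
DPF_RE = re.compile(r"DPF: (\{[^}]+\}) \((.*?)\) - (.*)")
SVC_RE = re.compile(r"Service: (.*?) - (.*?) - (.*)")

# Assumed allowlists (hypothetical, chosen for this example only).
DEFAULT_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "go.microsoft.com"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.update.microsoft.com"}


@dataclass
class Entry:
    section: str          # HJT section code, e.g. "R1", "O2", "O16"
    body: str             # everything after "Rn - " / "On - "
    name: str = ""        # registry value, BHO/control/service name
    clsid: str = ""       # {GUID} for O2/O16 entries
    target: str = ""      # URL, DLL path or "(no file)"


def parse_hjt(text):
    """Split an HJT log into Entry records; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(section=m["sec"], body=m["body"])
        if e.section in ("R0", "R1"):
            key, sep, val = e.body.partition(" = ")
            e.name = (key if sep else e.body.rstrip(" =")).strip()
            e.target = val.strip()
        elif e.section == "O2" and (b := BHO_RE.match(e.body)):
            e.name, e.clsid, e.target = b.groups()
        elif e.section == "O16" and (d := DPF_RE.match(e.body)):
            e.clsid, e.name, e.target = d.groups()
        elif e.section == "O23" and (s := SVC_RE.match(e.body)):
            e.name, _vendor, e.target = s.groups()
        entries.append(e)
    return entries


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage(entries):
    """Return (kind, section, detail) tuples; kind is "orphan" or "review"."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and "search" in e.name.lower() and e.target:
            h = host_of(e.target)
            if h not in DEFAULT_SEARCH_HOSTS:
                findings.append(("review", e.section, f"search setting points at {h}"))
        elif e.section == "O2" and e.target == "(no file)":
            findings.append(("orphan", e.section, f"BHO {e.clsid} ({e.name}) has no DLL on disk"))
        elif e.section == "O16":
            h = host_of(e.target)
            if h not in TRUSTED_DPF_HOSTS:
                findings.append(("review", e.section, f"ActiveX control downloaded from {h}"))
    return findings


if __name__ == "__main__":
    for kind, section, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:7} {section:4} {detail}")
```

Run against the excerpt it reports the same three kinds of item Budfred picked out: the yahoo search overrides (review), the Freeze.com BHO with no file behind it (orphan), and a non-Microsoft ActiveX download (review). The Windows Update control and the ZoneAlarm service pass through untouched.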
blockie
05-15-2007, 10:26 PM
Here's the rest.
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll [2003-06-20 19:57]
{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}=C:\Program Files\E-Book Systems\FlipAlbum 4.0\FpLaunch.dll [2000-08-21 12:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{724d43a9-0d85-11d4-9908-00400523e39a}=C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-04-26 10:17]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AtiPTA"="atiptaxx.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"AtiPTA"="atiptaxx.exe" [])
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-04-26 10:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^sbc self support tool.lnk
C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ghoststarttrayapp
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\indexsearch
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\instantaccess
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft location finder
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\registerdrophandler
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunkist2k
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070515-165208-738
O2 - BHO: Freeze.com Helper - {D6A99B1F-FAB9-4FA5-9C9D-D0D0CF846C05} - (no file)
backup-20070515-165208-205
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
backup-20070515-165208-478
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
backup-20070515-165208-460
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
backup-20070515-165208-534
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
backup-20070515-165208-613
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
backup-20070515-165208-585
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-15 17:04:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-15 17:04:55
C:\ComboFix-quarantined-files.txt ... 2007-05-15 17:04
blockie
05-15-2007, 10:29 PM
The first part
"William Lockie" - 2007-05-15 16:55:34 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Download\ComboFix\"
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-15 ))))))))))))))))))))))))))))))))))
2007-05-14 13:15 <DIR> d-------- C:\DOCUME~1\WILLIA~1\.housecall6.6
2007-05-13 20:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-12 11:03 3,670,016 --a------ C:\DOCUME~1\WILLIA~1\ntuser.dat
2007-05-12 09:39 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\XnView
2007-05-12 09:36 <DIR> d-------- C:\Program Files\XnView
2007-05-11 15:40 184,320 --------- C:\WINDOWS\system32\ssce5332.dll
2007-05-11 12:43 <DIR> d-------- C:\WINDOWS\YourScreenSaverResources
2007-05-11 12:43 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\YourScreen
2007-05-06 15:26 <DIR> d-------- C:\Program Files\StartUp Organizer
2007-05-06 15:26 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\MetaProducts
2007-05-05 20:26 1,308,272 --a------ C:\WINDOWS\dummy.exe
2007-05-04 18:45 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\ScanSoft
2007-05-03 18:46 <DIR> d-------- C:\Program Files\IrfanView
2007-05-02 11:38 41 --------- C:\WINDOWS\system32\vcmlx32n.dll
2007-05-02 11:32 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\ACD Systems
2007-04-27 08:55 <DIR> d-------- C:\Program Files\RegistrySmart
2007-04-27 08:55 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\RegistrySmart
2007-04-26 12:20 <DIR> d-------- C:\Program Files\RJL Software, Inc
2007-04-25 19:05 <DIR> d-------- C:\Backup MyPC
2007-04-19 09:51 38,912 --------- C:\WINDOWS\system32\picn20.dll
2007-04-19 09:51 3,051,520 --------- C:\WINDOWS\UNNeroVision.exe
2007-04-19 09:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-04-19 09:49 3,051,520 --------- C:\WINDOWS\UNNMP.exe
2007-04-19 09:48 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2007-04-19 09:48 33,536 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2007-04-19 09:48 3,067,904 --------- C:\WINDOWS\NuNinst.exe
2007-04-19 09:48 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2007-04-19 09:48 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2007-04-19 09:48 <DIR> d-------- C:\WINDOWS\InCD
2007-04-19 09:46 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-04-19 09:46 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-04-19 09:45 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-04-19 09:45 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-04-19 09:45 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-04-19 09:45 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-04-19 09:45 155,648 --------- C:\WINDOWS\system32\NeroCheck.exe
2007-04-19 09:45 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2007-04-19 09:45 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-04-19 09:45 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-04-19 09:45 <DIR> d-------- C:\Program Files\Ahead
2007-04-17 15:44 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Ahead
2007-04-15 13:32 <DIR> d-------- C:\Program Files\Plextor
2007-04-15 11:44 <DIR> d-------- C:\Program Files\FxFoto
2007-04-15 11:44 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\FxFotoDB
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-15 08:32:56 512 ----a-w C:\ScanSectorLog.dat
2007-05-14 23:51:28 749 ----a-w C:\WINDOWS\PowerReg.dat
2007-05-13 23:06:04 -------- d-----w C:\Program Files\Calendar Creator 7.0
2007-05-08 16:30:27 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Corel
2007-05-05 05:00:29 27,262,976 ----a-w C:\VIRTPART.DAT
2007-05-05 03:16:57 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Help
2007-04-27 15:30:38 -------- d-----w C:\Program Files\IncrediMail
2007-04-12 18:45:15 -------- d-----w C:\Program Files\Belarc
2007-04-12 01:36:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-12 01:36:12 -------- d-----w C:\Program Files\Creative
2007-04-12 01:30:45 -------- d-----w C:\Program Files\hp deskjet 5550 series
2007-04-12 01:27:13 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-12 01:22:56 -------- d-----w C:\Program Files\Hp
2007-04-11 23:51:27 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-04-11 02:06:06 1,100 ------w C:\WINDOWS\system32\d3d8caps.dat
2007-04-08 20:26:49 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-04-04 15:10:40 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\DMCache
2007-04-03 20:09:04 -------- d-----w C:\Program Files\SiS7012
2007-04-03 19:47:44 -------- d-----w C:\Program Files\Microsoft Location Finder
2007-04-03 19:47:25 -------- d-----w C:\Program Files\Microsoft Streets & Trips
2007-04-01 21:15:29 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Roxio
2007-04-01 20:02:32 -------- d-----w C:\Program Files\Siber Systems
2007-03-31 20:56:26 -------- d-----w C:\Program Files\Common Files\Borland Shared
2007-03-31 20:55:21 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-31 20:55:13 -------- d-----w C:\Program Files\WordPerfect Office 12
2007-03-31 20:54:19 -------- d-----w C:\Program Files\Common Files\Corel
2007-03-31 20:38:40 -------- d-----w C:\Program Files\E-Book Systems
2007-03-31 20:36:05 2,272 ------w C:\WINDOWS\system32\w95inf16.dll
2007-03-31 20:36:04 4,608 ------w C:\WINDOWS\system32\w95inf32.dll
2007-03-31 20:35:21 -------- d-----w C:\Program Files\ArcSoft
2007-03-31 20:20:33 -------- d-----w C:\Program Files\Ulead Systems
2007-03-31 20:20:33 -------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-03-31 20:13:19 -------- d-----w C:\Program Files\QuickTime
2007-03-31 20:11:39 -------- d-----w C:\Program Files\Common Files\Canopus Shared
2007-03-31 20:11:34 -------- d-----w C:\Program Files\Canopus
2007-03-31 20:02:09 -------- d-----w C:\Program Files\Kodak
2007-03-31 20:00:51 -------- d-----w C:\Program Files\Common Files\Kodak
2007-03-31 18:33:16 -------- d-----w C:\Program Files\Avery Dennison
2007-03-31 02:54:06 -------- d-----w C:\Program Files\Messenger
2007-03-30 23:51:06 -------- d-----w C:\Program Files\VERITAS Software
2007-03-30 22:23:37 -------- d-----w C:\Program Files\Movie Maker
2007-03-30 22:20:30 -------- d-----w C:\Program Files\Windows NT
2007-03-30 19:46:37 -------- d-----w C:\Program Files\Microsoft Agent
2007-03-30 19:46:21 -------- d-----w C:\Program Files\TextBridge Pro 9.0
2007-03-30 19:46:19 -------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-03-30 19:32:12 -------- d-----w C:\Program Files\Executive Software
2007-03-30 19:20:33 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\MSN6
2007-03-30 00:53:31 -------- d-----w C:\Program Files\Symantec
2007-03-30 00:53:20 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Symantec
2007-03-30 00:53:19 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-30 00:48:05 -------- d-----w C:\Program Files\ScanSoft
2007-03-29 23:01:04 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Intuit
2007-03-29 23:00:43 -------- d-----w C:\Program Files\ItsDeductible2006
2007-03-29 23:00:26 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-03-29 22:58:43 -------- d-----w C:\Program Files\Common Files\Intuit
2007-03-29 22:57:41 -------- d-----w C:\Program Files\TurboTax
2007-03-29 22:57:27 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\InstallShield
2007-03-29 22:41:08 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Motive
2007-03-29 21:59:37 -------- d-----w C:\Program Files\Common Files\Motive
2007-03-29 21:59:35 -------- d-----w C:\Program Files\SBC Self Support Tool
2007-03-29 21:41:31 -------- d-----w C:\Program Files\Common Files\efax
2007-03-29 21:37:12 -------- d-----w C:\Program Files\Multimedia Card Reader
2007-03-29 20:40:20 -------- d-----w C:\Program Files\ACD Systems
2007-03-29 20:37:31 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Share-to-Web Upload Folder
2007-03-29 20:37:15 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-03-29 20:03:57 -------- d-----w C:\Program Files\Yahoo!
2007-03-29 19:49:11 -------- d-----w C:\Program Files\SBC
2007-03-29 19:47:31 -------- d-----w C:\Program Files\SBC Yahoo!
2007-03-29 19:13:09 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\VERITAS
2007-03-29 19:12:48 -------- d-----w C:\Program Files\Stomp
2007-03-29 17:14:02 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-29 17:13:29 0 --sha-r C:\MSDOS.SYS
2007-03-29 17:13:29 0 --sha-r C:\IO.SYS
2007-03-29 17:13:29 0 ----a-w C:\CONFIG.SYS
2007-03-29 17:13:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 17:11:42 -------- d-----w C:\Program Files\Online Services
2007-03-29 17:10:37 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-29 17:09:29 21,640 ------w C:\WINDOWS\system32\emptyregdb.dat
2007-03-29 17:09:06 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-29 17:08:53 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-29 08:56:00 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-29 08:55:53 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-17 13:43:01 292,864 ------w C:\WINDOWS\system32\winsrv.dll
2007-03-09 08:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe
2007-03-09 08:01:42 1,087,216 ------w C:\WINDOWS\system32\zpeng24.dll
2007-03-08 15:36:28 577,536 ------w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ------w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
2007-03-01 23:44:04 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-02-05 20:17:02 185,344 ------w C:\WINDOWS\system32\upnphost.dll
Budfred
05-16-2007, 01:11 AM
There is at least one file that I can't identify... Please find it and check Properties to see if it is a recognizable company... If it is not, post whatever you find here:
C:\WINDOWS\system32\vcmlx32n.dll
Use Windows Search to find it and used Advanced options to look in hidden/system folders...
Also, it would be a good idea to run this, just in case:
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
blockie
05-16-2007, 02:13 PM
There is at least one file that I can't identify... Please find it and check Properties to see if it is a recognizable company... If it is not, post whatever you find here:
C:\WINDOWS\system32\vcmlx32n.dll
The file is located in C:\windows\system32
Type: Application Extension
Opens with: Unknown Application
Size: 41 bytes
Created: May 2, 2007
I cannot remember what I may have installed on that date. Any way to check?
Other stuff in your post to follow.
Bill
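Budfred's triage steps above (check the file's Properties for a publisher, then hash it and submit it to an online scanner) can be done from a script. The following is an added example written for this page, not code from the thread or from any of the tools mentioned in it. It also makes one check the thread never states: every Windows executable starts with a 64-byte IMAGE_DOS_HEADER, so a 41-byte file, the size Bill reports, cannot be a loadable DLL at all, and an antivirus engine has no code in it to examine. The two inputs are constructed for the example: a 41-byte text file standing in for the unknown DLL, and a bare DOS-plus-PE header built in code (no sections, so a real loader would still reject it). The MD5 it prints is the same digest Jotti echoes back, which is how you confirm the scanner looked at the file you meant to send.

```python
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_DOS_HEADER_SIZE = 64   # every Windows executable starts with a 64-byte IMAGE_DOS_HEADER
IMAGE_FILE_DLL = 0x2000      # IMAGE_FILE_HEADER.Characteristics bit set on DLL images
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}


def triage_bytes(data):
    """Describe whether `data` is even a PE image before bothering a scanner with it.

    Returns the MD5 (the digest online scanners such as Jotti echo back, so the
    upload can be matched to the local file), the size, and, when the headers
    parse, the target machine, the DLL flag and the linker timestamp.
    """
    info = {
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        "is_pe": False,
        "is_dll": False,
        "machine": None,
        "link_time": None,
        "reasons": [],
    }
    if len(data) < IMAGE_DOS_HEADER_SIZE:
        info["reasons"].append("shorter than IMAGE_DOS_HEADER (64 bytes): Windows cannot load it")
        return info
    if data[:2] != b"MZ":
        info["reasons"].append("no MZ signature at offset 0")
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if e_lfanew + 24 > len(data):
        info["reasons"].append("e_lfanew points past the end of the file")
        return info
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        info["reasons"].append("no PE signature at e_lfanew")
        return info
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
    machine, _, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["is_pe"] = True
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    info["link_time"] = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return info


def triage_file(path):
    """Same check on a file on disk, e.g. C:\\WINDOWS\\system32\\vcmlx32n.dll."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


# Constructed sample 1: a 41-byte text file, the size Bill reports for vcmlx32n.dll.
PLACEHOLDER_41 = b"this is not a portable executable at all\n"


def build_minimal_pe_header(characteristics=0x2102, link_stamp=1173000000):
    """Constructed sample 2: DOS header + PE signature + file header only (88 bytes).

    Enough for the header checks above to pass; it has no sections, so a real
    loader would still reject it. 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
    """
    dos = bytearray(IMAGE_DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, IMAGE_DOS_HEADER_SIZE)   # e_lfanew: PE header follows at once
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, link_stamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + file_header


if __name__ == "__main__":
    for label, blob in (("41-byte placeholder", PLACEHOLDER_41),
                        ("minimal PE header", build_minimal_pe_header())):
        print(label, triage_bytes(blob))
```

Run `triage_file(r"C:\WINDOWS\system32\vcmlx32n.dll")` on the real file; the `reasons` list tells you whether a scanner verdict of "OK" means "clean" or merely "nothing here to scan", and the link timestamp gives a second date to set beside the May 2 creation date from Properties.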
blockie
05-16-2007, 03:22 PM
First part
Here is the report from SDFix. It is in two parts.
The HiJack log in the next post.
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Checking For Files with Hidden Attributes:
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com
blockie
05-16-2007, 03:23 PM
Second part
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\WINDOWS\system32\msvcp60.dll
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS
Finished
blockie
05-16-2007, 03:27 PM
HiJack log
This done with ALL windows closed.
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\WINDOWS\system32\msvcp60.dll
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS
Finished
Budfred
05-16-2007, 09:00 PM
You actually didn't post the HJT log... Try again...
For this:
C:\WINDOWS\system32\vcmlx32n.dll
Please go to Jotti's malware scan at http://virusscan.jotti.org/ and upload the file for scanning and post the results here.
blockie
05-16-2007, 10:43 PM
Hope I got it right this time!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:41:43 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Documents and Settings\William Lockie\Desktop\MAINT\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 4.0\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Diskeeper.lnk = C:\Program Files\Executive Software\DiskeeperWorkstation\Diskeeper.msc
O4 - Global Startup: SpybotSD.lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175284717784
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175287807510
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 7990 bytes
Budfred
05-17-2007, 12:29 AM
Your log looks okay... Did you get the Jotti results?? How is your system running??
It appears that you are not running an antivirus program and that is extremely dangerous... If so, we can discuss options when it looks like you are clean...
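Budfred reads the log above by eye: are the O4 startup entries and O23 services where they should be, who published them, is a security product visible. The same first pass can be scripted. What follows is an added example written for this page, not code from the thread, from HijackThis or from any product named in the log, and its rules are triage heuristics rather than verdicts: a startup entry with no path is resolved through the search path at logon, an 8.3 short name (`PROGRA~1`) hides the real folder until expanded, `RunServices` is a Windows 9x-era key, and a service HijackThis reports as "Unknown owner" has no publisher metadata. The input is the O4 and O23 lines from Bill's log plus one constructed O23 line (`examplesvc`, which is not on his machine) so the last rule has something to fire on. A flag is a reason to look, not a finding; YPCService, for instance, shows a vendor name and is listed only because of its short-name path.

```python
import re

# Sample input: O4 and O23 lines copied from the HijackThis log posted above, plus one
# constructed O23 line (examplesvc, not on this machine) so the "Unknown owner" rule has
# something to fire on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Diskeeper.lnk = C:\Program Files\Executive Software\DiskeeperWorkstation\Diskeeper.msc
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O23 - Service: Example Service (examplesvc) - Unknown owner - C:\WINDOWS\system32\examplesvc.exe
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<key>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def _program(cmd):
    """Reduce an O4 command to the program it launches."""
    if " = " in cmd:                    # Global Startup lines: 'foo.lnk = target'
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):             # quoted path: drop quotes and any arguments
        return cmd.split('"')[1]
    return cmd                          # unquoted: may still carry arguments


def parse_entries(lines):
    """Yield (section, name, vendor, program) for O4 and O23 lines; everything else is skipped."""
    for line in lines:
        m = O4_RE.match(line)
        if m:
            name = m.group("name") or m.group("cmd").split(" = ", 1)[0]
            yield ("O4 " + m.group("key"), name, None, _program(m.group("cmd")))
            continue
        m = O23_RE.match(line)
        if m:
            yield ("O23", m.group("name"), m.group("vendor"), m.group("path"))


def triage(lines):
    """Return (name, program, reason) for every entry that deserves a second look."""
    findings = []
    for section, name, vendor, program in parse_entries(lines):
        reasons = []
        if "\\" not in program:
            reasons.append("bare filename, located via the search path at logon: find the actual file")
        if "~" in program:
            reasons.append("8.3 short name: expand it and check the file's publisher")
        if section.endswith("RunServices"):
            reasons.append("RunServices is a Windows 9x-era key: find out which installer wrote it")
        if vendor == "Unknown owner":
            reasons.append("service binary carries no publisher information")
        findings.extend((name, program, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for name, program, reason in triage(SAMPLE_LOG):
        print(f"{name}: {program}\n    {reason}")
```

To use it on a saved log, pass `open("hijackthis.log").read().splitlines()` to `triage()`. Whatever it flags still needs the manual follow-up Budfred describes: locate the file, check its Properties, and submit the hash to a multi-engine scanner.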
blockie
05-17-2007, 12:59 AM
Your log looks okay... Did you get the Jotti results?? How is your system running??
It appears that you are not running an antivirus program and that is extremely dangerous... If so, we can discuss options when it looks like you are clean...
It seems to run a bit faster. But that response is subjective so will give it time. Have not had any "not responding" error the past couple of days.
Regarding the antivirus....I am using ZoneAlarm with the AV turned on.
Regarding the Jotti results. ...... I will do that in the morning and get it to you.
Now tell me what I have done with HJT, SDFix, Combofix and now Jotti. This stuff is Greek to me.
What do you think of me making a Norton Ghost backup of C: drive once all is clear?
Bill
blockie
05-17-2007, 01:08 AM
Jotti Results
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: vcmlx32n.dll
Status: OK
MD5 a432fa7cde6c0985d3bf4334c43f0cd4
Packers detected: -
Scanner results
Scan taken on 17 May 2007 04:03:33 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.
Statistics
Last file scanned at least one scanner reported something about: DQB.EXE (MD5: 09f5c73a4f440e03964241c723aa301b, size: 50008 bytes), detected by:
Scanner Malware name
A-Squared X
AntiVir TR/Spy.Viking.Gen
ArcaVir X
Avast Win32:Lineage-377
AVG Antivirus X
BitDefender Win32.Worm.Viking.IZ
ClamAV X
Dr.Web Win32.HLLW.Gavir.72
F-Prot Antivirus X
F-Secure Anti-Virus Worm.Win32.Viking.bx
Fortinet X
Kaspersky Anti-Virus Worm.Win32.Viking.bx
NOD32 probably a variant of Win32/Viking
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
VirusBuster X
VBA32 MalwareScope.Worm.Viking.5
Budfred
05-17-2007, 08:46 AM
It seems to run a bit faster. But that response is subjective so will give it time. Have not had any "not responding" error the past couple of days.
Regarding the antivirus....I am using ZoneAlarm with the AV turned on.
Regarding the Jotti results. ...... I will do that in the morning and get it to you.
Now tell me what I have done with HJT, SDFix, Combofix and now Jotti. This stuff is Greek to me.
What do you think of me making a Norton Ghost backup of C: drive once all is clear?
Bill
I think you need to double check that antivirus... Your log shows ZA firewall, but it doesn't indicate that the antivirus is running... Do you get regular notices of updates?? If not, it is probably turned off... If you are getting updates, I am surprised that it is not showing in the log...
I am not sure what that second issue is in the Jotti log... It seems to be in reference to a file: DQB.EXE
Did you also scan a file by that name?? If so, it appears that it is malware and it should be killed...
As for what you did with the scans and fixes, some were mainly to check and some would also fix malware if it was found... HJT fixes Registry entries and deletes some files... The only definitive issue found was the entries I asked you to fix with HJT....
Here is my prevention speech to help avoid future infection:
This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
http://forums.spywareinfo.com/index.php?showtopic=60955