Topic: Which files should i skip or delete?

[nalysha21]

Hi, i'm a newbie here... I've downloaded Kaspersky Internet Security 7.01 few days back and ran the 'Computer Protection Status'.  It has detected threats and prompted me to do the relevant actions however i'm not sure whether to skip or delete.  Here's the list:

1.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\780464DC.dll//CryptFF
2.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78070ED8.tmp//CryptFF
3.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\780A38D5.exe//CryptFF//stream//data0002
4.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP266\A0086512.exe//stream//data0002
5.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP266\A0086514.DLL
6.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090015.dll//CryptFF
7.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090016.exe//CryptFF//stream//data0002
8.   detected: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP295\A0090044.DLL//CryptFF
9.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP293\A0089983.DLL
10.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP293\A0089997.dll
11.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP293\A0090000.exe
12.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP293\A0090000.exe//stream//data0006
13.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090001.dll
14.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090002.dll
15.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090005.exe
16.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090005.exe//stream//data0006
17.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090030.DLL
18.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP295\A0090038.DLL
19.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP295\A0090046.DLL
20.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\system32\chszrs.dll
21.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\system32\winstlr32.exe
22.   detected: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\system32\winstlr32.exe//stream//data0006
23.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FD973B4.dll//CryptFF
24.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\780A38D5.exe//CryptFF
25.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\780A38D5.exe//CryptFF//stream//data0003
26.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP266\A0086512.exe//stream//data0003
27.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090014.dll//CryptFF
28.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090016.exe//CryptFF
29.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP294\A0090016.exe//CryptFF//stream//data0003
30.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP295\A0090043.DLL//CryptFF
31.   detected: adware not-a-virus:AdWare.Win32.VB.y   File: C:\WINDOWS\system32\~fdgrr.tmp
32.   detected: riskware Hidden data sending   Running process: C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
33.   detected: riskware Invader   Running process: c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe


Someone help me please   
Thank you.

[Samker]

Hi Nalysha21 & Welcome to SCF Portal.

Don't worry, it's look like you don't have some "hard" infection. For the start please first turn off system restore:

Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

After that you can delete (clean) all items except last two (32. and 33.).

That's answer for your question, but I'll suggest you also to make double check of your system 

Instruction:

1. Provide us all possible details related to yours problems / infection.

2. Run McAfee Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & McAfee Online Scan


We will wait your reply (with logs) and after that you will be sure is it your PC "clean".

Regards,

Samker

[Gerald309BCPCNet]

It might help to note security softwares (antivirus, antispyware) and what or how they remove threats presented to you.

1) Quarantine
2) Delete

The old "nobody's perfect" doesn't apply so much as "erring on the side of caution" does - in quality security software (antivirus, antispyware programs) which are known for virtually no 'false positives' (identifying valid applications, software, files, etc. as malware).

In antivirus, there is a possibility of recovering damaged files and so the Quarantine folder there assists this - although quality antivirus softwares have significantly sophisticated. A file in the Quarantine folder may give the ability to clean the file from the virus - or further to more sophisticated recoveries for more important documents and so on affected. Otherwise, detected known threats by quality antivirus programs are simply and safely deleted.

In antispyware it is more making sure a result is not a false positive - which is the heaviest usage of the antispyware Quarantine option. For spyware threats unsure of, the idea is to Quarantine a threat result as opposed to blindly deleting all results of a scan. This insures the security safety in navigating your computer and internet by disabling the threat contained in the Quarantine folder, disallowing it further interaction.

This then gives the ability to check out if it was found in a software installation that was bundled with adware or spyware. You can avoid the bad download again. Note in removing adware, sometimes the software will not work and sometimes it will. Adware is used to 'pay the bills' sometimes at the user's expense. After quarantining the suspected threat, you can then go back and try different softwares or other recently downloaded. If one of these no longer works - it is generally because the bundled adware has been disabled in the Quarantine folder. It is apparent this was the culprit of the adware generally and you uninstall that software or other for personal security browsing reasons. This is too common in adware bundled softwares generally at "free stuff" areas of downloads though they also occur as "drive by' installations on the net.

For deletion of spyware, the threat presented for quarantine or deletion can be reviewed as to whether it is software or the mentioned known threat. This should be easy enough in a quick search by name in a search engine for a known trusted software application or malware threat. Known threats are simply and safely deleted.

Always set a System Restore Point before changes to use for a System Restore to the point before changes.

gerald309bcpcnet webmaster bluecollarpc.net

[nalysha21]

Thank you Samker & Gerald309BCPCNet for the advises.

I've done the following accordingly:
- turn off system restore
- deleted the items except last two (32. Java and 33. Logitech)
- McAfee Online AntiVirus Scan didn't upload any dialogue box for more than 1hr so i ran the Trend Micro Housecall plus  Symantec Security Scan. Results attached in pdf file.
- Downloaded & run HijackThis.  Results attached in pdf file.

However i did not proceed any action for the scan results cos I'm not so sure.  I kept it idle/minimise.

Hope i did it correctly and do advise further instructions.

Thank you   


HJT log

hijackthis results
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:51 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\MALYNA~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Malyna Yunos\My Documents\DL\HijackThis.exe

R0 -HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 -HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 -HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program
Files\Outlook Express\msimn.exe"
O2 -BHO: Adobe PDF Reader Link Helper -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 -BHO: Lexmark Toolbar -{1017A80C-6F09-4548-A84D-EDD6AC9525F0} -C:\Program
Files\Lexmark Toolbar\toolband.dll
O2 -BHO: Skype add-on (mastermind) -{22BF413B-C6D2-4d91-82A9-A0F997BA588C} -
C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 -BHO: SSVHelper Class -{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -C:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O2 -BHO: (no name) -{7E853D72-626A-48EC-A868-BA8D5E23E045} -(no file)
O2 -BHO: Windows Live Sign-in Helper -{9030D464-4C02-4ABF-8ECC-5164760863C6} -
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 -BHO: Google Toolbar Helper -{AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O3 -Toolbar: Acer eDataSecurity Management -{5CBE3B7C-1E47-477e-A7DD-396DB0476E29}
-C:\WINDOWS\system32\eDStoolbar.dll
O3 -Toolbar: Lexmark Toolbar -{1017A80C-6F09-4548-A84D-EDD6AC9525F0} -C:\Program
Files\Lexmark Toolbar\toolband.dll
O3 -Toolbar: &Google -{2318C2B1-4965-11d4-9B18-009027A5CD4F} -c:\program
files\google\googletoolbar1.dll
O4 -HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 -HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 -HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 -HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 -HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil
/RemAdvDef /Migration32
O4 -HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 -HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
/SYNC
O4 -HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
/IMEName
O4 -HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe"
runtime -Delay
O4 -HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 -HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 -HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 -HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 -HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 -HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 -HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
bthprops.cpl,,BluetoothAuthenticationAgent
O4 -HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 -HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 -HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer
ePower Management.exe boot
O4 -HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 -HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering
Technology\eRecovery\Monitor.exe
O4 -HKLM\..\Run: [LogitechVideo[inspector]] C:\Program
Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 -HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe
/automation
O4 -HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering
Technology\eDataSecurity\eDSloader.exe
O4 -HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone
Charger\voip phone charger.exe"
O4 -HKLM\..\Run: [LXCRCATS] rundll32
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 -HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 -HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio
Shared\System\EngUtil.exe"
O4 -HKLM\..\Run: [ImInstaller_IncrediMail]
C:\DOCUME~1\MALYNA~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe
-startup -product IncrediMail -cluster 1
O4 -HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program
Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 -HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe
/QS
O4 -HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 -HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album
Starter Edition\3.2\Apps\apdproxy.exe"
O4 -HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader
8.0\Reader\Reader_sl.exe"
O4 -HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security
7.0\avp.exe"
O4 -HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 -HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony
Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 -HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 -HKCU\..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 -HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat
7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 -Global Startup: Bluetooth.lnk = ?
O8 -Extra context menu item: Add to Anti-Banner -C:\Program Files\Kaspersky
Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 -Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 -Extra context menu item: Send to &Bluetooth Device... -C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 -Extra button: (no name) -{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -C:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O9 -Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -C:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O9 -Extra button: Web Anti-Virus statistics -
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} -C:\Program Files\Kaspersky Lab\Kaspersky
Internet Security 7.0\SCIEPlgn.dll
O9 -Extra button: Skype -{77BF5300-1474-4EC7-9980-D32B190E9B07} -C:\Program
Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 -Extra button: Research -{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 -Extra button: (no name) -{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 -Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} -C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 -Extra button: Messenger -{FB5F1910-F110-11d2-BB9E-00C04F795683} -C:\Program
Files\Messenger\msmsgs.exe
O9 -Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} -C:\Program Files\Messenger\msmsgs.exe
O16 -DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control)
-http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 -DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.c
ab?1156735604234
O16 -DPF: {A672558F-A878-4D5A-A921-627C091CEB63} (Flatcast Producer 4.16) -
http://controls.flatcast-data.com/data/objects/NpFp41629.dll
O16 -DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) -
http://www.adobe.com/products/acrobat/nos/gp.cab
O16 -DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 -Protocol: skype4com -{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 -AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 -Service: Ati HotKey Poller -ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 -Service: Automatic LiveUpdate Scheduler -Symantec Corporation -C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 -Service: Kaspersky Internet Security 7.0 (AVP) -Kaspersky Lab -C:\Program
Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 -Service: AdminWorks Agent X6 (AWService) -Avocent Inc. -C:\Acer\Empowering
Technology\admServ.exe
O23 -Service: Bluetooth Service (btwdins) -Broadcom Corporation. -C:\Program
Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 -Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) -Unknown
owner -C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 -Service: CyberLink Task Scheduler (CTS) (CLSched) -Unknown owner -C:\Program
Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 -Service: Creative Service for CDROM Access -Creative Technology Ltd -
C:\WINDOWS\system32\CTsvcCDA.EXE
O23 -Service: CyberLink Media Library Service -Cyberlink -C:\Program
Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 -Service: Intel(R) PROSet/Wireless Event Log (EvtEng) -Intel Corporation -
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 -Service: Google Updater Service (gusvc) -Google -C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 -Service: InstallDriver Table Manager (IDriverT) -Macrovision Corporation -
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 -Service: LiveUpdate -Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 -Service: LiveUpdate Notice Service -Symantec Corporation -C:\Program
Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 -Service: Logitech Process Monitor (LVPrcSrv) -Logitech -c:\program
files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 -Service: lxcr_device --C:\WINDOWS\system32\lxcrcoms.exe
O23 -Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) -Intel
Corporation -C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 -Service: Cyberlink RichVideo Service(CRVS) (RichVideo) -Unknown owner -
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 -Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) -CACE
Technologies -C:\Program Files\WinPcap\rpcapd.exe
O23 -Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) -Intel
Corporation -C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 -Service: Symantec Core LC -Unknown owner -C:\Program Files\CommonFiles\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 -Desktop Component 0: (no name) -
http://www.slide.com/r/Ou04xl_Z7z85OmNQRMpBbrGRVbqrcdM0?view=original

End of file -14242 bytes



Symantec Security Scan Result

Scan Status:
Scan: 1
Start Scan: 04/11/08 10:00:19
Scan Targets: Running Processes;Entry Points;C:\:\
Virus Definitions: 04/10/08
Scan Count: 862345
Risks Found: 2
Risks resolved: 0
Risks unresolved: 2
Scan Time: 5977 sec
Complete Scan: 04/11/08 11:39:57

Resolved Threats:

Unresolved Threats:

Tracking Cookie
Virus ID: 4294909925
Risk: Low
Categories: Cookie
State: Unhandled

Cookie:
Cookie:malyna yunos@msnportal.112.2o7.net/
Cookie:malyna yunos@primedia.us.intellitxt.com/
Cookie:malyna yunos@ad.yieldmanager.com/
Cookie:malyna yunos@adsremote.scripps.com/
Cookie:malyna yunos@adopt.euroclick.com/
Cookie:malyna yunos@media.adrevolver.com/
Cookie:malyna yunos@hardwarezone.us.intellitxt.com/
Cookie:malyna yunos@perezhilton.us.intellitxt.com/
Cookie:malyna yunos@bigsoccer.us.intellitxt.com/
Cookie:malyna yunos@celebritywonder.us.intellitxt.com/

Scan Result

Infostealer.Bancos
Virus ID: 40050
Risk: High
Categories: Virus
State: Unhandled

Infection:
c:\windows\system32\brwsptnr.dll
Registry:

HKEY_USERS\S-1-5-21-1539978438-4064961459-143121428-1006\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN->iexplore.exe:1

Browser Cache



Nalysha, I was edited your post since we prefer to copy logs inside of post/replys. 


[attachment deleted by admin]

[attachment deleted by admin]

[Samker]

Ok Nalysha,

Please follow next instructions:

1. Uninstal your Symantec/Norton AV (traces) via Control Panel -> Ad Remove Programs ...

1. Download & Install Spybot Search & Destroy AntiSpyWare: http://scforum.info/index.php/topic,1138.0.html

2. Update the virus definitions (for both, Kaspersky & Spybot)
 
6. Run a full system scan and delete all the files detected (for both).

7. After that, please run another Online AV Scan, this time we choose Kaspersky ( http://scforum.info/index.php/topic,734.0.html )

8. Provide us also new logs HJT & Kaspersky

Regards,

Samker

[nalysha21]

thanks... will post it soon... Quite bz working these few days...

[nalysha21]

Hi,   Sorry for the late reply... 

I've deleted the files detected on Spybot Search & Destroy AntiSpyWare..Below is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:49 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\DOCUME~1\MALYNA~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Malyna Yunos\My Documents\DL\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\MALYNA~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail -cluster 1
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156735604234
O16 - DPF: {A672558F-A878-4D5A-A921-627C091CEB63} (Flatcast Producer 4.16) - http://controls.flatcast-data.com/data/objects/NpFp41629.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.slide.com/r/Ou04xl_Z7z85OmNQRMpBbrGRVbqrcdM0?view=original

--
End of file - 12211 bytes


and here's the Kaspersky log:

Scan Statistics:
   Total number of scanned objects: 122712
   Number of viruses found: 1
   Number of infected objects: 1   
           Number of suspicious objects: 0
   Duration of the scan process: 00:50:11

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SYSTEM   Object is locked   skipped
C:\WINDOWS\system32\config\SOFTWARE   Object is locked   skipped
C:\WINDOWS\system32\config\DEFAULT   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\ACEEvent.evt   Object is locked   skipped
C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
C:\WINDOWS\system32\drivers\fidbox.idx   Object is locked   skipped
C:\WINDOWS\system32\drivers\fidbox.dat   Object is locked   skipped
C:\WINDOWS\system32\drivers\fidbox2.idx   Object is locked   skipped
C:\WINDOWS\system32\drivers\fidbox2.dat   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\Temp\sqlite_1CEFRqshdVffxQ0   Object is locked   skipped
C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\wiaservc.log   Object is locked   skipped
C:\WINDOWS\wiadebug.log   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\49D04A78.def   Infected: not-a-virus:AdTool.Win32.Zango.b   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Temp\Perflib_Perfdata_bc4.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Temp\Perflib_Perfdata_a98.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Acer Arcade\Log\Trace20080420.log   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\Cache\_CACHE_MAP_   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\Cache\_CACHE_001_   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\Cache\_CACHE_002_   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Local Settings\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\Cache\_CACHE_003_   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\parent.lock   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\cert8.db   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\key3.db   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\history.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\formhistory.dat   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\search.sqlite   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\Application Data\Mozilla\Firefox\Profiles\x1qxuu4b.default\urlclassifier2.sqlite   Object is locked   skipped
C:\Documents and Settings\Malyna Yunos\UserData\index.dat   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll   Object is locked   skipped
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db   Object is locked   skipped

Scan process completed.

[Samker]

Hi,   Sorry for the late reply... 

No problem, we are always here to help you. 


First you will need to clean Quarantine folder of you're "old" Norton AV:

- Open: My Computer -> C:\ -> Documents and Settings -> All Users (now open Tools -> Folder Options -> View (find this option "Show hidden files and folders" turn on this option and click Ok).

- After that open: Application Data -> Symantec -> Norton AntiVirus -> Quarantine (delete everything you find there).

- When you finish this go again in Folder Options and turn of "Show Hidden files and folders"

After that please run again HJT, check this items and choose fix option:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\MALYNA~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail -cluster 1
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

After this fix your PC will be much faster, but we are not finish yet! 

When you finish all this, run again Kaspersky Online Scan & HJT and provide us new logs (please before running HJT turn off all possible programs).


cya later,

Samker