Free Tech Support from HelpwithPCs.com
Welcome to the HelpwithPCs.com Forum
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Mon Sep 01, 2008 10:12 pm
No, I wish to use this one. What it was is this was in my favs, and when I lost everything I typed in tech support in Google and back came that one, as in my favs this is tech support. Sorry about that, but this was the one I intended to use and wanted to use after being helped very well here before!
Again, my apologies, I will tell the other forum.
 |
Carolyn Moderator / Security
Joined: 19 Aug 2008 Posts: 475
Posted: Tue Sep 02, 2008 11:03 am
Hello,
Remove Poker programs
From your log I can see you've installed poker programs. A lot of poker programs are infected/can infect you with malware.
I would advise you to go to Add/Remove programs and uninstall your poker programs.
Here are links to some poker sites regarded as safe for your reference.
1. http://www.pokerstars.net/ - This is a free to use/play site with play money.
2. http://www.pokerstars.com/ - This is a free to use/play site with play money and real money.
---------------------------------------------------------------------------------------
Download and Run FixWareout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Please post the contents of the logfile C:\fixwareout\report.txt
----------------------------------------------------------------------------------------------------
Download and run F-Secure Blacklight
- Please download F-Secure Blacklight (fsbl.exe) from here
- Save into C:\ with a name of fsbl.exe
- Go to Start > Run
- Copy and paste the contents of the below codebox into the run box
Code:
C:\fsbl.exe /expert
- Click OK
- This will launch BlackLight
- Select I accept the agreement
- Click Next
- Click Scan
- Wait for the scan to finish
- Click on Next>
- Click Exit
- A logfile will have been created in the C:\ drive
- It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
- Use notepad to open that log
- Post the contents of that log as a reply to this topic.
-----------------------------------------------------------------------------------------------------
Please go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Please post this log in your next reply.
Please post the following:
- The fixwareout report
- The Blacklight log
- The Kaspersky log
- A fresh HijackThis log
_________________
Member of Alliance of Security Analysis Professionals™ and UNITE
I was trained to help others by Malware Removal University
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Tue Sep 02, 2008 4:34 pm
On to it now, be back with results. I cannot remove one poker site: I go to Add/Remove Programs, I click on Pacific Poker and then click Remove, but it comes back saying couldn't open INSTAL.LOG.FILE
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Tue Sep 02, 2008 5:11 pm
fixwareout.
Username "KARL" - 02/09/2008 17:29:57 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"AOL_Demo"="C:\\Applications\\Tool\\AOL Demo\\DSGDemo.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"SoundMan"="SOUNDMAN.EXE"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"eBayToolbar"="C:\\Program Files\\eBay\\eBay Toolbar2\\eBayTBDaemon.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Snapfire\\Corel Photo Downloader.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe -expressboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"SweetIM"="C:\\Program Files\\SweetIM\\Messenger\\SweetIM.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"zzz_ImInstaller_IncrediMail"="\"C:\\Documents and Settings\\KARL\\Local Settings\\Temp\\ImInstaller\\IncrediMail\\IncrediMail_Install.exe\" -startup -product IncrediMail "
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Power2GoExpress"=""
"MsnMsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"
"Magentic"="C:\\PROGRA~1\\Magentic\\bin\\Magentic.exe /c"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\repair\autoexec.nt missing
C:\WINDOWS\repair\Config.nt missing
~~~~~ End report ~~~~~
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Tue Sep 02, 2008 8:37 pm
blacklight log.
09/02/08 18:12:32 [Info]: BlackLight Engine 1.0.70 initialized
09/02/08 18:12:32 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/02/08 18:12:32 [Note]: 7019 4
09/02/08 18:12:32 [Note]: 7005 0
09/02/08 18:13:29 [Note]: 7006 0
09/02/08 18:13:29 [Note]: 7011 1632
09/02/08 18:13:29 [Note]: 7035 0
09/02/08 18:13:29 [Note]: 7026 0
09/02/08 18:13:29 [Note]: 7026 0
09/02/08 18:13:32 [Note]: FSRAW library version 1.7.1024
09/02/08 18:20:58 [Note]: 7007 0
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Wed Sep 03, 2008 2:13 pm
I think this is the Kaspersky log. My PC crashed, and when I put it back on I had this log on the desktop. If it isn't, let me know. Thank you.
#
# An unexpected error has been detected by Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x67a6878a, pid=2288, tid=4016
#
# Java VM: Java HotSpot(TM) Client VM (10.0-b23 mixed mode windows-x86)
# Problematic frame:
# C [Opera.dll+0x21878a]
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
--------------- T H R E A D ---------------
Current thread (0x08ba8c00): JavaThread "Finalizer" daemon [_thread_in_native, id=4016, stack(0x08e30000,0x08f30000)]
siginfo: ExceptionCode=0xc0000005, reading address 0x02b0d000
Registers:
EAX=0x02a1f430, EBX=0x028a4500, ECX=0x3ffc490c, EDX=0x00000000
ESP=0x08f2f864, EBP=0x08f2f86c, ESI=0x02b0d000, EDI=0x029920d4
EIP=0x67a6878a, EFLAGS=0x00010216
Stack: [0x08e30000,0x08f30000], sp=0x08f2f864, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [Opera.dll+0x21878a]
C [Opera.dll+0x2dcf6]
C [Opera.dll+0x7370c]
J com.opera.EcmaScriptObject.unref()V
J com.opera.JSObject.finalize()V
v ~BufferBlob::StubRoutines (1)
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
J com.opera.EcmaScriptObject.unProtect(Lcom/opera/CPointer;)V
J com.opera.EcmaScriptObject.unref()V
J com.opera.JSObject.finalize()V
v ~BufferBlob::StubRoutines (1)
J java.lang.ref.Finalizer.invokeFinalizeMethod(Ljava/lang/Object;)V
J java.lang.ref.Finalizer.runFinalizer()V
J java.lang.ref.Finalizer$FinalizerThread.run()V
v ~BufferBlob::StubRoutines (1)
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
0x09518000 JavaThread "AWT-EventQueue-7" [_thread_blocked, id=2632, stack(0x1b660000,0x1b760000)]
0x0cb53800 JavaThread "Thread-3556" [_thread_in_native, id=2864, stack(0x1b560000,0x1b660000)]
0x0cb8a800 JavaThread "AWT-EventQueue-6" [_thread_blocked, id=3976, stack(0x0f190000,0x0f290000)]
0x08b47400 JavaThread "Thread-3437" [_thread_blocked, id=3836, stack(0x0bb50000,0x0bc50000)]
0x0954e800 JavaThread "TimerQueue" daemon [_thread_blocked, id=3880, stack(0x0ca30000,0x0cb30000)]
0x09498800 JavaThread "Thread-3432" [_thread_blocked, id=3872, stack(0x0c4a0000,0x0c5a0000)]
0x09478000 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=4052, stack(0x0b940000,0x0ba40000)]
0x09476c00 JavaThread "AWT-Windows" daemon [_thread_in_native, id=4048, stack(0x0b840000,0x0b940000)]
0x09476000 JavaThread "AWT-Shutdown" [_thread_blocked, id=4044, stack(0x0b740000,0x0b840000)]
0x09472c00 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=4040, stack(0x0b640000,0x0b740000)]
0x08bca000 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=4032, stack(0x09230000,0x09330000)]
0x08bbc000 JavaThread "CompilerThread0" daemon [_thread_blocked, id=4028, stack(0x09130000,0x09230000)]
0x08bbac00 JavaThread "Attach Listener" daemon [_thread_blocked, id=4024, stack(0x09030000,0x09130000)]
0x08bba000 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=4020, stack(0x08f30000,0x09030000)]
=>0x08ba8c00 JavaThread "Finalizer" daemon [_thread_in_native, id=4016, stack(0x08e30000,0x08f30000)]
0x08ba8000 JavaThread "Reference Handler" daemon [_thread_blocked, id=4012, stack(0x08d30000,0x08e30000)]
0x00996c00 JavaThread "main" [_thread_in_native, id=2304, stack(0x00030000,0x00130000)]
Other Threads:
0x08ba3800 VMThread [stack: 0x08c30000,0x08d30000] [id=4008]
0x08bcb400 WatcherThread [stack: 0x09330000,0x09430000] [id=4036]
VM state:not at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: None
Heap
def new generation total 960K, used 116K [0x10010000, 0x10110000, 0x104f0000)
eden space 896K, 6% used [0x10010000, 0x1001e438, 0x100f0000)
from space 64K, 93% used [0x10100000, 0x1010eed0, 0x10110000)
to space 64K, 0% used [0x100f0000, 0x100f0000, 0x10100000)
tenured generation total 5020K, used 3530K [0x104f0000, 0x109d7000, 0x14010000)
the space 5020K, 70% used [0x104f0000, 0x10862a10, 0x10862c00, 0x109d7000)
compacting perm gen total 12288K, used 9768K [0x14010000, 0x14c10000, 0x18010000)
the space 12288K, 79% used [0x14010000, 0x1499a048, 0x1499a200, 0x14c10000)
No shared spaces configured.
Dynamic libraries:
0x00400000 - 0x0041b000 C:\Program Files\Opera\opera.exe
0x7c900000 - 0x7c9b0000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f5000 C:\WINDOWS\system32\kernel32.dll
0x7e410000 - 0x7e4a0000 C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f57000 C:\WINDOWS\system32\GDI32.dll
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f01000 C:\WINDOWS\system32\RPCRT4.dll
0x629c0000 - 0x629c9000 C:\WINDOWS\system32\LPK.DLL
0x74d90000 - 0x74dfb000 C:\WINDOWS\system32\USP10.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x48000000 - 0x48027000 C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x62000000 - 0x62080000 C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopResources_en_gb.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\system32\mswsock.dll
0x67850000 - 0x68038000 C:\Program Files\Opera\Opera.dll
0x763b0000 - 0x763f9000 C:\WINDOWS\system32\comdlg32.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x71ad0000 - 0x71ad9000 C:\WINDOWS\system32\WSOCK32.dll
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
0x10000000 - 0x10009000 C:\Program Files\SweetIM\Messenger\mgAdaptersProxy.dll
0x7c360000 - 0x7c3b6000 C:\Program Files\SweetIM\Messenger\MSVCR71.dll
0x74720000 - 0x7476b000 C:\WINDOWS\system32\MSCTF.dll
0x009f0000 - 0x009ff000 C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x76380000 - 0x76385000 C:\WINDOWS\system32\Msimg32.dll
0x77920000 - 0x77a13000 C:\WINDOWS\system32\SETUPAPI.dll
0x01a40000 - 0x01a60000 C:\Program Files\Opera\vxmplugin.dll
0x01a60000 - 0x01b47000 C:\Program Files\Opera\vxm.dll
0x01b50000 - 0x01b67000 C:\Program Files\Opera\xmlparse.dll
0x01b70000 - 0x01cd9000 C:\Program Files\Opera\vxmservices.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\appHelp.dll
0x76fd0000 - 0x7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 - 0x77115000 C:\WINDOWS\system32\COMRes.dll
0x77a20000 - 0x77a74000 C:\WINDOWS\System32\cscui.dll
0x76600000 - 0x7661d000 C:\WINDOWS\System32\CSCDLL.dll
0x031b0000 - 0x031d7000 C:\Program Files\IncrediMail\bin\B4ImApp.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x77a80000 - 0x77b14000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x03a80000 - 0x03b37000 C:\Program Files\Opera\ecictts.dll
0x03e50000 - 0x0400d000 C:\Program Files\Opera\ecienus.syn
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x05d90000 - 0x05da4000 C:\WINDOWS\system32\CavEmLSP.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x20000000 - 0x202c5000 C:\WINDOWS\system32\xpsp2res.dll
0x75e90000 - 0x75f40000 C:\WINDOWS\system32\SXS.DLL
0x6d7c0000 - 0x6da10000 C:\Program Files\Java\jre1.6.0_07\bin\client\jvm.dll
0x6d270000 - 0x6d278000 C:\Program Files\Java\jre1.6.0_07\bin\hpi.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x6d770000 - 0x6d77c000 C:\Program Files\Java\jre1.6.0_07\bin\verify.dll
0x6d310000 - 0x6d32f000 C:\Program Files\Java\jre1.6.0_07\bin\java.dll
0x6d7b0000 - 0x6d7bf000 C:\Program Files\Java\jre1.6.0_07\bin\zip.dll
0x6d000000 - 0x6d12e000 C:\Program Files\Java\jre1.6.0_07\bin\awt.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x73760000 - 0x737a9000 C:\WINDOWS\system32\ddraw.dll
0x73bc0000 - 0x73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
0x6d210000 - 0x6d263000 C:\Program Files\Java\jre1.6.0_07\bin\fontmanager.dll
0x74e30000 - 0x74e9c000 C:\WINDOWS\system32\RICHED20.DLL
0x6d570000 - 0x6d583000 C:\Program Files\Java\jre1.6.0_07\bin\net.dll
0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x6d590000 - 0x6d599000 C:\Program Files\Java\jre1.6.0_07\bin\nio.dll
0x0bfd0000 - 0x0c084000 C:\Documents and Settings\KARL\Local Settings\Temp\jkos-KARL\binaries\kosglue-7.0.25.0.dll
0x7c420000 - 0x7c4a7000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll
0x78130000 - 0x781cb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
0x78050000 - 0x78120000 C:\WINDOWS\system32\WININET.dll
0x0c090000 - 0x0c099000 C:\WINDOWS\system32\Normaliz.dll
0x78000000 - 0x78045000 C:\WINDOWS\system32\iertutil.dll
0x0f290000 - 0x0f2d7000 C:\Documents and Settings\KARL\Local Settings\Temp\jkos-KARL\binaries\kave.dll
0x0f2e0000 - 0x0f2ed000 C:\Documents and Settings\KARL\Local Settings\Temp\jkos-KARL\binaries\FSSync.dll
0x74980000 - 0x74a93000 C:\WINDOWS\system32\msxml3.dll
0x77690000 - 0x776b1000 C:\WINDOWS\system32\NTMARTA.DLL
0x71bf0000 - 0x71c03000 C:\WINDOWS\system32\SAMLIB.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x76d60000 - 0x76d79000 C:\WINDOWS\system32\IPHLPAPI.DLL
0x76d80000 - 0x76d9e000 C:\WINDOWS\system32\DHCPCSVC.DLL
0x77d00000 - 0x77d33000 C:\WINDOWS\system32\netman.dll
0x76d40000 - 0x76d58000 C:\WINDOWS\system32\MPRAPI.dll
0x77cc0000 - 0x77cf2000 C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000 - 0x76e35000 C:\WINDOWS\system32\adsldpc.dll
0x5b860000 - 0x5b8b4000 C:\WINDOWS\system32\NETAPI32.dll
0x76b20000 - 0x76b31000 C:\WINDOWS\system32\ATL.DLL
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
0x76400000 - 0x765a5000 C:\WINDOWS\system32\netshell.dll
0x76c00000 - 0x76c2e000 C:\WINDOWS\system32\credui.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x73030000 - 0x73040000 C:\WINDOWS\system32\WZCSAPI.DLL
0x7db10000 - 0x7db9a000 C:\WINDOWS\system32\WZCSvc.DLL
0x76d30000 - 0x76d34000 C:\WINDOWS\system32\WMI.dll
0x76f50000 - 0x76f58000 C:\WINDOWS\system32\WTSAPI32.dll
0x76360000 - 0x76370000 C:\WINDOWS\system32\WINSTA.dll
0x606b0000 - 0x607bd000 C:\WINDOWS\system32\ESENT.dll
VM Arguments:
jvm_args: abort exit -Xbootclasspath/p:C:\Program Files\Opera\Classes\Opera.jar;C:\Program Files\Opera\Program\Plugins;C:\Program Files\Mozilla Firefox\plugins;C:\Program Files\Opera\Program\Plugins\npds.zip;C:\Program Files\Java\jre1.6.0_07\lib\jaws.jar;C:\Program Files\Java\jre1.6.0_07\lib\plugin.jar -Djava.security.policy=C:\Program Files\Opera\Classes\Opera.policy -Dbrowser.opera.classpath=C:\Program Files\Opera\Classes\Opera.jar
java_command: <unknown>
Launcher Type: generic
Environment Variables:
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Opera
USERNAME=KARL
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
--------------- S Y S T E M ---------------
OS: Windows XP Build 2600 Service Pack 2
CPU:total 1 (1 cores per cpu, 1 threads per core) family 15 model 6 stepping 4, cmov, cx8, fxsr, mmx, sse, sse2, sse3
Memory: 4k page, physical 489904k(139136k free), swap 1146024k(560276k free)
vm_info: Java HotSpot(TM) Client VM (10.0-b23) for windows-x86 JRE (1.6.0_07-b06), built on Jun 10 2008 01:14:11 by "java_re" with MS VC++ 7.1
time: Tue Sep 02 23:17:58 2008
elapsed time: 1024 seconds
 |
Carolyn Moderator / Security
Joined: 19 Aug 2008 Posts: 475
Posted: Wed Sep 03, 2008 3:59 pm
Nope, that's not a Kaspersky log.
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Wed Sep 03, 2008 4:40 pm
Bear with me, it says that something is wrong with the java script, go online to fix this!!
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Wed Sep 03, 2008 5:12 pm
PC keeps crashing. When I turn it back on I have to start the Kaspersky scan again, but I get this message as well.
<www.kaspersky.com>
Starting Java applet has failed! Please go online to use this program.
 |
Carolyn Moderator / Security
Joined: 19 Aug 2008 Posts: 475
Posted: Wed Sep 03, 2008 5:19 pm
Forget the Kaspersky scan for now.
When the PC crashes, are there any error messages? Is it crashing during the Kaspersky scan?
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Wed Sep 03, 2008 6:16 pm
Yes, I believe it is during the scan, as I'm doing nothing else but browsing!
 |
Carolyn Moderator / Security
Joined: 19 Aug 2008 Posts: 475
Posted: Wed Sep 03, 2008 6:17 pm
Hi,
Backup Your Registry with ERUNT
- Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
- For version with the Installer:
Use the setup program to install ERUNT on your computer
- For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERUNT.exe
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.
After you complete the above steps, try to run the Kaspersky scan again. Let me know what happens. If there are any error messages, please write them down in detail and include that information in your next post.
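
The formatting rules given in the post above (REGEDIT4 as the very first line, a blank line at the end of the file) can be checked before Fix.reg is merged, along with which SecurityProviders entries the merge would drop. This is an added example, not part of the original post or of any tool named in it; the function names, the broken sample and the `example.dll` entry are constructed for illustration, and only the `"name"="string"` syntax used in the quote box is handled.

```python
import re

# [HKEY_...\sub\key] header, optionally with a leading '-' (key deletion).
KEY_RE = re.compile(r'^\[-?HKEY_[A-Z_]+(\\[^\]]+)?\]$')
# "name"="string data" or @="string data" (default value).
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)="((?:[^"\\]|\\.)*)"$')


def lint_reg(text):
    """Check a REGEDIT4 file (given as str) and parse its string values.

    Returns (problems, parsed); parsed maps key path -> {name: raw data}.
    """
    problems, parsed, current = [], {}, None
    lines = text.replace("\r\n", "\n").split("\n")

    # Rule from the post: nothing, not even a blank line, before REGEDIT4.
    if lines[0] != "REGEDIT4":
        problems.append("line 1 is not REGEDIT4")

    # Rule from the post: one blank line at the end. Assumption: this means
    # the last data line is newline-terminated, which Notepad displays as
    # an empty final line.
    if lines[-1] != "":
        problems.append("last line is not newline-terminated")

    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if KEY_RE.match(line):
            current = line[1:-1]
            parsed.setdefault(current, {})
        elif line.upper().startswith("HKEY_") or line.startswith("["):
            problems.append(f"line {number}: malformed key header (check the brackets)")
            current = None
        else:
            m = VALUE_RE.match(line)
            if not m:
                problems.append(f'line {number}: not a "name"="string" value')
            elif current is None:
                problems.append(f"line {number}: value appears before any valid key")
            else:
                name = m.group(1)
                name = name[1:-1] if name != "@" else name
                parsed[current][name] = m.group(2)  # data kept raw, not unescaped
    return problems, parsed


def provider_list(data):
    """Split a SecurityProviders string into lower-cased DLL names."""
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def dropped_by_merge(current_data, fix_data):
    """Entries in the machine's current value that are absent from the fix.

    Merging a .reg file replaces the whole value, so these are removed.
    """
    keep = set(provider_list(fix_data))
    return [p for p in provider_list(current_data) if p not in keep]


# Key and value as given in the post's quote box.
KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]"
VALUE = '"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"'

GOOD = "REGEDIT4\n\n" + KEY + "\n" + VALUE + "\n"
# Constructed broken variant: blank line before the header, key line
# missing its '[', and no newline after the last line.
BAD = "\nREGEDIT4\n" + KEY[1:] + "\n" + VALUE
# Constructed "current" registry value containing one extra entry.
CURRENT = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, example.dll"

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        problems, parsed = lint_reg(sample)
        print(label, "->", problems or "no problems")
    fix_data = lint_reg(GOOD)[1][KEY[1:-1]]["SecurityProviders"]
    print("removed by merge:", dropped_by_merge(CURRENT, fix_data))
```
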
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Wed Sep 03, 2008 6:20 pm
hijack log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:14, on 03/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] "C:\Documents and Settings\KARL\Local Settings\Temp\ImInstaller\IncrediMail\IncrediMail_Install.exe" -startup -product IncrediMail
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
--
End of file - 10151 bytes
 |
Carolyn Moderator / Security
Joined: 19 Aug 2008 Posts: 475
Posted: Wed Sep 03, 2008 7:39 pm
Please let me know if you are able to run the Kaspersky online scan or if you are getting any errors/crashing.
 |
karl111 Senior Member
Joined: 04 Mar 2008 Posts: 197
Posted: Wed Sep 03, 2008 8:31 pm
Just this one: just after it d/ls and I click scan, this pops up.
<www.kaspersky.com>
Starting Java applet has failed! Please go online to use this program.
That's in a pop-up.
Under d/loading and installing is this.
Please wait until the program's applet has been loaded, and a Java plug-in security warning message has appeared. If you click Cancel, you'll need to close the Kaspersky Online Scanner 7.0 window and open it again to continue installation.
Starting Java applet has failed! Please go online to use this program.
© Copyright 2006-2009 helpwithpcs.com