Help... multiple viruses found!

I’ve got the below viruses on my computer. They’re in the chest, but something is still weird with my computer. It’s running really really slow and it keeps trying to sign online by itself ALL the time.
Anyhow, what do I do now? ???

Virus has been detected!
File Name: awttq.dll
FileID: 7
Virus Description: Win32:Virtumonde-BD [Adw]
C:\WINDOWS\system32

Virus has been detected!
File Name: k11u72.exe
FileID: 6
Virus Description: Win32:VB-TGS [Trj]
C:\Program Files\poolsv

Virus has been detected!
File Name: k11u72[1].exe
FileID: 5
Virus Description: Win32:VB-TGS [Trj]
C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IES\CD2JS…

Virus has been detected!
File Name: retadpu77.exe
FileID: 4
Virus Description: Win32:Agent-HKJ [Trj]
C:\WINDOWS

Leave them in the chest, there is a special tool to deal with the Virtumonde malware.

VIRTUMONDE - Vundo Fix - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html
Download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from “Click the
Scan for Vundo button.” when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

Below is an example of a Vundo infection, though there are many different filenames.

O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll

I ran the VundoFix, it found something but it couldn’t be deleted so it had to do it on reboot. Although it never produced a log, I’m not sure why. I then rebooted my computer again and I started getting virus warnings like crazy, I just couldn’t keep up with it! Then I tried signing online (I have dial-up) and it won’t let me. I just keep getting various error messages. I’m pretty sure that has something to do with this virus. Not sure what to do considering I can’t get online with that computer.

The log will be C:\Vundofix.txt

Here’s the log:

VundoFix V6.5.4

Checking Java version…

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:50:05 AM 7/10/2007

Listing files found while scanning…

C:\windows\system32\jkkllkj.dll

Beginning removal…

Attempting to delete C:\windows\system32\jkkllkj.dll
C:\windows\system32\jkkllkj.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal…

Attempting to delete C:\windows\system32\jkkllkj.dll
C:\windows\system32\jkkllkj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version…

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 9:17:21 AM 7/10/2007

Listing files found while scanning…

No infected files were found.

VundoFix V6.5.4

Checking Java version…

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:41:10 AM 7/10/2007

Listing files found while scanning…

No infected files were found.

Beginning removal…

:frowning:

Hi tryan21,

Please download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

After posting the ComboFix log Click here to download HJTsetup.exe

- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialog box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


EDIT:
Forgot to ask you to download/install the latest version of Java which you can get here

http://filehippo.com/download_java_runtime/

When installation is complete, open Add/Remove Programs in the Control Panel and uninstall any versions of Java older than the one you just downloaded. You have an exploitable version and the update process will not remove it automatically.

here’s the combofix log:
“Tara & Paul” - 2007-07-13 16:19:52 - ComboFix 07-07-13.8 - Service Pack 2, v.2096 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\poolsv
C:\Program Files\poolsv\is67389.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\svhost
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe

((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))

2007-07-13 15:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 10:56 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NetZero
2007-07-12 12:18 d-------- C:\Program Files\NetZero
2007-07-10 08:50 d-------- C:\VundoFix Backups
2007-07-04 09:24 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-06-30 19:26 d-------- C:\WINDOWS\SxsCaPendDel

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 17:56:18 -------- d-----w C:\Program Files\Connection Wizard
2007-07-04 16:13:17 -------- d-----w C:\Program Files\mobile PhoneTools
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{52706EF7-D7A2-49AD-A615-E903858CF284}]
2005-06-27 17:06 175560 --a------ C:\Program Files\NetZero\qsacc\X1IEBHO.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 15:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-04 09:24 126976 --a------ C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 08:42]
“WatchDog”=“C:\Program Files\mobile PhoneTools\WatchDog.exe” [2004-08-14 04:42]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” [2006-11-09 15:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NetZero_uoltray”=“C:\Program Files\NetZero\exec.exe” [2005-06-28 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
“untd_recovery”=“C:\Program Files\NetZero\qsacc\x1exec.exe”

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
“MySpaceIM”=C:\Program Files\MySpace\IM\MySpaceIM.exe


catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 16:23:10
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


Completion time: 2007-07-13 16:24:50
C:\ComboFix-quarantined-files.txt … 2007-07-13 16:24

--- E O F ---

hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:11 PM, on 7/13/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”
O4 - HKCU..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKUS\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘Default user’)
O8 - Extra context menu item: Display All Images with Full Quality - “res://C:\Program Files\NetZero\qsacc\appres.dll/228”
O8 - Extra context menu item: Display Image with Full Quality - “res://C:\Program Files\NetZero\qsacc\appres.dll/227”
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.java.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


End of file - 4832 bytes

I’m not an expert on HijackThis… But you can check the automatic analysis of your HijackThis log here.

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

  1. If you don’t recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you’re sure it’s a malware item, you can remove it as posted below.

  2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button ‘Fix checked’.

Hope it helps.

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

You need to update Sun Java as the version you are running is out of date. Get the latest version; once you have done this, uninstall all older versions from Control Panel > Add/Remove Programs.
http://www.java.com/en/download/index.jsp

You don’t appear to have an active firewall, or it is disabled or you are using XP’s firewall; this is essential for your security. What is your firewall?

Redundant BHO entry
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

Adware - Must be fixed! xmlhelper.dll - Parasite detected by Kaspersky, http://www.kaspersky.com/ antivirus as not-a-virus:AdWare.Win32.Agent.db
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
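A triage pass over HijackThis O2 (BHO) and O20 (Winlogon Notify) lines like the ones called out above, as an added example that is not part of the original thread or of any tool mentioned in it. The reason labels and the "DLL sitting directly in the Windows directory" heuristic are assumptions made for illustration; they mark entries for manual review and are not verdicts.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: the O2 lines from the HijackThis log posted in this
# thread, followed by the two Vundo example lines quoted earlier in it.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
"""

# The CLSID in the middle anchors the split, so names containing hyphens
# ("Popup-Blocker Class") are still captured whole.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Assumption: a browser or logon hook DLL placed directly in one of these
# directories, rather than in a vendor folder, deserves a manual look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Entry:
    section: str          # "O2" or "O20"
    name: str
    clsid: str            # empty for O20 lines, which carry no CLSID
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for an O2/O20 line, or None for anything else."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["clsid"].upper(), m["path"])
    m = O20_RE.match(line)
    if m:
        return Entry("O20", m["name"], "", m["path"])
    return None


def triage(log_text):
    """Parse every O2/O20 line and attach review reasons to each entry."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.name == "(no name)":
            entry.reasons.append("unnamed")
        if entry.path == "(no file)":
            # Registry entry left behind after its DLL was removed.
            entry.reasons.append("orphaned")
        elif ntpath.normcase(ntpath.dirname(entry.path)) in SYSTEM_DIRS:
            # ntpath gives Windows path semantics on any analysis host.
            entry.reasons.append("loose-in-windir")
        entries.append(entry)
    return entries


def flagged(log_text):
    """Only the entries that picked up at least one review reason."""
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<3} {', '.join(e.reasons):<28} {e.path}  {e.clsid}")
```
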

There were a couple backdoor trojans there and I’ll want to check a little further to make sure everything is gone.

First, open HJT again and click to Do a System Scan Only. When the scan is finished place a check mark next to these lines

O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll

O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

Make sure all other windows are closed, including your browser, and click Fix Checked.

Now download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\xhelper.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next, download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back on

Also, make sure to get those old versions of Java uninstalled.

File/Folder C:\WINDOWS\xhelper.dll not found.

Created on 07/15/2007 13:14:33

It’s OK that the file was not found. When we fix an O2 line in HJT it will attempt to delete the file as well as the registry entry. The file deletion isn’t always successful so I wanted to double check that it was truly gone.

Don’t forget to run SDFix when you have a chance.

I have uninstalled all old versions of java. I cannot update though because I can’t get online with that computer. And the only computer that I can get online with doesn’t have a CD burner, so all I’m working with is floppy. Also, about the firewall, I’m using XP’s firewall and it says it’s enabled.

Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back on

This will not work. It gets to the screen that says starting repairs then the screen goes black. I then have to restart my computer because it won’t do anything. What am I doing wrong? ???

Download LSPFix and bring it to the computer we’re working on

http://cexx.org/lspfix.htm

If you can fit the uncompressed (exe) version use that as it will run from the floppy. Otherwise use the zip file and uncompress it on the C: drive. The program is pretty straightforward - it will either tell you there were no problems found or list fixes in the Remove pane. If it does find problems clicking the Finish button runs the fix and might restore your internet connection. Let me know if this helps.

I’m not sure why SDFix is not functioning but boot into normal mode and see if any log was produced (c:\rapport.txt). Even if repairs were not made, there may be helpful information in the log if one was created.

There is no log under c:\rapport.txt
When I ran LSPFix it said “no problems found”.
I can now get online so something I did along the way must have helped.
Now, the problem I have is that I can’t update Java. I keep getting the following error messages:

Windows Installer
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

Error – Java™ Update
Unable to launch the Java™ Update installer: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

We’ll take care of installing the new Java a little later - it probably just needs to be downloaded again. The important thing is the exploitable version is gone now.

How is the computer acting now that it’s back on the internet?

Instead of SDFix, let’s take a close look at what’s going on.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
  - Non-Microsoft only
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Copy/Paste the information in your next response and I will review it. This log will be quite long and will require several posts to fit everything.

WinPFind3 logfile created on: 7/17/2007 11:17:50 AM
WinPFind3U by OldTimer - Version 1.0.39 Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)

127.53 Mb Total Physical Memory | 56.52 Mb Available Physical Memory | 44.32% Memory free
307.45 Mb Paging File | 161.02 Mb Available in Paging File | 52.37% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 6.00 Gb Total Space | 2.82 Gb Free Space | 47.06% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: TARA_PAUL
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 9:04:38 AM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 8:42:40 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 8:41:28 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 8:29:56 AM | Attr = ]
exec.exe → %ProgramFiles%\NetZero\exec.exe → NetZero [Ver = 4, 3, 0, 0 | Size = 768000 bytes | Modified Date = 6/28/2005 12:11:48 PM | Attr = ]
exec.exe → %ProgramFiles%\NetZero\exec.exe → NetZero [Ver = 4, 3, 0, 0 | Size = 768000 bytes | Modified Date = 6/28/2005 12:11:48 PM | Attr = ]
jusched.exe → %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 11/9/2006 3:07:30 PM | Attr = ]
lexbces.exe → %System32%\LEXBCES.EXE → Lexmark International, Inc. [Ver = 8.16 | Size = 303104 bytes | Modified Date = 2/24/2003 10:52:00 PM | Attr = ]
lexpps.exe → %System32%\LEXPPS.EXE → Lexmark International, Inc. [Ver = 8.16 | Size = 174592 bytes | Modified Date = 2/24/2003 10:50:00 PM | Attr = ]
nzspc.exe → %ProgramFiles%\NZSearch\nzspc.exe → United Online, Inc. [Ver = 2.2.05 | Size = 311362 bytes | Modified Date = 7/10/2006 11:00:52 PM | Attr = ]
watchdog.exe → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 45056 bytes | Modified Date = 8/14/2004 4:42:20 AM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr = ]
x1exec.exe → %ProgramFiles%\NetZero\qsacc\X1Exec.exe → NetZero, Inc. [Ver = 3.6.00 | Size = 241664 bytes | Modified Date = 6/27/2005 5:06:14 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 8:29:56 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 8:42:40 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 9:04:38 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 8:41:28 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe → Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/3/2007 8:03:56 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] → %System32%\LEXBCES.EXE → Lexmark International, Inc. [Ver = 8.16 | Size = 303104 bytes | Modified Date = 2/24/2003 10:52:00 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Adobe Reader Speed Launcher → %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe → Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr = ]
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 11/9/2006 3:07:30 PM | Attr = ]
WatchDog → %ProgramFiles%\mobile PhoneTools\WatchDog.exe → [Ver = | Size = 45056 bytes | Modified Date = 8/14/2004 4:42:20 AM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
NetZero_uoltray → %ProgramFiles%\NetZero\exec.exe → NetZero [Ver = 4, 3, 0, 0 | Size = 768000 bytes | Modified Date = 6/28/2005 12:11:48 PM | Attr = ]
spc_w → %ProgramFiles%\NZSearch\nzspc.exe → United Online, Inc. [Ver = 2.2.05 | Size = 311362 bytes | Modified Date = 7/10/2006 11:00:52 PM | Attr = ]
< RunOnce [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce →
untd_recovery → %ProgramFiles%\NetZero\qsacc\X1Exec.exe → NetZero, Inc. [Ver = 3.6.00 | Size = 241664 bytes | Modified Date = 6/27/2005 5:06:14 PM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 36 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun → ÿÿÿÿ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
< HOSTS File > (734 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →
< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome