PC Crashing in Normal Mode


alexcraw
11-27-2006, 10:32 AM
Having found a PC I was asked to clean in a terrible state, I gave it the full treatment of all the tools I could get my hands on. There was Winantivirus Pro 2006 (still showing as an independent icon in the Control Panel in Safe Mode), multiple DLL error messages and the major problem of the PC crashing after about a minute or two whilst in Normal Mode. I followed this procedure and ran the following progs:

Installed Antivirus and Firewall
Turned off System Restore
Booted into Safe Mode
Ran CCleaner
Ran AVG Scan
Ran Stinger
Ran Spybot
Ran Adaware
Ran CWShredder
Ran Trojan Hunter
Ran VX2 Cleaner
Ran WinSockFix
Ran Virtumundobegone (Nothing Found! - Exciting!!!! hmmm)
Ran fixdxc.reg (which removed Deluxe Communications)

I am now left with the following HJT log, which was obtained in Safe Mode as I still get the PC crashing constantly whilst in Normal Mode. Also, whilst in Normal Mode, I put in my flash drive and it does not appear. Is there a driver problem?

I would appreciate any help available. Many thanks.

Alex



Logfile of HijackThis v1.99.1
Scan saved at 15:12:10, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137183239\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~2\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0v\aoltray.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

DynamicTech
11-27-2006, 02:33 PM
Try opening Start >> Run, type in prefetch. Select all files from this folder and delete them.
Then Start >> Run, type in msconfig, disable all start-up programs and reboot.
Post the results.

alexcraw
11-28-2006, 09:17 AM
Thanks for the reply. I tried the above steps and rebooted into Safe Mode. I still get MSN Messenger starting and appearing on screen. The computer also turned itself off after a couple of minutes again. I tried to change the name of HJT to scan.exe while in Safe Mode and ran the scan; it came out with this log.


Logfile of HijackThis v1.99.1
Scan saved at 14:23:12, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\scan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks

Alex
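
A small triage helper for the HijackThis logs posted above, added here as an example; it is not part of this thread and not HijackThis's own code. It parses the R1/O2/O3/O4/O9/O23 lines into records, flags entries that deserve a manual look, and diffs two logs so the effect of a cleanup step (here, the msconfig start-up disable between the 27 Nov and 28 Nov logs) is visible. The embedded logs are excerpts of the two logs in this thread; the RunOnce line is constructed.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example; not HJT's own code).

parse_hjt()  turns the R1/O2/O3/O4/O9/O23 lines of a log into records.
triage()     lists entries that deserve a manual look (prompts, not verdicts).
diff_logs()  shows which entries vanished or appeared between two logs of the
             same machine, e.g. after disabling start-up items with msconfig.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Entry:
    section: str       # HJT section code: "R1", "O2", "O3", "O4", "O9", "O23"
    name: str          # start-up value name, service name, BHO/toolbar name
    path: str          # file the entry launches or loads (arguments included)
    vendor: str = ""   # O23 only: publisher HJT reports for the service binary


# Line shapes as they appear in the logs posted in this thread.
_RE_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] ?(?P<path>.+)$")
_RE_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")
_RE_COM = re.compile(r"^(?P<sec>O2|O3|O9) - [^:]+: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
_RE_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
_RE_R = re.compile(r"^(?P<sec>R[0-3]) - (?P<name>[^=]+?) = (?P<path>.+)$")


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/O entries of a log; header and 'Running processes' are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RE_RUN.match(line):
            entries.append(Entry("O4", m["name"], m["path"]))
        elif m := _RE_STARTUP.match(line):
            entries.append(Entry("O4", m["name"], m["path"]))
        elif m := _RE_COM.match(line):
            entries.append(Entry(m["sec"], m["name"], m["path"]))
        elif m := _RE_SVC.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["vendor"]))
        elif m := _RE_R.match(line):
            entries.append(Entry(m["sec"], m["name"], m["path"]))
    return entries


# Autostart locations that legitimate software almost never uses.
_TRANSIENT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Entries worth checking by hand, with the reason. Every hit still needs the
    file looked at: in this thread 'ATI Smart' (Unknown owner) and Spybot's
    unnamed SDHelper BHO are both legitimate and are flagged here anyway."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.section == "O23" and e.vendor == "Unknown owner":
            findings.append((e, "service binary has no publisher"))
        elif e.section == "O4" and any(d in low for d in _TRANSIENT_DIRS):
            findings.append((e, "autostart from a temp/profile directory"))
        elif e.section in ("O2", "O3") and e.name == "(no name)":
            findings.append((e, "unnamed browser extension"))
    return findings


def _order(e: Entry):
    return (e.section, e.name)


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added) entries between two logs of the same machine."""
    a, b = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(a - b, key=_order), sorted(b - a, key=_order)


# Excerpts of the two logs in this thread: 27 Nov (before msconfig), 28 Nov (after).
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0v\aoltray.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Constructed line (not from the thread) to exercise the temp-directory check.
CONSTRUCTED_RUNONCE = (
    r"O4 - HKCU\..\RunOnce: [Example] "
    r"C:\Documents and Settings\user\Local Settings\Temp\example.exe"
)

if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone after msconfig:", [e.name for e in removed])   # four start-up items
    print("new:", [e.name for e in added])                      # []
    for e, why in triage(parse_hjt(LOG_BEFORE + CONSTRUCTED_RUNONCE)):
        print(f"{e.section:<4}{e.name:<24}{why}")
```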

DynamicTech
11-28-2006, 10:10 AM
That log looks clean.

To discount any hardware issues, crack the machine open and make sure the fans are working.
Also, place your hand to the rear of the PSU and make sure the PSU fan is operating properly.

If they are, try running RootkitRevealer; get it at the bottom of this page (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx).
Also run Autoruns to see what is actually running on this machine; get it here (http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx).
If it reveals more processes than Windows is reporting, post them here.

alexcraw
11-28-2006, 10:42 AM
I just re-read my post above and it sounds confusing - my fault. I'll try to explain better.

I can boot into Safe Mode and it'll run all day and night. The moment I boot into Normal Mode, it launches MSN Messenger, AVG, and then switches itself off after about 1 minute.

I have just turned System Restore back on before it crashed and tried to see what was available down that route: no checkpoints available, they've all disappeared.

I am still confronted with a winantivirus pro 2006 icon in the control panel.

I will now try those instructions you posted above.

Thanks

DynamicTech
11-28-2006, 11:11 AM
If you are willing to get your hands dirty, I'll help you track down the root of that piece of *malware*. :)

First, open regedit and export the registry.

Next, delete these keys:


Then, delete these files:



You will need to search for these files and delete them:

Delete these directories:
%profile%\application data\winantivirus pro 2006
%program_files%\common files\winantivirus pro 2006
%program_files%\winantivirus pro 2006
%program_files%\winantivirus pro 2006\awbase
%program_files%\winantivirus pro 2006\awbase\database
%program_files%\winantivirus pro 2006\download
%program_files%\winantivirus pro 2006\img
%program_files%\winantivirus pro 2006\pgbase
%program_files%\winantivirus pro 2006\plugins
%program_files%\winantivirus pro 2006\plugins\update
%program_files%\winantivirus pro 2006\res

Let me know how it goes.

I found this info here (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453098448), but it took 5 minutes for the page to load (with a 6 Mbps connection), so I posted the relevant information here.

alexcraw
11-28-2006, 11:22 AM
I tried to get into the registry earlier, but it beeps as I hit OK after typing regedit into the run box. Then it comes up with a message telling me that 'regedit is not a valid win32 application'!

Is there an alternative route into the registry?

DynamicTech
11-28-2006, 11:28 AM
Perform a search on your machine to see if regedit is still on there. If not, I'll post a copy for you to reinstall.

Just in case, Regedit (http://dynamicit.us/spezial/regedit.exe) place this in the C:\windows directory.
This program could have corrupted regedit, so maybe you should replace it anyway.

alexcraw
11-29-2006, 10:39 AM
I went through the above list and I cannot find any of the files I need to delete. The search is coming up dry each time.

I am about to try to sort those entries in the registry. I found them but could not open them for some reason. (I'm still in safe mode - Normal mode is crashing still)

alexcraw
11-29-2006, 10:49 AM
It seems I can't delete these keys -

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce fat.exe
HKEY_CLASSES_ROOT\antiviruscom.avofficeprotect
HKEY_CLASSES_ROOT\antiviruscom.avofficeprotect.1
HKEY_CLASSES_ROOT\avexplorer.shellextension
HKEY_CLASSES_ROOT\avexplorer.shellextension.2
HKEY_CLASSES_ROOT\iefwbho.iefw
HKEY_CLASSES_ROOT\iefwbho.iefw.2
HKEY_CLASSES_ROOT\wap6.pcheck
HKEY_CLASSES_ROOT\wap6.pcheck.1

All the other items on the list, including keys, files and directories, do not exist on the computer.

I am still affected with the crashing problem in normal mode.

Just for the record, here's the current HJT log with the name changed to scan.exe.

Logfile of HijackThis v1.99.1
Scan saved at 15:48:14, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\scan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LZDWAK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LZDWAK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

DynamicTech
11-29-2006, 08:17 PM
Open regedt32, click Edit >> Permissions and make sure your account has the permissions to edit the registry keys. You cannot edit the registry through this interface; you will have to close it down and open regedit for that. You may also try booting into safe mode to see if they can be deleted that way.

Does the system crash while you are scanning, or does it just crash sitting there?
Have you used msconfig to turn off all TSRs?

alexcraw
11-30-2006, 04:32 AM
Hi

I will struggle to get time to work on this PC today; nevertheless, I will try my best :).

As far as the questions above go, I am doing all the work in Safe Mode. I am unable to do almost anything in Normal Mode as it crashes (reboots) after about 1 minute regardless of whether I'm doing anything or not. It even crashes at the initial page where we select which user account to use.

I do have permission to edit the registry as I made a backup then deleted a key, before reinstating the backup.

I turned off all the startups in Msconfig way at the start of this problem as one of the initial possible solutions.

I am loath to spend much more time on this machine as I really do have other things I must be getting on with, as I'm sure you have too. I feel like formatting and reinstalling XP. :o Patience is not one of my best features. :D I'll give it today and then I'll admit defeat (unless you are compelled to see this thing through :) )

Thanks

Alex

alexcraw
11-30-2006, 05:39 AM
I tried to open regedit32 in Start>Run, but it could not find it. I also searched for it in the XP search facility. Once again, it came up dry.

b.r.lancas
11-30-2006, 06:19 AM
Try RUN> chkdsk /f this should restore lost files

alexcraw
11-30-2006, 11:13 AM
Try RUN> chkdsk /f this should restore lost files
I tried this but it just flashed up a dos window and shut it down instantly.

I tried to look at the running processes in normal mode prior to the system switching off. A file called wuauclt.exe was appearing just as it crashed, so I googled for info and discovered that it is a legit windows file. But also and interestingly, it can appear as a malicious file. So I had a look in the system32 folder (which does not show up in the WINDOWS folder even when hidden folders are set to be viewed), and found two sets of the file. One set of two had the windows logo and the other set was unrecognised as a file format. I deleted wuauclt.cll and a wuauclt without a file extension to see what would happen. I didn't delete them from the recycle bin just in case. Lo and behold, the deletion of these files has cured the problem of the machine crashing. It has been on for around two hours constant now. I also restarted it a few times to ensure it was booting normally.

Now I find that the System32 folder is opening on startup. What would cause that?

There is also a wee text box opening with copyright info just above the tray.

I ran the tools again just as I did in the first post.

Anyway, here is the latest HJT log run in Normal Mode:

Logfile of HijackThis v1.99.1
Scan saved at 16:06:16, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1137183239\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1137183239\ee\AOLServiceHost.exe
c:\program files\common files\aol\1137183239\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1137183239\ee\AOLServiceHost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\TrojanHunter 4.6\TrojanHunter.exe
C:\HJT\scan.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [obj 4 dart burn] C:\Documents and Settings\All Users\Application Data\warn soap obj 4\Hide Hold.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e34.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137183239\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e34.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~2\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0v\aoltray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LZDWAK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LZDWAK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
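
The O4 and O23 lines in the log above are where the leftovers stand out: a Run entry with no command at all, two executables sitting directly in the root of C:, a program launched from All Users\Application Data, and a "service" whose vendor string says Sysinternals but whose binary lives in the Temp folder. As an added example (not part of this thread and not HijackThis code), here is a small Python triage script that parses those two line types and flags entries by install location. The sample lines are copied from the log above; the location heuristics are my own assumptions, not anything HJT itself applies.

```python
"""Triage HijackThis O4 (Run key) and O23 (service) lines by install location.

Added example, not from the thread or from HijackThis. The sample lines are
copied from the thread's 30/11/2006 log; the heuristics are assumptions.
"""
import re
from typing import Dict, List, Optional

# Sample input: a subset of the O4/O23 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [obj 4 dart burn] C:\Documents and Settings\All Users\Application Data\warn soap obj 4\Hide Hold.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e34.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e34.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: LZDWAK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LZDWAK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "O23 - Service: name - vendor - X:\path" (vendor may itself contain " - ")
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+) - (?P<path>[A-Za-z]:\\.*)$')
# A quoted path, or everything up to the first ".exe" when unquoted.
EXE_RE = re.compile(r'"([^"]+)"|(.*?\.exe)', re.IGNORECASE)


def exe_from_command(cmd: str) -> Optional[str]:
    """Pull the executable path out of a Run-key command line; None if empty."""
    cmd = cmd.strip()
    if not cmd:
        return None
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def normalize(path: str) -> str:
    """Lower-case and collapse doubled backslashes (HJT shows C:\\foo.exe)."""
    return re.sub(r'\\+', r'\\', path.strip().lower())


def assess(path: Optional[str]) -> List[str]:
    """Location heuristics (assumptions): reasons an autostart deserves a look."""
    if path is None:
        return ["no command: empty autostart entry, often left behind by a removed program"]
    p = normalize(path)
    reasons = []
    if re.match(r'^[a-z]:\\[^\\]+$', p):
        reasons.append("executable sits directly in the drive root")
    if '\\temp\\' in p:
        reasons.append("runs from a temporary directory")
    if '\\application data\\' in p:
        reasons.append("runs from Application Data rather than Program Files or system32")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse O4/O23 lines and return the entries that trip a heuristic."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            kind, name = 'O4 ' + m.group('hive'), m.group('name')
            path = exe_from_command(m.group('cmd'))
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            kind, name = 'O23', m.group('name')
            path = re.sub(r'\s*\(file missing\)$', '', m.group('path'))
        reasons = assess(path)
        if reasons:
            findings.append({'kind': kind, 'name': name, 'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:9} [{f['name']}] {f['path']}")
        for r in f['reasons']:
            print("    ->", r)
```

Run against the sample, it flags the two root-of-C: entries, the Application Data entry, the empty MyWebSearch entry and the Temp-folder service, and passes the ZoneAlarm, ctfmon and vsmon entries. Two caveats: the vendor field in an O23 line is whatever the binary's own version information claims, so the path carries more weight than the name; and location alone misses anything installed under Program Files (ipwins.exe is not flagged here), so this is a first pass before looking each remaining name up, not a verdict.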

b.r.lancas
11-30-2006, 07:47 PM
Could this be a hardware problem? I have seen computers with a weak battery have that type of problem. If the clock is keeping correct time, then the battery would be OK; it's a small 3 volt battery that keeps the BIOS set. This is the case for laptop or desktop. If you can get to the BIOS and set the clock, turn the computer off and disconnect the AC power for about four hours. Turn the computer back on, go to the BIOS and check the time. If the time is slow, then you have a weak battery.

newbuilder14
11-30-2006, 07:57 PM
Run MemTest86+ and test your memory for errors.

DynamicTech
11-30-2006, 08:18 PM
Have a look at this article:
http://support.microsoft.com/?kbid=170086
Virus infections are tough to track down, and they wreak havoc on your registry. I could go on all day about them. Anyway, you're at the end of your road with this thing. Way to go keeping an eye out for rogue services. The people that write this crap mask their files as legitimate OS files. Sometimes you have to research legit files to verify they are what they are.
With any luck you won't have to nuke and pave. Especially all the time you have spent on it.
Good Luck.
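
The wuauclt finding earlier in the thread (a genuine wuauclt.exe next to a wuauclt.cll and an extensionless wuauclt in system32) is exactly the masking DynamicTech describes. As an added example, not from this thread or from any of the tools mentioned, here is a Python check that walks a directory and flags files that reuse a known system binary's name but are not a real executable: wrong extension, or an .exe that does not start with the MZ header every Windows PE file carries. KNOWN_SYSTEM_BINARIES is a constructed allow-list and build_sample_dir() fabricates a directory that mirrors the thread's finding; neither is taken from a real system32.

```python
"""Spot files that borrow a known Windows binary's name but are not that binary.

Added example, not code from this thread. The allow-list and the sample
directory are constructed for illustration only.
"""
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed allow-list (assumption): names a defender expects to exist only as .exe.
KNOWN_SYSTEM_BINARIES = {"wuauclt", "svchost", "lsass", "winlogon", "ctfmon", "smss"}


def is_pe(path: Path) -> bool:
    """Every Windows PE executable begins with the two-byte 'MZ' DOS header."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_lookalikes(directory: Path) -> List[Tuple[str, str]]:
    """Return (file name, reason) for files whose stem matches a known system
    binary but whose extension or header says they are not that binary."""
    findings: List[Tuple[str, str]] = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue
        # Path('wuauclt').stem and Path('wuauclt.cll').stem are both 'wuauclt'.
        if entry.stem.lower() not in KNOWN_SYSTEM_BINARIES:
            continue
        suffix = entry.suffix.lower()
        if suffix != ".exe":
            findings.append((entry.name,
                             f"system binary name with unexpected extension {suffix or '(none)'}"))
        elif not is_pe(entry):
            findings.append((entry.name, "named .exe but lacks the MZ header"))
    return findings


def build_sample_dir(base: Path) -> Path:
    """Construct a directory that mirrors the thread's finding (constructed data)."""
    (base / "wuauclt.exe").write_bytes(b"MZ" + b"\x90" * 62)  # PE-like stub: passes
    (base / "wuauclt.cll").write_bytes(b"junk")                # wrong extension
    (base / "wuauclt").write_bytes(b"junk")                    # no extension
    (base / "lsass.exe").write_bytes(b"not a PE file")         # .exe without MZ header
    (base / "ctfmon.exe").write_bytes(b"MZ\x00")               # passes
    (base / "notepad.txt").write_bytes(b"hello")               # not on the allow-list
    return base


def demo() -> List[Tuple[str, str]]:
    """Build the sample directory in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_lookalikes(build_sample_dir(Path(tmp)))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name:14} {reason}")
```

On a real machine this is a first discriminator, not proof either way: an icon resource (the "Windows logo" the poster saw) can be copied into any binary, and a file that passes the MZ check still needs its signature or hash verified against the vendor's copy before it is trusted.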

alexcraw
12-01-2006, 04:51 AM
I tried to clean it up some more by doing what I normally do (use the Castlecops database).

Here is the HJT log as it stands now:

Logfile of HijackThis v1.99.1
Scan saved at 09:47:37, on 01/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\HJT\scan.exe.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~2\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0v\aoltray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LZDWAK - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LZDWAK.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

alexcraw
12-02-2006, 11:17 AM
Thanks for all the help. I have returned the computer to the customer, running very well. All back to normal. I tinkered with the log just before I returned it and it is now booting and running normally.

Many Thanks

Alex

DynamicTech
12-02-2006, 10:50 PM
That's good to hear. I'm glad you got it fixed.