#1
Hi,

Recently I had a Trojan Malware infection that could not be cleaned. I downloaded AVG Anti-Spyware 7.5 and ran a scan and I 'healed' 2 threats. After this AVG is running fine and any Malware threats that appear it runs a scan and heals. However, my pc is still running slowly when I start it up and it takes about ten minutes from switching my computer on to get the wireless broadband connection running near normal speed, even then on certain days it is slow. I am unable to access any system tasks like Add/Remove Programs as it reads 'This operation has been cancelled due to restrictions on this computer. Please contact your system administrator'. This did happen before but I 'checked' some HijackThis entries and rebooted into safe mode and Add/Remove Programs was restored.

Here is my HijackThis log. If someone could guide me through the process I would be grateful. Also, I have quite a few Anti Spyware programs on my PC, please advise if this is slowing things down and what I should remove. Your help is really appreciated!
#2
Hello...

Yes you have a few nasties that HijackThis and antivirus alone will not fix.

==========

Download and Install CCleaner (Crap Cleaner)

Be sure to un-check the Install Yahoo! Toolbar button during installation to avoid the unnecessary installation of the Yahoo! Toolbar.

Note: You don't need to run this yet but we will need it soon.

==========

Go to Start > Run > type Services.msc and click OK.
Find the AVG Anti-Spyware Guard and right click it and select Properties.
Next to the Startup Type: use the dropdown box and select Disabled, then click OK.

Do the same for:
PCTools Spyware Doctor
Symantec or Norton <---Anything found with these names

==========

Open HijackThis and select "Do a system scan only"
Place a check mark next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Matthew\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

Close all windows except for HijackThis and click "Fix checked"
Reboot the computer before continuing.
Note: some of the entries will most likely come back.

==========

* Please download Combofix by sUBs. Place it on your Desktop. combofix.exe
* Double click combofix.exe & follow the prompts. Enter 1 and press enter at the prompt.
* When finished, it shall produce a log for you. Attach that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

==========

Next post please attach:
Combofix log
New HijackThis log

Also, which antivirus program is paid for? (if any) I need to know which ones are free or if they are trials or what.
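A small triage pass over the kind of entries listed in the post above, as an added example that is not part of the original thread: it flags entries whose target file is missing, a Shell value that launches more than Explorer.exe, policy restrictions such as DisableRegedit=1, and autostarts registered in both HKLM and HKCU. The function names, the rules and the sample (a subset of the quoted entries) are assumptions for illustration, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries quoted in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe (file missing)
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"\\Policies\\System, (?P<value>\w+)=1$")


def parse_log(text):
    """Return (section, body) tuples for every well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    run_hives = defaultdict(set)  # (name, command) -> hives it is registered in
    for section, body in entries:
        # The log itself marks entries whose target no longer exists on disk.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((section, "orphaned: target file missing", body))
        # The shell value is normally Explorer.exe alone.
        if section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((section, "shell runs extra program", body))
        # Policy values set to 1 lock the user out of system tools.
        if section == "O7":
            m = POLICY_RE.search(body)
            if m:
                findings.append((section, "policy restriction: " + m.group("value"), body))
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                run_hives[(m.group("name"), m.group("cmd"))].add(m.group(1))
    # Heuristic (assumption): an identical autostart in both hives deserves review.
    for (name, cmd), hives in run_hives.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("O4", "autostart in both HKLM and HKCU", f"[{name}] {cmd}"))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {reason:34} {detail}")
```

A flag here only marks an entry for review; legitimate software can trip any of these rules, so each hit still needs to be checked by hand before it is fixed.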
#3
I highly suggest you follow these instructions through and post the requested logs. This is the second time you have asked for help and the problems are still continuing.
#4
Hi,

I have followed your instructions, although when I tried to Run > Services.msc a message came up saying that the file could not be found. I was therefore not able to follow that stage. I ran the HijackThis and checked the entries you mentioned. I have also done the Combofix log.

With regards to free Antivirus that are installed on my pc: AVG was free, McAfee is free for a year, so too Norton antivirus. SpywareBot and Spydoctor I have installed but if I want to remove the infections that they detect I need to pay to download their package. I will take your advice on which ones to keep and which ones to ditch, but from what I have heard AVG version 7.5 is the best.
#5
The logs are not showing any malware with the exception of SpywareBot. SpywareBot is a rogue tool. It uses false findings to try to pressure people into buying the license. Once the license is paid for the findings mysteriously disappear. It needs to go.

I would suggest keeping AVG and uninstalling all others. Once we get the McAfee uninstalled then go to http://www.pctools.com/firewall/ and install this free firewall. I use it and like it better than any other.

If you have CCleaner we will try to uninstall some programs with it. If you don't have it then install CCleaner now. Be sure to un-check the Install Yahoo! Toolbar button during installation to avoid the unnecessary installation of the Yahoo! Toolbar.

Open CCleaner and run the cleaner. You may want to boot into safe mode before uninstalling these to have the best chance at removal. Next click on the Tools tab and you will see an uninstall list. Right click on any entry you want to uninstall and choose Run Uninstaller.

Remove any entry that has to do with:
McAfee
Network Associates
Symantec
Norton
SpywareBot

Let me know how this goes and we will go from there. We still need to run another scan (or two).

Do you have your Windows XP CD?
#6
Hi,

I ran CCleaner in normal mode and uninstalled McAfee and Norton. I couldn't find Symantec or Network Associates. With SpywareBot, when I pressed 'Run Uninstall' a message appeared saying: 'Service 'Antispyfilter' could not be stopped. Verify that you have sufficient privileges to stop system services.' This same message appeared when I tried to delete it from Add/Remove programs. However, even though this message appeared in CCleaner it still got removed from the list, so I thought it had been removed. When I rebooted after installing PC Tools firewall, I checked CCleaner and SpywareBot had reappeared so I tried to delete it in Safe Mode this time and it said that as Windows was in safe mode it could not be uninstalled. As I am writing this message I just tried uninstalling it again from CCleaner and it seems it has been removed, without a message this time, for how long I don't know. It is also not showing in Add/Remove programs, so it may have worked.

I still have Spyware Doctor, Ad-Aware SE Personal, AOL Spyware Protection, Malwarebytes Rogue Remover and Stopzilla installed. Should I uninstall any of these?

Also, when I start up my pc, Stopzilla appears saying that I have 148 infections and I need to subscribe to delete them. This message has been appearing for a few months, but I was never sure if it was genuine as AVG has not mentioned these in its scans. Two infections that Stopzilla lists are deemed critical. One of which says Location - hdlfoe. Element - Registry key. Type - spyware. HKLM\SYSTEM\CURRENT CONTROL. Why does AVG not pick up on this and should I purchase StopZilla to remove these infections?

Also, after I checked the items you mentioned on HijackThis, now when I start my pc a message appears saying 'AVG Anti-Spyware 7.5 version - connection to service failed. Please reinstall AVG Anti-Spyware 7.5', even though the AVG is still on my desktop and I can run scans. Do you know what this is about?
#7
Open AVG Antispyware and under the Shield settings turn off any real-time monitoring of the entire system. If that doesn't clear it up then you can do a reinstall from here: AVG Anti-Spyware Free

Stopzilla needs to be uninstalled. If there were that many instances of malware I would have seen it in the HijackThis log.

Have you ever used regedit and gone into the registry to change or remove anything?

Post a new HijackThis log in the next post please.
#8
Hi, I have not uninstalled Stopzilla yet but will do, I just wanted you to look at the below. Just as with StopZilla, Spyware Doctor frequently brings up a list of infections that it wants me to register onto their site in order to cure. Should I delete this AV as well and the other AV I mentioned in my last email. Attached is my Hijackthis log.
#9
I don't think Spywaredoctor should ask for a license to remove items found. Uninstall that and Stopzilla and then download SUPERAntiSpyware Free and run it. These directions will tell how to set it up and also save a log for posting in the next reply.

Download Superantispyware (SAS): SUPERAntispyware Free Edition

Install it and double-click the icon on your desktop to run it.

* It will ask if you want to update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  + Close browsers before scanning
  + Scan for tracking cookies
  + Terminate memory threats before quarantining.
  + Please leave the others unchecked.
  + Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information for me please do the following:
  + After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  + Click Preferences. Click the Statistics/Logs tab.
  + Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  + It will open in your default text editor (such as Notepad/Wordpad).
  + Please save the notepad file to your desktop by clicking (in notepad) "File" "Save As".
* Click close and close again to exit the program.
* Please add the log as an attachment in the next post.
#10
Hi, The log is below.
#11
Were all of these items removed by SUPERAntispyware?
#12
Well, they were quarantined, as per your instructions.
#13
OK, I want to run one more scan and then we will begin trying to get your add/remove programs back.

Please download Vundofix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish, sometimes it can take multiple passes.

Also, have you ever been in the registry?
#14
I have not been in the registry, no. I can confirm Add/remove programs is back and the computer is faster than it was before when I start up. So I think the problem has been solved. Many thanks for all your help. Hopefully I won't need to use up your time again, but would you still like me to run the scan that you mentioned?