Full Version: I think my last posting messed up
katiejill
Hi,
I think I may have several viruses on my computer. When I used Adaware it picked up dropper.delf, but AVG will not get it. I downloaded Hijacker and have listed the results below. If you could please help me it would be greatly appreciated!

Logfile of HijackThis v1.98.2
Scan saved at 4:54:16 PM, on 10/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8119cc25af88a612665dae1cb362d98f\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
katiejill
I think my last post had an error, so I am posting again
I think I have dropper.delf.3.bc. My adaware picked it up but AVG will not. Also, I keep getting a blue screen indicating that my computer must shut down. If you guys could help I would really appreciate it. My logfile is posted below.
Thanks,
Katie



Hunter
I have merged both of your posts.

Question for you..Are you saying that when you run a scan with Adaware..that during the scan your AVG or something pops up and states that your PC is infected with dropper.delf.3.bc?

If it is happening that way it is important.

Thanks
LoPhatPhuud
Your log is clean.

Which program detects it and exactly what does it call it?

Also, precisely where is the file located, according to the program that detected it?
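An added helper, not part of this thread, for the sort of log review LoPhatPhuud did above: it parses the R*/O* lines of a HijackThis log into structured entries (the six sample lines are copied from the log posted above), lists the hosts the O16 ActiveX controls were downloaded from, and flags O4 autostarts that run from a Temp folder. On the posted lines it flags nothing, which is consistent with the "log is clean" verdict; the temp-folder hint list and the entry fields are my own assumptions, not anything HijackThis itself defines.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

class HjtEntry(NamedTuple):
    kind: str    # R0, R1, O2, O4, O16, ...
    name: str    # value name, BHO/control label or registry value ("" if none)
    target: str  # path, command line or URL the entry points at
# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
"""

_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
_O4_RUN = re.compile(r"^.+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the R*/O* lines of a HijackThis log into HjtEntry records."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header, blank and 'Running processes' lines are skipped
        kind, body = m.group("kind"), m.group("body")
        run = _O4_RUN.match(body) if kind == "O4" else None
        if run:                    # O4 - HKLM\..\Run: [name] command
            name, target = run.group("name"), run.group("cmd")
        elif " = " in body:        # R0/R1 values, O4 Global Startup .lnk lines
            name, target = body.split(" = ", 1)
        elif " - " in body:        # O2/O3/O9/O16: label - {CLSID} - path or URL
            name, target = body.rsplit(" - ", 1)
        else:
            name, target = "", body
        entries.append(HjtEntry(kind, name, target))
    return entries

# Assumed hint list (mine, not HijackThis's): a Run entry pointing into a temp folder deserves a look.
_TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\")

def temp_autostarts(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 autostart entries whose command line lives in a temp folder."""
    return [e for e in entries if e.kind == "O4" and any(h in e.target.lower() for h in _TEMP_HINTS)]

def dpf_hosts(entries: List[HjtEntry]) -> List[str]:
    """Hosts the O16 (ActiveX download) entries came from, to check against sites the user visited."""
    return sorted({urlparse(e.target).hostname or "" for e in entries if e.kind == "O16"})
```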
Hunter
If your alert did come as i described above..be aware of this..


Antivirus Warning During A Scan With Ad-aware 6,


Note: Norton AntiVirus has been used as an example in this topic, but the same thing applies to any AntiVirus program that displays a warning during the scan with Ad-aware 6.

Hello.....
I hope to explain your misconceptions of the Ad-aware 6 program if there are any resulting from this kind of warning..
The Trojan or Virus warning you received means that the reported file was infected before and is residing in your system, it has nothing to do with the Ad-aware 6 program.
During the scanning process, Ad-aware 6 makes a local copy of the files it is about to scan (not executing them, of course) in a temporary folder that it creates within the Ad-aware 6 folder called cache, while Ad-aware 6 has the infected file open to scan, NAV sees it and reports it as infected. When the scan is finished the file is closed, there is no possible way for the file to execute during this process. When Ad-aware 6 has completed the system scan, the cache folder is deleted, that is why you cannot find it.
To be honest, the powerful scanning process that Ad-aware 6 uses has made it possible for your NAV to "see" this infection, something that it did not see on it own. Now that you know that it is there, you can take the proper steps in getting rid of this infection.
Most of the time NAV will give you the option to Quarantine\Remove\Ignore the file, it is highly suggested to have NAV quarantine the file if you have the opportunity.
Then....
Since you have these files in quarantine, you may want to follow the NAV submission instructions and have them look at them.
After submitting them, I would also suggest rescanning your computer(s) with NAV. Make sure that you have the latest virus definitions for NAV using the Intelligent Updater: http://securityresponse.symantec.com/avcen...ges/US-N95.html
....or use the LiveUpdate feature.
Then run Ad-aware 6, if anything new is detected by NAV, have it quarantine them and repeat the process. The instructions that NAV has sent to the others that have submitted like files that I have read so far are to delete the files and replace them if necessary. You can use your own judgement there. If you do submit them to Symantec, you should receive instructions on how to proceed.
OK........
If you do not get the option to quarantine the files....
The solution is the following:
When NAV reports this file it will list the path to it.
This file may be in an archive....
The last entry in that path will be the Archive Filename.
Search for a file named XXXX, where the X's are the name of the Archive file in the path.
This file includes the infected file, and has nothing to do with Ad-aware.
You should unzip, and remove the infected file, or delete the entire archive.
It is advisable to copy the file to a 3.5 floppy for backup just in case, however if it is in an archive, it is in all probability not needed.
After you have removed the file, re-run Ad-aware 6 and the warning should not re-appear, if it does, repeat the process on the new one found.
Also, when you find the file, you may wish to submit it to Symantec for evaluation like I mentioned above.

These instructions are basically the same for all AntiVirus software out there that "discover" a virus during an Ad-aware 6 scan.

Once again. I stress the fact that Ad-aware 6 does not contain any virus\trojan files of any kind. If you have any more questions, please PM me....
HTH
Have fun..........

http://www.lavasoftsupport.com/index.php?showtopic=14501

so you should clean out the System Volume Information folder (your system restore) and all of those folders in adaware..spybot..and AVG that might be containing that exploit, wherein you have already captured it from doing damage on your PC..but the adaware scan found it in those places.



On the hijack backup, dump all those backups and AVG will not find them in there..also on your AVG vault that healed that stuff..clean out your vault also..the reason why AVG has a vault and hijack has those backups of things you have cleaned off your main system..is just in case you did make a mistake and cleaned something off that was a mistake and you would need to replace it back on your PC to run..this is not the case with everything you did find.


Also then go to your Lavasoft Adaware..open it up and clean out its quarantine file...you see when Adaware scans..AVG guard process can see all those quarantine files as if in the Temp file for a short time..you can not clean them there..so if you now clean up that adware section also..I think all of it will go away for you.


this will also help you understand Adaware and AVG when you have both on your PC.


the aaw cache is a temp file that empties when aaw is finished

IF you have any quarantined file in your anti virus, aaw will scan (open up) and then the anti virus will say it found a virus in CACHE of aaw
so clean out your quarantined files in your anti virus first!
hope this helps?


http://forum.emsisoft.com/viewtopic.php?p=...ht=adaware#1765

also see..
http://www.dslreports.com/forum/remark,8738536~mode=flat

***************************



What is System Restore?

One of the new features of Windows Me and Windows XP is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. If you experience a problem with your system that is caused by software, System Restore gives you the opportunity to go back to a point where things were working correctly.

Windows XP stores this information in the SYSTEM VOLUME information folder. These folders are updated when the computer restarts.

NOTE: Both the _RESTORE folder in WinME and the System volume information folder in Win XP are marked with the hidden attribute, and, by default, Windows is set to not display such files or folders.

Even after you have found a virus and your AV has cleaned your PC you still might get an indication you still have the virus but it can not be deleted in these folders.

Problem is..the system restore also has a copy of all those viruses and trojans that have infected your system. They are in a compressed mode...your ANTIVIRUS knows they are there but can not help you get rid of them, so you must do it manually.

GO TO THE FIRST LINK AND FOLLOW THE SCREEN SHOTS TO GET RID OF THIS IN THE "SYSTEM VOLUME" INFO FOLDER THE SECOND LINK WILL DO IT FOR WIN ME IN THE "_RESTORE FOLDER".


NAME: Disabling System Restore on Windows XP
ALIAS: Disabling Windows XP AutoRestore feature


http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

NAME: Disabling System Restore on Windows ME
ALIAS: Disabling Windows ME AutoRestore feature

http://www.europe.f-secure.com/v-descs/sfc_dis.shtml