Author Topic: Malware name :Win32:Dialer - 1154 [Trj]  (Read 27075 times)


angeaa

  • Guest
Malware name :Win32:Dialer - 1154 [Trj]
« on: February 09, 2008, 04:59:29 PM »

I have Avast 4 Home Edition for Windows 98 SE in the Italian edition. I will translate the warnings received from Italian to English.
FOUND MALWARE
file name: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE\[UPX]
Malware name: Win32:Dialer - 1154 [trj]
VPS version 0800208-0, 08/02/2008

For all the possible actions, "Move/Rename", "Delete" and "Move to the trash", I received the same answer:
Avast: File not compressed
It is not possible to process the file: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE\[UPX].

So the only thing that I could do was click on the OK button.
I have not been able to find that file in the indicated directory.

Sometimes this malware modifies the start page in Internet Options, with an address that changes every time.
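The `\[UPX]` suffix on the reported path is worth reading correctly before hunting for the file. Avast's path notation appends a backslash and a bracketed layer name when the detection fired on content it unpacked from inside a file, here the UPX-compressed 2026[1].EXE in the IE cache, so the object named in the alert is not a separate file on disk; the thing to look for in the cache directory is the outer 2026[1].EXE. The following is an added example, not code from the original post or from Avast: it splits such a path into the on-disk file and the inner layer, and recognises a UPX-packed PE from its section names. The sample PE headers are constructed inside the code; real UPX builds use the section names UPX0/UPX1 by default, but a packer can rename them, so this is a triage heuristic, not a verdict.

```python
import struct

# Default section names UPX writes; a repacked or patched binary can rename them,
# so a miss proves nothing and a hit only justifies a closer look.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def split_scan_path(scan_path):
    """Split an Avast-style 'outer\\[LAYER]' path into (file on disk, inner layer).

    'C:\\...\\2026[1].EXE\\[UPX]' -> ('C:\\...\\2026[1].EXE', 'UPX');
    a plain path comes back unchanged with layer None.
    """
    head, _, tail = scan_path.rpartition("\\")
    if head and tail.startswith("[") and tail.endswith("]"):
        return head, tail[1:-1]
    return scan_path, None


def pe_section_names(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_header_size        # IMAGE_FILE_HEADER is 20 bytes
    names = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Triage heuristic: any section carrying a default UPX name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_sample_pe(section_names):
    """Constructed test input: valid headers, no optional header, no section data."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    coff_header = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b""
    for name in section_names:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (CODE|EXECUTE|READ|WRITE)
        table += name.encode("ascii").ljust(8, b"\x00")
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000020)
    return dos_header + b"PE\x00\x00" + coff_header + table


if __name__ == "__main__":
    alert = r"C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE\[UPX]"
    on_disk, layer = split_scan_path(alert)
    print("file to look for:", on_disk, "| detection layer:", layer)
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".data", ".rsrc"]):
        print(names, "-> UPX packed?", looks_upx_packed(build_sample_pe(names)))
```

Run against a real cached executable, `pe_section_names` is the part worth keeping: the section list, together with the file size Avast later reports from the Chest, is enough to tell a repacked copy from a re-downloaded one without executing anything.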



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #1 on: February 09, 2008, 05:36:53 PM »
You have one of three or four possible malwares. To determine which one it is, and thereby the cure, I would like you to run this analysis programme.
 
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

angeaa

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #2 on: February 09, 2008, 07:06:08 PM »
I have followed your mail. The file dss.exe is on the desktop but I am not able to start it, neither with a double click nor by using the right click and then "Open". I have also tried with "Start" on the taskbar and "Run" with the file DSS.exe. I have also paused the "Standard Protection" provider, thinking that it was necessary to run DSS.
Nothing. The malware has the same name, but changes the directory.
The last two warnings are:
2/9/08 5:53 PM
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EJOPN1QO\2026[1].EXE\[UPX]
2/9/08 6:01 PM
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE\[UPX]
Attached is what appears on my computer.

Offline essexboy

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #3 on: February 09, 2008, 07:09:37 PM »
OK, let's try a quick and dirty scan to see what I can glean from that.

Download & Run HijackThis.exe

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



angeaa

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #4 on: February 12, 2008, 06:26:39 PM »

I have done what you suggested. The log file is pasted below.
Anyhow, I have sent to support@avast.com a complete report of what happens when the malware starts and what the answers from Avast are when I use any of the actions that Avast suggests.

If you want I can send this to you as well, together with the screenshot saved in an .htm file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.27.19, on 12/02/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\CHTVINIT.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMMI\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAMMI\FILE COMUNI\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAMMI\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\E_S6I0A1.EXE
C:\IMAGEMATE COMPACTFLASH USB\SANDICON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/portale/?benvenuto=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAMMI\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAMMI\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\SYSTEM\E_S6I0A1.EXE /P23 "EPSON Stylus D68 Series" /O5 "LPT1:" /M "Stylus D68"
O4 - HKLM\..\Run: [Device Detector] DEVDETECT.EXE -autorun
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SETUP98] C:\WINDOWS\98SETUP.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = fastweb.it
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 213.156.54.80,213.156.54.81

--
End of file - 5338 bytes

philly12

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #5 on: February 12, 2008, 07:01:51 PM »
Hmm... does ChrontelInitTV mean anything to you? If it doesn't, then C:\WINDOWS\SYSTEM\CHTVINIT.EXE might be bad. The only oddball entry that sticks out is O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B, and from my Google searches it is hard to tell what this is. See if you can answer my questions and wait for an admin to help you out more :D
« Last Edit: February 12, 2008, 09:06:09 PM by philly12 »
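The log above is being read by eye, and the two entries singled out (an unfamiliar executable run with no path, CHTVINIT.EXE, and a Run value that launches a .vbs through Wscript) are the kind of thing that can be flagged mechanically. As an added example, not part of the thread and not a HijackThis feature, here is a small parser for HijackThis 2.x O4 and R0 lines that reports script-host autostarts, autostarts pointing into temp or cache folders, and the configured start page host. The sample lines are a constructed excerpt in the same format as the posted log, and the rule lists are assumptions chosen for this case. A bare executable name such as CHTVINIT.EXE is deliberately not flagged, because on Windows 98 many legitimate Run entries look exactly like that, as the posted log shows; those still need the human check philly12 asks for.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis 2.x log format, modelled on the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/portale/?benvenuto=
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)")
# Assumed rule lists: a script launched at logon is the classic downloader stub,
# and an autostart living in a scratch or cache folder deserves a look.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycled\\")


def parse_autostarts(lines):
    """Return (registry key, value name, command line) for every O4 [name] entry."""
    out = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            out.append((m.group("key"), m.group("name"), m.group("command")))
    return out


def program_of(command):
    """First token of a command line, quotes removed, lower-cased."""
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', command)
    prog = (m.group(1) or m.group(2)) if m else command
    return prog.lower()


def suspicious_autostarts(lines):
    """Return [(value name, reason)] for each autostart entry that matches a rule."""
    hits = []
    for _key, name, command in parse_autostarts(lines):
        prog = program_of(command)
        base = prog.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if base in SCRIPT_HOSTS or any(prog.endswith(e) for e in SCRIPT_EXTS):
            hits.append((name, "script host launched at logon: " + command))
        elif any(d in command.lower() for d in SUSPECT_DIRS):
            hits.append((name, "autostart from a temporary or cache folder: " + command))
    return hits


def start_page_hosts(lines):
    """Hosts of every R0 Start Page line, to compare with what the user actually set."""
    return [urlsplit(m.group("url")).hostname
            for m in (R0_RE.match(line) for line in lines) if m]


if __name__ == "__main__":
    for name, reason in suspicious_autostarts(SAMPLE_LOG):
        print(f"[{name}] {reason}")
    print("start page host(s):", start_page_hosts(SAMPLE_LOG))
```

The start page host is reported rather than judged: the original complaint is that it keeps changing, and only the user knows which value they set, so the comparison belongs outside the script.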

Offline essexboy

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #6 on: February 12, 2008, 10:08:14 PM »
Hi there, nothing evident from the log, so I will take a two-pronged approach here.

FIRST

Download and run Crap Cleaner Slim from here to clear your temp files: http://www.majorgeeks.com/downloadget.php?id=4191&file=10&evp=a12d758b021af1a4f0a6bfe45b0c7a82

THEN

Download and then run SuperAntispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now to get the log Go to the PREFERENCES button on the right bottom
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a notepad text file copy and paste this to your next reply


If you could post the SuperAntiSpyware log on completion - both programmes work on Win98.

angeaa

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #7 on: February 20, 2008, 06:53:18 PM »
I ran CCleaner, which I installed following your suggestions.
The log file is very long. If you want I can send it to you.
I have also installed SuperAntiSpyware and the log file is pasted below.

The virus is still here; in this session it started twice.
I want to know if I can install Spyware Doctor 4.1 from PC Tools (freeware) and if I have to uninstall Avast and then reinstall it again.

Moreover there is the Virus Cleaner from Avast. I do not know if this software can run on Windows 98, if it can run without uninstalling Avast, and if it can find and delete my virus.

I can send you a file with a complete description and an attachment where you can see the windows that appear when the virus starts and Avast detects it.
Let me know.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/19/2008 at 05:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3405
Trace Rules Database Version: 1397

Scan type       : Complete Scan
Total Scan Time : 01:06:59

Memory items scanned      : 219
Memory threats detected   : 0
Registry items scanned    : 2572
Registry threats detected : 0
File items scanned        : 33264
File threats detected     : 6

Adware.Tracking Cookie
   C:\WINDOWS\Profiles\io\Cookies\io@cgi-bin[1].txt
   C:\WINDOWS\Profiles\io\Cookies\io@mediaplex[1].txt
   C:\WINDOWS\Profiles\io\Cookies\io@cgi-bin[2].txt
   C:\WINDOWS\Profiles\io\Cookies\io@tribalfusion[1].txt
   C:\WINDOWS\Profiles\io\Cookies\io@statse.webtrendslive[2].txt
   C:\WINDOWS\Profiles\io\Cookies\io@www.banneradmin.rai[1].txt


I can post (or send, but where?) a complete report of what happens when the malware starts and what the answers from Avast are when I use any of the actions that Avast suggests, together with 4 screenshots saved in a zip file.
Thanks



Offline essexboy

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #8 on: February 20, 2008, 07:19:44 PM »
Could you send me the file, please. I will PM my e-mail address.

angeaa

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #9 on: February 21, 2008, 06:54:09 PM »
This is the report, and attached there is the zip file.

I already sent this mail, written in Italian, to support@avast.com on 10 February 2008.
Now I am sending it in English, hoping to have an answer.
I cannot send the file that contains the virus, because Avast 4 Home Edition for Windows 98 SE is able to detect the virus but is unable to perform any suggested action on it, as you can see from the following. Moreover, when I start a scan of the system with Avast, this virus is not detected! If I search for the infected file, it does not exist! For this reason I cannot mail it to virus@avast.com.
I would like to know if I can run the free Avast Virus Cleaner on my Windows 98 SE and if this can solve the problem.

REQUESTED INFO:

OPERATING SYSTEM: Windows 98 SE
AVAST VERSION: 4 Home Edition, version 4.7.1098 (for Windows 98)
VPS file 080218-0, 18/02/2008
HARDWARE:
Intel Pentium III 850 MHz, 256 MB RAM
INTERNET CONNECTION:
provider (FASTWEB), optical fibre with LAN port
EMAIL PROGRAM:
Netscape v4.77
SECURITY SOFTWARE:
Avast 4 Home Edition for Windows 98 SE

ERROR MESSAGES
Avast sends me an error that says:
FOUND MALWARE
file name: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE\[UPX]
Malware name: Win32:Dialer - 1154 [trj]
See FIG 1 in the attached file SCREEN_SHOTS.zip.
Whatever action I perform, "Move/Rename", "Delete" or "Move to the Chest", I receive the same answer:
Avast: File not compressed
It is not possible to process the file: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE\[UPX].
See FIG 2 in the attached file SCREEN_SHOTS.zip.

At this point I can only click on the "OK" button and continue.

The malware does not appear again unless I start a connection to the Internet.
The type of virus is always the same; the only change is the directory where Avast finds it. For example, another directory is this:
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EJOPN1QO\2026[1].EXE\[UPX]
I will add two other pieces of information: together with the Avast alarm, a pop-up from BASE ACTIVITIES LIMITED always appears.
See FIG 3 in the attached file SCREEN_SHOTS.zip.
I have also gone to see the certificate of this BASE ACTIVITIES LIMITED, and the information that appears is shown in
FIG 4 in the attached file SCREEN_SHOTS.zip.
During this session the virus was detected by Avast, and I went to see the temporary Internet files created at that moment in the same Temporary Internet Files directory where Avast found the virus today.
These are the files that could be suspected:

C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\sabupdate[1].html
C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\script-60[1].php
C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\track2[1].php
C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\winscript-57[1].htm



Offline essexboy

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #10 on: February 21, 2008, 08:28:26 PM »
Hi angeaa, 98 is a hard thing to find programmes for, but this should work.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

angeaa

Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #11 on: February 22, 2008, 06:45:04 PM »
First of all:
WinPFind35u.exe cannot run on Windows 98. At startup I received an error that says it cannot run on versions of Windows prior to the NT version!

Second:
I hope that you received the mail that I sent you after my last post. It contains the same info as the post.

Third:
Yesterday afternoon Avast was able to find the virus as usual when the virus starts. But clicking on "Move to the Chest" this time worked. The file was really moved to the Chest. Then I found the virus in the Chest. Before deleting it I tried to send the file with the virus to Avast, as suggested. But the system was blocked.
Then I started again, and this time I was able to send the virus, but there was a problem with the mail, and I closed it without really being able to send the mail.

In the evening I started the Avast scan with maximum protection, and no virus was found.
Today I am not able to see the result of that scan!
Could Avast be corrupted!? In fact yesterday evening Avast disappeared from the taskbar at the bottom.

Today I found the mail that was not sent, and after a series of troubles I was able to send this mail to Avast:
>>:_CHEST_ANALYZE_:<<

Virus name: Win32:Dialer-1154 [trj]
Original file location: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\C161UV6L\2026[1].EXE
Computer name: IO
Transfer time: 21.02.2008 17:24:42
Modification time: 21.02.2008 15:22:38
Total size: 21840
Comment:

File ID: 5
Category: 1
OS:
Microsoft Windows 98 SE

When I opened Windows again, the virus was still there, and IEXPLORE was blocked. Then I opened the Chest and was able to delete the file.
I was happy, but on restarting Windows the virus is more alive than before!
I have not received any answer to the mails sent to SUPPORT@avast.com and VIRUS@avast.com.

I have also clicked on "Virus Archive", and found 4 viruses named "2026", but I do not know what else I can do.
I want to know if I can install Spyware Doctor 4.1 from PC Tools (freeware) and if I have to uninstall Avast and then reinstall it again, or if I can use Virus Cleaner from Avast together with Avast antivirus.

Post Scriptum

If I click on Reply I have:

Attach: (more attachments)
Allowed file types: txt, jpg, gif, png, log
Maximum attachment size allowed: 200 KB, per post: 4

So it seems different from what you wrote, but it seems that attaching works, unless there is a different way.




Offline essexboy
Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #12 on: February 22, 2008, 07:42:47 PM »
Hi angeaa, yep, I received your mail, thanks. Download the PC Tools one, as that appears to work with 98.

What I really need to do is find the driver/initiator for the malware, because until that is removed, no matter how often you put the alerted file in quarantine it will still reappear.

Let's try another of my analysis tools - this one does not say whether or not it works in 98, but then it does not say that it will not.

The zip files from this programme will need to be mailed to me, as the forum will not accept them as attachments.

We will now do a deep search of your processes and files.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewalls) during the system scan.
  • All applications will work properly after the system restart.
When restarted:

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Offline essexboy
Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #13 on: February 23, 2008, 04:49:55 PM »
Thanks for the files angeaa. A thorough search has only brought up one unknown, which after 20 pages of Google still comes up unknown. So I will quarantine that and see if that is the culprit.

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox into the box in the program (start with begin and end with end.)
Code: [Select]
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFile('C:\WINDOWS\SYSTEM\CHTVINIT.EXE');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach the zip file to your next post.

Offline essexboy
Re: Malware name :Win32:Dialer - 1154 [Trj]
« Reply #14 on: February 23, 2008, 04:51:41 PM »
Yes, it is a Russian programme and I think it has links with Kaspersky. There is an English forum now. When you run it after the fix, can you check your D drive as well, ta.