HijackThis Log: Please help solving the problem


  • This topic is locked
13 replies to this topic

#1 Marco-63

  • Members
  • 8 posts

Posted 02 August 2005 - 07:23 AM

Hi everybody.
I'm going crazy because I cannot understand what's going on.
I noticed that the Norton Antivirus 2004 Auto-Protect was disabled and the BlackICE firewall was also disabled. I tried some tasks ...
When I try to enable Auto-Protect or the firewall, the program stops responding to the mouse click on the status bar.
The system hangs when I shut down Windows and does not power off (you see the standard message "I'm updating the configuration files" in Italian, or something like that): I have to switch it off manually.
I scanned the system with the installed Norton (the scan still works), with the Symantec online scan, with TrojanHunter, with Spybot and with McAfee Stinger, and found nothing.

I noticed that the system icon didn't work, so I started safe mode (F8) and disabled the system recovery mode. In safe mode the system shut down normally. After disabling system recovery, the icon appears in normal mode but hangs when I access the update section.

When I close and reopen the firewall, the following msg appears: "the blackice service is pausing to allow for system recovery".

Another odd thing: I cannot uninstall Norton and cannot upgrade BlackICE, but I can update the virus definitions with Intelligent Updater.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 20.38.52, on 29/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Programmi\APC\PowerChute Business Edition\server\pbeserver.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\ati2sgag.exe
D:\Programmi\ISS\BlackICE\blackd.exe
C:\Programmi\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programmi\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
D:\Programmi\ISS\BlackICE\rapapp.exe
C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\File comuni\Stardock\TrayServer.exe
C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programmi\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe
C:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
D:\Programmi\DU Meter\DUMeter.exe
C:\PROGRAMMI\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRAMMI\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Programmi\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Programmi\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Programmi\HP\HP Share-to-Web\hpgs2wnf.exe
D:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\Bluetooth Software\BTTray.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe
C:\Programmi\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Programmi\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
D:\Programmi\Sony Handheld\Hotsync.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
E:\Utilities\procexp.exe
C:\WINDOWS\System32\wuauclt.exe
E:\temp\marco_sicur\HijackThis.exe
C:\Programmi\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/www%20MyIntranet/www.infinito.it/aikikai.tn/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmi\TechSmith\SnagIt 7\SnagItBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - D:\Programmi\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - D:\Programmi\Mass Downloader\MDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SYSTRAN Premium 4.0 - {D3919E1A-D6A5-11D6-AC3E-00B0D094B576} - C:\PROGRA~1\Systran\4_0\Premium\IEPlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmi\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Programmi\File comuni\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LogonStudio] "C:\Programmi\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DU Meter] D:\Programmi\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAMMI\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Programmi\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Programmi\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Programmi\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Programmi\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Programmi\TrojanHunter\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1
O4 - Startup: HotSync Manager.lnk = D:\Programmi\Sony Handheld\Hotsync.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = D:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Programmi\PrintMaster 16\pmremind.exe
O4 - Global Startup: FinePrint Dispatcher.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe
O4 - Global Startup: gwum.lnk = C:\Programmi\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCSuiteperNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 TS.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = D:\Programmi\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://D:\Programmi\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://D:\Programmi\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Scarica &tutto con Mass Downloader - D:\Programmi\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Scarica con &Mass Downloader - D:\Programmi\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - D:\Programmi\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - D:\Programmi\Mass Downloader\massdown.exe
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D9FECE6-6940-4670-A40C-7AEE7A447AFC}: NameServer = 130.244.127.161,130.244.127.169,192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Programmi\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Programmi\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - D:\Programmi\ISS\BlackICE\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmi\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programmi\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - D:\Programmi\ISS\BlackICE\rapapp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
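The log above follows the fixed HijackThis line format (a section code such as O4 or O23, then " - ", then the entry). As an added example that is not part of this thread or of HijackThis itself, here is a small Python parser for that format together with a few triage rules a reviewer applies while reading such a log: orphaned entries marked "(file missing)", services with "Unknown owner", startup shortcuts whose target could not be resolved, Run entries that name a bare executable found through the search path, and DNS servers outside private address ranges. The rules and their names are this example's own choices, not HijackThis's, and the sample lines are copied from the log in this post.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the HijackThis log above,
# chosen so that each triage rule below fires at least once.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: BTTray.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D9FECE6-6940-4670-A40C-7AEE7A447AFC}: NameServer = 130.244.127.161,130.244.127.169,192.168.1.1
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - D:\Programmi\ISS\BlackICE\blackd.exe
"""

# Every HijackThis finding starts with a section code ("R1", "O4", "O23", ...)
# followed by " - " and the entry body; header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 Run-key entries look like "[name] command"; we want the command part.
RUN_RE = re.compile(r"\\Run: \[[^\]]+\] (?P<cmd>.+)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the coded entries of a HijackThis log as Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def triage(entries):
    """Attach review flags (heuristics chosen for this example, not HijackThis's own)."""
    for e in entries:
        body = e.body
        if "(file missing)" in body:
            # Orphaned entry: leftover clutter or the remains of a removed component.
            e.flags.append("file missing")
        if e.code == "O23" and "Unknown owner" in body:
            # Service binary carries no company name in its version resource: verify its origin.
            e.flags.append("unknown owner")
        if e.code == "O4" and body.endswith("= ?"):
            # Startup-folder shortcut whose target HijackThis could not resolve.
            e.flags.append("shortcut target unresolved")
        if e.code == "O2" and body.startswith("BHO: (no name)"):
            e.flags.append("unnamed BHO")
        if e.code == "O4":
            m = RUN_RE.search(body)
            if m and "\\" not in m["cmd"] and not m["cmd"].startswith('"'):
                # Bare file name: Windows locates it through the search path, so the
                # reviewer should confirm which copy actually runs.
                e.flags.append("bare filename resolved via search path")
        if e.code == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            public = [s for s in servers if not ip_address(s).is_private]
            if public:
                # Public resolvers should belong to the ISP; anything else merits a check.
                e.flags.append("public DNS servers: " + ", ".join(public))
    return entries


def flagged(text):
    """(code, flags) for every entry that tripped at least one rule."""
    return [(e.code, e.flags) for e in triage(parse_hjt(text)) if e.flags]


if __name__ == "__main__":
    for code, flags in flagged(SAMPLE_LOG):
        print(code, "->", "; ".join(flags))
```

Run against the sample, six of the eight entries are flagged and the BlackICE service and the R1 proxy line pass through untouched; a flag is a prompt to verify the entry (publisher, file location, ISP resolver addresses), not a verdict, which is exactly how the reviewer in this thread reads the log.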

#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 02 August 2005 - 06:51 PM

Hello Marco-63 and welcome to the BC malware forum. I do not see any problems in this log. It is clean.

Let's try a different scan and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Marco-63

  • Topic Starter
  • Members
  • 8 posts

Posted 03 August 2005 - 09:06 AM

WinPFind downloaded and run in safe mode. I hope something will come into view. This is the (long) log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 05/01/2002 2.18.20 2011136 C:\WINDOWS\SYSTEM32\atl70.pdb
PEC2 31/08/2001 13.00.00 41144 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 05/01/2002 5.48.16 9546752 C:\WINDOWS\SYSTEM32\mfc70.pdb
PEC2 05/01/2002 5.48.16 7564288 C:\WINDOWS\SYSTEM32\mfc70d.pdb
PEC2 05/01/2002 5.36.38 9538560 C:\WINDOWS\SYSTEM32\mfc70u.pdb
PEC2 05/01/2002 5.36.38 7597056 C:\WINDOWS\SYSTEM32\mfc70ud.pdb
PECompact2 07/07/2005 4.21.42 1371992 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 07/07/2005 4.21.42 1371992 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 30/04/2004 20.46.24 28672 C:\WINDOWS\SYSTEM32\qtalt.ax
Umonitor 09/09/2002 14.51.08 648704 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 26/03/2004 15.32.36 116224 C:\WINDOWS\SYSTEM32\rmalt.ax
winsync 31/08/2001 13.00.00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
02/08/2005 19.43.54 54156 C:\WINDOWS\QTFont.qfn
31/07/2005 20.22.32 0 C:\WINDOWS\LastGood\INF\enavweb.inf
31/07/2005 20.22.32 0 C:\WINDOWS\LastGood\INF\enavweb.PNF
12/07/2005 22.31.20 0 C:\WINDOWS\LastGood\INF\q903235.inf
12/07/2005 22.31.20 0 C:\WINDOWS\LastGood\INF\q903235.PNF
03/08/2005 15.40.22 8192 C:\WINDOWS\system32\config\default.LOG
03/08/2005 15.40.34 1024 C:\WINDOWS\system32\config\SAM.LOG
03/08/2005 15.40.28 12288 C:\WINDOWS\system32\config\SECURITY.LOG
03/08/2005 15.41.34 102400 C:\WINDOWS\system32\config\software.LOG
03/08/2005 15.40.30 1044480 C:\WINDOWS\system32\config\system.LOG
12/07/2005 22.31.14 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
02/08/2005 20.14.54 6 C:\WINDOWS\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/11/2003 21.47.56 958 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk
05/04/2005 19.56.50 1744 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
16/07/2005 19.34.56 719 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BlackICE PC Protection.lnk
25/02/2004 19.13.18 569 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BTTray.lnk
28/07/2004 19.28.30 1725 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Event Reminder.lnk
26/11/2003 21.28.02 1878 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\FinePrint Dispatcher.lnk
23/11/2003 23.16.14 919 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\gwum.lnk
09/10/2004 21.52.24 1795 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\HP Digital Imaging Monitor.lnk
26/11/2003 20.44.20 1864 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Logitech Desktop Messenger.lnk
23/11/2003 22.06.54 1744 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
26/02/2004 19.08.00 609 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\PCSuiteperNokia6600 Detect.lnk
26/02/2004 19.08.00 619 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\PCSuiteperNokia6600 TS.lnk
26/11/2003 22.33.40 550 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Quicken Scheduled Updates.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
09/10/2004 21.53.24 342 C:\Documents and Settings\All Users\Dati applicazioni\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
26/11/2003 22.39.12 661 C:\Documents and Settings\Marco\Menu Avvio\Programmi\Esecuzione automatica\HotSync Manager.lnk
21/11/2004 13.31.22 663 C:\Documents and Settings\Marco\Menu Avvio\Programmi\Esecuzione automatica\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
16/10/2004 23.16.42 155776 C:\Documents and Settings\Marco\Dati applicazioni\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\Programmi\VSO\copytodvd\CtcdShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Object Editor Default Menu Handle
{D0C7E9B2-209B-11D2-8D57-782BD5000000} = C:\Programmi\Object Desktop\Object Edit\oeext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ObjectEditMenu
{9C1BBBA7-5606-48FC-B15E-890A96581BB8} = C:\Programmi\Object Desktop\Object Edit\OEMenuExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Programmi\PowerArchiver\PASHLEXT.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Programmi\TechSmith\SnagIt 7\SnagItShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TextPad
{2F25CF20-C569-11D1-B94C-00608CB45480} = C:\Programmi\TextPad\System\shellext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\Programmi\TrojanHunter\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = D:\Programmi\Ipswitch\WS_FTP Pro\wsftpsi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Blocco menu Start = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\Programmi\VSO\copytodvd\CtcdShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerArchiver
{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Programmi\PowerArchiver\PASHLEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\Programmi\TrojanHunter\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = D:\Programmi\Ipswitch\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\Programmi\VSO\copytodvd\CtcdShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Programmi\TechSmith\SnagIt 7\SnagItShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\Programmi\TrojanHunter\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programmi\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}
HelperObject Class = C:\Programmi\TechSmith\SnagIt 7\SnagItBHO.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= D:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}
WsftpBrowserHelper Class = D:\Programmi\Ipswitch\WS_FTP Pro\wsbho2k0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\programmi\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B930BA63-9E5A-11D3-A288-0000E80E2EDE}
IECatcher Class = D:\Programmi\Mass Downloader\MDHELPER.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Suggerimenti = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9455301C-CF6B-11D3-A266-00C04F689C50}
&Organizzatore ricerche = C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmi\Norton AntiVirus\NavShExt.dll
{D3919E1A-D6A5-11D6-AC3E-00B0D094B576} = SYSTRAN Premium 4.0 : C:\PROGRA~1\Systran\4_0\Premium\IEPlugin.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\programmi\google\googletoolbar2.dll
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} = SnagIt : C:\Programmi\TechSmith\SnagIt 7\SnagItIEAddin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0FD01980-CCCB-11D3-80D4-0000E80E2EDE}
ButtonText = Mass Downloader : D:\Programmi\Mass Downloader\massdown.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9455301C-CF6B-11D3-A266-00C04F689C50}
ButtonText = Organizzatore ricerche :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B205A35E-1FC4-4CE3-818B-899DBBB3388C}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E19ADC6E-3909-43E4-9A89-B7B676377EE3}
ButtonText = Sothink SWF Catcher :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programmi\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
Barra di Explorer per la ricerca file = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programmi\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Indirizzo : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = Co&llegamenti : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmi\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programmi\google\googletoolbar2.dll
{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
1A:Stardock TrayMonitor "C:\Programmi\File comuni\Stardock\TrayServer.exe"
PRONoMgr.exe C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
SoundMan SOUNDMAN.EXE
ATIPTA C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
ccApp "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
Tweak UI RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

zBrowser Launcher C:\Programmi\Logitech\iTouch\iTouch.exe

Logitech Utility Logi_MwX.Exe

FinePrint Dispatcher v5 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe

pdfFactory Pro Dispatcher v2 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe

SunJavaUpdateSched C:\Programmi\Java\j2re1.4.2_01\bin\jusched.exe

QuickTime Task "C:\Programmi\QuickTime\qttask.exe" -atboottime

CloneDVDElbyDelay "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

CloneCDTray "C:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe" /s

LogonStudio "C:\Programmi\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe

TkBellExe "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot

DU Meter D:\Programmi\DU Meter\DUMeter.exe

CallControl 4.5 C:\PROGRAMMI\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload

NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe

Nokia Tray Application C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe

SSC_UserPrompt C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe

Babylon Client C:\Programmi\Babylon\Babylon.exe -AutoStart

HP Software Update "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"

Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

RemoteControl C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

Share-to-Web Namespace Daemon C:\Programmi\HP\HP Share-to-Web\hpgs2wnd.exe

SSBkgdUpdate "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

WorkFlowTray "C:\Programmi\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"

Opware14 "C:\Programmi\ScanSoft\OmniPagePro14.0\Opware14.exe"

OpScheduler "C:\Programmi\ScanSoft\OmniPagePro14.0\OpScheduler.exe"

THGuard D:\Programmi\TrojanHunter\THGuard.exe



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

IMAIL Installed = 1

MAPI Installed = 1

MSFS Installed = 1



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe

STYLEXP C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide

updateMgr C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =





HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1





[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun 0





[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\Programmi\Common Files\Stardock\MCPCore.dll

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

Shell = Explorer.exe

System =



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient

= C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB

= C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs wbsys.dll





Scan Complete

WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 03/08/2005 15.48.43

Edited by Marco-63, 03 August 2005 - 09:09 AM.


#4 OldTimer (Malware Expert; Members, 11,092 posts; North Carolina)

Posted 03 August 2005 - 11:29 AM

Hi Marco-63. The WinPFind log is clean also. The issue that you are encountering could be caused by a faulty Norton update.

Try uninstalling all Norton products. Test the firewall and see if it is now working properly. If not, then uninstall that also. Now do a fresh install of any products that you uninstalled and test them again. Do not forget to update Norton after it is reinstalled.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

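As an added example (not part of the thread and not code from WinPFind), here is a small Python triage pass over a log in the format posted above. It pulls out the Run values, the Winlogon\Notify DLLs and AppInit_DLLs, then flags the entries an analyst checks first: autostarts that run from the Windows directory or from a bare filename, non-default logon-notification DLLs, and any AppInit_DLLs value. The sample log is a constructed excerpt of the posted one plus one assumed AVCQY Run value standing in for the c:\system32\AVCQY.exe service the poster mentions later; the Notify allowlist is the Windows XP default set.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (location, value name, why it was flagged)

# Winlogon\Notify subkeys present on a default Windows XP install; any other
# entry is a third-party DLL that winlogon.exe loads at every logon.
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                  "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
# Binaries that legitimately run from the Windows directory via a Run value.
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "rundll32.exe"}

# Constructed excerpt in the WinPFind log format shown above.  All lines come
# from the posted log except the "AVCQY" Run value, which is an assumption
# added here to stand in for the unexplained c:\system32\AVCQY.exe service.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SoundMan SOUNDMAN.EXE

ccApp "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"

Tweak UI RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe

AVCQY C:\WINDOWS\system32\AVCQY.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB

= C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs wbsys.dll
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_NOTIFY = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\(\S+)$")
# A Run command line starts at the first token that looks like a path or a module.
_IMAGE_TOKEN = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\|[\w.~-]+\.(?:exe|dll|cpl|ocx)\b)', re.I)


def first_executable(command: str) -> str:
    """Return the image a Run command line starts (honours quoted paths)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def split_run_value(line: str) -> Optional[Tuple[str, str]]:
    """'Value name <command line>' -> (value name, executable), or None if no command is found."""
    tokens = line.split()
    for i in range(1, len(tokens)):
        if _IMAGE_TOKEN.match(tokens[i]):
            return " ".join(tokens[:i]), first_executable(" ".join(tokens[i:]))
    return None


def parse_log(text: str) -> Dict[str, Any]:
    """Pull Run values, Winlogon\\Notify DLLs and AppInit_DLLs out of the log text."""
    runs: List[Tuple[str, str, str]] = []
    notify: List[Tuple[str, str]] = []
    appinit, section, pending_notify = "", "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _SECTION.match(line)):
            section = m.group(1)
        elif (m := _NOTIFY.match(line)):
            pending_notify = m.group(1)          # the DLL is on the following "= ..." line
        elif pending_notify and line.startswith("="):
            notify.append((pending_notify, line[1:].strip()))
            pending_notify = ""
        elif line.startswith("AppInit_DLLs"):
            appinit = line[len("AppInit_DLLs"):].strip()
        elif section.endswith("\\Run"):
            parsed = split_run_value(line)
            if parsed:
                runs.append((section, parsed[0], parsed[1]))
    return {"run": runs, "notify": notify, "appinit": appinit}


def triage(parsed: Dict[str, Any]) -> List[Finding]:
    """A review list, not a verdict: autostart entries that deserve a second look."""
    findings: List[Finding] = []
    for section, name, image in parsed["run"]:
        low = image.lower()
        if low.rsplit("\\", 1)[-1] in KNOWN_SYSTEM_BINARIES:
            continue
        if "\\" not in low:
            findings.append((section, name, f"bare filename {image}: resolved through PATH, not pinned to a directory"))
        elif "\\windows\\" in low or low.startswith("%systemroot%"):
            findings.append((section, name, f"{image} runs from the Windows directory, not a product folder"))
    for subkey, dll in parsed["notify"]:
        if subkey not in DEFAULT_NOTIFY:
            findings.append(("Winlogon\\Notify", subkey, f"non-default logon notification DLL {dll}"))
    if parsed["appinit"]:
        findings.append(("AppInit_DLLs", parsed["appinit"], "loaded into every process that links user32.dll"))
    return findings


if __name__ == "__main__":
    for location, name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{location}\n    {name}: {reason}")
```

Everything it flags still has to be identified by hand (the WB and wbsys.dll hits here are WindowBlinds, and printer-driver helpers under System32\spool will show up too); the value of the pass is that it turns a 1000-line log into a short list ordered by the load points malware favours.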

#5 Marco-63 (Topic Starter; Members, 8 posts)

Posted 04 August 2005 - 02:02 AM

The issue that you are encountering could be caused by a faulty Norton update.

Try uninstalling all Norton products. Test the firewall and see if it is now working properly. If not, then uninstall that also. Now do a fresh install of any products that you uninstalled and test them again. Do not forget to update Norton after it is reinstalled.

Cheers.

OT

I tried to uninstall Norton, but the system doesn't let me do that. Even with the specific utilities from Symantec I cannot uninstall the antivirus. On the contrary, I can normally update Norton with the new virus definition file. The firewall appears blocked, because I can neither uninstall nor upgrade it.

Could it be a Windows failure? Can I perhaps resolve it (without losing installed programs) with sfc /scannow?

Edited by Marco-63, 04 August 2005 - 04:20 AM.


#6 OldTimer (Malware Expert; Members, 11,092 posts; North Carolina)

Posted 04 August 2005 - 08:30 AM

Hi Marco-63. You can try the sfc /scannow but I doubt that it will resolve any problems. The issue does appear to lie with Norton if it cannot be uninstalled. This is not a new issue with Norton products. It happens frequently.

If that is the case then you can try a manual uninstall as outlined here: How to uninstall Symantec products

Cheers.

OT

#7 Marco-63 (Topic Starter; Members, 8 posts)

Posted 05 August 2005 - 02:20 AM

Hi OldTimer.
I've uninstalled Norton by starting a safe mode session and allowing a selective startup with only the Microsoft services. Here are the instructions for Configuring Windows XP to clean boot.
After that I restarted the PC normally and some odd services suddenly appeared (like c:\system32\AVCQY.exe). The system remains as before: firewall disabled, system control panel blocked.
I deleted the entries in the registry (under MSConfig\Services, ControlSet001\Services, ControlSet003\Services and CurrentControlSet\Services), but some entries cannot be deleted: ControlSet001\Enum\Root\LEGACY_xxx, ControlSet003\Enum\Root\LEGACY_xxx and CurrentControlSet\Enum\Root\LEGACY_xxx, where xxx are the names of the odd services.

If I restart the computer with only the Microsoft services, all works properly.

How can I find out where the virus is, in order to kill it for good?
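Added example, not from the thread: the comparison the poster did by hand in the post above, done over two `reg export` snapshots of HKLM\SYSTEM\CurrentControlSet (the Services and Enum\Root branches). It lists services that appeared between the snapshots with their ImagePath, and, once a service key has been deleted, the LEGACY_ nodes under Enum\Root that still point at it. The two .reg snapshots are constructed for the example; the AVCQY service's ImagePath, Type and Start values are assumptions, as is its LEGACY_AVCQY node.

```python
from typing import Dict, List, Tuple

RegKeys = Dict[str, Dict[str, str]]  # key path -> {value name: decoded value}

SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
LEGACY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_"

# Constructed "reg export" snapshots.  BEFORE_REG is a clean baseline holding one
# real XP service; AFTER_REG adds a service named after the odd
# c:\system32\AVCQY.exe binary from the post (its values are assumptions).
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EVENTLOG\0000]
"Service"="Eventlog"
"""
AFTER_REG = BEFORE_REG + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVCQY]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\AVCQY.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVCQY\0000]
"Service"="AVCQY"
"""


def decode_value(value: str) -> str:
    """Decode the value syntaxes reg.exe exports that matter for this check."""
    if value.startswith('"'):                          # REG_SZ, backslashes doubled
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith(("hex(2):", "hex(7):")):       # REG_EXPAND_SZ / REG_MULTI_SZ as UTF-16LE bytes
        raw = bytes.fromhex(value.split(":", 1)[1].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\x00")
    if value.startswith("dword:"):                     # REG_DWORD in hex
        return str(int(value[len("dword:"):], 16))
    return value


def parse_reg(text: str) -> RegKeys:
    """Parse a .reg export into {key path: {value name: value}}."""
    keys: RegKeys = {}
    current, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                        # long hex values wrap with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def service_names(keys: RegKeys) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Direct Services\\<name> keys (no subkeys), indexed by lower-cased name."""
    out = {}
    for key, values in keys.items():
        if key.startswith(SERVICES) and "\\" not in key[len(SERVICES):]:
            name = key[len(SERVICES):]
            out[name.lower()] = (name, values)
    return out


def new_services(before: RegKeys, after: RegKeys) -> List[Tuple[str, str]]:
    """Services present only in the later snapshot, with their ImagePath."""
    old = service_names(before)
    return sorted((name, values.get("ImagePath", ""))
                  for low, (name, values) in service_names(after).items() if low not in old)


def orphan_legacy_keys(keys: RegKeys) -> List[str]:
    """LEGACY_* nodes whose service key no longer exists: the residue a manual delete leaves."""
    live = service_names(keys)
    nodes: Dict[str, str] = {}
    for key, values in keys.items():
        if key.startswith(LEGACY):
            node = key[len(LEGACY):].split("\\", 1)[0]
            if "Service" in values:
                nodes[node] = values["Service"]       # the 0000 instance names the owning service
            else:
                nodes.setdefault(node, node)
    return sorted(node for node, svc in nodes.items() if svc.lower() not in live)


def without_service(keys: RegKeys, name: str) -> RegKeys:
    """The snapshot as it looks after deleting only Services\\<name> and its subkeys."""
    prefix = (SERVICES + name).lower()
    return {k: v for k, v in keys.items()
            if not (k.lower() == prefix or k.lower().startswith(prefix + "\\"))}


if __name__ == "__main__":
    before, after = parse_reg(BEFORE_REG), parse_reg(AFTER_REG)
    print("new services:", new_services(before, after))
    print("orphaned LEGACY_ nodes after deleting AVCQY:", orphan_legacy_keys(without_service(after, "AVCQY")))
```

The LEGACY_ nodes are root-enumerated Plug and Play device entries that the PnP manager creates for services and protects with a restrictive ACL, which is why they survive a delete from regedit; once the Services key they name is gone they are inert, and the orphan check above is the way to confirm that nothing still references the removed service.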

#8 OldTimer (Malware Expert; Members, 11,092 posts; North Carolina)

Posted 05 August 2005 - 08:46 AM

Hi Marco-63. Try an ewido scan and see what it can find.

Download and install the trial version of the ewido security suite. Update the program and then do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Post the ewido log back here.

Cheers.

OT

#9 Marco-63 (Topic Starter; Members, 8 posts)

Posted 05 August 2005 - 09:51 AM

It seems to be even more complicated.
I just finished checking the system with ewido.
I downloaded ewido and let it run (I had some problems during installation: it hung during the service installation. I reinstalled it a second time and ran it.)
The first time I found and deleted the following viruses:

Spyware.Cookie.Spylog
TrojanSpy.Citifraud.b
Not-A-Virus.Tool.TPE.a
Worm.Family.c
TrojanDropper.Agent.cg
TrojanDropper.Delf.fd
Heuristic.Win32.Morphine-Crypted

Now the system seems clean (the second time ewido found nothing) but the situation is as I described before.

Edited by Marco-63, 05 August 2005 - 09:54 AM.


#10 OldTimer (Malware Expert; Members, 11,092 posts; North Carolina)

Posted 05 August 2005 - 10:32 AM

Hi Marco-63. Run another WinPFind log and let's see what it shows now. Also, what about BlackICE? Since Norton has been uninstalled is BlackICE still disabled?

Cheers.

OT

#11 Marco-63 (Topic Starter; Members, 8 posts)

Posted 16 August 2005 - 03:48 AM

Hi Marco-63. Run another WinPFind log and let's see what it shows now. Also, what about BlackICE? Since Norton has been uninstalled is BlackICE still disabled?

Cheers.

OT

Hi OldTimer.

After the Norton uninstallation, BlackIce was still disabled.
I did this:

- started XP in safe mode, ran msconfig, disabled all the services except the Windows ones and disabled the startup programs
- restarted XP in normal mode (without services and startup programs)
- ran sfc /scannow and sfc /purgecache
- deleted the content of Windows\prefetch
- enabled the services one at a time, checking the status of the firewall (when the firewall got disabled I reinstalled the service that caused the problem)

I have not understood what the problem was, but now XP works again. A complete system scan with Kaspersky did not show the presence of any viruses.

Edited by Marco-63, 16 August 2005 - 03:49 AM.


#12 OldTimer (Malware Expert; Members, 11,092 posts; North Carolina)

Posted 16 August 2005 - 09:54 AM

Hi Marco-63. Unless you know exactly when the issue started and what was going on at the time you will probably never know how it got started. It could have been an infection that started it (many do try and disable anti-virus programs and firewalls) or it could have started with Norton.

So is everything back to normal and working properly? If so, I will close this topic.

Cheers.

OT

#13 Marco-63 (Topic Starter; Members, 8 posts)

Posted 17 August 2005 - 02:07 AM

Yes, everything is running normally now. Thanks for the help.
Unfortunately I have not understood how it got started but ... I've learned a lot.

Many many thanks to OldTimer and to this wonderful Forum. :thumbsup: :flowers:

Marco

#14 OldTimer (Malware Expert; Members, 11,092 posts; North Carolina)

Posted 17 August 2005 - 08:07 AM

You're very welcome Marco-63. I'm glad that we could help.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:



