Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack


  • Please log in to reply
19 replies to this topic

#1 azrael

azrael

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 09 February 2006 - 07:48 PM

Hi everyone I am getting so much grief I have decided to post a log in the hope that I don't have to reformat.Logfile of HijackThis v1.99.1
Scan saved at 00:44:20, on 10/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\gsicon.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ABC\abc.exe
C:\Documents and Settings\Azrael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Canon Scanner Monitor 2.1] C:\Program Files\Canon\ScanGear Toolbox CS\SGTBPBM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?e48cfe2f6f7643a483f62f79e1157230
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?e48cfe2f6f7643a483f62f79e1157230
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: LearnKey LTF Applet - file://C:\WINDOWS\system32\lktest.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {61ECE47E-0000-0000-0000-000000000000} - http://www.gameshadow.com/download/version...owweb/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/stud.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15EBC8A-A0D9-4456-A8F7-766F85C765B1}: NameServer = 212.159.6.10 212.159.6.9
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O20 - AppInit_DLLs: PAVWAIT.DLL C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:18 PM

Posted 11 February 2006 - 07:32 AM

Hello azrael.

Welcome, I would like to take a look at this Log,
and I will get back to you as soon as I can.

Thank you,
ourwilly. :thumbsup:

#3 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:18 PM

Posted 11 February 2006 - 05:24 PM

Hello azrael.

Please Note - as with all P2P sharing programs they are susceptible to various forms of malware
I would like to "suggest" the removal of P2P software from your system using Add/Remove.

In your next reply
Could you please give me some information on the problems that you are having.

Step 1.

For the fix to work you will need to Disable your Real Time Protection.

To Disable WinPatrol's protection.

* Right-click the 'Scotty Dog' icon in the system tray.
* Click "Always Run Winpatrol" to apply the reverse.
* When WinPatrol questions the Startup change, click Yes.
* Reboot the machine to complete the change.


Close any windows that are open.
Open HijackThis and select "Do A System Scan Only"
and place a "checkmark" next to all these entries:


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

Do you use protection software that Locks the homepage from changes'
or has the system administrator has put this into place, If not then have HijackThis fix these 06 line

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

and select "Fix checked".


Step 2.

Download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only and will help to clean up your system.


Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Please now Update and Run your Anti-Spyware Software.

Step 3.

Download WinPFind.zip from Here
- Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Do not Scan with it Yet..!!


Now Reboot your computer into Safe Mode.

Open the C:\WinPFind folder and double-click on WinPFind.exe.
- Click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
When it is done, the results of the scan will be displayed and it will create a log file at C:\WinPFind\WinPFind.txt.

Reboot back into Normal Mode.

Please Re-Scan with HijackThis and post.The new HJT log
and the WinPFind.txt result's
ourwilly. :thumbsup:

#4 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 13 February 2006 - 09:31 AM

Logfile of HijackThis v1.99.1
Scan saved at 14:09:00, on 13/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\gsicon.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acoustica Spin It Again\spinitagain.exe
C:\Documents and Settings\Azrael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Canon Scanner Monitor 2.1] C:\Program Files\Canon\ScanGear Toolbox CS\SGTBPBM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?e48cfe2f6f7643a483f62f79e1157230
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?e48cfe2f6f7643a483f62f79e1157230
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: LearnKey LTF Applet - file://C:\WINDOWS\system32\lktest.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {61ECE47E-0000-0000-0000-000000000000} - http://www.gameshadow.com/download/version...owweb/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/stud.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15EBC8A-A0D9-4456-A8F7-766F85C765B1}: NameServer = 212.159.6.9 212.159.6.10
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O20 - AppInit_DLLs: PAVWAIT.DLL C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe


Hi there. This is the new Log.And to follow the WinPFind.Txt One of the things troubling me is I can't access my files by clicking my computer and then double clicking local disk. I get a message saying this torrent is a duplicate do you want to replace it. I always answer no. I am running ABC. The other main thing is I can't access my pictures in windows fax and picture viewer which is normally the default proram for this.If I want to check files even in Safe Mode I had to go through All programs-accessories-windows explorer. Thanks for your Help.

















WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 5/17/2004 04:05:18 44032 C:\WINDOWS\Unwash5.exe

Checking %System% folder...
PEC2 1/4/2006 00:57:38 59252 C:\WINDOWS\SYSTEM32\ansi.cfg
UPX! 12/20/2005 12:21:38 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
SAHAgent 2/28/2003 16:26:36 69027 C:\WINDOWS\SYSTEM32\clsid.log
aspack 1/26/2005 19:43:06 194560 C:\WINDOWS\SYSTEM32\crabs_highloop.scr
PEC2 8/23/2001 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/26/2004 22:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/26/2004 22:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
aspack 1/26/2005 19:51:22 194560 C:\WINDOWS\SYSTEM32\liquid_iconography_highloop.scr
PECompact2 1/5/2006 03:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/5/2006 03:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 23:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 23:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 11/13/2005 17:44:00 197120 C:\WINDOWS\SYSTEM32\Rumor has it.scr
aspack 12/26/2005 18:17:16 194560 C:\WINDOWS\SYSTEM32\the4400.scr
winsync 8/23/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\Hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/11/2006 12:59:24 H 54156 C:\WINDOWS\QTFont.qfn
1/2/2006 23:09:36 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
2/13/2006 13:17:54 H 8192 C:\WINDOWS\system32\config\default.LOG
2/13/2006 13:18:28 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2/13/2006 13:18:04 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
2/13/2006 13:20:12 H 86016 C:\WINDOWS\system32\config\software.LOG
2/13/2006 13:18:08 H 983040 C:\WINDOWS\system32\config\system.LOG
2/13/2006 13:16:48 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/3/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 23:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 23:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 23:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 23:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Binatone 7/3/2003 06:47:08 290816 C:\WINDOWS\SYSTEM32\gsi.cpl
Microsoft Corporation 8/3/2004 23:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 23:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 23:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 23:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 6/3/2004 21:05:06 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 23:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 23:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 23:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 2/24/2005 07:32:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/3/2004 23:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 23:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 23:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 23:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 23:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/3/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/3/2004 23:56:58 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/3/2004 23:56:58 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/3/2004 23:56:58 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/3/2004 23:56:58 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/3/2004 23:56:58 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/3/2004 23:56:58 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/3/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/3/2004 23:56:58 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/3/2004 23:56:58 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/3/2004 23:56:58 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/3/2004 23:56:58 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/3/2004 23:56:58 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/3/2004 23:56:58 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/3/2004 23:56:58 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/3/2004 23:56:58 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/3/2004 23:56:58 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/29/2004 13:02:00 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/29/2004 12:48:28 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
9/29/2004 13:02:00 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/29/2004 12:48:28 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\PROGRA~1\Agnitum\OUTPOS~1.0\op_shell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BCShellMenu
{7850a720-705f-11d0-a9eb-0080488625e5} = BCShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Cheetah Burner Menu
{88CBF1CB-6F55-11D8-ABF8-C5E6374AC960} = C:\Program Files\Cheetah Burner\CheetahCtxMnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Ghostbusters
{200E90D1-B217-40BD-B2F4-95ABE4AA7816} = C:\Program Files\Antiy Labs\AGB4\AGBCM.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\PROGRA~1\Agnitum\OUTPOS~1.0\op_shell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BCShellMenu
{7850a720-705f-11d0-a9eb-0080488625e5} = BCShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ContMenu
{EBDF1F20-C829-11D1-8233-0020AF3E97A6} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ASW
{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\PROGRA~1\Agnitum\OUTPOS~1.0\op_shell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Cheetah Burner Menu
{88CBF1CB-6F55-11D8-ABF8-C5E6374AC960} = C:\Program Files\Cheetah Burner\CheetahCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ContMenu
{EBDF1F20-C829-11D1-8233-0020AF3E97A6} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Ghostbusters
{200E90D1-B217-40BD-B2F4-95ABE4AA7816} = C:\Program Files\Antiy Labs\AGB4\AGBCM.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
MSN Search Toolbar Helper = C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN Search Toolbar : C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{44627E97-789B-40d4-B5C2-58BD171129A1}
ButtonText = Outpost Firewall Pro Quick Tune :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
PPMemCheck c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
PestPatrol Control Center c:\PROGRA~1\PESTPA~1\PPControl.exe
nwiz nwiz.exe /install
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
GSICONEXE gsicon.exe
CookiePatrol c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RegistryMechanic
Canon Scanner Monitor 2.1 C:\Program Files\Canon\ScanGear Toolbox CS\SGTBPBM.EXE
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
DSLAGENTEXE dslagent.exe USB
Outpost Firewall C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice

KAVPersonal50 "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE
WindowsRegKey update winupdate.exe
Spooler SubSystem App spoolsvc.exe
Window Monitor winmon32.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Window Monitor winmon32.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
vsmon 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk
backup C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE
item InterVideo WinCinema Manager
backup C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE
item InterVideo WinCinema Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk
backup C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe
item Picture Package Menu
backup C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~3\SonyTray.exe
item Picture Package Menu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk
backup C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE -h
item Picture Package VCD Maker
backup C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\SONYCO~1\PICTUR~1\PICTUR~1\RESIDE~1.EXE -h
item Picture Package VCD Maker

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions 0
NoRun 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs PAVWAIT.DLL C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/13/2006 13:28:19

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:18 PM

Posted 14 February 2006 - 11:06 AM

Hello azrael.

Step 1.

Please Download killbox from : HERE.

Unzip the folder to your desktop

Double-click killbox.exe on your desktop.
Select the option Delete on reboot.
Now highlight and 'copy' the entire list of filepaths below

C:\WINDOWS\SYSTEM32\ansi.cfg
C:\WINDOWS\SYSTEM32\clsid.log


Open 'file' in the killbox menu at the top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines should be there together!

at the bottom select ALL FILES

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES

When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Step 2.

Open Notepad, (Start | Run, type Notepad)
Click Format from the Notepad menu and ensure "Word Wrap" is NOT selected.
Copy ALL the Bold text below into Notepad.
Click File | Save As

Change the Save as type to All Files
Save it to your desktop as fix.reg


REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsRegKey update winupdate.exe"=-
"Spooler SubSystem App spoolsvc.exe"=-
"Window Monitor winmon32.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Window Monitor winmon32.exe"=-




Locate Fix.reg on your desktop and double-click it.
When asked if you want to merge with the registry, click YES.


Step 3.

Once you have done that, Re-Scan with Panda ActiveScan
and perform a full system scan & save the result's.

Reboot your System.


Please download F-Secure Blacklight :thumbsup: from here: http://www.f-secure.com/blacklight/try.shtml

Save the program to o folder, for example c:\black

Go to Start --> Run --> type (or copy and paste) C:\black\blbeta.exe /expert (note there is a space between "blbeta.exe" and "/") and press the OK button.

Select "I accept the agreement" and then press the Next button.

Press the Scan button.

When it is done, press the Next button and then the Exit button.

Open the c:\black folder and you will find a log. Please post the content of that log.
Don't fix anything with BlackLight. Files found may be legitimate.


Please Re-scan with Hijack this and postThe new HJT log
The Panda scan result's
and The Blacklight log result's
ourwilly. :flowers:

#6 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 15 February 2006 - 07:21 AM

Hi there. I got to phase 2 and hit a slight hitch. I got a message when attempting to merge.Cannot import.The specified file is not a registry script.You can only import binary registry files from within the registry. So I paused at that moment. cheers.

#7 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:18 PM

Posted 15 February 2006 - 04:46 PM

Hello azrael.

For Step 2 please try this.


Open Notepad, (Start | Run, type Notepad)
Click Format from the Notepad menu and ensure "Word Wrap" is NOT selected.
Copy the content of the quote box below into Notepad.
Click File | Save As

Change the Save as type to All Files
Save it to your desktop as fix.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsRegKey update winupdate.exe"=-
"Spooler SubSystem App spoolsvc.exe"=-
"Window Monitor winmon32.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Window Monitor winmon32.exe"=-



Locate Fix.reg on your desktop and double-click it.
When asked if you want to merge with the registry, click YES.

please continue with my instruction's.

ourwilly. :thumbsup:

#8 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 16 February 2006 - 07:42 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:38:49, on 16/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\gsicon.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Azrael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Canon Scanner Monitor 2.1] C:\Program Files\Canon\ScanGear Toolbox CS\SGTBPBM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\Azrael\LOCALS~1\Temp\_uninstop.exe /u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?e48cfe2f6f7643a483f62f79e1157230
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?e48cfe2f6f7643a483f62f79e1157230
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: LearnKey LTF Applet - file://C:\WINDOWS\system32\lktest.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {61ECE47E-0000-0000-0000-000000000000} - http://www.gameshadow.com/download/version...owweb/setup.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37600.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/stud.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15EBC8A-A0D9-4456-A8F7-766F85C765B1}: NameServer = 212.159.6.9 212.159.6.10
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O20 - AppInit_DLLs: pavwait.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

Here is the hijack log I'll have to post the others later. Gotta rush and buy my daughter a new guitar Rock and roll can not wait Cheers

#9 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 17 February 2006 - 08:36 AM

Hi. OK Here are the other two logs.
Incident Status Location

Dialer:dialer.abr Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\startbf.inf
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Possible Virus. Not disinfected C:\Documents and Settings\Azrael\Desktop\audio setups\cdb\CDBlasterInstall.exe[gogo.dll]
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Azrael\Desktop\backups\backup-20041028-125817-903.inf
Dialer:Dialer.XD Not disinfected C:\Documents and Settings\Azrael\Desktop\backups\backup-20060114-030310-553.inf
Dialer:Dialer.ABR Not disinfected C:\Documents and Settings\Azrael\Desktop\backups\backup-20060114-030313-545.inf
Dialer:Dialer.XD Not disinfected C:\Documents and Settings\Azrael\Desktop\backups\backup-20060116-001022-394.inf
Dialer:Dialer.ABR Not disinfected C:\Documents and Settings\Azrael\Desktop\backups\backup-20060116-001023-419.inf
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt[]
Virus:Eicar.Mod Not disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Dialer:Dialer.ABR Not disinfected C:\WINDOWS\Downloaded Program Files\startbf.inf


02/16/06 12:09:05 [Info]: BlackLight Engine 1.0.30 initialized
02/16/06 12:09:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/16/06 12:09:05 [Note]: 7019 4
02/16/06 12:09:05 [Note]: 7005 0
02/16/06 12:09:28 [Note]: 7006 0
02/16/06 12:09:28 [Note]: 7011 1860
02/16/06 12:09:29 [Note]: FSRAW library version 1.7.1014
02/16/06 12:26:27 [Note]: 7007 0

Hope it's all ok. Cheers.

#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:18 PM

Posted 17 February 2006 - 02:48 PM

Hello azrael.

Please Print out these Instruction's

Please make sure that you can view all hidden files.
Instructions on how to do this can be found here: How to see hidden files in Windows

Could you please now Reboot your computer into Safe Mode.

Once you are in safe mode Navigate then Right-Click on and Delete these Bold Files:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\startbf.inf
C:\WINDOWS\switchagreement.txt
C:\Documents and Settings\Azrael\Desktop\backups\backup-20041028-125817-903.inf
C:\Documents and Settings\Azrael\Desktop\backups\backup-20060114-030310-553.inf
C:\Documents and Settings\Azrael\Desktop\backups\backup-20060114-030313-545.inf
C:\Documents and Settings\Azrael\Desktop\backups\backup-20060116-001022-394.inf
C:\Documents and Settings\Azrael\Desktop\backups\backup-20060116-001023-419.inf
C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
C:\WINDOWS\Downloaded Program Files\startbf.inf
C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt[]

Reboot back into Normal mode.

Please visit this website: http://virusscan.jotti.org/

When you are on this website please select Browse and Navigate to this Bold File on your computer
C:\Documents and Settings\Azrael\Desktop\audio setups\cdb\CDBlasterInstall.exe

and then select Send File
could you please give me information on this file.

Please Re-scan with HijackThis and post the new HJT log
and the Jotti file result
I would like to ask how your system is running now.

ourwilly. :thumbsup:

#11 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 18 February 2006 - 08:38 AM

Here is a new HT log.

Logfile of HijackThis v1.99.1
Scan saved at 13:33:00, on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\gsicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\PestPatrol\ppmemcheck.exe
c:\Program Files\PestPatrol\cookiepatrol.exe
c:\Program Files\PestPatrol\ppcontrol.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE
C:\Documents and Settings\Azrael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Canon Scanner Monitor 2.1] C:\Program Files\Canon\ScanGear Toolbox CS\SGTBPBM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?e48cfe2f6f7643a483f62f79e1157230
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?e48cfe2f6f7643a483f62f79e1157230
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: LearnKey LTF Applet - file://C:\WINDOWS\system32\lktest.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {61ECE47E-0000-0000-0000-000000000000} - http://www.gameshadow.com/download/version...owweb/setup.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37600.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/stud.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15EBC8A-A0D9-4456-A8F7-766F85C765B1}: NameServer = 212.159.6.9 212.159.6.10
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O20 - AppInit_DLLs: pavwait.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

One of the scanners on jotti found ADWARE.FASTSEEKER

I am not sure I have done everything right. Some files I could not find.

#12 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:18 PM

Posted 18 February 2006 - 01:42 PM

Hello azrael.

I am not sure I have done everything right. Some files I could not find.


If possible Can you please tell me the files that were not found..?



One of the scanners on jotti found ADWARE.FASTSEEKER


Please Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.

C:\Documents and Settings\Azrael\Desktop\audio setups\cdb\CDBlasterInstall.exe

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


--------------------------------------

Please download, install, and update the ewido anti-malware:
  • When installing, under "Additional Options" uncheck
    "Install background guard"
    "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning Database could not be found!. This is normal so just click OK.
  • To launch ewido double-click the icon that should now be on your desktop.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes the status bar at the bottom will display Update successful.

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates.
  • Close ewido.
Reboot your computer into Safe Mode.
  • Now open ewido and click on scanner.
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite and reboot back into normal mode.


Please re-scan with HijackThis and post a new HJT log along with the Ewido scan results.

#13 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 19 February 2006 - 09:28 AM

These are the files I could not find and delete

C:\WINDOWS\DOWNLOADED PROGRAM FILES\startbf.inf

C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]

C:\WINDOWS\Downloaded Program Files\startbf.inf

That's all for now I will post the the logs a.s.a.p. Cheers.

#14 azrael

azrael
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Derbyshire
  • Local time:06:18 PM

Posted 19 February 2006 - 12:22 PM

Here is Ewido scan report.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 16:13:29, 2/19/2006
+ Report-Checksum: FAEB3E2

+ Scan result:

:mozilla.22:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Euroclick : Ignored
:mozilla.23:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Euroclick : Ignored
:mozilla.24:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Adrevolver : Ignored
:mozilla.45:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Casalemedia : Ignored
:mozilla.46:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Casalemedia : Ignored
:mozilla.47:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Casalemedia : Ignored
:mozilla.48:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Casalemedia : Ignored
:mozilla.126:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Overture : Ignored
:mozilla.128:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Qksrv : Ignored
:mozilla.129:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Qksrv : Ignored
:mozilla.134:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Statcounter : Ignored
:mozilla.143:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Tradedoubler : Ignored
:mozilla.161:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Web-stat : Ignored
:mozilla.162:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Web-stat : Ignored
:mozilla.163:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Web-stat : Ignored
:mozilla.191:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Adrevolver : Ignored
:mozilla.192:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Adrevolver : Ignored
:mozilla.200:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Web-stat : Ignored
:mozilla.201:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Web-stat : Ignored
:mozilla.230:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Googleadservices : Ignored
:mozilla.231:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Googleadservices : Ignored
:mozilla.232:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Googleadservices : Ignored
:mozilla.233:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Googleadservices : Ignored
:mozilla.234:C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\default.u0y\cookies.txt -> TrackingCookie.Googleadservices : Ignored


::Report End

And here is Hijack.

Logfile of HijackThis v1.99.1
Scan saved at 17:13:34, on 19/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\gsicon.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Azrael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Canon Scanner Monitor 2.1] C:\Program Files\Canon\ScanGear Toolbox CS\SGTBPBM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?e48cfe2f6f7643a483f62f79e1157230
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?e48cfe2f6f7643a483f62f79e1157230
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: LearnKey LTF Applet - file://C:\WINDOWS\system32\lktest.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {61ECE47E-0000-0000-0000-000000000000} - http://www.gameshadow.com/download/version...owweb/setup.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37600.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D6867DAF-DDD2-4559-ACFB-A46C38E847D0} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/stud.../ActiveXATS.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15EBC8A-A0D9-4456-A8F7-766F85C765B1}: NameServer = 212.159.6.9 212.159.6.10
O18 - Protocol: asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-asp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O18 - Protocol: x-hsp - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\System32\hsppp.dll
O20 - AppInit_DLLs: pavwait.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Hi. I've got something which comes up at start it's called desktop.ini. Notepad opens two windows and displays a couple of lines shall I save them and post?

#15 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:06:18 PM

Posted 19 February 2006 - 12:39 PM

Hi,

ourwilly is not available until Tuesday.

Please follow these instructions to get rid of the desktop.ini / notepad problem.
http://support.microsoft.com/default.aspx?scid=330132

Your Sun Java version is vulnerable. !! First uninstall Sun Java from Add\Remove Programs. !!
Then install the latest version: http://www.java.com/en/download/manual.jsp

Your log looks clean. Do you have any other problems ?
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users