
Persistent Virus Alert Pop Up - Pls Help


  • This topic is locked
20 replies to this topic

#1 akyra

akyra

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 26 March 2006 - 07:12 PM

Hi

I am seriously hoping that you can help us. My husband's PC got this pop-up window 2 days ago saying that he had infections and trying to steer us to purchase their software.

We ran AVG and A2; both found nothing.

We then ran Spybot Search and Destroy, which said that it found a few things and dealt with them, but still it did not rid us of it.

We have since run Ewido and Ad-Aware SE, still to no avail.

We have followed instructions re: performing the scans in safe mode; they all say that they have found stuff and that they have removed it, but none of it is this SpywareQuake that we are plagued with.

One of the programs we were recommended to try was smitRem. We did, and are now not sure this was good as other programs see it as a potential risk??

On every boot-up we get a Windows Installer box; if we click cancel then the SpywareQuake 2.0 program does not install itself, but we still get the pop-up window saying we are infected.

Windows Defender has detected this program trying to change autostart/run keys and has said it has blocked it, but still we are plagued.

We have run an ActiveScan and its report is as follows:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Ky McKenzie\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Ky McKenzie\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Ky McKenzie\Local Settings\Application Data\Mozilla\Firefox\Profiles\4a8llly4.default\Cache\3EFBEAA3d01[Process.exe]


and the HijackThis report is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 00:44:30, on 27/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\System32\ctfmon.exe
F:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\DOCUME~1\KYMCKE~1\LOCALS~1\Temp\Rar$EX01.438\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] F:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe



I am really hoping one of you in-the-know guys can help; otherwise the only solution we can see is to wipe the hard drive and reinstall, which would mean he will lose a lot of stuff that, although not the end of the world to lose as nothing really is, we would rather not lose.

Many thanks in advance

Cheyenne and Akyra

****~Mod Edit Moved to HJT forum - rigel~****

Edited by rigel, 26 March 2006 - 08:22 PM.




#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 PM

Posted 27 March 2006 - 06:44 AM

Hello,

* Download Roguescanfix from here:
http://www.martijnc.be/tools/roguescanfix.exe
Download it to your desktop.
Doubleclick roguescanfix.exe
Click the 'install' button.
This will create a new folder on your desktop called Roguescanfix.
Open that folder and click: Run.bat
This tool needs internet connection so it can download an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
Let the tool perform its job.

Let me know if that solved the problem.

Edited by miekiemoes, 27 March 2006 - 07:17 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 akyra

akyra
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 28 March 2006 - 10:33 AM

Hi

Thank you for your reply

We downloaded it and did as instructed, and it has gone, but we are unsure if it has left any residual problems as we are experiencing the following.

We still have the Windows Installer box popping up on each boot-up, just after we sign in and before most things have finished loading themselves; it stays for a while (approx. 5 mins) and then disappears.

Several times Explorer has opened and then notified us that it is experiencing problems and will close. It's not doing it all the time, but several times in one day seemed very strange as we have never had it do this much before. Oh, and the majority of the time it was when we were trying to get into the Control Panel.

Once again many thanks for your help

Cheyenne and Akyra

P.S. Don't know if this is related, but whilst I was typing this, every so many words the cursor would disappear and I would get a noise on each key press. Using Mozilla Firefox, in case that's of any relevance.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 PM

Posted 28 March 2006 - 10:43 AM

Hi, it's better to post a new HijackThis log, because normally the infection you were dealing with never comes alone. Strange it didn't show other related files in your first log; maybe it should show them now.

Also perform the following:

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply and a new hijackthislog.

By the way, I see you didn't unzip/extract HijackThis, and it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Edited by miekiemoes, 28 March 2006 - 10:44 AM.


#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 PM

Posted 28 March 2006 - 10:59 AM

By the way, can you tell me exactly for what program this Windows Installer box is appearing? Because as I see from your first log, it didn't show any entries that could be causing this, unless it's hidden or uses another startup method.
That's why I also want you to perform the following:

Download winpfind

Reboot in SAFE MODE !! Important !!
* To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Doubleclick winpfind.exe
Click start Scan.
It will scan for a while, so please be patient.
Let it finish the job.

Reboot back to normal mode.

Post the contents of winpfind.txt which is present in the winpfind-folder in your next reply.
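A small triage helper in the spirit of miekiemoes's two posts above (the temp-folder warning and the question of which startup entry launches the Windows Installer box). It is an added example, not part of this thread and not code from HijackThis: it parses the O4, O18 and O23 lines of a HijackThis 1.99.1 log into records and flags entries whose file is missing, programs launched from a temp folder, bare file names, and services with no owner string. The sample log is constructed from lines posted in this thread plus one made-up HKCU "updater" entry pointing into the user's Temp folder.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis v1.99.1 logs in this
# thread, plus one made-up HKCU run entry ("updater") that points into the
# user's Temp folder so the temp-folder check has something to hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [updater] F:\DOCUME~1\KYMCKE~1\LOCALS~1\Temp\update.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass
class HjtEntry:
    section: str                  # HijackThis section code (O4, O18, O23)
    name: str                     # run-key value, protocol name or service name
    path: str                     # program/DLL path with quotes and arguments removed
    vendor: Optional[str] = None  # O23 lines carry an owner/vendor column
    file_missing: bool = False    # HijackThis appends "(file missing)" when the target is absent
    flags: List[str] = field(default_factory=list)


O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# Cut the path at the first executable-style extension that is followed by a
# quote, whitespace or end of line; this survives unquoted paths containing spaces.
PATH_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|ocx|cpl|sys|scr|bat|cmd))(?="|\s|$)', re.IGNORECASE)
MISSING = "(file missing)"
TEMP_MARKERS = ("\\temp\\", "temporary internet files")


def split_command(cmd: str):
    """Return (path, file_missing) for the command column of a HijackThis line.

    HijackThis 1.99.1 prints some service paths with a dangling closing quote and
    no opening one (see the avast! entries in the thread), so the path is taken up
    to the first recognised extension rather than up to the first space.
    """
    cmd = cmd.strip()
    missing = cmd.endswith(MISSING)
    if missing:
        cmd = cmd[: -len(MISSING)].rstrip()
    if cmd.startswith('"'):
        cmd = cmd[1:]
    m = PATH_RE.match(cmd)
    path = m.group("path") if m else cmd.split(" ", 1)[0]
    return path, missing


def triage(entry: HjtEntry) -> List[str]:
    """Defender-side checks a helper applies when reading an autostart entry."""
    flags = []
    low = entry.path.lower()
    if entry.file_missing:
        flags.append("target file is missing: orphaned entry, cannot run but should be cleaned up")
    if any(marker in low for marker in TEMP_MARKERS):
        flags.append("runs from a temporary folder: unusual for legitimately installed software")
    if "\\" not in low:
        flags.append("bare file name: resolved via the search path, confirm which copy actually runs")
    if entry.vendor is not None and entry.vendor.lower() == "unknown owner":
        flags.append("service has no owner/vendor string: verify the file's publisher and signature")
    return flags


def parse_log(text: str) -> List[HjtEntry]:
    """Parse O4/O18/O23 lines into entries; every other line type is skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            path, missing = split_command(m["cmd"])
            entry = HjtEntry("O4", m["hive"] + "\\Run\\" + m["name"], path, None, missing)
        elif m := O18_RE.match(line):
            path, missing = split_command(m["cmd"])
            entry = HjtEntry("O18", m["name"], path, None, missing)
        elif m := O23_RE.match(line):
            path, missing = split_command(m["cmd"])
            entry = HjtEntry("O23", m["name"], path, m["vendor"], missing)
        else:
            continue
        entry.flags = triage(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries that deserve a closer look; the rest are ordinary autostart items."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section} {e.name}: {e.path}")
        for f in e.flags:
            print("    -", f)
```

Run it against a full log by reading the file into `parse_log`; the Windows Defender, Java and AVG lines come back with no flags, while the SoundMan, temp-folder, msnim and avast! entries are reported.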

#6 akyra

akyra
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 01 April 2006 - 04:36 AM

OK, firstly let me please say sorry for taking so long to reply; I've been ill and don't want you to think I don't appreciate your help.

Anyway, here goes, fresh HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:33:13, on 01/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\WINDOWS\System32\tcpsvcs.exe
F:\WINDOWS\System32\snmp.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\System32\ctfmon.exe
F:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
F:\Documents and Settings\Ky McKenzie\Desktop\hijackthis_v1.99.1\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] F:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe

#7 akyra

akyra
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 01 April 2006 - 06:47 AM

The Kaspersky report:


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 01, 2006 12:44:32
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/04/2006
Kaspersky Anti-Virus database records: 185452
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 53689
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1757 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

#8 akyra

akyra
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 01 April 2006 - 07:29 AM

OK, here's the last one.


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 27/01/2006 22:38:10 503296 F:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 31/03/2003 13:00:00 41397 F:\WINDOWS\SYSTEM32\dfrg.msc
PTech 14/02/2006 10:20:14 550120 F:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 10/03/2006 01:10:36 4799320 F:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/03/2006 01:10:36 4799320 F:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 31/03/2003 13:00:00 631808 F:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 31/03/2003 13:00:00 1309184 F:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 31/03/2003 13:00:00 631808 F:\WINDOWS\SYSTEM32\_003799_.tmp.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 14/03/2006 11:25:02 763616 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 14/03/2006 11:25:02 763616 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 14/03/2006 11:25:02 763616 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 14/03/2006 11:25:02 763616 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 04/08/2004 06:41:38 1309184 F:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in F:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
01/04/2006 12:50:48 S 2048 F:\WINDOWS\bootstat.dat
24/02/2006 20:32:44 HS 66936 F:\WINDOWS\dlinfo_0.drv
29/03/2006 18:23:06 H 54156 F:\WINDOWS\QTFont.qfn
26/03/2006 18:56:50 RH 749 F:\WINDOWS\WindowsShell.Manifest
26/03/2006 18:56:56 H 65 F:\WINDOWS\Downloaded Program Files\desktop.ini
26/03/2006 18:57:30 HS 67 F:\WINDOWS\Fonts\desktop.ini
01/04/2006 10:37:52 H 0 F:\WINDOWS\LastGood\INF\oem9.inf
01/04/2006 10:37:54 H 0 F:\WINDOWS\LastGood\INF\oem9.PNF
26/03/2006 18:56:56 H 65 F:\WINDOWS\Offline Web Pages\desktop.ini
28/03/2006 16:39:20 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_10.cab
28/03/2006 16:39:20 RHS 25530 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_11.cab
28/03/2006 16:39:20 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_12.cab
28/03/2006 16:39:20 RHS 26317 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_13.cab
28/03/2006 16:39:20 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_14.cab
28/03/2006 16:39:20 RHS 26387 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_15.cab
28/03/2006 16:39:20 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_16.cab
28/03/2006 16:39:22 RHS 26657 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_17.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_18.cab
28/03/2006 16:39:22 RHS 26652 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_19.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_20.cab
28/03/2006 16:39:22 RHS 26255 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_21.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_22.cab
28/03/2006 16:39:22 RHS 26108 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_23.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_24.cab
28/03/2006 16:39:22 RHS 26449 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_25.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_26.cab
28/03/2006 16:39:22 RHS 25853 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_27.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_28.cab
28/03/2006 16:39:22 RHS 26290 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_29.cab
28/03/2006 16:39:22 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_30.cab
28/03/2006 16:39:24 RHS 26383 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_31.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_32.cab
28/03/2006 16:39:24 RHS 26291 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_33.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_34.cab
28/03/2006 16:39:24 RHS 25896 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_35.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_36.cab
28/03/2006 16:39:24 RHS 26494 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_37.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_38.cab
28/03/2006 16:39:24 RHS 26229 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_39.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_40.cab
28/03/2006 16:39:24 RHS 26467 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_41.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_42.cab
28/03/2006 16:39:24 RHS 26283 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_43.cab
28/03/2006 16:39:24 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_44.cab
28/03/2006 16:39:24 RHS 26320 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_45.cab
28/03/2006 16:39:26 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_46.cab
28/03/2006 16:39:26 RHS 26284 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_47.cab
28/03/2006 16:39:26 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_48.cab
28/03/2006 16:39:26 RHS 26290 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_49.cab
28/03/2006 16:39:26 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_50.cab
28/03/2006 16:39:26 RHS 26126 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_51.cab
28/03/2006 16:39:26 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_52.cab
28/03/2006 16:39:16 RHS 26173 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_6.cab
28/03/2006 16:39:20 RHS 25959 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_7.cab
28/03/2006 16:39:20 RHS 10470 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_8.cab
28/03/2006 16:39:20 RHS 25566 F:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_9.cab
26/03/2006 18:58:10 H 528384 F:\WINDOWS\repair\ntuser.dat
26/03/2006 18:56:50 RH 749 F:\WINDOWS\system32\cdplayer.exe.manifest
26/03/2006 18:56:56 RH 488 F:\WINDOWS\system32\logonui.exe.manifest
26/03/2006 18:56:50 RH 749 F:\WINDOWS\system32\ncpa.cpl.manifest
26/03/2006 18:56:50 RH 749 F:\WINDOWS\system32\nwc.cpl.manifest
26/03/2006 18:56:50 RH 749 F:\WINDOWS\system32\sapi.cpl.manifest
26/03/2006 18:56:56 RH 488 F:\WINDOWS\system32\WindowsLogon.manifest
26/03/2006 18:56:50 RH 749 F:\WINDOWS\system32\wuaucpl.cpl.manifest
08/03/2006 08:59:38 S 9341 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\kb914798.cat
14/02/2006 10:20:42 S 7086 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
01/04/2006 12:52:12 H 12288 F:\WINDOWS\system32\config\default.LOG
26/03/2006 19:43:24 H 0 F:\WINDOWS\system32\config\default.tmp.LOG
01/04/2006 12:52:44 H 1024 F:\WINDOWS\system32\config\SAM.LOG
01/04/2006 12:50:48 H 16384 F:\WINDOWS\system32\config\SECURITY.LOG
01/04/2006 12:52:44 H 94208 F:\WINDOWS\system32\config\software.LOG
26/03/2006 19:43:24 H 0 F:\WINDOWS\system32\config\software.tmp.LOG
01/04/2006 12:52:12 H 864256 F:\WINDOWS\system32\config\system.LOG
26/03/2006 19:43:10 H 0 F:\WINDOWS\system32\config\system.tmp.LOG
26/03/2006 19:43:06 H 1024 F:\WINDOWS\system32\config\TempKey.LOG
26/03/2006 19:43:24 H 1024 F:\WINDOWS\system32\config\userdiff.LOG
26/03/2006 18:58:10 H 1024 F:\WINDOWS\system32\config\userdifr.LOG
01/04/2006 10:00:54 H 1024 F:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
26/03/2006 19:03:52 HS 113 F:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
26/03/2006 19:03:52 HS 113 F:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
26/03/2006 19:03:52 HS 67 F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
27/03/2006 00:10:00 HS 67 F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
27/03/2006 00:10:00 HS 67 F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DAFK5YF\desktop.ini
27/03/2006 00:10:00 HS 67 F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X67S96N\desktop.ini
27/03/2006 00:10:00 HS 67 F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CPYF01I3\desktop.ini
27/03/2006 00:10:00 HS 67 F:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K1QJS9U3\desktop.ini
24/03/2006 19:07:20 HS 388 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\3cd9bfc0-d0db-46f8-8272-d8f6100ecd66
24/03/2006 19:07:20 HS 24 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
24/03/2006 15:07:58 HS 388 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f49740e4-5652-4ad0-89de-080ef2be7301
24/03/2006 15:07:58 HS 24 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
26/03/2006 19:11:54 RHS 13698 F:\WINDOWS\system32\Restore\filelist.xml
01/04/2006 12:55:16 H 370 F:\WINDOWS\Tasks\MP Scheduled Scan.job
01/04/2006 12:49:54 H 6 F:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 31/03/2003 13:00:00 66048 F:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 15/08/2003 08:37:10 10435072 F:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 31/03/2003 13:00:00 578560 F:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 110592 F:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 31/03/2003 13:00:00 129024 F:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 08:56:58 80384 F:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 31/03/2003 13:00:00 150016 F:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 31/03/2003 13:00:00 292352 F:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 31/03/2003 13:00:00 121856 F:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 04:41:00 208896 F:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 14:03:50 49265 F:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 31/03/2003 13:00:00 187904 F:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 31/03/2003 13:00:00 559616 F:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 31/03/2003 13:00:00 35840 F:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 08:56:58 25600 F:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 31/03/2003 13:00:00 256000 F:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 31/03/2003 13:00:00 36864 F:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 31/03/2003 13:00:00 109056 F:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 31/03/2003 13:00:00 268288 F:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 31/03/2003 13:00:00 28160 F:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 31/03/2003 13:00:00 90112 F:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 08:56:58 148480 F:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 F:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 31/03/2003 13:00:00 66048 F:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 31/03/2003 13:00:00 578560 F:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 31/03/2003 13:00:00 129024 F:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 31/03/2003 13:00:00 150016 F:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 31/03/2003 13:00:00 292352 F:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 31/03/2003 13:00:00 121856 F:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 04:41:00 208896 F:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 31/03/2003 13:00:00 187904 F:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 31/03/2003 13:00:00 559616 F:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 31/03/2003 13:00:00 35840 F:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 31/03/2003 13:00:00 256000 F:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 31/03/2003 13:00:00 36864 F:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 31/03/2003 13:00:00 109056 F:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 31/03/2003 13:00:00 147456 F:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 31/03/2003 13:00:00 268288 F:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 31/03/2003 13:00:00 28160 F:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 31/03/2003 13:00:00 90112 F:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Realtek Semiconductor Corp. 15/08/2003 08:37:10 10435072 F:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/12/2005 15:18:38 1764 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
26/03/2006 18:58:08 HS 84 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
24/12/2005 12:30:16 1598 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
26/03/2006 18:46:38 HS 62 F:\Documents and Settings\All Users\Application Data\desktop.ini
15/03/2006 14:42:34 1359 F:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
24/12/2005 11:46:48 HS 84 F:\Documents and Settings\Ky McKenzie\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
24/12/2005 11:37:02 HS 62 F:\Documents and Settings\Ky McKenzie\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = F:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = F:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = F:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = F:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = F:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = F:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = F:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : F:\WINDOWS\system32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
AVG7_CC F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
SunJavaUpdateSched F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
avast! F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE F:\WINDOWS\System32\ctfmon.exe
Ashampoo PopUpBlocker F:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
msnmsgr "F:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoActiveDesktopChanges 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 0
NoComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0
NoHTMLWallPaper 1
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = F:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = F:\WINDOWS\System32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 01/04/2006 12:57:50


oh, nearly forgot

That installer thing - it comes up on every boot up. It's the standard Windows grey and blue box; it says "Windows Installer" in the blue bit and "starting to install" in the grey bit. It stays up for approx 1 minute, then disappears. I can see nothing to indicate what it is trying to install.

Thanks for your help

Akyra and Cheyenne


Oh, and I don't know if this is significant or not, but it does seem to be very slow in booting up; it seems to sit on the "Windows is starting up" screen for ages, much longer than it ever did before.

Edited by akyra, 01 April 2006 - 07:31 AM.


#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 PM

Posted 01 April 2006 - 07:40 AM

Hello,

I can't see anything suspicious here, though.
The Windows Installer must be related to a legit program starting up, trying to update or whatever.

Can you check and fix the next entries in your log?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE

Let me know if that solved your problem. OSA.exe is not required anyway, since it is a resource hog.
By the way, it is a really bad idea to have two antivirus programs installed and running, and it wouldn't surprise me if it's also related to one of the antivirus programs.
So I strongly recommend you uninstall Avast or AVG, because several together can give problems and seriously decrease their reliability!

By the way, I still see a policy set which needs to be fixed, so perform the next steps:

Open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoHTMLWallPaper"=-


Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: Posted Image
Double-click on it and, when it asks you if you want to merge the contents into the registry, click yes/ok.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
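As an added example (my own code, not from the thread, WinPFind or the helper), the following Python script parses the policies part of a WinPFind log like the one above, flags the kind of restrictive policy the helper points out (NoHTMLWallPaper set to 1) and writes the matching REGEDIT4 fix using the same "=-" delete form as fix.reg. The watchlist and the sample log lines are constructed assumptions built from the values shown in this thread.

```python
"""Added example (not from the thread): parse the policies part of WinPFind's
"Checking Selected Registry Keys" section, flag restrictive Explorer/System
policies of the kind rogue anti-spyware programs set, and emit a REGEDIT4 fix
that deletes them with the same "=-" form as the helper's fix.reg. Watchlist and
sample log are my own assumptions built from values shown in the thread."""
import re

# Constructed sample in WinPFind's format: values copied from the thread's log
# plus one constructed entry (DisableTaskMgr 1) so that a second hit shows up.
SAMPLE_LOG = r"""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoHTMLWallPaper 1
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 1
NoDispCPL 0
"""

# Assumed watchlist: policies that lock users out of tools or settings. NoDriveTypeAutoRun
# is left out on purpose: 145 (0x91) is Windows XP's normal value, not tampering.
WATCHED_POLICIES = {
    "NoHTMLWallPaper", "NoChangingWallPaper", "NoActiveDesktopChanges",
    "DisableTaskMgr", "DisableRegistryTools", "NoDispCPL", "NoControlPanel",
    "NoRun", "NoFolderOptions", "NoDispBackgroundPage",
}

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*\\policies\\\S+)$")
VALUE_RE = re.compile(r"^(\w+)\s+(\d+)$")

def parse_policies(log_text):
    """Return {key_path: {value_name: int}} for lines under policy sub-keys."""
    policies, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current:
            policies[current][m.group(1)] = int(m.group(2))
    return policies

def find_suspicious(policies):
    """Return [(key_path, value_name, value)] for watched policies set non-zero."""
    return [(key, name, val)
            for key, values in policies.items()
            for name, val in values.items()
            if name in WATCHED_POLICIES and val != 0]

def build_fix_reg(hits):
    """Build REGEDIT4 text; a "name"=- line deletes that value on merge."""
    lines = ["REGEDIT4", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    found = find_suspicious(parse_policies(SAMPLE_LOG))
    for key, name, val in found:
        print(f"FLAG {name}={val} under {key}")
    print(build_fix_reg(found))
```

Running it on a real WinPFind.Txt means reading that file into parse_policies instead of SAMPLE_LOG; review each flagged value before merging the generated file, since some policies are set deliberately by administrators.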

#10 Daniel12

Daniel12

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 03 April 2006 - 09:59 AM

I have the exact same problem and virus,

I can offer advice in that Norton helped me clear the virus, and this post got rid of the pop up in my system tray. But I also have the Windows Installer pop-up, and this pop-up tells me to reinstall Norton, which I did, but no luck because it still comes back.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 PM

Posted 03 April 2006 - 10:10 AM

The malware-related problem is already solved here. Only the Windows Installer problem now.
Nothing Norton-related here. ;)

#12 Daniel12

Daniel12

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 03 April 2006 - 10:43 AM

Alright, sorry.

Just that I have the same problem, and when my Windows Installer pops up, it asks me to reinstall Norton Antivirus. I just thought that if they have Norton it could be the same problem. Although everything is fine with my Norton, I would just assume that this virus is asking you to uninstall antivirus protection programs.

#13 akyra

akyra
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 04 April 2006 - 02:44 AM

Hi

I have uninstalled Avast, have checked and fixed those two entries in the HijackThis log, and have done the registry fix.

It does seem to be booting a bit quicker now, so the only thing left is this installer thing, but I suppose if it's not doing anything bad then we can just ignore it.

One thing I have noticed, though, is that Windows Defender is constantly trying to download and install the same update, so I was wondering if this was possibly related to the installer box. So I thought I would just uninstall Defender to see if the installer box disappeared, but it won't let me uninstall it.

In the blue top section it says "Add or Remove Programs".
In the grey section it says "The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

Could this be the cause of our problem?

Also, I don't know if this is significant or not, but Service Pack 2 will not install. It downloaded fine, but when it tried to install it got just under halfway along the progress bar and then an error sounded and a box appeared saying "access denied". I had to click OK; it then said it would remove what it had done so far, but did warn that some things may not work properly in the future because of cancelling the update. OK, I know that having Service Pack 2 is not considered important by a lot of people, but I thought knowing this may be important to your analysis. I did a quick Google on it and it led me to this page http://support.microsoft.com/kb/873148 - as it's about stuff in the registry, it's not something that I would mess around with without taking further advice.

AVG has warned us that there was something wrong with our Windows Firewall, so I went into the Control Panel and clicked on the firewall icon and it said that there was a problem. Anyway, I googled that and found this; it's the exact message we get if we try to access the firewall settings. http://windowsxp.mvps.org/sharedaccess.htm

This is turning into a nightmare, it just seems to be one problem after another, doesn't it! Hubby is getting really peeved at not being able to use his computer too.

Thankyou ever so much for your help

Regards

Akyra and Cheyenne

Edited by akyra, 04 April 2006 - 05:32 AM.


#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 PM

Posted 04 April 2006 - 06:09 AM

Hello,

Well, the main problem you are having is the problem with Windows Installer, and that may explain why you get that box at startup and why your Windows Update fails as well.
Take a look here for the solution:

http://support.microsoft.com/default.aspx?...kb;en-us;315353

Concerning your Windows Firewall, try the next steps:

1. Go to start > run and copy and paste the next command into the field:

NETSH FIREWALL RESET

Click ok

Wait till the DOS prompt (black window) closes again.
Then look if you can access the firewall settings again.
If this doesn't work, go to step 2.

2. Go to start > run and copy and paste the next command into the field:

services.msc

Search in the list for Windows Firewall/Internet Connection Sharing (ICS) <== if this isn't present, go to step 3.

Click "stop" there.
Click OK and close the window.

Then go back to your Control Panel and click: Windows Firewall
You should get an error then, telling you that the service Windows Firewall/Internet Connection Sharing (ICS) is disabled/stopped and asking if you want to enable/start it.
Click Yes/ok.
The service should then be started again and you will be able to change settings in it.

3. (Only perform this if previous steps failed)
Download this regfix:
http://windowsxp.mvps.org/reg/sharedaccess.reg
Place it on your desktop.
Now double-click sharedaccess.reg.
Click yes/ok at the prompt.

Then REBOOT!! Important!

After the reboot, go to start > run and copy and paste the next command into the field:

NETSH FIREWALL RESET

Click ok

Wait till the DOS prompt (black window) closes again.
Then look if you can access the firewall settings again.

#15 akyra

akyra
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 04 April 2006 - 11:36 AM

Hi

With regards to the Windows Installer issue, I went to the webpage and followed the instructions. Upon performing task 5 I got a Windows Installer message box saying "! An event was unable to invoke any of the subscribers".

I see it says at the bottom of this page that if you are unsuccessful, you should perform a Windows repair. Is that the way forward now?


I then tried the 3 steps regarding the firewall. No. 1 did not work; for no. 2 it was not present, so I performed no. 3 and, unfortunately, as soon as I said yes to it restarting, the same error message that I had before came up.


Regards

Akyra and Cheyenne

Edited by akyra, 04 April 2006 - 11:38 AM.




