
Targetsaver & Deskbar Infections.


  • This topic is locked
12 replies to this topic

#1 dave1971

dave1971

  • Members
  • 9 posts
  • Local time:09:13 AM

Posted 12 September 2006 - 05:09 PM

Hi everyone, I posted this in the 'am I infected' board too before I spotted this one. I've removed a lot off of the machine in the last week, but these two I'm having trouble with. For some reason the MS Home network that this is the main computer on is now blocking internet access to the Windows '98 computer that connects through this one. Any help would be appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 22:55:17, on 9/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Mixer.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tony\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0A36BA0-6FF0-4241-AF61-3D24F10E7007}: NameServer = 80.225.254.178 80.225.254.186
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINNT\alg.exe (file missing)



#2 dave1971

dave1971
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:13 AM

Posted 13 September 2006 - 08:26 AM

Bump... can anyone help at all? Every time I run Spybot S & D it finds Targetsaver & Deskbar but cannot remove them, and I cannot find any specific resources to get rid of them. I would be glad of any help to diagnose the HJT file above.

Thanks.

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:13 AM

Posted 17 September 2006 - 02:56 PM

Hello dave1971 and welcome to the BC HijackThis forum. The first thing we need to do is update the operating system on this computer.

Your operating system is extremely out of date. By not keeping the OS updated the computer is vulnerable to every infection on the net and in emails today and trying to repair an unpatched system is virtually impossible. For update purposes, Microsoft has even stopped supporting a system that is this far out of date. Go to the Microsoft Windows XP Service Pack 1.a site and install Service Pack 1a.

Once that is done, go back to the Windows Update site and install all available Critical Updates but do not install SP2 at this time. This will patch the system with the most current security fixes and plug all the known holes which are present on this system. If you are not on a broadband connection the Service Pack can be obtained from Microsoft for a nominal shipping fee.

After all of the updates have been performed post a new HijackThis log back here using the Add Reply button and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 dave1971

dave1971
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:13 AM

Posted 18 September 2006 - 10:56 AM

Hi Oldtimer and thanks very much for the reply.

I may be stuck between a rock and hard place as I stopped being able to get updates recently because Windows validation decided the OS wasn't a genuine copy, until then I had it set on auto update but am now unable to do anything without paying 93.00 to MS to get a 'Validation pack' which seems unfair as we got the computer second-hand with it all previously installed.

I'm now resigned to backing up all the stuff I need from there and replacing the OS completely if nothing can be done. Most of the spyware is off of there now, but I'm having to re-run Network set-up every time I re-boot as well now to enable my second pc access to the internet, and if I try and uninstall Stopzilla it begins to crash and reboot itself over and over and I have to system restore.

If there is anything that can be done I'd appreciate any advice but I understand from your advice it may not be possible. Thanks anyway, this is a brilliant forum.

PS. I've gone to the link you provided and it's allowed the pc to download sp1 but I'll have to wait and see if it allows the install without a valid licence key, I'm on dsl but it's not a superfast connection so it will be a while!

Edited by dave1971, 18 September 2006 - 11:03 AM.


#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:13 AM

Posted 18 September 2006 - 06:50 PM

Hi dave1971. Ok, let's see what we can do.

There is a file missing named alg.exe. It is used for internet connection sharing but is normally located in the system32 folder. Thus, it might have been compromised.

Let's remove the bad service and then scan and see if there is a good copy of alg.exe still on the system.

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

@ECHO OFF
REM Change to the Windows folder (this system uses C:\WINNT)
cd\winnt
REM Disable, stop and unregister the rogue "Windows Language Service"
sc config "Windows Language Service" start= disabled
sc stop "Windows Language Service"
sc delete "Windows Language Service"
REM Clear the system/read-only/hidden attributes, then delete the service's image file
attrib -s -r -h alg.exe
del alg.exe
exit


Save the document to your desktop as rservice.bat and close Notepad. Locate the rservice.bat file on your desktop and double-click on it to run the batch file.

Now let's search for a good backup. Perform a search for this file. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

alg.exe

Post back the information regarding what copies (if any) of the file are found. Include the location and file size of any copies found.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

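The reasoning in the post above (a service called "Microsoft Language Service" with an unknown owner, whose image file borrows the name of a system binary but sits in C:\WINNT instead of system32 and is missing) can be turned into a mechanical check over HijackThis O23 lines. The script below is an added example, not code from the thread, from HijackThis or from OldTimer; the three sample lines are copied from the log in post #1, and the list of binaries assumed to live only in system32 is my own assumption, not a HijackThis rule.

```python
"""Triage HijackThis O23 (service) lines for signs of a rogue or impersonating service."""
import ntpath
import re
from typing import Dict, List

# Sample input: three O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_O23_LINES = [
    r"O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe",
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE",
    r"O23 - Service: Microsoft Language Service (Windows Language Service) - Unknown owner - C:\WINNT\alg.exe (file missing)",
]

# Assumption (not from HijackThis): binaries a Windows XP install keeps in %SystemRoot%\system32.
# A service whose image file reuses one of these names from another folder deserves a look.
SYSTEM32_ONLY = {"alg.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "spoolsv.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

# O23 - Service: <display name> (<service name>) - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(line: str) -> Dict[str, object]:
    """Split one O23 line into its fields; 'missing' becomes a boolean."""
    m = O23_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O23 line: {line!r}")
    fields = m.groupdict()
    fields["missing"] = fields["missing"] is not None
    return fields


def assess_service(entry: Dict[str, object]) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    path = str(entry["path"])
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path)

    # HijackThis prints "Unknown owner" when the file carries no company name in its version info.
    if str(entry["owner"]).lower() == "unknown owner":
        findings.append("no publisher in version info")
    # A registered service whose binary is gone is either leftover damage or a hidden file.
    if entry["missing"]:
        findings.append("image file missing on disk")
    # Well-known system binary name, but not in system32: a classic look-alike.
    if base in SYSTEM32_ONLY and not folder.lower().endswith("\\system32"):
        findings.append(f"{base} registered outside system32 ({folder})")
    # Display name claims Microsoft while the file does not carry a Microsoft publisher.
    if "microsoft" in str(entry["display"]).lower() and "microsoft" not in str(entry["owner"]).lower():
        findings.append("display name claims Microsoft but publisher is not Microsoft")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each service name to its findings."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o23(line)
        report[str(entry["name"])] = assess_service(entry)
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_O23_LINES).items():
        status = "; ".join(findings) if findings else "nothing unusual"
        print(f"{name}: {status}")
```

Run stand-alone it flags only the "Windows Language Service" entry, on all four counts, and passes the two legitimate services; the same checks apply to any O23 section pasted into SAMPLE_O23_LINES.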

#6 dave1971

dave1971
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:13 AM

Posted 20 September 2006 - 11:30 AM

Hi again OT and thanks for trying.

These two files were found.

ALG.EXE-231187DC.pf in C:\WINNT\Prefetch and is 23KB

alg in C:\WINNT\system32 and is 40KB and it says it's an Application Layer Gateway Service in properties.


Thanks,

Dave.

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:13 AM

Posted 20 September 2006 - 06:09 PM

Hi dave1971. The alg.exe should be the file for Application Layer Gateway service (not the Windows Language Service that we removed).

Let's run a different scanner so I can check the services installed.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • In the Other Options group check the 2 checkboxes for Show All.
  • In the AddOn-Options group click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#8 dave1971

dave1971
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:13 AM

Posted 21 September 2006 - 05:41 AM

Hi OT,

I think I've done this right.

Logfile created on: 09/21/2006 11:36
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Tony\Desktop\WinPFind2\
Microsoft Windows XP (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2600.0000)


< All Processes >
\systemroot\system32\smss.exe - (Microsoft Corporation )
\??\c:\winnt\system32\csrss.exe - (Microsoft Corporation )
\??\c:\winnt\system32\winlogon.exe - (Microsoft Corporation )
c:\winnt\system32\services.exe - (Microsoft Corporation )
c:\winnt\system32\lsass.exe - (Microsoft Corporation )
c:\winnt\system32\svchost.exe [C:\WINNT\SYSTEM32\SVCHOST -K RPCSS] - (Microsoft Corporation )
(RpcSs) C:\WINNT\system32\rpcss.dll - (Microsoft Corporation )
c:\winnt\system32\svchost.exe [C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETSVCS] - (Microsoft Corporation )
(AppMgmt) C:\WINNT\System32\appmgmts.dll - (Microsoft Corporation )
(AudioSrv) C:\WINNT\System32\audiosrv.dll - (Microsoft Corporation )
(BITS) C:\WINNT\System32\qmgr.dll - (Microsoft Corporation )
(Browser) C:\WINNT\System32\browser.dll - (Microsoft Corporation )
(CryptSvc) C:\WINNT\System32\cryptsvc.dll - (Microsoft Corporation )
(Dhcp) C:\WINNT\System32\dhcpcsvc.dll - (Microsoft Corporation )
(dmserver) C:\WINNT\System32\dmserver.dll - (Microsoft Corp. )
(ERSvc) C:\WINNT\System32\ersvc.dll - (Microsoft Corporation )
(EventSystem) C:\WINNT\System32\es.dll - (Microsoft Corporation )
(FastUserSwitchingCompatibility) C:\WINNT\System32\shsvcs.dll - (Microsoft Corporation )
(helpsvc) %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (File not found))
(HidServ) C:\WINNT\System32\hidserv.dll - (File not found))
(lanmanserver) C:\WINNT\System32\srvsvc.dll - (Microsoft Corporation )
(lanmanworkstation) C:\WINNT\System32\wkssvc.dll - (Microsoft Corporation )
(Messenger) C:\WINNT\System32\msgsvc.dll - (Microsoft Corporation )
(Netman) C:\WINNT\System32\netman.dll - (Microsoft Corporation )
(Nla) C:\WINNT\System32\mswsock.dll - (Microsoft Corporation )
(NtmsSvc) C:\WINNT\system32\ntmssvc.dll - (Microsoft Corporation )
(RasAuto) C:\WINNT\System32\rasauto.dll - (Microsoft Corporation )
(RasMan) C:\WINNT\System32\rasmans.dll - (Microsoft Corporation )
(RemoteAccess) C:\WINNT\System32\mprdim.dll - (Microsoft Corporation )
(Schedule) C:\WINNT\system32\schedsvc.dll - (Microsoft Corporation )
(seclogon) C:\WINNT\System32\seclogon.dll - (Microsoft Corporation )
(SENS) C:\WINNT\system32\sens.dll - (Microsoft Corporation )
(SharedAccess) C:\WINNT\System32\ipnathlp.dll - (Microsoft Corporation )
(ShellHWDetection) C:\WINNT\System32\shsvcs.dll - (Microsoft Corporation )
(srservice) C:\WINNT\System32\srsvc.dll - (Microsoft Corporation )
(TapiSrv) C:\WINNT\System32\tapisrv.dll - (Microsoft Corporation )
(TermService) C:\WINNT\System32\termsrv.dll - (Microsoft Corporation )
(TermService) C:\WINNT\System32\termsrv.dll - (Microsoft Corporation )
(Themes) C:\WINNT\System32\shsvcs.dll - (Microsoft Corporation )
(TrkWks) C:\WINNT\system32\trkwks.dll - (Microsoft Corporation )
(uploadmgr) %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (File not found))
(W32Time) C:\WINNT\System32\w32time.dll - (Microsoft Corporation )
(winmgmt) C:\WINNT\system32\wbem\WMIsvc.dll - (Microsoft Corporation )
(WmdmPmSN) C:\WINNT\System32\MsPMSNSv.dll - (Microsoft Corporation )
(Wmi) C:\WINNT\System32\advapi32.dll - (Microsoft Corporation )
(wuauserv) C:\WINNT\System32\wuauserv.dll - (Microsoft Corporation )
(WZCSVC) C:\WINNT\System32\wzcsvc.dll - (Microsoft Corporation )
c:\program files\common files\stopzilla!\szserver.exe - ( )
c:\winnt\explorer.exe - (Microsoft Corporation )
c:\winnt\mixer.exe - (C-Media Electronic Inc. (www.cmedia.com.tw) )
c:\program files\msn apps\updater\01.02.3000.1001\en-gb\msnappau.exe - (Microsoft Corporation )
c:\program files\common files\logitech\qcdriver2\lvcoms.exe - (Logitech Inc. )
c:\program files\ewido anti-spyware 4.0\ewido.exe - (Anti-Malware Development a.s. )
c:\program files\stopzilla!\stopzilla.exe - (International Software Systems Solutions )
c:\winnt\system32\ctfmon.exe - (Microsoft Corporation )
c:\program files\msn messenger\msnmsgr.exe - (Microsoft Corporation )
c:\winnt\system32\svchost.exe [C:\WINNT\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE] - (Microsoft Corporation )
(Dnscache) C:\WINNT\System32\dnsrslvr.dll - (Microsoft Corporation )
c:\program files\sagem\sagem f@st 800-840\dslmon.exe - ( )
c:\program files\ulead systems\ulead photo express 2 se\calcheck.exe - (Ulead Systems, Inc. )
c:\winnt\system32\svchost.exe [C:\WINNT\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE] - (Microsoft Corporation )
(Alerter) C:\WINNT\system32\alrsvc.dll - (Microsoft Corporation )
(LmHosts) C:\WINNT\System32\lmhsvc.dll - (Microsoft Corporation )
(RemoteRegistry) C:\WINNT\system32\regsvc.dll - (Microsoft Corporation )
(SSDPSRV) C:\WINNT\System32\ssdpsrv.dll - (Microsoft Corporation )
(upnphost) C:\WINNT\System32\upnphost.dll - (Microsoft Corporation )
(WebClient) C:\WINNT\System32\webclnt.dll - (Microsoft Corporation )
c:\winnt\system32\lexbces.exe - (Lexmark International, Inc. )
c:\winnt\system32\spoolsv.exe - (Microsoft Corporation )
c:\winnt\system32\lexpps.exe - (Lexmark International, Inc. )
c:\program files\antivir personaledition classic\sched.exe - (Avira GmbH )
c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
c:\winnt\system32\svchost.exe [C:\WINNT\SYSTEM32\SVCHOST.EXE -K IMGSVC] - (Microsoft Corporation )
(stisvc) C:\WINNT\system32\wiaservc.dll - (Microsoft Corporation )
c:\winnt\system32\wdfmgr.exe - (Microsoft Corporation )
c:\program files\internet explorer\iexplore.exe - (Microsoft Corporation )
c:\winnt\system32\alg.exe - (Microsoft Corporation )
c:\documents and settings\tony\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.google.co.uk/
HKLM->Main\\Search Page - http://www.google.com
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://www.google.co.uk/
HKCU->Main\\Search Bar -
HKCU->Main\\Search Page - http://www.google.com
HKCU->Main\\Default_Page_URL -
HKCU->Main\\Default_Search_URL -
HKCU->Main\\Local Page - C:\WINNT\System32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/en-gb/srchasst/srchcust.htm
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (Microsoft Corporation )
{E3215F20-3212-11D6-9F8B-00D0B743919D} - STOPzilla Browser Helper Object = C:\Program Files\STOPzilla!\SZIEBHO.dll (International Software Systems Solutions )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINNT\System32\Shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINNT\System32\msdxm.ocx ( )
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (Microsoft Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8196 - Reg Data missing or invalid
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - 8192 - Reg Data missing or invalid
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8195 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Windows Messenger
NextId - 8197

[HKLM-> Internet Explorer Extensions]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - ButtonText: Real.com = Reg Data missing or invalid (File not found))
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\MSMSGS.EXE (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{11C1D741-A95B-11d2-8A80-0080ADB32FF4} - FTP Surfer Shell Extension = Reg Data missing or invalid (File not found))
{11C1D741-A95B-11d2-8A80-0080ADB32FF4} (HKCU CLSID) - FTP Surfer Shell Extension = C:\Program Files\Whisper Technology\FTP Surfer\wtftpshx.dll (Whisper Technology Limited )
{1AEB1360-5AFC-11D0-B806-00C04FD706EC} - Office Graphics Filters Thumbnail Extractor = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
{500202A0-731E-11D0-B829-00C04FD706EC} - LNK file thumbnail interface delegator = Reg Data missing or invalid (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc. )
{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} - Thumbnails = Reg Data missing or invalid (File not found))
{E0BD38EB-C8EC-11D2-B274-B493B003B125} - East-Tec Eraser Context Menu Shell Extension = C:\PROGRA~1\EAST-T~1\eteshell.dll (EAST Technologies )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
{F0F08737-0C36-101B-B086-0020AF07D0F4} - Quick View Plus - Shell Extension object = Reg Data missing or invalid (File not found))
{fe1290f0-cfbd-11cf-a330-00aa00c16e65} - Directory Namespace = Reg Data missing or invalid (File not found))

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - East-TecEraser - {E0BD38EB-C8EC-11D2-B274-B493B003B125} = C:\PROGRA~1\EAST-T~1\eteshell.dll (EAST Technologies )
* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Folder - East-TecEraser - {E0BD38EB-C8EC-11D2-B274-B493B003B125} = C:\PROGRA~1\EAST-T~1\eteshell.dll (EAST Technologies )
Folder - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {7f9609be-af9a-11d1-83e0-00c04fb6e984} - Fax Tiff Data Column Provider = %SystemRoot%\system32\faxshell.dll (File not found))
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINNT\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\!ewido - "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized (Anti-Malware Development a.s. )
HKLM->Run\\avgnt - "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min (Avira GmbH )
HKLM->Run\\C-Media Mixer - Mixer.exe /startup (C-Media Electronic Inc. (www.cmedia.com.tw) )
HKLM->Run\\LVCOMS - C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE (Logitech Inc. )
HKLM->Run\\msnappau - "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe" (Microsoft Corporation )
HKLM->Run\\PE2CKFNT SE - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe ( )
HKLM->Run\\STOPzilla - C:\Program Files\STOPzilla!\STOPzilla.exe /autostart (International Software Systems Solutions )
HKLM->Run\\Synchronization Manager - mobsync.exe /logon (Microsoft Corporation )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\CTFMON.EXE - C:\WINNT\System32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MsnMsgr - "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation )
HKCU->Run\\RealPlayer - "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot (RealNetworks, Inc. )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - SABShellExecuteHook Class = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]

[>> Winlogon <<]
HMLM->UserInit - C:\WINNT\system32\userinit.exe, (Microsoft Corporation )
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{1FAD4413-FC9A-4989-9CA9-2744838C2957} - ()
{BE1F48A9-94BD-460C-B046-645A3606865F} - (D-Link DE-528 Ethernet PCI Adapter)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))
vnd.ms.radio - C:\WINNT\System32\msdxm.ocx ( )

[>> Protocol Filters (Non-Microsoft only) <<]

< All Services >
Application Layer Gateway Service (ALG) - C:\WINNT\System32\alg.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in it's own process]
AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH ) [Automatic - Running - Win32, running in it's own process]
Windows Audio (AudioSrv) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Background Intelligent Transfer Service (BITS) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Computer Browser (Browser) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Cryptographic Services (CryptSvc) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DHCP Client (Dhcp) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Logical Disk Manager (dmserver) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
DNS Client (Dnscache) - C:\WINNT\System32\svchost.exe -k NetworkService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Error Reporting Service (ERSvc) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Event Log (Eventlog) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
ewido anti-spyware 4.0 guard (ewido anti-spyware 4.0 guard) - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
Help and Support (helpsvc) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Server (lanmanserver) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Workstation (lanmanworkstation) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
LexBce Server (LexBceS) - C:\WINNT\system32\LEXBCES.EXE (Lexmark International, Inc. ) [Automatic - Running - Win32, running in it's own process]
TCP/IP NetBIOS Helper (LmHosts) - C:\WINNT\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Network Connections (Netman) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Network Location Awareness (NLA) (Nla) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Removable Storage (NtmsSvc) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Plug and Play (PlugPlay) - C:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
IPSEC Services (PolicyAgent) - C:\WINNT\System32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Protected Storage (ProtectedStorage) - C:\WINNT\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Access Auto Connection Manager (RasAuto) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Remote Access Connection Manager (RasMan) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Routing and Remote Access (RemoteAccess) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Procedure Call (RPC) (RpcSs) - C:\WINNT\system32\svchost -k rpcss (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Security Accounts Manager (SamSs) - C:\WINNT\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Task Scheduler (Schedule) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Secondary Logon (seclogon) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
System Event Notification (SENS) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Shell Hardware Detection (ShellHWDetection) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Print Spooler (Spooler) - C:\WINNT\system32\spoolsv.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
System Restore Service (srservice) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
SSDP Discovery Service (SSDPSRV) - C:\WINNT\System32\svchost.exe -k LocalService (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Windows Image Acquisition (WIA) (stisvc) - C:\WINNT\System32\svchost.exe -k imgsvc (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
STOPzilla Service (szserver) - C:\Program Files\Common Files\STOPzilla!\SZServer.exe ( ) [Automatic - Running - Win32, running in it's own process]
Telephony (TapiSrv) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Terminal Services (TermService) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Themes (Themes) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Distributed Link Tracking Client (TrkWks) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows User Mode Driver Framework (UMWdf) - C:\WINNT\System32\wdfmgr.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Upload Manager (uploadmgr) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Universal Plug and Play Device Host (upnphost) - C:\WINNT\System32\svchost.exe -k LocalService (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Windows Time (W32Time) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
WebClient (WebClient) - C:\WINNT\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Management Instrumentation (winmgmt) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Automatic Updates (wuauserv) - C:\WINNT\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Wireless Zero Configuration (WZCSVC) - C:\WINNT\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]

< Files >

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Date = 12/14/2004 04:44 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/14/2003 09:18 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe ( [Ver = 1, 0, 0, 1 | Size = 962663 bytes | Date = 07/08/2003 11:22 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe (Ulead Systems, Inc. [Ver = 2, 0, 0, 1 | Size = 55296 bytes | Date = 07/08/1998 13:01 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Tony\Start Menu\Programs\Startup
C:\Documents and Settings\Tony\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/14/2003 09:18 | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/14/2003 09:00 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\addr_file.html - ( [Ver = | Size = 305 bytes | Date = 02/07/2006 15:21 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Tony\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 40360 bytes | Date = 03/28/2005 19:50 | Attr = ])
C:\Documents and Settings\Tony\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 02/18/2005 17:21 | Attr = ])
C:\Documents and Settings\Tony\Application Data\AdobeDLM.log - ( [Ver = | Size = 1552 bytes | Date = 02/18/2005 17:21 | Attr = ])

Program Files Folder
C:\Program Files\folder.htt - ( [Ver = | Size = 21952 bytes | Date = 03/14/2003 08:27 | Attr = H ])
C:\Program Files\desktop.ini - ( [Ver = | Size = 271 bytes | Date = 03/14/2003 08:27 | Attr = HS])

Common Files Folder

DPF files
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{3334504D-9980-0010-8000-00AA00389B71} - - CodeBase = http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase =

Hosts file (Non-Standard entries only). File size = 8458 bytes. C:\WINNT\System32\drivers\etc\Hosts

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 FF FF 00 00 FF FF 00 00 FF FF FF FF FF FF FF FF 04 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 F0 01 00 00 1F 00 00 00 80 00 00 00 76 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\WallpaperFileTime - 00 FB B4 40 A5 84 C5 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 0
Desktop\General\\Wallpaper - %SystemRoot%\Firefox Wallpaper.bmp
Desktop\General\\BackupWallpaper - %SystemRoot%\Firefox Wallpaper.bmp
Desktop\General\\WallpaperLocalFileTime - 00 63 79 A2 AD 84 C5 01
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 E2 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\System -
policies\System\\DisableRegistryTools - 0

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\internat.exe - internat.exe

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\internat.exe - internat.exe

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

< End of report >

Thanks OT.

Dave

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:04:13 AM

Posted 23 September 2006 - 07:02 AM

Hi dave1971. I don't see any problems in the WinPFind2 log either. Let's run HijackThis on the Win98 machine and post that log back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#10 dave1971

dave1971
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:13 AM

Posted 24 September 2006 - 12:06 PM

Hi OT,

I've currently got a stand-in PC in place of the offending XP machine as I'm working on getting a validation of the OS on it. I'm having to re-run MS home network setup on it as the main internet-connecting PC every time I reboot it, otherwise the '98 machine can't connect, although I don't have to reinstall the netsetup floppy on that one. It's running with no problems via the stand-in machine.

Here's the log of the '98 machine.

Logfile of HijackThis v1.99.1
Scan saved at 17:53:29, on 24/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

Thanks again.

Dave.

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:04:13 AM

Posted 24 September 2006 - 01:17 PM

Hi dave1971. I do not see any problems there either. The issue seems to be in the network setup.

Here's what I would do. Check this MS article for setting up internet connection sharing: http://support.microsoft.com/kb/310563/ including the link http://support.microsoft.com/kb/306126/ on how to establish the connection.

If that doesn't resolve the issue then post a question in the Networking forum and have them check the various settings for the network and ICS.

Cheers.

OT

Edited by OldTimer, 24 September 2006 - 01:17 PM.


#12 dave1971

dave1971
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:13 AM

Posted 27 September 2006 - 07:32 PM

Ok, well thanks very much for your help and time on this OT, it's greatly appreciated.

Cheers,

Dave.

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:04:13 AM

Posted 29 September 2006 - 03:45 AM

You're very welcome dave1971. I will now close this topic. If you have any future malware related questions or issues please start a new topic.

Cheers.

OT