TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Wadinator on July 10, 2006, 10:00:16 AM
-
I am really getting frustrated with Command Service and a few other spyware programs that have worked their way onto my machine. Help cleaning my computer would be very much appreciated.
Symptoms
Every time I boot up my machine, I get two errors, that the modules w00306e7.dll and w002f10d.dll cannot be found. I also get several popups and seemingly random errors such as "Windows Explorer has encountered an error and needs to close" (when I don't even have Windows Explorer running). Most importantly (annoyingly), my taskbar (start bar) appears for a few seconds when I boot up my computer; however, it quickly disappears and I am forced to use the Ctrl + Esc workaround. Recently, I have also been getting (invisible) popups which play music but do not appear on the screen.
I have Ad-Aware SE, Spybot S&D, Ewido, and a free trial version of Kaspersky Antivirus 6.0 (recommended from another site). I have run several scans with each of the above. The most recent round of scans I performed last night got rid of everything except three registry keys for Command Service found by Spybot S&D. Spybot was then only able to get rid of one of the three keys and asked to run on startup. However, when I did this, Spybot was still unable to get rid of the keys, saying that they were in use (in memory).
Below is my HijackThis log. Hopefully, someone here sees something that I don't. Thanks in advance.
Logfile of HijackThis v1.99.1
Scan saved at 10:56:19 AM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ntmsdba] "C:\WINDOWS\system32\ntmsdba.exe"
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Since you have used Kaspersky's trial and removed what you can with it, and I also see Norton's AV installed, I suggest that if Norton's is kept up to date you uninstall the trial version of Kaspersky.
Having more than one active AV running in the background can cause conflicts.
Also, you are controlling startup entries with msconfig.
I need to see the whole log without interference.
Go to START>>RUN>>type in
msconfig
Hit OK
Under the STARTUP tab ensure ALL is enabled
Under the General tab select NORMAL startup
Apply it and Close
Decline to Restart at the prompt
Instead, Spybot's TeaTimer will also interfere with any fixes we may have to do
Can I have you disable it for now? You can re-enable it after we have you clean.
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident
Uncheck Teatimer box.
Click Allow Change box if prompted
Exit Spybot
Reboot the computer, come back here and post a fresh hijackthis log
-
I have disabled TeaTimer and disabled all antivirus protection for Kaspersky. Norton AV is up to date. Also, I did everything you said in MSCONFIG. Below is a fresh HijackThis log. Thanks for your timely reply.
Logfile of HijackThis v1.99.1
Scan saved at 12:04:52 PM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001}\Update.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [w00306e7.dll] RUNDLL32.EXE w00306e7.dll,I2 001a7b21000306e7
O4 - HKLM\..\Run: [jxea7b22] RUNDLL32.EXE w002f10d.dll,n 001a7b2100000003002f10d
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ntmsdba] "C:\WINDOWS\system32\ntmsdba.exe"
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintpez.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
I can still see Kaspersky running in your processes.
Apparently it's not all disabled.
Be forewarned that this can cause problems!
==Download and install Windows CleanUp! 4.5.2 (http://www.stevengould.org/downloads/cleanup/CleanUp452.exe)
Don't run a scan yet
CleanUp! attempts to delete files from various temporary directories (including download directories/caches),
as well as emptying the Recycle Bins.
If you make a habit of saving files that you wish to keep in any of these places, they will be deleted when CleanUp! is run.
Please move them to a different location before we run this tool if the above is true.
Note: It is generally considered poor practice to use temporary folders or the Recycle Bin to store files you intend to keep.
==Open Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close Ewido. Do not run it yet.
==Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
- Right-click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to, click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:) or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it in the same folder you made earlier (c:\BFU).
==Download Delcmdservice.zip (http://users.telenet.be/marcvn/tools/delcmdservice.zip) to your Desktop.
Now EXTRACT the delcmdservice-folder within to your desktop.
We'll need this later
Print the remainder of these instructions and/or save them to a text file on desktop for reference
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Once in safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
Deny this, we want to run the actual cleanup!!
==Go to Start > My Computer and navigate to the C:\BFU folder.
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Next to the scriptline to execute field click the folder icon (http://metallica.geekstogo.com/foldericon.png) and select alcanshorty.bfu
- Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
==Open the delcmdservice-folder on your desktop and double-click on DelReg.bat, a DOS-window will open and rapidly close - this is normal -
Exit the delcmdservice folder when done
Ewido Scan
- Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
- Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [w00306e7.dll] RUNDLL32.EXE w00306e7.dll,I2 001a7b21000306e7
O4 - HKLM\..\Run: [jxea7b22] RUNDLL32.EXE w002f10d.dll,n 001a7b2100000003002f10d
O4 - HKCU\..\Run: [ntmsdba] "C:\WINDOWS\system32\ntmsdba.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintpez.exe
After you have ticked the above entries, close all other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot back to Normal mode
Back in Windows
Check for updates and run a scan with Spybot
Post back the following please
1. Run Hijackthis again and post back a fresh log
2. Post the whole report from Ewido
Let me know if Spybot found anything
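To show the reasoning the helper applied by hand between the two logs (first insisting on a log taken without msconfig's selective startup, then picking out the O4 autorun entries to fix), here is an added Python example. It is not part of the thread and is not HijackThis, BFU or any other tool mentioned here. It parses the O4 section of two HijackThis logs, lists the autoruns that appeared between them, and applies three heuristics of my own: rundll32 loading a DLL by bare name, a bare executable sitting in a Startup folder, and a system32 executable that is not on a small allowlist (the allowlist is an assumption for this machine). The two log excerpts are constructed from the O4 lines posted above; the rest of each log is omitted.

```python
"""Diff two HijackThis logs and flag suspicious O4 (autorun) entries.

Added example for this thread; not HijackThis code and not the helper's tool.
Log excerpts are constructed from the O4 lines posted in the thread; the
heuristics and KNOWN_SYSTEM32_AUTORUNS are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the first log, taken while msconfig "selective startup" was active.
LOG_SELECTIVE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ntmsdba] "C:\WINDOWS\system32\ntmsdba.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""

# Excerpt of the second log, after Normal startup was restored in msconfig.
LOG_NORMAL = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [w00306e7.dll] RUNDLL32.EXE w00306e7.dll,I2 001a7b21000306e7
O4 - HKLM\..\Run: [jxea7b22] RUNDLL32.EXE w002f10d.dll,n 001a7b2100000003002f10d
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ntmsdba] "C:\WINDOWS\system32\ntmsdba.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwintpez.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""

# "O4 - <where>: [<name>] <cmd>"; folder items have no [name] part.
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
EXE_RE = re.compile(r"^([a-z]:\\.+?\.exe)", re.IGNORECASE)
# Assumption: system32 programs this machine is known to autorun legitimately.
KNOWN_SYSTEM32_AUTORUNS = {"igfxtray.exe", "hkcmd.exe"}


@dataclass
class Entry:
    where: str  # HKLM\..\Run, HKCU\..\Run, Startup, Global Startup
    name: str   # registry value name, or shortcut/file name for folder items
    cmd: str    # command line as HijackThis printed it

    @property
    def label(self) -> str:
        return f"{self.where}: {self.name}"

    @property
    def target(self) -> str:
        """Unquoted path part; for 'X.lnk = path' folder items, the path."""
        t = self.cmd.split(" = ", 1)[1] if " = " in self.cmd else self.cmd
        return t.strip().strip('"')


def parse_o4(log: str) -> dict[str, Entry]:
    entries: dict[str, Entry] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            name = m["name"] or m["cmd"].split(" = ", 1)[0]
            e = Entry(m["where"], name, m["cmd"])
            entries[e.label] = e
    return entries


def suspicious_reasons(e: Entry) -> list[str]:
    reasons = []
    t = e.target
    if t.lower().startswith("rundll32"):
        dll = (t.split(None, 1)[1] if " " in t else "").split(",", 1)[0].strip('"')
        if dll and not re.match(r"^[a-zA-Z]:\\", dll):
            reasons.append("rundll32 loads a DLL by bare name, no absolute path")
    if e.where.endswith("Startup") and " = " not in e.cmd:
        reasons.append("bare executable in a Startup folder, not a shortcut")
    m = EXE_RE.match(t)
    if m:
        path = m.group(1).lower()
        base = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path and base not in KNOWN_SYSTEM32_AUTORUNS:
            reasons.append(f"{base} runs from system32 but is not a known autorun")
    return reasons


def selective_startup_active(log: str) -> bool:
    """msconfig's own [MSConfig] ... /auto entry means disabled autoruns are hidden."""
    return any(e.name == "MSConfig" and "/auto" in e.cmd for e in parse_o4(log).values())


@dataclass
class Finding:
    entry: Entry
    new: bool
    reasons: list[str]


def analyze(before_log: str, after_log: str) -> list[Finding]:
    """Entries of after_log that are new since before_log or trip a heuristic."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    out = []
    for label, e in after.items():
        new, reasons = label not in before, suspicious_reasons(e)
        if new or reasons:
            out.append(Finding(e, new, reasons))
    return out


if __name__ == "__main__":
    if selective_startup_active(LOG_SELECTIVE):
        print("first log: msconfig selective startup active, entries may be hidden")
    for f in analyze(LOG_SELECTIVE, LOG_NORMAL):
        print(f"{'NEW ' if f.new else '    '}{f.entry.label:<40} "
              f"{' ; '.join(f.reasons) or 'no heuristic hit'}")
```

Run as written it reports the five entries the helper asked to have fixed, and also lists ccApp and the Symantec NetDriver Monitor as new without a heuristic hit, which is the point of diffing: "new" is a prompt to look, not a verdict, and the two Symantec entries simply appeared because the normal startup set was restored.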
-
Oops. I thought disabling Kaspersky would stop its active protection. Oh well, I will uninstall it.
Thanks for your help. I will get back to you when I have finished the previous set of instructions.
-
OK, here goes. Kaspersky is now uninstalled. It should not show up anywhere now.
Cleanup! worked as specified. No problems.
BruteForceUninstall also worked fine.
Delreg.bat - no problems.
Updated and ran ewido. After a two hour scan, it showed nothing. I did not upload the empty file.
Then I ran HJT. Only the first four of the five items were found. I fixed them all.
When I rebooted to normal mode, I still had no taskbar. However, the module errors I had gotten before were gone.
Then, I updated Spybot S&D and ran a scan. It found 2 registry keys I have not encountered before while using S&D. The first is called Axfibula. The second is called Windows Security Center.AntiVirusDisableNotify. I assume I should delete the first, but am not sure about the second.
At several times during this process, Norton AV found several trojans including Downloader. It was able to delete them or disable them.
Anyway, below is the newest version of the HijackThis log. Thanks again for your help.
Logfile of HijackThis v1.99.1
Scan saved at 2:50:22 PM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
FYI: I will not be back until about 5-6 pm EST. Thanks for all your help.
-
Allow Spybot to fix the selected problems then reboot your computer
Back in Windows
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save this list to the desktop, then copy and paste the whole contents back here please
Additionally:
Go to either of these links
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to this file on your harddrive
C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001}\Update.exe <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Are there any other files in the {145DF32C-0A6A-1033-0818-041025200001} folder?
EDIT>>Are you sure that you uninstalled Kaspersky's???
I want to make sure, because if you did, it didn't remove properly
We will have to use alternate means to remove it
-
OK. Sorry for the delayed response.
Spybot got rid of the two registry keys without problems.
Here is the list of programs generated by HJT.
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Reader 6.0
Age of Empires III Trial
Age of Mythology Gold
AOL You've Got Pictures Screensaver
BigFix
CC_ccStart
ccCommon
CleanUp!
Derivator 2.4
DesktopX
Digital Media Reader
Easy Video Converter
eGames Master's Edition 151
ewido anti-spyware 4.0
Foto Breakout
Galaxy of Games 201
gdShutdown
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Video Player
Google Web Accelerator
HijackThis 1.99.1
Hoyle Card Games 5
Hoyle Casino 6
hp instant support
Intel® Extreme Graphics Driver
Intel® PRO Network Connections Drivers
Intel® PROSet
iPod for Windows 2005-09-23
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iPod Music Liberator 4.5
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_11
Java 2 SDK, SE v1.4.2_11
JCreator LE 3.50
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Luxury Liner Tycoon
Macromedia Flash Player 8
Macromedia Shockwave Player
Mavis Beacon Teaches Typing 11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Access MUI (English) 2007 (Beta)
Microsoft Office Excel MUI (English) 2007 (Beta)
Microsoft Office InfoPath MUI (English) 2007 (Beta)
Microsoft Office Outlook MUI (English) 2007 (Beta)
Microsoft Office PowerPoint MUI (English) 2007 (Beta)
Microsoft Office Professional 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Publisher MUI (English) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Word MUI (English) 2007 (Beta)
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft Works
MSDN Library for Visual Studio .NET 2003
MSN
MSN Messenger 7.5
MSRedist
MSXML4 Parser
New X Editor 3
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
ObjectDock
PowerDVD
QuickTime
RealPlayer
Rhapsody Player Engine
RollerCoaster Tycoon 2
RollerCoaster Tycoon 2: Time Twister
RollerCoaster Tycoon 2: Wacky Worlds
SeaWorld Adventure Park Tycoon
Secret Circuit
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Sid Meier's SimGolf
SimCity 4 Deluxe
SkinStudio Free
Sliding Coins
SoftV92 Data Fax Modem with SmartCP
SoundMAX
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
The Oregon Trail
The Sims 2
The Sims 2 University
Tropico
Turning
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Wild Wheels Special Edition
Winamp (remove only)
WindowBlinds
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Zoo Tycoon 2
============================================
The Update.exe file in the Common Files directory gave the following report.
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Starter.65
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
There is also a file in that directory called services.dll.
============================================
As far as Kaspersky goes... You're right. The uninstall did not work the first time because the program does not actually close when you hit close. It is hidden as an icon near the clock on the taskbar. I did not see this because I could not see the taskbar. Anyway, I am 100% sure it is uninstalled now. No further measures need to be taken to get rid of it, I hope.
-
Now that I have had you remove Kaspersky's
Can I get you to run another scanner please, this is a virus scanner you don't have to install
Dr. Web's is the only one that identified the file as bad
You may want to first disable Norton's Auto Protection, then
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (this is in case we need samples)
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Along with a fresh Hijackthis log
-
I ran an express scan and a full scan using the new tool. It found a total of five objects, all of which were either deleted or moved. At the end of the scan, I was not able to click the buttons on the side, which I assume means nothing was incurable.
Anyway, here is the saved file and a new HJT report. Thank you for your assistance.
Update.exe;C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001};Trojan.Starter.65;Will be cured after reboot.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
new[1].htm\javascript.0;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXK8TLW8\new[1].htm;Trojan.DownLoader.7201;;
new[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXK8TLW8;Archive contains infected objects;Moved.;
Update.exe;C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001};Trojan.Starter.65;Will be cured after reboot.;
pojyxi.html\Javascript.0;C:\Program Files\ComPlus Applications\pojyxi.html;Trojan.Click.1237;;
Logfile of HijackThis v1.99.1
Scan saved at 9:48:01 PM, on 7/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
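Added example, not part of this thread and not Dr.Web's own code: a small Python script that reads DrWeb.csv records in the shape posted above (one `name;folder;threat;action;` line per object) and works out what actually happened to each one. The six embedded lines are the ones from the post; the record layout, the treatment of blank actions on objects nested inside an HTML file or archive, and the de-duplication of the same hit reported by both the express and the full scan are my reading of that sample, not documented Dr.Web behaviour.

```python
from collections import Counter
from dataclasses import dataclass

# The six DrWeb.csv lines posted in this thread, used here as sample input.
# Dr.Web CureIt writes one record per line: name;folder;threat;action;
SAMPLE_REPORT = r"""Update.exe;C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001};Trojan.Starter.65;Will be cured after reboot.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
new[1].htm\javascript.0;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXK8TLW8\new[1].htm;Trojan.DownLoader.7201;;
new[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MXK8TLW8;Archive contains infected objects;Moved.;
Update.exe;C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001};Trojan.Starter.65;Will be cured after reboot.;
pojyxi.html\Javascript.0;C:\Program Files\ComPlus Applications\pojyxi.html;Trojan.Click.1237;;
"""


@dataclass(frozen=True)
class Detection:
    name: str
    folder: str   # for a nested object this is the full path of its container
    threat: str
    action: str   # "" when the scanner recorded no action on this record


def parse_report(text):
    """Parse DrWeb.csv text into unique Detection records.

    The same file shows up twice when both the express scan and the full
    scan hit it (Update.exe above), so records are de-duplicated on
    (name, folder, threat). Malformed lines are skipped, not fatal.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue
        name, folder, threat, action = (f.strip() for f in fields[:4])
        det = Detection(name, folder, threat, action.rstrip("."))
        seen.setdefault((name, folder, threat), det)
    return list(seen.values())


def parse_file(path):
    """Read a saved DrWeb.csv from disk (assumed helper for real use)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_report(fh.read())


def summarize(detections):
    """Count detections by outcome. A nested object (script inside an HTML
    file, file inside an archive) carries no action of its own in the
    report; it is handled through whatever was done to its container."""
    counts = Counter()
    for d in detections:
        counts[d.action or "handled via container"] += 1
    return dict(counts)


def pending_reboot(detections):
    """Files the scanner could not touch while they were in use. These are
    only cured when Windows restarts, which is why the instructions insist
    on a reboot before posting the next log."""
    return sorted(
        f"{d.folder}\\{d.name}"
        for d in detections
        if d.action.lower().startswith("will be cured after reboot")
    )


def unresolved(detections):
    """Nested objects whose container has no record of its own, so the
    report shows no action for them at all. These deserve a manual check
    rather than the assumption that everything was deleted or moved."""
    handled = {f"{d.folder}\\{d.name}" for d in detections if d.action}
    return sorted(
        d.folder for d in detections
        if not d.action and d.folder not in handled
    )


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print(len(dets), "unique objects")
    for outcome, n in sorted(summarize(dets).items()):
        print(f"  {n}  {outcome}")
    print("pending reboot:", pending_reboot(dets))
    print("no recorded action:", unresolved(dets))
```

To use it on a saved report, call `parse_file(r"C:\Documents and Settings\<user>\Desktop\DrWeb.csv")` and pass the result to the three reporting functions. On the posted sample it counts five unique objects (the same number the post mentions), lists Update.exe as still waiting for the reboot the instructions call for, and flags the script inside pojyxi.html as the one object with no recorded action, which is exactly the kind of item to mention in the next reply rather than assume it was cleaned.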
-
Can we take a look at one more log please
Download and save WinPFind.zip from http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet
Access your add/remove programs and remove all older updates and versions of Java
This includes J2SE Runtime Environment 5.0 Update 6
We'll update this in a bit
RESTART your Computer into SAFE MODE
Sign in with your normal user account
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
Let this finish, a log will open so you will know it's done
Close out after
Reboot back to Normal mode
Back in Windows
Access the following link to get the latest version of Java
http://www.java.com/en/download/manual.jsp
Download and save to desktop the Windows OFFLINE installer
Double click on the installer and follow the prompts
You can delete the installer after installation
Post the results of the WinPFind.txt located in the WinPFind folder
Keep me informed how things are running please
eg.. Are you still having problems with Taskbar?
-
My system is beginning to act normally again. I still have a couple of issues though. Firstly, my system takes 2-3 times longer to start up than it did before I started having virus issues. Secondly, I still do not have a taskbar. Before, the taskbar would appear for a few seconds when I started the computer. Now, it does not appear at all. On the other hand, I am receiving no alerts from Norton AV and not receiving the "module" errors mentioned previously.
Below is the txt file resulting from the WinPFind scan.
=====================================
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 1/5/2002 6:18:20 AM 2011136 C:\WINDOWS\SYSTEM32\atl70.pdb
PEC2 3/18/2003 11:05:48 PM 2052096 C:\WINDOWS\SYSTEM32\atl71.pdb
PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 6/17/1998 1:00:00 AM 8015872 C:\WINDOWS\SYSTEM32\MFC42.PDB
PEC2 6/17/1998 1:00:00 AM 3944448 C:\WINDOWS\SYSTEM32\MFC42D.PDB
PEC2 1/5/2002 8:48:16 AM 9546752 C:\WINDOWS\SYSTEM32\mfc70.pdb
PEC2 1/5/2002 7:54:08 AM 7564288 C:\WINDOWS\SYSTEM32\mfc70d.pdb
PEC2 1/5/2002 8:36:38 AM 9538560 C:\WINDOWS\SYSTEM32\mfc70u.pdb
PEC2 1/5/2002 7:56:58 AM 7597056 C:\WINDOWS\SYSTEM32\mfc70ud.pdb
PEC2 3/19/2003 1:20:00 AM 10357760 C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2 3/19/2003 12:28:40 AM 8252416 C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2 3/19/2003 1:12:12 AM 10333184 C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2 3/19/2003 12:31:58 AM 8293376 C:\WINDOWS\SYSTEM32\mfc71ud.pdb
PEC2 6/17/1998 1:00:00 AM 2052096 C:\WINDOWS\SYSTEM32\MFCD42D.PDB
PEC2 6/17/1998 1:00:00 AM 1454080 C:\WINDOWS\SYSTEM32\MFCN42D.PDB
PEC2 6/17/1998 1:00:00 AM 4395008 C:\WINDOWS\SYSTEM32\MFCO42D.PDB
PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 7/9/2006 6:15:36 PM 76800 C:\WINDOWS\SYSTEM32\VundoFix.exe
winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/2/2006 1:39:46 PM 286000 C:\WINDOWS\SYSTEM32\WgaTray.exe
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/10/2006 10:44:04 PM S 2048 C:\WINDOWS\bootstat.dat
7/10/2006 11:10:26 AM H 54156 C:\WINDOWS\QTFont.qfn
6/22/2006 7:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 3:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/2/2006 1:40:32 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
7/10/2006 10:43:56 PM H 8192 C:\WINDOWS\system32\config\default.LOG
7/10/2006 10:44:26 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/10/2006 10:44:08 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
7/10/2006 10:44:28 PM H 147456 C:\WINDOWS\system32\config\software.LOG
7/10/2006 10:44:12 PM H 872448 C:\WINDOWS\system32\config\system.LOG
6/24/2006 6:09:10 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
6/8/2006 5:57:32 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\252d2607-2581-449c-961b-aad31cc534b6
6/8/2006 5:57:32 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
5/23/2006 11:03:18 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\074ad5ac-3c0d-4935-88ed-606f64a1a852
5/23/2006 11:03:18 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/10/2006 10:42:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 1/23/2005 11:33:44 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 10/23/2002 8:06:36 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 1/30/2004 5:13:06 AM 98304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\igfxcpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
6/18/2003 6:01:36 AM 1540 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
9/16/2004 5:12:36 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/5/2006 6:09:30 PM 1078 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
4/8/2006 12:38:20 PM 1518 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/16/2004 10:04:54 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/8/2005 8:59:24 PM 456 C:\Documents and Settings\All Users\Application Data\hpzinstall.log
3/7/2006 8:42:56 PM 6979 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
9/16/2004 5:12:36 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
1/6/2005 5:04:44 PM 918 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Mavis Beacon Teaches Typing 11.lnk
9/18/2005 7:19:30 PM 1667 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
Checking files in %USERPROFILE%\Application Data folder...
Items found in C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
7/10/2006 10:31:20 PM 1086 C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
9/16/2004 10:04:54 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
1/16/2006 8:26:26 PM H 52 C:\Documents and Settings\Owner\Application Data\iml_system_file
7/6/2006 9:07:00 PM 0 C:\Documents and Settings\Owner\Application Data\internaldb41.dat
1/16/2006 8:34:30 PM 331 C:\Documents and Settings\Owner\Application Data\iPodMusicLiberatorPrefsV4
10/19/2005 7:24:24 PM 0 C:\Documents and Settings\Owner\Application Data\wklnhst.dat
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{7CD84FAA-2E87-49A3-950E-631EFCE43BF8} = C:\WINDOWS\system32\sdclogon.dll
{B3B541D1-E34A-4D17-8575-87B18A672CDB} = C:\WINDOWS\system32\wjploc.dll
{0FDC65BA-0C27-42E5-A5D8-29762C3A36D1} = C:\WINDOWS\system32\dround3d.dll
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar3.dll
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} = Google Web Accelerator : C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar3.dll
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} = Google Web Accelerator : C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SunKistEM C:\Program Files\Digital Media Reader\shwiconem.exe
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoActiveDesktopChanges 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{145DF32C-0A6A-1033-0818-041025200001} "C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001}\Update.exe" mc-110-12-0000228
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
DisableRegistryTools 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe
Shell = explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/10/2006 10:52:08 PM
========================================================
I think I may have found a solution to the missing taskbar problem. At the bottom of the page linked below, http://www.cybertechhelp.com/forums/archive/index.php/t-8830.html
there is advice given about deleting a registry key. I am hesitant to try this without confirmation that it won't mess up my system further. What do you think?
========================================================
Thank you for taking your time to help me and others sort out malware problems. It is good to see that there are still some good people left in this world.
-
Can you do me a favor please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as export.bat
Save this file on the desktop
regedit /e Export.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
Double click on export.bat, a text file called export.txt will appear on desktop
Copy>Paste back here the whole contents please
-
No problem. Here you are:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"{145DF32C-0A6A-1033-0818-041025200001}"="\"C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe\" mc-110-12-0000228"
If you don't mind me asking, what did I just do?
-
You just exported a registry key for me, thanks
Can you do the following please
I need you to disable Norton's script blocking so it won't interfere with any fixes we try
It will probably interfere
To disable Norton AntiVirus Script Blocking
1. Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2. Click Options.
If you see a menu, click Norton AntiVirus.
3. In the left pane, click Script Blocking.
4. In the right pane, uncheck Enable Script Blocking (recommended).
5. Click OK.
Afterwards
Send this folder to the recycle bin please
C:\Program Files\Common Files\{145DF32C-0A6A-1033-0818-041025200001} <-this folder
Then
==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"{145DF32C-0A6A-1033-0818-041025200001}"=-
Double click on fix.reg and allow to add/merge to the registry at the prompt
Download the latest version of Look2Me-Remover.exe (http://www.atribune.org/ccount/click.php?id=7) by Atribune
and save it to your desktop
* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* After it has completed the shutdown>>Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Can you post back the following in Windows
1. Post the report from Look2Me-Destroyer, which may be found on your desktop or at C:\Look2Me-Destroyer.txt
2. Delete export.txt on the desktop, then double click on export.bat again
Post the contents of export.txt again
-
When trying to run fix.reg I get an error message stating
Cannot import C:/Documents and Settings/ Owner/ Desktop/ fix.reg. The specified file is not a registry script. You can only import binary registry files from within the registry editor.
-
Sorry about that, I asked you to save from REGEDIT4 and down and forgot to add it
I edited my above post
Can you delete fix.reg on your desktop and redo the steps again from my last reply
To remake a new fix.reg
-
I was wondering what the REGEDIT4 comment meant. That's alright. Everyone makes mistakes. I'll redo the steps from last reply.
OK All Done. NOTE: I did NOT receive the 339 error.
=====================================
Here is the text file created by export.bat.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
=====================================
Here is the Look2Me log file.
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 7/11/2006 12:31:11 AM
Attempting to delete infected files...
Making registry repairs.
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7CD84FAA-2E87-49A3-950E-631EFCE43BF8}"
HKCR\Clsid\{7CD84FAA-2E87-49A3-950E-631EFCE43BF8}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B3B541D1-E34A-4D17-8575-87B18A672CDB}"
HKCR\Clsid\{B3B541D1-E34A-4D17-8575-87B18A672CDB}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0FDC65BA-0C27-42E5-A5D8-29762C3A36D1}"
HKCR\Clsid\{0FDC65BA-0C27-42E5-A5D8-29762C3A36D1}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
-
Are you still having problems with taskbar?
If you are
From kellys-korner-xp.com
Download and save to desktop nodesktop.reg (http://www.kellys-korner-xp.com/regs_edits/nodesktop.reg)
Double click on nodesktop.reg
allow to add/merge to registry
Reboot the computer
How is everything?
-
I installed and ran the nodesktop.reg file you suggested and rebooted the computer. It did not appear to help.
The lack of taskbar problem seems to be the last thing wrong with my pc. Everything else seems to be working fine.
Do you have any other suggestions?
-
Let's keep digging
Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
If you find these files, can you send them to the recycle bin
Exact file names in the exact locations
They should be gone, but take a look
C:\WINDOWS\system32\sdclogon.dll
C:\WINDOWS\system32\wjploc.dll
C:\WINDOWS\system32\dround3d.dll
Could you also
Download: Registry Search Tool from this link, it's a very small download
http://billsway.com/vbspage/
You will have to scroll down to see it
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field copy and paste the below in bold then hit OK
145DF32C-0A6A-1033-0818-041025200001
Wait for the results and post them back here
-
Hi,
I found none of the three files you specified. I think that's good. Below are the SmitfraudFix and Registry Search log files.
SmitFraudFix v2.69
Scan done at 8:08:21.62, Tue 07/11/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\ryle.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\pojyxi.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
=================================================
Here are the results from the registry searching download.
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "145DF32C-0A6A-1033-0818-041025200001" 7/11/2006 8:03:16 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe"
[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe"="Update"
[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]
[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003_Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]
=================================================
-
Can you try the following please
Delete fix.reg you saved earlier on desktop
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[-HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]
[-HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003_Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]
Double click on fix.reg and allow to merge to the registry at the prompt
Reboot back into safe mode, sign in with your normal user account
Find and delete these files if found
C:\Program Files\Common Files\ryle.html <-file
C:\Program Files\ComPlus Applications\pojyxi.html <-file, this one should be gone, but take a look
==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt
Reboot back to Normal mode
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked
Post back the log from Smitfraudfix located here >> C:\rapport.txt
Post back one more fresh hijackthis log please
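The helper's workflow in the posts above (export the key with regedit /e, read export.txt, then merge a fix.reg whose "name"=- and [-key] lines delete what was found, which only works when the REGEDIT4 header is present) can be checked offline before anything is merged. This is an added example, not code from the thread or from any tool in it: the sample export is constructed from the keys shown in the thread's export.txt and SmitfraudFix report, and the review rules (anything under policies\Explorer\Run, and Active Desktop components whose Source is a local file) are this example's own heuristics.

```python
"""Check a regedit export and build the matching fix.reg.
Added example, not code from the thread or any tool it mentions. The sample
export is constructed from keys the thread's logs show; the review rules are
this example's own heuristics, not any tool's signatures."""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Constructed: the posted export.txt plus two Desktop Components keys.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"{145DF32C-0A6A-1033-0818-041025200001}"="\"C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe\" mc-110-12-0000228"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\ryle.html"
"SubscribedURL"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
'''
# A value line: '@' (default value) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def check_header(text):
    """True when the first non-blank line is a header regedit accepts; without
    it regedit says 'The specified file is not a registry script'."""
    for line in text.splitlines():
        if line.strip():
            return line.strip() in HEADERS
    return False


def unescape(s):
    """Undo .reg string escaping (backslash-backslash, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def esc(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_export(text):
    """Return {key: {name: data}}; quoted string data is unescaped, other
    types (dword:, hex:) kept raw. regedit /e writes the 5.00 format as
    UTF-16, so open real exports with encoding='utf-16'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def review(keys):
    """Entries to look at first: any autostart under policies\\Explorer\\Run
    (rare on a home PC; the thread's infection lived there) and any Active
    Desktop component whose Source is a local file instead of a URL.
    Returns (key, name, data); name None means the whole key should go."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\policies\\explorer\\run"):
            findings.extend((key, n, d) for n, d in values.items())
        elif "\\internet explorer\\desktop\\components\\" in k:
            src = values.get("Source", "")
            if re.match(r"^[A-Za-z]:\\", src):
                findings.append((key, None, src))
    return findings


def build_fix(findings):
    """REGEDIT4 script in the two forms the thread's fix.reg files use:
    '"name"=-' deletes one value, '[-key]' deletes a whole key."""
    value_dels, key_dels = {}, []
    for key, name, _ in findings:
        if name is None:
            key_dels.append(key)
        else:
            value_dels.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in value_dels.items():
        lines.append(f"[{key}]")
        lines += [f'"{esc(n)}"=-' for n in names]
        lines.append("")
    lines += [line for key in key_dels for line in (f"[-{key}]", "")]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = review(parse_export(SAMPLE_EXPORT))
    print(build_fix(found))
```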
-
After the reboot to safe mode, I DID NOT find either of the two files you specified.
When I ran SmitfraudFix, I did not get any messages about wininet.dll.
Around this time, Disk Cleanup started. I let it run.
SmitfraudFix did not prompt me to restart the system, but I did anyway since that was the next instruction.
There were no checkboxes checked on the web tab of Display Settings.
My system is running identical to last time I explained. No taskbar. Slow Startup. Other than that, it seems OK.
Here are the two log files you wanted.
===================================
SmitFraudFix v2.69
Scan done at 21:47:01.28, Tue 07/11/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
===================================
HJT log file
===================================
Logfile of HijackThis v1.99.1
Scan saved at 10:04:16 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for all your help.
Oh yeah, one more thing, the background of my desktop changed back to the original default blue color.
-
Can you try a couple more things for me please
Then we can see if it's related to a legit program you have installed
1. Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to desktop
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Also, Download and save to desktop
F-Secure Blacklight(blbeta.exe) (https://europe.f-secure.com/blacklight/try.shtml)
Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log
BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log". Please post that log.
-
Please post a new link to the second file. Your link is outdated apparently.
Thanks
I'll run the first app and get back to you in a few minutes.
-
Updated in last reply
-
I downloaded the two apps. Here are the log files created.
================
ComboFix
================
Start Time= Tue 07/11/2006 22:21:54.23
Running from: C:\Documents and Settings\Owner\Desktop
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-07-11 22:20:00 2182 ( A.... ) "C:\Documents and Settings\Owner\Application Data\.googlewebacchosts"
2006-07-10 22:59:16 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-10 12:46:02 ( .D... ) "C:\Program Files\CleanUp!"
2006-07-10 11:54:58 ( .D... ) "C:\Program Files\SymNetDrv"
2006-07-09 18:15:36 76800 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-07-06 23:58:22 ( .D... ) "C:\Program Files\Common Files\??stem"
2006-07-06 23:58:22 ( .D... ) "C:\Program Files\??crosoft.NET"
2006-07-06 23:58:22 ( .D... ) "C:\Documents and Settings\Owner\Application Data\?racle"
2006-07-06 23:47:22 1063 ( A.... ) "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06 23:47:22 1063 ( A.... ) "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06 23:41:12 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-06 22:24:52 2 ( A.... ) "C:\WINDOWS\system32\wnsintit.exe"
2006-07-06 21:07:00 0 ( A.... ) "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-06 21:06:30 ( .D... ) "C:\Program Files\PSHope"
2006-07-06 21:06:10 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-01 22:17:04 ( .D... ) "C:\Program Files\QuickTime"
2006-07-01 16:25:34 ( .D... ) "C:\Program Files\MSBuild"
2006-06-29 10:07:36 61440 ( A.... ) "C:\WINDOWS\system32\BattyRun.dll"
2006-06-07 18:42:54 ( .D... ) "C:\Program Files\Need2Find"
2006-06-07 11:15:24 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-06-07 11:15:12 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-07 11:15:00 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-06-07 11:15:00 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-06-07 11:14:54 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-06-02 13:39:46 402736 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-28 22:30:54 ( .D... ) "C:\Program Files\WinRAR"
2006-05-20 22:12:18 ( .D... ) "C:\Program Files\Derivator 2.4"
2006-05-11 17:07:22 ( .D... ) "C:\Program Files\gdShutdown"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-28 01:51:38 29968 ( A.... ) "C:\WINDOWS\system32\mdimon.dll"
2006-04-25 20:41:04 1190152 ( A.... ) "C:\WINDOWS\system32\FM20.DLL"
2006-04-25 20:41:04 32528 ( A.... ) "C:\WINDOWS\system32\FM20ENU.DLL"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-07-11 21:52 527,224,832 C:\hiberfil.sys
2006-07-10 23:01 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-10 23:01 49,248 C:\WINDOWS\system32\java.exe
2006-07-10 23:01 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 18:15 76,800 C:\WINDOWS\system32\VundoFix.exe
2006-07-06 22:01 2 C:\WINDOWS\system32\wnsintit.exe
2006-07-06 21:06 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-06 21:06 1,063 C:\WINDOWS\system32\jxea7b22.sys
2006-07-01 16:29 29,968 C:\WINDOWS\system32\mdimon.dll
2006-06-30 20:24 163,840 C:\WINDOWS\system32\igfxres.dll
2006-06-29 10:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-02 13:39 402,736 C:\WINDOWS\system32\WgaLogon.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,4d,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Tue 07/11/2006 22:28:24.67
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt
================
F-Secure Blacklight
================
07/11/06 22:32:06 [Info]: BlackLight Engine 1.0.42 initialized
07/11/06 22:32:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/11/06 22:32:06 [Note]: 7019 4
07/11/06 22:32:06 [Note]: 7005 0
07/11/06 22:32:12 [Note]: 7006 0
07/11/06 22:32:12 [Note]: 7011 1808
07/11/06 22:32:12 [Note]: 7026 0
07/11/06 22:32:12 [Note]: 7026 0
07/11/06 22:32:26 [Note]: FSRAW library version 1.7.1019
07/11/06 22:38:05 [Note]: 7007 0
-
Sorry for the delay, can you try running an uninstaller for me please
Follow the instructions at the below link
and run the OiUninstaller.exe (http://www.purityscan.com/uninstall.html)
Be sure to reboot when done
Back in Windows
Run Combofix again and post the new log from it please
Let's see what we're left with
-
I ran the OIUninstaller. It rebooted at the end, saying that some files would be deleted during the reboot.
Once the computer rebooted, I still encountered the disappearing taskbar error. (It disappeared after about 5 seconds)
Then, I ran ComboFix again. Here is the log file it created.
Start Time= Wed 07/12/2006 22:19:29.39
Running from: C:\Documents and Settings\Owner\Desktop
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-07-12 22:14:08 2223 ( A.... ) "C:\Documents and Settings\Owner\Application Data\.googlewebacchosts"
2006-07-10 22:59:16 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-10 12:46:02 ( .D... ) "C:\Program Files\CleanUp!"
2006-07-10 11:54:58 ( .D... ) "C:\Program Files\SymNetDrv"
2006-07-09 18:15:36 76800 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-07-06 23:58:22 ( .D... ) "C:\Program Files\??crosoft.NET"
2006-07-06 23:58:22 ( .D... ) "C:\Documents and Settings\Owner\Application Data\?racle"
2006-07-06 23:47:22 1063 ( A.... ) "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06 23:47:22 1063 ( A.... ) "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06 23:41:12 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-06 21:07:00 0 ( A.... ) "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-06 21:06:30 ( .D... ) "C:\Program Files\PSHope"
2006-07-06 21:06:10 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-01 22:17:04 ( .D... ) "C:\Program Files\QuickTime"
2006-07-01 16:25:34 ( .D... ) "C:\Program Files\MSBuild"
2006-06-29 10:07:36 61440 ( A.... ) "C:\WINDOWS\system32\BattyRun.dll"
2006-06-07 18:42:54 ( .D... ) "C:\Program Files\Need2Find"
2006-06-07 11:15:24 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-06-07 11:15:12 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-07 11:15:00 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-06-07 11:15:00 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-06-07 11:14:54 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-06-02 13:39:46 402736 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-28 22:30:54 ( .D... ) "C:\Program Files\WinRAR"
2006-05-20 22:12:18 ( .D... ) "C:\Program Files\Derivator 2.4"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-28 01:51:38 29968 ( A.... ) "C:\WINDOWS\system32\mdimon.dll"
2006-04-25 20:41:04 1190152 ( A.... ) "C:\WINDOWS\system32\FM20.DLL"
2006-04-25 20:41:04 32528 ( A.... ) "C:\WINDOWS\system32\FM20ENU.DLL"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-07-11 21:52 527,224,832 C:\hiberfil.sys
2006-07-10 23:01 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-10 23:01 49,248 C:\WINDOWS\system32\java.exe
2006-07-10 23:01 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 18:15 76,800 C:\WINDOWS\system32\VundoFix.exe
2006-07-06 21:06 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-06 21:06 1,063 C:\WINDOWS\system32\jxea7b22.sys
2006-07-01 16:29 29,968 C:\WINDOWS\system32\mdimon.dll
2006-06-30 20:24 163,840 C:\WINDOWS\system32\igfxres.dll
2006-06-29 10:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-02 13:39 402,736 C:\WINDOWS\system32\WgaLogon.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,4d,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Wed 07/12/2006 22:25:59.12
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-07-12.221929.txt
-
Make sure Windows is set to show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Find and delete this file from another fix
C:\WINDOWS\system32\VundoFix.exe
and these folders
C:\Program Files\PSHope
C:\Program Files\Need2Find
I want you to find the next folders and send them to the recycle bin also
Leave them there for now
They are the folders with question marks in them; the ? marks will not actually be found, as they are characters not recognized by Windows
They may actually appear as legit folder names
Remain in the Program Files folder and look for the next folder name
C:\Program Files\??crosoft.NET <--in the Exact location, may be named as a legit folder Microsoft.NET which is located in the Windows folder
Right click on the folder, it should have a creation date of 2006-07-06
and then navigate to this one
C:\Documents and Settings\Owner\Application Data\?racle
May be named Oracle
Creation date also
2006-07-06
Can you again go to either
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html
Can you scan these files and post the results please
C:\WINDOWS\system32\jxea7b22.sys
C:\Documents and Settings\Owner\Application Data\internaldb41.dat
C:\WINDOWS\system32\BattyRun.dll
-
Hi questolo,
I found and removed the first three files/folders you told me to.
I also found the Microsoft.NET folder but its creation date was August 15, 2005. So I did not move it to the recycle bin.
The Oracle folder did have a creation date of 2006-07-06 so I deleted that one.
The online virus scan I did on the three files produced the following results:
1) jxea7b22.sys >> nothing found
2) internaldb41.dat >> This file brought up another page which said "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
3) BattyRun.dll >> nothing found
Thanks for your help.
-
I can't find any info on jxea7b22.sys
Can you send it to the recycle bin for now, we'll leave it there
Could you also send BattyRun.dll with it
Can you do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as find.bat
Save this file on the desktop
REMOVED
Double click on find.bat, a text file called find.txt should open, can you copy>paste back here the whole contents please
-
Did you misinterpret me when I said Nothing Found? I meant that the online scan said both of those files were clear. I did not mean that the files could not be found.
I'll do what you said anyway, just checking.
OK, here are the results of find.bat
Volume in drive C has no label.
Volume Serial Number is 145D-F32C
Directory of C:\Program Files\Microsoft.NET
-
Please do what I posted previously
:)
-
It's Done. Look up. ^^^^^^^
-
Sorry again
:blink:
Can you do this one more time
Delete find.bat
And create a new one with the following entry in the code box below
Then post the results please
@echo off
cd C:\Program Files\??crosoft.NET
dir /s /a > C:\find.txt
notepad C:\find.txt
del /q C:\find.txt
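An added check for the two look-alike folders discussed in this thread (the ??crosoft.NET and ?racle entries in the ComboFix log, and the find.bat above that lists one of them). This is example code written for this page, not something posted by either participant. It assumes the log's "?" characters stand for non-ASCII letters that an 8-bit ANSI code page cannot represent (cp1252 is assumed), uses a small constructed homoglyph table rather than the full Unicode confusables list, and the folder names in the sample listing are constructed. One caveat the batch approach does not show: as a cmd wildcard, ??crosoft.NET matches any two leading characters, so a dir or cd using it can land on the legitimate Microsoft.NET folder (the one created in August 2005) instead of the impostor; inspecting the actual code points, as below, tells the two apart.

```python
"""Spot folder names that impersonate trusted ones with look-alike characters.

Malware here hid in "??crosoft.NET" and "?racle": the '?' is what an 8-bit
(ANSI) log shows for a character the code page cannot encode, so on disk the
names look like "Microsoft.NET" and "Oracle" while being different strings.
"""
import os
import unicodedata

# Constructed homoglyph table for this example: non-ASCII letters -> the ASCII
# letter they resemble. A production check would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u041e": "O",  # CYRILLIC CAPITAL LETTER O
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u00a0": " ",  # NO-BREAK SPACE, indistinguishable from a space on screen
}


def skeleton(name):
    """Replace each known look-alike with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def ansi_rendering(name, codepage="cp1252"):
    """Show the name as an ANSI-only tool would log it: characters outside the
    code page (cp1252 assumed here) become '?', as in the ComboFix log."""
    return name.encode(codepage, errors="replace").decode(codepage)


def suspicious_chars(name):
    """List (index, char, code point, Unicode name) for every non-ASCII char."""
    return [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def find_lookalikes(names, known_good):
    """Return one finding per name that contains non-ASCII characters.

    'mimics' is the trusted name the skeleton collides with, or None when the
    non-ASCII characters do not spell a known folder (e.g. a localized name),
    so a reviewer can tell a homoglyph impostor from a merely foreign name.
    """
    trusted = {g.casefold(): g for g in known_good}
    findings = []
    for name in names:
        odd = suspicious_chars(name)
        if not odd:
            continue  # pure ASCII: nothing to hide behind
        findings.append({
            "name": name,
            "as_ansi": ansi_rendering(name),
            "chars": odd,
            "mimics": trusted.get(skeleton(name).casefold()),
        })
    return findings


def scan_directory(path, known_good):
    """Run the check over the real entries of a folder such as Program Files."""
    return find_lookalikes(os.listdir(path), known_good)


if __name__ == "__main__":
    # Constructed sample standing in for a Program Files listing: the two
    # impostors from the log beside the folders they imitate, plus a harmless
    # accented name that is non-ASCII but mimics nothing.
    trusted_names = ["Microsoft.NET", "Oracle", "Common Files"]
    listing = ["Microsoft.NET", "\u041c\u0456crosoft.NET", "\u041eracle",
               "Caf\u00e9", "Common Files"]
    for f in find_lookalikes(listing, trusted_names):
        verdict = f"impersonates {f['mimics']}" if f["mimics"] else "non-ASCII only"
        print(f"{f['as_ansi']!r:20} {verdict}")
        for idx, ch, cp, uname in f["chars"]:
            print(f"    pos {idx}: {ch!r} {cp} {uname}")
```

On a live machine, scan_directory(r"C:\Program Files", trusted_names) and the same call on the user's Application Data folder would surface both entries with their code points, which is a stronger test than a wildcard dir that also matches the real folder.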
-
It's no problem. Here is the resulting text file.
Volume in drive C has no label.
Volume Serial Number is 145D-F32C
Directory of C:\Program Files\Microsoft.NET
08/19/2005 08:49 PM <DIR> .
08/19/2005 08:49 PM <DIR> ..
08/19/2005 09:23 PM <DIR> Primary Interop Assemblies
0 File(s) 0 bytes
Directory of C:\Program Files\Microsoft.NET\Primary Interop Assemblies
08/19/2005 09:23 PM <DIR> .
08/19/2005 09:23 PM <DIR> ..
03/19/2003 05:49 AM 110,592 adodb.dll
03/19/2003 05:53 AM 8,007,680 Microsoft.mshtml.dll
03/19/2003 05:50 AM 13,312 Microsoft.stdformat.dll
03/19/2003 05:50 AM 4,096 msdatasrc.dll
03/19/2003 05:50 AM 40,960 msddslmp.dll
03/19/2003 05:50 AM 143,360 msddsp.dll
03/19/2003 05:51 AM 16,384 stdole.dll
7 File(s) 8,336,384 bytes
Total Files Listed:
7 File(s) 8,336,384 bytes
5 Dir(s) 39,414,722,560 bytes free
-
Leave the contents we removed in the recycle bin for now
Don't delete Microsoft.NET
If you find this file, send it to the recycle bin also
C:\WINDOWS\system32\ntmsdba.exe
Reboot the computer
Any luck with taskbar?
If not, Can you do the following for me
Go to START>>RUN>>type in msconfig
Hit OK
Under the SERVICES tab Select "Hide All Microsoft Services"
Then Choose Disable ALL and select APPLY
Under the STARTUP tab select Disable ALL
APPLY and then CLOSE
Reboot the computer
Any luck with the taskbar?
I don't want you running like this for long, just let me know if the taskbar appears
-
Will do.
By the way, I do not see a file with the name ntmsdba.exe but I do have a .dll with the same name.
-
the .dll is a legit file, we can leave it alone
In addition, can you ensure that a program such as Stardock doesn't have an option such as hide taskbar enabled
-
Yipee!!!!!! Aw Great, you made me wake up everyone. Yes, the taskbar is back. (Hopefully for good)
Would you like a list of the services I disabled?
No, Stardock has no hide taskbar settings. Nevermind, I think it does. (Just checked their website)
I'll restart with ObjectDock service and startup features enabled to see if I can get it back. OK?
-
Would you like a list of the services I disabled?
Sure, or could it have been a startup entry?
No, Stardock has no hide taskbar settings. Nevermind, I think it does. (Just checked their website)
I'll restart with ObjectDock service and startup features enabled to see if I can get it back. OK?
EDIT>>That would be your next move, by process of elimination find out which startup entry or Service is the cause of the problem
-
Hey questolo, you were right (as usual)
I found it. It turns out there IS in fact a setting in ObjectDock that reads "Show Windows Taskbar". I have no idea how that got unchecked.
You have been a tremendous help. I appreciate the time you put in to helping me. You and the other people on this forum really do a great job. Thank you for all your continued assistance. I could have never cleared this up without you.
Could you leave this thread open for a while? In case that was not the last problem. I'll test everything the next few days and if everything works, I'll add even more thanks to the above paragraph.
-
I'm off to bed anyways
Make sure you don't empty the contents of the recycle bin yet
The PSHope
and Need2Find folders you removed you can definitely live without, they are NOT legit
Same with BattyRun.dll
I want to make sure you can live without the Oracle folder and jxea7b22.sys file
Ensure to reenable all Services and startup entries related to Anti-Virus as soon as possible
We did clear you of some malware, so that's a good thing
I have some other recommendations later, for now goodnight
:)
Let me know how things are running as soon as you can.
By tomorrow evening, or soon after, post one last hijackthis log when you post back
-
Hi questolo,
Things are running OK. I do have 2 minor concerns however.
1) Windows Security Center brings up a popup (speech bubble style) near my taskbar every time I reboot. It says that my computer may be at risk because Norton AV is disabled. However, when I open NAV, I find everything is up to date and enabled. See picture below.
[attached screenshot]
2) Secondly, before I got infected, I used a program called Windows Blinds ( perhaps you've heard of it ) to change the appearance of my pc. Now, the skins will still load, but they do not do so automatically like they did before. I've looked around for any settings that may have caused this but I can't find anything. Since everything in the startup tab in MSCONFIG is enabled, I assume the startup app that loaded the skins is now disabled and no longer on the list.
I have deleted the 3 things you specified above permanently. Have you found anything about the Oracle folder and jxea7b22.sys file?
You said you had a few more recommendations. I would love to hear them, considering how well your previous advice has worked.
Here is an updated HijackThis log you requested.
Logfile of HijackThis v1.99.1
Scan saved at 6:49:32 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Don't worry about the WindowBlinds issue. I got it fixed. The NAV thing is really weird though. If you have any ideas, please share.
Why am I only able to edit once or twice? That is the only reason I posted again.
-
Have you made sure that Norton's Auto protect is enabled?
You can also re-enable Script Blocking if disabled
If that's not the problem, let me know, I have other options
-
Hi questolo,
Yeah, I'm sure Auto-Protect and Script Blocking are enabled. I don't know what's wrong. Even when I use all default settings ( everything enabled ), I still get the strange error. Should I just assume it is working and tell Windows not to warn me about NAV being disabled?
-
Should I just assume it is working and tell Windows not to warn me about NAV being disabled?
Yes, just to double check
Go into Security Center in Control panel and ensure it states that AntiVirus is enabled
Then you can tell it the next time it pops up
Click the balloon >>Recommended Solutions then put a check mark at "I have an anti-virus program that I will monitor myself....."
-
Hi questolo,
I've double and triple checked. I'll just tell Windows not to worry about it.
I have some other recommendations later, for now goodnight
Ok, so what are they? Please...
I want to make sure you can live without the Oracle folder and jxea7b22.sys file
What did you find out?
Hey cool, I'm a Journeyman.
-
If everything is running better
We should flush all your restore points
Go to START>>RUN>>type in msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point
Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure
Make sure you check for updates at least once a month and/or set to Autoupdate
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
*Keep your Firewall protection enabled
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission
Update and do scans with your Anti-Spyware programs on a regular basis
In addition, open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Immunize after every update
About the folder and file I couldn't find info on
They both had creation dates about the same time as your problems
To be safe, try the following
Open the MyDocuments folder>>Right click an empty spot and select NEW>>Folder
Name the new folder>>Backup
Go into the recycle bin and restore both folder and file
Then navigate to both the following
C:\Documents and Settings\Owner\Application Data\?racle (Oracle)
Right click on Oracle and select CUT then PASTE it to the Backup folder you created
Don't select Copy, we actually want to remove them from their original locations
Do the same for
C:\WINDOWS\system32\jxea7b22.sys
Keep them in the backup folder for a couple of weeks, if you have no problems with any programs
Chances are they were/are bad and you can delete the Backup folder
Stay safe
:)
-
questolo,
I'll delete all the restore points and try your advice with the folders. You have been a tremendous help. I sincerely thank you for your help and patience.
-
You're welcome. Optionally, I leave this up to you
These entries in your log
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
Not malicious, but here's some info
You can disable these from running on startup to save on system resources
Name: [TkBellExe] Application Scheduler installed along with RealOne Player. Once installed it runs independently of RealOne. To disable tkbell.exe in the new version: (1) Start RealOne Player (2) Tools - Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
Name: [bigfix] Can automatically download and read technical support information provided by computer and software manufacturers and other technical support experts (published in the form of Fixlet® Messages) and can automatically check your computer for bugs, configuration conflicts and security holes. Should only be started manually as it's a resource hog
If you decide to fix both or either
After doing the above instructions to disable Realone Player updater
With all other windows closed have Hijackthis fix checked both those entries
Reboot the computer
If you have no other problems I'll lock this topic shortly, take care