Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - Yardman_shottw

Pages: [1]
1
Tech Clinic / PC on Point identifies error but wont fix
« on: June 27, 2006, 05:51:21 PM »
hey Questolo,

Apologies for the earlier post, i didnt realise u had made another post. I will run the prog and repond shortly.

Is there a tool that i could download which would tell me all the different components that I have installed and their manufacturers?

Thanks

2
Tech Clinic / PC on Point identifies error but wont fix
« on: June 25, 2006, 12:39:46 PM »
hey guestolo.

Have you forgotten me?.

I did run the GMER log

3
Tech Clinic / PC on Point identifies error but wont fix
« on: June 19, 2006, 10:27:05 PM »
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-19 23:26:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwConnectPort
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwCreateFile
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwCreateKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwCreateProcess
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwCreateProcessEx
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwCreateSection
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwDeleteFile
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwDeleteKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwDeleteValueKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwDuplicateObject
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwLoadKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwOpenFile
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwOpenProcess
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwOpenThread
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwReplaceKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwRequestWaitReplyPort
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwRestoreKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwSecureConnectPort
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwSetInformationFile
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwSetValueKey
SSDT    \SystemRoot\System32\vsdatant.sys                                 ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device  \Driver\Tcpip \Device\Ip IRP_MJ_CREATE                            [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ                  [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL           [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN                          [F7AF285A] avgtdi.sys
Device  \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT                   [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE                           [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ                 [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL          [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN                         [F7AF285A] avgtdi.sys
Device  \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT                  [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Udp IRP_MJ_CREATE                           [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ                 [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL          [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN                         [F7AF285A] avgtdi.sys
Device  \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT                  [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE                         [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ               [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL        [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN                       [F7AF285A] avgtdi.sys
Device  \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT                [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE                   [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ         [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL  [F612A230] vsdatant.sys
Device  \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN                 [F7AF285A] avgtdi.sys
Device  \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT          [F612A230] vsdatant.sys
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE                              F0D28400

---- Files - GMER 1.0.10 ----

File    C:\System Volume Information\MountPointManagerRemoteDatabase      
File    C:\System Volume Information\tracking.log                        

---- EOF - GMER 1.0.10 ----

4
Tech Clinic / PC on Point identifies error but wont fix
« on: June 18, 2006, 04:49:38 PM »
The only yellow question mark is at:

- Other Devices
    - Application Layer gateway Service

The PC was was rebooting, but it got worst in the last 4 weeks when I did some windows updates that included Windows Genuine Advantage. I dont know if that had anything to do with it but each time it reboots, when it finally comes back with windows, it gives me an error report saying windows and Windows Genuine advantage has encourntered serious errors and gives me the option of sending or not sendin the report.

5
Tech Clinic / PC on Point identifies error but wont fix
« on: June 15, 2006, 08:11:37 PM »
Memtest ran for 23 hrs and didnt find any errors.

I didnt install any new progs, its been like this for weeks.

I checked the drivers and there was one yellow question mark (cant recall now but it wasnt on any specific device - I will check and post later)

I tried updating the drivers but it requested CD's that i dont have.

6
Tech Clinic / PC on Point identifies error but wont fix
« on: June 13, 2006, 07:27:46 PM »
Volume in drive C has no label.
 Volume Serial Number is 98F0-D166

 Directory of C:\WINDOWS\system32

08/23/2001  08:00 AM             7,046 l_intl.nls
               1 File(s)          7,046 bytes

 Directory of C:\WINDOWS\system32\dllcache

08/23/2001  08:00 AM             7,046 l_intl.nls
               1 File(s)          7,046 bytes

7
Tech Clinic / PC on Point identifies error but wont fix
« on: June 13, 2006, 05:04:08 PM »
How long should the memtest take, its been running on my machine now for 23 hours?

Is that normal? and what should I do to stop it?

Thanks

8
Tech Clinic / PC keeps rebooting
« on: June 10, 2006, 11:51:37 AM »
I did not record the complete text of the (Blue Screen):error I posted earlier.

Since then it has given me a number of errors (which I have recorded verbatim below) in the following order:

1)

Windows could not start because the following file is missing or corrupt:
\Windows\system32\l_intl.nls

2)

A problem has been detected and windows has been shutdown to prevent damage to your computer.

If this is the first time you have seen this STOP error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure you have aequate disk space. If a driver is identified in the STOP message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with you hardware vendor for any BIOS updates. Disable BIOS Memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

**** STOP: 0x0000007E (0xC0000005, 0x7FFFFFFE2, 0xF7A57BC4, 0xF7A578C0)

3)

STOP: C0000145 {Application Error}

The application failed to initialise properly (0xC0000142)
Click on OK to terminate the application.

4)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xF5CC19D0, 0x00000000, 0xF5CC19D0, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance.

5)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xA2185938, 0x00000000, 0xF5BF6852, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance

6)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x0000008E (0xC0000005, 0xBF8047D4, 0xF717CAE8, 0x00000000)

*** Win32K.sys - Address BF8047D4 base at BF800000, Date stamp 43446a58

7)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

Disable Driver

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x0000008E (0xC0000005, 0xBF8047D4, 0xF717CAE8, 0x00000000)

*** Win32K.sys - Address BF8047D4 base at BF800000, Date stamp 43446a58

8)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xE3F40FDC, 0x00000000, 0x8056B08D, 0x00000002)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance

9)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

Disable Driver

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x0000008E (0xC0000005, 0xBF8047D4, 0xF717CAE8, 0x00000000)

*** Win32K.sys - Address BF8047D4 base at BF800000, Date stamp 43446a58

10)
A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xF2E0E060, 0x00000000, 0xF2E0E060, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance

11)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xB75A27F8, 0x00000000, 0x8056B08D, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance


That was the last error and I havent used the machine since then.

9
Tech Clinic / PC on Point identifies error but wont fix
« on: June 09, 2006, 10:09:27 AM »
I did not record the complete text of the (Blue Screen):error I posted earlier.

Since then it has given me a number of errors (which I have recorded verbatim below) in the following order:

1)

Windows could not start because the following file is missing or corrupt:
\Windows\system32\l_intl.nls

2)

A problem has been detected and windows has been shutdown to prevent damage to your computer.

If this is the first time you have seen this STOP error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure you have aequate disk space. If a driver is identified in the STOP message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with you hardware vendor for any BIOS updates. Disable BIOS Memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

**** STOP: 0x0000007E (0xC0000005, 0x7FFFFFFE2, 0xF7A57BC4, 0xF7A578C0)

3)

STOP: C0000145 {Application Error}

The application failed to initialise properly (0xC0000142)
Click on OK to terminate the application.

4)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xF5CC19D0, 0x00000000, 0xF5CC19D0, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance.

5)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xA2185938, 0x00000000, 0xF5BF6852, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance

6)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x0000008E (0xC0000005, 0xBF8047D4, 0xF717CAE8, 0x00000000)

*** Win32K.sys - Address BF8047D4 base at BF800000, Date stamp 43446a58

7)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

Disable Driver

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x0000008E (0xC0000005, 0xBF8047D4, 0xF717CAE8, 0x00000000)

*** Win32K.sys - Address BF8047D4 base at BF800000, Date stamp 43446a58

8)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xE3F40FDC, 0x00000000, 0x8056B08D, 0x00000002)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance

9)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

Disable Driver

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x0000008E (0xC0000005, 0xBF8047D4, 0xF717CAE8, 0x00000000)

*** Win32K.sys - Address BF8047D4 base at BF800000, Date stamp 43446a58

10)
A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xF2E0E060, 0x00000000, 0xF2E0E060, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance

11)

A problem has been detected and Windows has been shutdown to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this STOP Error, check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:
*** STOP 0x00000050 (0xB75A27F8, 0x00000000, 0x8056B08D, 0x00000000)

Beginning dump of physical memory,
Physica; memory dump complete.
Contact you system administrator or technical support group for further assistance


That was the last error and I havent used the machine since then.

10
Tech Clinic / PC on Point identifies error but wont fix
« on: June 06, 2006, 08:17:04 PM »
when the PC crashed it gave this error (blue screen) instead of reebooting:

Driver_IRQL_NOT_LESS_OR_EQUAL and then it said some message about contacting adminstator if its 1st you are seeing this error. Further in the message it said *** STOP:0x000000D1 (0x00005C80, 0x000000FF, 0x00000001, 0xE2BD0048)

Then I pressed the reset on computer and it gave me this error:

STOP: C000021a{Fatal System Error} with text the Windows Subsystem system process terminated unexpectedly with a status of 0xC0000005(0x75e94ea2 0x0052ef00)

11
Tech Clinic / PC on Point identifies error but wont fix
« on: June 05, 2006, 12:02:03 AM »
[quote name=\'guestolo\' post=\'130982\' date=\'Jun 4 2006, 11:32 AM\']Looks good, If you didn't intentionally install PartyPoker
Access your add/remove programs and remove it

Your running without any Anti-Virus software, this is not safe
If you don't have your own AV software to install
I highly recommend you install one of these free versions
All have links to the free downloads, so read carefully
ONLY install one, more than one AV running realtime protection in the background can cause conflicts
Note: Ewido is not the same as AV, so it won't conflict

AVG 7 by Grisoft

Avast Home Edition by ALWIL

Avira AntiVir Personal Edition Classic

After you decide which one to install, ensure it is totally updated and run a full system scan, letting it clean whatever it finds
Reboot the computer afterwards

Come back here and post a fresh hijackthis log and let me know how things are running please[/quote]

Machine is still crashing and rebooting

Logfile of HijackThis v1.99.1
Scan saved at 12:51:13 AM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\HAPPY\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE6E85-1988-4B99-9CDE-EA3EBCBD98B1}: NameServer = 208.138.33.250 208.131.176.126
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

12
Tech Clinic / PC on Point identifies error but wont fix
« on: June 04, 2006, 12:24:15 PM »
Logfile of HijackThis v1.99.1
Scan saved at 6:46:06 PM, on 6/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NZSearch\hcm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HAPPY\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"uoltray" = "C:\Program Files\NetZero\exec.exe regrun" [file not found]
"spc_w" = ""C:\Program Files\NZSearch\hcm.exe" -w" ["United Online, Inc."]
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CountrySelection" = "pctptt.exe" ["PCtel, Inc."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HAPPY\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "HAPPY" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "C:\Program Files\PartyPoker\PartyPoker.exe" ["iGlobalMedia.com"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = (no title provided)
  -> {HKLM...CLSID} = "URLSearchHook Class"
                   \InProcServer32\(Default) = "C:\Program Files\NZSearch\SearchEnh1.dll" ["United Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
W2k PCtel speaker phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 43 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 53 seconds.
---------- (total run time: 162 seconds)

13
Tech Clinic / PC on Point identifies error but wont fix
« on: June 04, 2006, 12:21:24 PM »
[quote name=\'guestolo\' post=\'129231\' date=\'May 30 2006, 09:54 PM\']Can you try the following please

download [color=\"red\"]Brute Force Uninstaller[/color][/b] to your desktop. (rightclick on this link and choose save as, if using IE save target as)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
[color=\"#FF0000\"]RIGHT CLICK HERE[/color]
and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"#FF0000\"]EGDACCESS Remover[/color]. Save it in the folder you made earlier (c:\BFU)

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
Sign in with your normal user account
In safe mode

=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to EGDACCESS.bfu in the C:\BFU folder
Right click EGDACCESS.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot back to Normal mode

Post back the following
1. Run another scan and save logfile with Hijackthis and post a fresh log
2. Save Silent Runners.vbs to your desktop
Right click on that link and choose Save Link As
Double click on it to run. You don't have to click yes or no, it will continue to run in a few seconds
If prompted by your AV, please let this script run, we are just collecting information

 This will create a text file on your desktop
Open the text file and copy and paste the contents back here

NOTE: let silentrunners completely finish, it WILL prompt when it is done[/quote]

14
Tech Clinic / PC on Point identifies error but wont fix
« on: May 30, 2006, 10:40:07 PM »
Logfile of HijackThis v1.99.1
Scan saved at 11:30:39 PM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Program Files\PokerStars\PokerStarsCommunicate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HAPPY\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39EA2F6F-3F50-4F58-9C63-4B3D53B0926E} - http://scripts.downloadv3.com/binaries/P2E..._1049_EN_XP.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6AA85413-165C-4200-8154-71166077B22E} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE6E85-1988-4B99-9CDE-EA3EBCBD98B1}: NameServer = 208.138.33.250 208.131.176.126
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

15
Software / PC on POint scan identifies errors but wont fix
« on: May 27, 2006, 09:58:41 PM »
[quote name=\'guestolo\' post=\'125165\' date=\'May 23 2006, 09:35 PM\']Just for a closer look
From my signature below, download and save too a permanent folder of it's own onto your harddrive
Hijackthis 1.99.1
Open Hijackthis.exe

Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important

If I find problems, I will ask that you start a new post in the TechClinic section of the forums
It just keeps everything a little tidier  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />[/quote]

<LOG REMOVED>
Thanks for posting it Yardman_shottw
We'll look at a new log in Tech Clinic

16
Software / PC on POint scan identifies errors but wont fix
« on: May 23, 2006, 10:59:03 AM »
My PC keeps crashing with windows errors and i downloaded PConPoint and did the scan. It idenfied some errors and fixed some but didnt repair the others unless i bought the product. the unreparied errors are below:

Startup Programs          1
Classes Section            20
Application Paths          1
Shared Program files     54
Program ID Section       7
Complete Registry Scan 79
Invalid Shortcuts           2

Is there any shareware prog that can repair all these errors?

Can you help me please?. I would be most grateful

17
Tech Clinic / MCAFEE REPORTS PUP called MSCLOCK.DLL
« on: February 08, 2006, 08:23:51 PM »
02/08/06 20:07:25 [Info]: BlackLight Engine 1.0.30 initialized
02/08/06 20:07:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/08/06 20:07:26 [Note]: 7019 4
02/08/06 20:07:26 [Note]: 7005 0
02/08/06 20:07:30 [Note]: 7006 0
02/08/06 20:07:30 [Note]: 7011 1540
02/08/06 20:07:31 [Note]: 7018 1876
02/08/06 20:07:31 [Info]: Hidden process: C:\windows\system32\cfvdtoku.exe
02/08/06 20:07:32 [Note]: FSRAW library version 1.7.1014
02/08/06 20:08:18 [Info]: Hidden file: C:\WINDOWS\system32\cfvdtoku.dat
02/08/06 20:08:18 [Note]: 10002 1
02/08/06 20:08:19 [Info]: Hidden file: C:\windows\system32\cfvdtoku.exe
02/08/06 20:08:19 [Note]: 10002 1
02/08/06 20:08:19 [Info]: Hidden file: C:\WINDOWS\system32\cfvdtoku_nav.dat
02/08/06 20:08:20 [Note]: 10002 1
02/08/06 20:08:20 [Info]: Hidden file: C:\WINDOWS\system32\cfvdtoku_navps.dat
02/08/06 20:08:20 [Note]: 10002 1
02/08/06 20:08:25 [Info]: Hidden file: C:\WINDOWS\system32\msclock32.dll
02/08/06 20:08:25 [Note]: 10002 1
02/08/06 20:08:29 [Info]: Hidden file: C:\WINDOWS\system32\msplock32.dll
02/08/06 20:08:29 [Note]: 10002 1
02/08/06 20:09:01 [Note]: 7007 0


"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"uoltray" = "C:\Program Files\NetZero\exec.exe regrun" [file not found]
"spc_w" = ""C:\Program Files\NZSearch\hcm.exe" -w" ["United Online, Inc."]
"Instant Access" = "rundll32.exe C:\WINDOWS\eg_auth_1049.dll,InstantAccess /L" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CountrySelection" = "pctptt.exe" ["PCtel, Inc."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"AdwareAlert" = "C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot" [file not found]
"cfvdtoku" = "c:\windows\system32\cfvdtoku.exe cfvdtoku" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HAPPY\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "HAPPY" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "C:\Program Files\PartyPoker\PartyPoker.exe" ["iGlobalMedia.com"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = "URLSearchHook Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\NZSearch\SearchEnh1.dll" ["United Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
W2k PCtel speaker phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 61 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 59 seconds.
---------- (total run time: 216 seconds)

18
Tech Clinic / MCAFEE REPORTS PUP called MSCLOCK.DLL
« on: February 06, 2006, 08:20:53 PM »
I have been getting a message from McAfee Virusscan about a PUP called msclock.dll. In recent times my pc has also been giving me a cmos checksum error when booting up. I think this error is causing my PC to not retain time ie. after boot it tends to go to Feb 2001 time and not the current time. this affects how my Zonealarm works as i need to reset the time to current time of else Zonealam gives me a vsinit.dll error.

Appreciate your help


Logfile of HijackThis v1.99.1
Scan saved at 8:43:26 AM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HAPPY\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1073.dll,InstantAccess
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1063_XP.cab
O16 - DPF: {11F1D260-129E-4EB7-B37E-57E3D97A3DF1} - http://akamai.downloadv3.com/binaries/P2EC..._1044_EN_XP.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/s...net32_EN_XP.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by13fd.bay13.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54579C3D-A58D-4623-B5B5-465552BDA45B} - http://scripts.downloadv3.com/binaries/EGD...2_ASPIV4_XP.cab
O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binaries/P2EC..._1041_EN_XP.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/EGD...ESS_1069_XP.cab
O16 - DPF: {BD3653E4-884B-43C4-970B-670802501B7F} - http://akamai.downloadv3.com/binaries/P2EC..._1043_EN_XP.cab
O16 - DPF: {BE5A7132-329F-4319-B781-2A83BFE51534} - http://akamai.downloadv3.com/binaries/P2EC..._1045_EN_XP.cab
O16 - DPF: {C2481ED1-9896-4D49-AE90-69858DFDE446} - http://scripts.downloadv3.com/binaries/EGD...ESS_1073_XP.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/s...svc32_EN_XP.cab
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://akamai.downloadv3.com/binaries/P2EC..._1046_EN_XP.cab
O16 - DPF: {EFB23983-5803-4914-ADA3-C0EA2CFBDC37} - http://scripts.downloadv3.com/binaries/EGD...ESS_1072_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFE6E85-1988-4B99-9CDE-EA3EBCBD98B1}: NameServer = 208.138.33.250 200.10.152.232
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

19
Tech Clinic / MSCLOCK.DLL
« on: February 04, 2006, 08:01:59 PM »
Hey All,

I have gotten an alert from McAfee regarding a Potentially Unwanted Program (PUP) with the tag msclock.dll, but when i try to clean the file it says it cannote be cleaned as it might be write protected.

The file is located at C:\windows\system32\msclock.dll.

Can you advise.

Yardman

Pages: [1]