Author Topic: So much cr*p, will re-install fix it all?  (Read 12994 times)

Offline hotrod4x5

  • Jr. Member
  • **
  • Posts: 59
  • Karma: +0/-0
    • View Profile
So much cr*p, will re-install fix it all?
« Reply #20 on: May 27, 2005, 07:08:42 PM »
Things are already working better!  I can now download my email, I have been reading it online using my ISP's webmail interface.  The computer also seems to be running faster overall.

I did notice that the appearance of windows has changed.  It looks more like WIN 95 now, no more rounded windows.  

Of course, the main goal after cleaning is to prevent this in the future!  

I am guessing that you will have further instructions on how to prevent further infestations...

Thanks for all your help so far!

I have another system in my house which I know is majorly infected.  Hopefully we can clean it out too!
« Last Edit: May 27, 2005, 07:10:20 PM by hotrod4x5 »

hotrod4x5
« Reply #21 on: May 27, 2005, 07:25:22 PM »
Just a few minutes after posting the above logs, Norton has just popped up a window:

Virus found:
c:/windows/system32/TFTP2824
Unable to repair  (I click OK)
Access to file denied (I click OK and the window closes)

All I had open was a Mozilla window reading an online forum for recreational vehicles.

Another thing I realized doing all this cleaning, my Norton real time protection had been disabled without my knowing about it!  I used to get these popups all the time, most saying access to file denied, cannot repair.

Now that things are more cleaned up, I was able to run Norton and it found this.

Programs are now taking longer to open and the whole system slowed down somewhat again.

Thanks again for all your help!
« Last Edit: May 27, 2005, 07:29:43 PM by hotrod4x5 »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
So much cr*p, will re-install fix it all?
« Reply #22 on: May 29, 2005, 02:34:01 PM »
Hi again, can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop

 
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msdirectx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000


Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart into safe mode
Delete that file
c:/windows/system32/TFTP2824
Don't delete tftp.exe

Double click on fix.reg and allow to add or Merge to the registry

Return to Normal mode

Run an Online Virus scan at Panda's
Save the report and post it back here along with a fresh Hijackthis log

http://www.pandasoftware.com/products/acti...n_principal.htm

Could you also download that registry search tool I asked for before and scan for msdirectx and post the results

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


hotrod4x5
« Reply #23 on: May 29, 2005, 03:24:04 PM »
OK, I am doing the new instructions.  Thanks again for all your help!

I have a question about TFTP.exe

Since it seemed to be the culprit of a lot of trojans/viruses that Norton kept finding, I deleted it along with all TFTP****  **** being a string of 4 numbers.

Since I deleted it, I no longer got any Norton popups with trojans in that directory with the string TFTP****

Then I read you say not to delete TFTP.exe  so I restored it from recycle bin.

Within 5 minutes of restoring it, Norton popped another virus warning, this time called TFTP2716

At that time my computer basically froze. I couldn't close OE, I couldn't switch between active windows, although I was able to browse the web on the browser window that was active. Basically my computer became partially handicapped when I restored TFTP.exe

I think I read somewhere else that if you are not hosting a TFTP site, you don't need it?

But you said not to delete it, so what is it and why do I keep getting viruses when it is not deleted?
« Last Edit: May 29, 2005, 03:51:41 PM by hotrod4x5 »

hotrod4x5
« Reply #24 on: May 29, 2005, 03:48:03 PM »
Results of REG search:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "msdirectx" 5/29/2005 1:46:16 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]




=====================================================
Running the online virus scanner now, will post when finished

guestolo
« Reply #25 on: May 29, 2005, 04:03:30 PM »
Can you do the following for me please

# On the Windows taskbar, click Start > Search.
# Click All files and folders.
# In the "All or part of the file name" box, type, or copy and paste, the following file name:

tftp*.*

# Make sure that "Look in" is set to "Local Hard Drives" or to (C:).
# Click More advanced options.
# Check Search system folders.
# Check Search subfolders.
# Click Search.

Let me know what you find
Any 0 byte files found?

Also, the scan at Panda's would be a great help
« Last Edit: May 29, 2005, 04:04:05 PM by guestolo »



hotrod4x5
« Reply #26 on: May 29, 2005, 04:16:28 PM »
I had a whole list of them with 0 bytes, I deleted them along with the TFTP.exe, yesterday.   Hope that was ok.  They are all gone out of the recycle bin now.

In the middle of this, I just got hit with another Norton pop up finding another trojan with the file name TFTP****
There seems to be no 0 byte files at the moment.

All that is found is tftp.exe in system32 folder, tftp.exe in system32/dllcache folder and TFTP.EXE-2FB50BCA.pf in windows/prefetch folder.
« Last Edit: May 29, 2005, 04:17:11 PM by hotrod4x5 »

guestolo
« Reply #27 on: May 29, 2005, 04:21:27 PM »
Can you finish the scan at Panda's and include the report?
We'll take it from there



guestolo
« Reply #28 on: May 30, 2005, 08:38:15 PM »
Can you do the following

Download: Registrar Lite
http://www.resplendence.com/reglite
Free link at the bottom of the page

Stay connected to the Internet at this time
Access your Add/Remove programs and remove if found
Preview AdService
UCmore - The Search Accelerator

If either of the above is found, follow the uninstall prompts carefully

Copy and paste these instructions to a Notepad file and then close down all other windows

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Keep the Notepad file open and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\WINDOWS\ucmoreiex.exe
C:\Documents and Settings\Rodney Ninow\Favorites\Fun & Games
C:\Documents and Settings\Rodney Ninow\Favorites\Going Places
C:\Documents and Settings\Rodney Ninow\Favorites\Shop
C:\Documents and Settings\Rodney Ninow\Favorites\Technology
C:\WINDOWS\System32\msdirectx.sys
C:\up\update.html
C:\Program Files\Preview AdService\PrevAdComm.dll
C:\UCmore - The Search Accelerator\How To Uninstall.lnk
C:\UCmore - The Search Accelerator\UCmore Tour.lnk
C:\WINDOWS\update.html
C:\trufkz.html

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

When Restarting, please Restart your computer to SAFE MODE
You can do that by tapping the F8 key as the computer is restarting just before Windows is ready to load

In Safe mode
Find and delete these folders
C:\UCmore - The Search Accelerator
C:\Program Files\Preview AdService
C:\up <-before deleting this folder, check out the contents, is it empty? If yes
go ahead and delete it, if there are other files in it and you're unsure, don't remove it yet
But let me know what else you see in it

Run Windows CleanUp! again, don't log off or restart the computer yet

Can you access Internet Options via Control Panel
Under the Security tab
Can you check your settings under the 4 zones and reset to Defaults if unsure
of Custom level settings

Can you do the following please
Open Registrar Lite
Copy and paste the following line in bold into the top address bar of  Registrar Lite and then hit GO


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX

Highlight LEGACY_MSDIRECTX on the left which should be a purple folder on the left
Right click on it and Delete it
If it won't delete

Right click on it and choose Properties
>>Permissions, >>Advanced button

Check the following
"Inherit from parent the permission entries that apply to child objects."
OK it and OK again
Then try and delete the key

Do the same for these entries of Legacy_Msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDIRECTX

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX

Exit Registrar lite

Restart back to Normal mode

Run another scan with Hijackthis and post a fresh log

Could you also run msdirectx through the Registry search tool again
Let me know if you find any instances, if so post them



hotrod4x5
« Reply #29 on: May 31, 2005, 12:56:57 PM »
OK, first of all c:/up has a file in it called sh.bat

Second, no instances of msdirectx were found

Third, the latest hijack this log:

========================================
Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx
O17 - HKLM\System\CS2\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

============================================
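
The service (O23) entries in the HijackThis log above can be triaged mechanically. The Python below is an added example, not part of the original thread and not HijackThis's own logic; the three heuristics and the `min_reasons` threshold are assumptions chosen for illustration, and the sample lines are copied from the log above.

```python
import ntpath
import re
from dataclasses import dataclass, field

# O23 line layout as it appears in the log above:
#   O23 - Service: <name> - <owner> - <path>[ (file missing)]
# The owner never contains a backslash and the path starts with a drive
# letter, which lets the pattern cope with " - " inside names or paths.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>[^\\]+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(log_text):
    """Return one ServiceEntry per O23 line; other log sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            entries.append(ServiceEntry(
                name=m.group("name"),
                owner=m.group("owner"),
                path=m.group("path"),
                file_missing=m.group("missing") is not None,
            ))
    return entries


def suspicious_reasons(entry):
    """Assumed heuristics: each is a weak signal on its own."""
    reasons = []
    if entry.owner.lower() == "unknown owner":
        reasons.append("unknown owner")
    if entry.file_missing:
        reasons.append("file missing")
    # Service binary sitting directly in the Windows root, not a subfolder.
    if re.fullmatch(r"[a-z]:\\windows", ntpath.dirname(entry.path).lower()):
        reasons.append("binary directly in Windows root")
    return reasons


def triage(entries, min_reasons=2):
    """Annotate every entry, return only those with enough combined signals."""
    flagged = []
    for e in entries:
        e.reasons = suspicious_reasons(e)
        if len(e.reasons) >= min_reasons:
            flagged.append(e)
    return flagged


# Four O23 lines copied from the HijackThis log in this post.
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for hit in triage(parse_o23(SAMPLE_LOG)):
        print(f"REVIEW: {hit.name} -> {hit.path} ({', '.join(hit.reasons)})")
```

"Unknown owner" alone also matches the Adobe LM Service line, which is why the sketch requires at least two signals before flagging an entry for review.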

hotrod4x5
« Reply #30 on: May 31, 2005, 07:37:35 PM »
Just got home and am browsing my usual websites, ebay, rv.net forums and email.

Norton just popped up a window:

Virus found:
c:/windows/system32/eraseme_45781.exe
Virus name: W32.Spybot.Worm

Unable to repair file

I click ok

Access to file denied

I click ok and the window closes.

I then tried to run a HiJack this log and the program froze right when it normally creates the log.

How do these darn things keep getting on my system??? Will I ever be safe from this crap?

guestolo
« Reply #31 on: May 31, 2005, 08:24:31 PM »
Can you do the following please
Save these instructions to a notepad file on the desktop

Reboot into Safe mode

In safe mode do the following

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Workstation Service Library

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Afterwards, make sure that this file is gone, if not delete it
C:\WINDOWS\wkssvc.exe <-file
Delete this one too
c:/windows/system32/eraseme_45781.exe
If it won't delete, we'll get it later

Also, send the C:\up folder to the recycle bin

Open Hijackthis>>Open Misc tools section>>Open "Delete an NT Service"
In the new window in the open box, copy and paste, or type in the below in bold and then hit OK

Microsoft Locator Service

Afterwards

If eraseme_45781.exe wouldn't delete
Stay in safe mode and run Killbox.exe

In the full path of file to delete, copy and paste the below in bold and choose the radio button to Delete on Reboot

c:/windows/system32/eraseme_45781.exe

Then click the Red circle with the white X

Click Yes to Delete on Reboot and Yes to restart the computer

Back in Windows

I want to run another scan with Mwav, but let's clear out some files in the System Restore folder to make the log a little smaller
Normally I leave this till last, but I want to ensure we see  the whole log
Can you do the following
If things seem better
Disable System Restore>>>Restart your computer>>Re-enable System Restore
Take a look at this link ahead of time if you're unsure how to do this
How to Disable and Re-enable System Restore feature

After system Restore is reenabled
Can you do the following
Please Redownload Mwav, in case it's been updated,  and run another scan and post the log from it

Also post a fresh Hijackthis log

Here's the link and instructions again for eScan's mwav
====================================
==Download this virus checker from eScan
Mwav.exe
There's nothing to install, Save to your desktop
Double click to run eScan's Mwav scan
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take awhile, let it finish
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane---  Use "CTRL and the  C" keys  on your Keyboard to copy all found in the lower pane  and Paste it back here

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
===========================================

One more request
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK

regedit /e C:\find4.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

Copy and paste back the contents of C:\find4.txt
« Last Edit: May 31, 2005, 10:44:13 PM by guestolo »



hotrod4x5
« Reply #32 on: June 01, 2005, 09:39:16 AM »
Last night, after I downloaded the newest version of MWAV and before I ran a scan, I got yet another Norton popup window saying it found the w32.spybot.worm, this time it was located in the file TFTP3588 (which IIRC was in the system32 folder of Windows).

Norton always says unable to repair, then you click OK, then it says access to file denied.

Doing a file search this morning for anything with TFTP didn't reveal the above mentioned file, but it did find TFTP3408, which is 0 bytes.  Of course it also found 2 instances of the TFTP.exe file, located in system32 and system32/dllcache.

Here is the new MWAV scan, scanned after the above mentioned incident:
=========================================================================
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PrevAdX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKCR\DXImageTransform.WebExtenderClient" refers to invalid object "{3CDFE52B-AFAF-4C37-1420-807EA3484639}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy18.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy52.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\0F1AE793-3838-411A-AAC0-51FE49\4222A183-459F-4938-9D64-CD1EA5 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\0F1AE793-3838-411A-AAC0-51FE49\4FF15830-3DB5-41AC-AFDE-8C00A7 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\27E69CBF-CAFC-476A-B573-3645CC\8B69F6EC-6554-43CB-BE55-491122 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\27E69CBF-CAFC-476A-B573-3645CC\9E95CF82-01BD-442B-98FC-2BF38D infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\93F503E0-B44D-4007-91C4-0C65DF\C033A5F8-1F01-48C0-883B-73A06A tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\WINDOWS\system32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File L:\Backup 10-18-04\Photo Shoots\Weddings\New Folder\DivX player\DivX502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
=====================================================
Latest HijackThis scan:
====================================================
Logfile of HijackThis v1.99.1
Scan saved at 7:32:45 AM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

====================================================
Contents of find4.txt:
=====================================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000004e8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"Windows Processe Manager"="mspn32.exe"
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:61,5d,6c,9e,8c,bd,68,2d,42,0e,9e,5f,a0,72,21,1a,62,33,35,33,33,\
  39,32,63,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,38,59,c0,d5

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:c8,ab,84,fa,db,24,4a,4b,14

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:30,82,25,8f,98,4a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:85,11,13,0a,7e,c2,9d,64,a3,d2,3c,e1,05,a5,ee,4b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:76,3c,5c,fe,6f,99,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,60,bd,99,53,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,60,bd,99,53,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,60,bd,99,53,4f,c2,01
"Type"=dword:00000031

======================================================
« Last Edit: June 01, 2005, 09:40:08 AM by hotrod4x5 »

Offline hotrod4x5

So much cr*p, will re-install fix it all?
« Reply #33 on: June 01, 2005, 09:42:07 AM »
Today I am going to try and run a windows update, I haven't been able to, and I suspect with all this cleaning, it should work now.

I will not download SP2, as I do have the disk for it, but it caused network problems when we tried it on one of our computers here at home, and I have some friends who also had problems with it.

Offline guestolo

So much cr*p, will re-install fix it all?
« Reply #34 on: June 01, 2005, 08:10:27 PM »
Trying to look in when I can, work is keeping me off the forum

Yes please, visit Windows updates and for now install all Latest Critical updates

Can you look for these files please and remove if found, let me know if you deleted them
C:\WINDOWS\system32\i
C:\WINDOWS\system32\mspn32.exe

Could you also
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop

Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PrevAdX.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

Double click on fix.reg and allow to merge to the registry
Restart your computer

Can you use the Registry search tool and enter this next entry to it and wait for the log and post it
mspn32.exe

Run this entry through also

msconfig32.exe

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline hotrod4x5

So much cr*p, will re-install fix it all?
« Reply #35 on: June 01, 2005, 08:18:44 PM »
Hey, I know you are doing a lot of helping here, and I really appreciate it!  If you take a day or two to reply, or 3, that is ok.

I just tried to run a windows update and got the same problem I had last time:
======================================


[Error number: 0x8DDD0018]
  Windows Update cannot continue because a required service application is disabled. Windows Update requires the following services:
Automatic Updates enables detection, downloading, and installation of critical updates for your computer.
Background Intelligent Transfer Service (BITS) enables faster, restartable downloading of updates.
Event Log logs Windows Update events for troubleshooting. To ensure that these services are enabled:

1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, right-click the service name, and then click Properties.
4. In the Startup type list, select Automatic.
5. Verify that the service status is started.

 
==========================================
A few weeks ago, I followed all the instructions they told me, but it still never started working.

Offline guestolo

So much cr*p, will re-install fix it all?
« Reply #36 on: June 01, 2005, 09:27:15 PM »
Carry on with the rest of the instructions
Found some more details at Symantec's
I just want to see the last outputs from the Registry search tool after you have done the above



Offline hotrod4x5

So much cr*p, will re-install fix it all?
« Reply #37 on: June 02, 2005, 10:14:06 AM »
Ok, let's see...

I found the file "i" and deleted it.  I did not find the other file you said to look for.

I did the fix reg instructions.

REG SEARCH results for mspn32.exe
============================================
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "mspn32.exe" 6/2/2005 8:08:29 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Windows Processe Manager"="mspn32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Processe Manager]
"command"="mspn32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"

======================================================
REG SEARCH results for msconfig32.exe
=======================================================
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "msconfig32.exe" 6/2/2005 8:12:39 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
=======================================================

Guess that is all for you for now, thanks!

Offline guestolo

So much cr*p, will re-install fix it all?
« Reply #38 on: June 03, 2005, 12:17:30 AM »
Thanks for sticking in there

Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as repair.reg

Save this file on the desktop

Code:
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-

[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Processe Manager]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Installed Time"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Record"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareServer"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

We'll need this reg file later
But first can I ask you to run one more scan please

Can you create a folder on your desktop
(Right click an empty spot on your desktop
Select NEW>>Folder)
Name it something you will remember

Next: Download and save to that folder
SysClean Package from Trend Micros

After you have that downloaded and saved to that folder
You must do the following
Get the Latest Pattern files for SysClean
Download this ZIP file from the link below and save it to the same folder as SysClean Package
UNZIP(Extract) the contents of the zipped file to the same folder
Here's the link
http://www.trendmicro.com/download/pattern.asp

Once you have it unzipped can you please restart into safe mode

In safe mode

Double click on repair.reg and allow to add or merge to the registry

Open the folder you saved SysClean Package
and Double click on SysClean.com and let it run and finish a scan

Restart back to Normal mode

Post the log from Sysclean
Could you also post a fresh Hijackthis log
« Last Edit: June 03, 2005, 12:20:39 AM by guestolo »

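One way to confirm that a removal .reg file covers every hit from a registry search, as with the RegSrch output and repair.reg in the posts above (an added example, not part of the original posts). Both sample strings are constructed from entries shown in the thread, the fix file is deliberately left incomplete, and the helper names are hypothetical; it assumes HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 are the same hive, which holds on Windows XP and later.

```python
import re

# Constructed sample: search hits in the shape of the RegSrch output above.
SEARCH_HITS = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Processe Manager]
"command"="mspn32.exe"
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"
'''

# Constructed fix file, deliberately missing the S-1-5-21 Lsa entry.
FIX_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Windows Processe Manager"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Processe Manager]
'''

SECTION = re.compile(r'^\[(-?)(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def norm_key(key):
    """Case-fold a key path and map the .DEFAULT alias onto S-1-5-18."""
    key = key.strip().lower()
    alias = "hkey_users\\.default"
    if key == alias or key.startswith(alias + "\\"):
        key = "hkey_users\\s-1-5-18" + key[len(alias):]
    return key

def parse_reg(text):
    """Yield (key, value_name, data, key_deleted); value_name is None for a [-key] line."""
    key, deleted = None, False
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            deleted, key = m.group(1) == "-", norm_key(m.group(2))
            if deleted:
                yield key, None, None, True
            continue
        m = VALUE.match(line)  # comments, blanks and hex continuation lines fall through
        if m and key:
            yield key, m.group(1).strip('"').lower(), m.group(2), deleted

def uncovered_hits(search_text, fix_text):
    """Return the (key, value) search hits that the fix file would leave behind."""
    dead_keys, dead_values = set(), set()
    for key, name, data, key_deleted in parse_reg(fix_text):
        if key_deleted:
            dead_keys.add(key)
        elif data == "-":  # "name"=- deletes a single value
            dead_values.add((key, name))
    left = []
    for key, name, _, _ in parse_reg(search_text):
        gone = any(key == k or key.startswith(k + "\\") for k in dead_keys)
        if name is not None and not gone and (key, name) not in dead_values:
            left.append((key, name))
    return left
```

An empty list from `uncovered_hits` means every search hit is removed by the fix file, either as a deleted value or under a deleted key.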


Offline guestolo

So much cr*p, will re-install fix it all?
« Reply #39 on: June 05, 2005, 07:09:50 AM »
20 hours :blink:
I just ran it myself and it took about 45 minutes
I wouldn't want you running it again unless you first revisited Trend Micro's and redownloaded the latest pattern files and unzipped them to that folder you created on the desktop
As it's been updated
It appears it finished scanning your C: drive
At least I hope it did
You may choose to unplug your external drive before scanning :)
Also ensure that Norton's is disabled...

Could I have you
post a startup list from Hijackthis
Open Hijackthis>>Open Misc tools section
Put a check in "List all minor sections (full)"
and "List empty sections (Complete)"

Click the Generate startup list and post the whole list here, thanks
