To talk on Icrontic, just register!

It only takes 30 seconds.

Have an account? Sign in:

Forgot?

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

 
Reply to Discussion Options
fmueller
visit www.fmueller.com
fmueller
210 Posts
11 Jul 2006, 3:30am

My computer is a mess - please HELP!

OK, maybe about a year ago I had a major spyware and virus infestation on my machine. I downloaded a raft of anti-spyware and anti-virus software and tried to clean the mess up. I also contacted a guru in a similar forum as this one, and after a lot of hard work we cleaned the whole thing up - except for one pesky file that just would not go away but kept on changing names and cropped back up again. After a couple of weeks other things took priority over the computer trouble, and I gave up. Since I had that troublemaker on the machine anyhow, I never bothered keeping my virus and spyware protection up to date. Well, as you might expect things gradually deteriorated, and a few days ago things finally came to a grinding halt, forcing me to tackle the issue once again. I am hoping that this time up to date software will be able to fix that old problem as well as getting rid of any new bugs I might have caught - of which there seem to be many!

I have read many of the stickies in this forum, and have followed the instructions in 'Read Here First Before Posting A HijackThis Log!'.

Step 1: Clean out your temporary internet files and temp files

Done that.

Step 2: Scanning with Ad-Aware and SpyBot Search & Destroy

Done that.

Step 3: Scanning your computer for malware with online scans

Panda Active Scan:

Incident Status Location

Adware:Adware/ClkOptimizer Not disinfected c:\winnt\system32\yqrkwy.exe
Virus:Trojan Horse.AP3 Disinfected Operating system
Adware:Adware/ClkOptimizer Not disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe
Adware:adware/afaenhance Not disinfected c:\winnt\system\QBUninstaller.exe
Adware:adware/cws.searchmeup Not disinfected c:\winnt\system32\bose.ico
Spyware:spyware/safesurf Not disinfected c:\winnt\system32\InstallerV3.exe
Adware:adware/weirdontheweb Not disinfected C:\Documents and Settings\Frank Mueller\Favorites\WeirdOnTheWeb.url
Adware:adware/bookedspace Not disinfected c:\winnt\cfgmgr52.ini
Spyware:spyware/apropos Not disinfected c:\program files\Aprps
Adware:adware/pacimedia Not disinfected Windows Registry
Adware:adware/neededware Not disinfected Windows Registry
Adware:adware/novo Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/xplugin Not disinfected Windows Registry
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies-1.txt[.xiti.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.com.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.belnk.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[fe.lea.lycos.de/]
Spyware:Cookie/Netster Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[lb3.netster.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[server.iad.liveperson.net/hc/63152693]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Frank Mueller\Cookies\frank mueller@ad.yieldmanager[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Frank Mueller\Cookies\frank mueller@burstnet[2].txt
Adware:Adware/QoolAid Not disinfected C:\Documents and Settings\Frank Mueller\Local Settings\Temp\tm37254.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\CxtPls.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
Virus:Trojan Horse.AP3 Disinfected C:\WINNT\Downloaded Program Files\cskware.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINNT\system32\P2P Networking v124.cpl
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\WINNT\system32\psexec.exe
Adware:Adware/ClkOptimizer Not disinfected C:\WINNT\system32\qgbvp.dat
Bit Defender Scan:

BitDefender Online Scanner - Real Time Virus Report

Generated at: Mon, Jul 10, 2006 - 16:05:56

Scan Info

Scanned Files

152553

Infected Files

4

Virus Detected

Trojan.Downloader.Qoologic.AI

3

Trojan.Qoologic.24576.DLL

1

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.
Kaspersky Scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 10, 2006 9:17:05 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 3 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/07/2006
Kaspersky Anti-Virus database records: 193944
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 39598
Number of viruses found: 12
Number of infected objects: 52 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0002.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0003.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0004.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0005.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80000.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80001.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80002.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80003.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80004.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80005.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04680000.VBN.mwt Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04700001.VBN.mwt Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\047C0001.VBN.mwt Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05000000.VBN.mwt Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05340000.VBN.mwt Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\055C0000.VBN.mwt Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05A40000.VBN Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe Infected: Trojan-Downloader.Win32.Qoologic.ai skipped
C:\Documents and Settings\Frank Mueller\Application Data\Microsoft\Vorlagen\Normal.dot Object is locked skipped
C:\Documents and Settings\Frank Mueller\Application Data\Microsoft\Word\AutoRecovery save of Letter to Homini Ridge Lodge.asd Object is locked skipped
C:\Documents and Settings\Frank Mueller\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\History\History.IE5\MSHist012006071020060711\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\offA.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\offB.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\tm37254.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF32B4.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF34A2.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF65A5.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF65C2.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF9953.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~WRF2549.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~WRS2577.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Frank Mueller\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Aprps\ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\libexpat.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\ProxyStub.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\uninstaller.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\cxtpls_loader.exe Infected: Trojan-Downloader.Win32.Apropo.ae skipped
C:\WINNT\system32\kvdcfkk.exe Infected: Trojan-Downloader.Win32.Small.ctw skipped
C:\WINNT\system32\qspaeqq.dll Infected: Trojan-Downloader.Win32.Qoologic.bi skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
E:\Frank\Letter to Homini Ridge Lodge.doc Object is locked skipped
E:\Program Files\Microsoft Office\Office\Startup\PDFMaker.dot Object is locked skipped

Scan process completed.
Step 4: Getting a Firewall

It would seem to make more sense to do this after I get things a bit more under control, no?

Step 5: Getting an Anti-Virus program!

Same as 4?

Step 6: Protecting yourself with Windows Update

I am running Windows 2000 Professional and everything up to SP4 installed. I am reluctant to move to XP because I have lots of old harware installed (flatbed scanner, film scanner, laser printer, inkjet printer, etc) that might or might not be compatible.

Step 7: Downloading HijackThis and creating a log!

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:21:47 PM, on 10/07/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\csrss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
E:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\NavNT\rtvscan.exe
E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
E:\Program Files\LiquidView\lviewj.exe
E:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\System32\MsgSys.EXE
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\WorldTime\WorldTime.exe
C:\winnt\System32\wuauclt.exe
E:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kent.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LiquidView] E:\Program Files\LiquidView\lviewj.exe -nogui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\winnt\System32\yqrkwy.exe reg_run
O4 - HKCU\..\Run: [X-Cleaner Freeware] "E:\PROGRA~1\X-CLEA~1\XCLEAN~3.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: World Time.lnk = E:\Program Files\WorldTime\WorldTime.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
Step 8: Creating your thread

Voila!

I realize that the helpers here are all volunteers, and really appreciate your guy's efforts in helping others out. If it means anything to you, I do the same on various photography and aquaristic related forums, and if any of you need advice on photography (old manual focus SLRs all the way to modern DSLRs) or various types of cichlids, I'd be happy to return the favour

Also, I can guarantee you that this isn't a request by one of those paranoid folks who really have no problem with their computer, but get a kick out of having others look through HijackThis logs. This one here is going to be a real challenge, but as the old German saying goes: 'Viel Feind, Viel Ehr!'

Many thanks!

Frank
fmueller edited : 11 Jul 2006 at 3:42am .
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
11 Jul 2006, 12:12pm
Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
  1. Unzip all files to a convenient location such as C:\Qoofix.
  2. Go to the folder you unzipped all files and run Qoofix.exe.
  3. Click Begin Removal and wait for the scan to finish.
  4. If an infection has been found, select yes to restart your computer.

==

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a [color=blue]Done Scanning[/color\ message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX

Finally post a new HijackThis log, the contents of the Qoofix logfile and the contents of C:\Look2Me-Destroyer.txt.
__________________ Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster Browser settings for increased security.

If you think we have helped you, please consider using your computer for disease research - it's free and harmless, and it's a fun way to join our community. //(*_*)\\

DFI LanParty UT nF4 Ultra-D, Opteron 165 @ 2700, Zalman 9500LED, 2X512 OCZ PC4800 Platinum Elite, XFX 7900 GT Extreme @ 650/1600, VF900-cu, WD 250 Sata, Corsair HX 620, Thermaltake Xaser V5000D case,

fmueller
visit www.fmueller.com
fmueller
210 Posts
12 Jul 2006, 1:29am
Hi Crunchie, many thanks for taking on the challenge and special greetings to Oz. To my shame I have to admit that WA is the only state I have not been to, but my wife is a Kiwi and we used to live for about 4 years in Canberra before we moved to Ohio. We both have very fond memories of Oz.


One of my Sydney night shots

Anyhow, here the scan reports:

Qoofix

Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [11/07/2006] at [12:48:43 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [11/07/2006] at [12:51:42 PM]

Note: Some registry keys may have been removed.
Look2Me


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 11/07/2006 3:10:37 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 8:08:26 PM, on 11/07/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
E:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\NavNT\rtvscan.exe
E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
E:\Program Files\LiquidView\lviewj.exe
E:\Program Files\NavNT\vptray.exe
C:\winnt\System32\MsgSys.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\WorldTime\WorldTime.exe
C:\winnt\System32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Frank Mueller\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kent.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LiquidView] E:\Program Files\LiquidView\lviewj.exe -nogui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\winnt\System32\yqrkwy.exe reg_run
O4 - HKCU\..\Run: [X-Cleaner Freeware] "E:\PROGRA~1\X-CLEA~1\XCLEAN~3.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: World Time.lnk = E:\Program Files\WorldTime\WorldTime.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
Again, many thanks for your help!
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
12 Jul 2006, 11:23am
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\winnt\system32\yqrkwy.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe
c:\winnt\system\QBUninstaller.exe
c:\winnt\system32\bose.ico
c:\winnt\system32\InstallerV3.exe
C:\Documents and Settings\Frank Mueller\Favorites\WeirdOnTheWeb.url
c:\winnt\cfgmgr52.ini
C:\WINNT\Downloaded Program Files\cskware.exe
C:\WINNT\system32\P2P Networking v124.cpl
C:\WINNT\system32\psexec.exe
C:\WINNT\system32\qgbvp.dat
C:\WINNT\system32\cxtpls_loader.exe
C:\WINNT\system32\kvdcfkk.exe
C:\WINNT\system32\qspaeqq.dll

Folders to delete:
c:\program files\Aprps

Programs to launch on reboot:
C:\Documents and Settings\Frank Mueller\Desktop\HijackThis.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5.

==

Can you please do the following once rebooted;

Scan with HiJackThis, then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank

O4 - HKLM\..\Run: [winsync] C:\winnt\System32\yqrkwy.exe reg_run

O15 - Trusted Zone: http://www.neededware.com


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Reboot.


Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
fmueller
visit www.fmueller.com
fmueller
210 Posts
12 Jul 2006, 7:44pm
Avenger Report

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xp^ejpsb

*******************

Script file located at: \??\C:\Documents and Settings\xegotipd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\winnt\system32\yqrkwy.exe deleted successfully.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe deleted successfully.
File c:\winnt\system\QBUninstaller.exe deleted successfully.
File c:\winnt\system32\bose.ico deleted successfully.
File c:\winnt\system32\InstallerV3.exe deleted successfully.
File C:\Documents and Settings\Frank Mueller\Favorites\WeirdOnTheWeb.url deleted successfully.
File c:\winnt\cfgmgr52.ini deleted successfully.


File C:\WINNT\Downloaded Program Files\cskware.exe not found!
Deletion of file C:\WINNT\Downloaded Program Files\cskware.exe failed!

Could not process line:
C:\WINNT\Downloaded Program Files\cskware.exe
Status: 0xc0000034

File C:\WINNT\system32\P2P Networking v124.cpl deleted successfully.
File C:\WINNT\system32\psexec.exe deleted successfully.
File C:\WINNT\system32\qgbvp.dat deleted successfully.
File C:\WINNT\system32\cxtpls_loader.exe deleted successfully.
File C:\WINNT\system32\kvdcfkk.exe deleted successfully.
File C:\WINNT\system32\qspaeqq.dll deleted successfully.
Folder c:\program files\Aprps deleted successfully.
Program C:\Documents and Settings\Frank Mueller\Desktop\HijackThis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

HiJackThis Report

Logfile of HijackThis v1.99.1
Scan saved at 2:07:48 PM, on 12/07/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
E:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\NavNT\rtvscan.exe
E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\winnt\System32\MsgSys.EXE
C:\winnt\System32\wuauclt.exe
E:\Program Files\LiquidView\lviewj.exe
E:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\WorldTime\WorldTime.exe
C:\Documents and Settings\Frank Mueller\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kent.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LiquidView] E:\Program Files\LiquidView\lviewj.exe -nogui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [X-Cleaner Freeware] "E:\PROGRA~1\X-CLEA~1\XCLEAN~3.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: World Time.lnk = E:\Program Files\WorldTime\WorldTime.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.filesharingaccess.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
Many thanks!

Frank
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
12 Jul 2006, 10:03pm
Can you please do the following.

===============

We'll need to unload Spybot's Teatimer before we begin. To do this can you start Spybot and go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit". Do not forget to re-enable it when we are done .

===============

Scan with HiJackThis, then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
fmueller
visit www.fmueller.com
fmueller
210 Posts
13 Jul 2006, 12:29am
Spybot Teatimer

I was about to doubt my sanity when I eventually worked out that I had to be in the 'advanced mode' of Spybot before I can even see the tools menu

HiJackThis Report

Logfile of HijackThis v1.99.1
Scan saved at 7:22:07 PM, on 12/07/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
E:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\NavNT\rtvscan.exe
E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\MsgSys.EXE
E:\Program Files\LiquidView\lviewj.exe
E:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\WorldTime\WorldTime.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kent.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LiquidView] E:\Program Files\LiquidView\lviewj.exe -nogui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [X-Cleaner Freeware] "E:\PROGRA~1\X-CLEA~1\XCLEAN~3.EXE" -turbo -autostart -NOREBOOT
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: World Time.lnk = E:\Program Files\WorldTime\WorldTime.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.filesharingaccess.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
Please let me know how your pc is now.

Well, it sure runs a lot better than before we started - many thanks! - but Windows Media Player still autostarts after each reboot and displays some advertising garbage, which indicates that no all is clear quite yet. Also, the machine takes unusually long to shut down, and displays 'saving settings' for what seems like forever. The latter could be due to lack of space on the C: partition of my harddrive though, which is the next problem I'll have to tackle.
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
13 Jul 2006, 10:36am
Log looks clear now . WMP could just need uninstalling then reinstalling.
Perhaps 1st you should get service pack 4 for W2K. That may well fix up what problems you are still having.
fmueller
visit www.fmueller.com
fmueller
210 Posts
13 Jul 2006, 4:38pm
Log looks clear now.

That's a relief. Many thanks! Your help is really very much appreciated!

WMP could just need uninstalling then reinstalling.
Perhaps 1st you should get service pack 4 for W2K. That may well fix up what problems you are still having.

Hmm, I was under the impression that I had SP4 already, and recently did one of those automatic Windows updates. However, I can see that HiJackThis detects only SP3. When I go into the control panel, add/remove programs, it looks like a mess:



Is it supposed to look that way or what's going on?

Frank
fmueller edited : 13 Jul 2006 at 7:04pm .
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
13 Jul 2006, 9:55pm
Looks about like it did when I had W2K . XP hides all those Hotfixes.
http://www.microsoft.com/windows2000...4/default.mspx
fmueller
visit www.fmueller.com
fmueller
210 Posts
17 Jul 2006, 4:52pm
Hi Crunchie,

I just wated to say thanks for all your help! This forum is awesome!

As recommended by you and in the sticky thread I was following, I have installed SP4 and replaced my old anti-virus/spayware software with a combination of Zone Alarm, AVG and Ewido. I also uninstalled then reinstalled WMP9, but unfortunately it began autostarting after each boot as soon as I re-installed 9. Not a big issue though.

Currently I am working on re-partitioning my drive with help of the good guys in the storage forum (http://www.short-media.com/forum/sho...d.php?t=48125).

Already my machine is running better than it has been in years!
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
17 Jul 2006, 10:12pm
No worries at all . Glad to be able to help.

==

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ewido anti-malware, Ad-Aware SE and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.
fmueller
visit www.fmueller.com
fmueller
210 Posts
19 Jul 2006, 6:14am
# If WMP is launching at the start-up of your system, this is likely because 3rd party trojan spamware has infected your system. "iedll.exe" for some reasons registers WMP to launch on system start-up - possibly to cover it's own tracks? Regardless, get and run the (free) LavaSoft AdAware anti-spyware software (or SpyBot anti-spy software, or the dedicated CoolWebSearch/iedll.exe killer program), which will clean up iedll.exe. Then you will want to go to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" in regedit.exe. There you will likely find a value name entitled "loader" (OR MAYBE SOMETHING ELSE - malicious software did this to your machine, so they try to hide themselves). If this has the data value pointing to wmplayer.exe, delete this registry value. If AFTER CLEANING YOUR SYSTEM OF SPYWARE you still are having this problem, you should be able to use MSConfig to figure out where WMP is being loaded at, and turn it off.
I found this at: http://www.zachd.com/pss/pss.html (WMP9, question 13). It seems to deal directly with my WMP problem, but I have no idea how 'to use MSConfig to figure out where WMP is being loaded at, and turn it off'.
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
19 Jul 2006, 10:24am
Go to the Start button then the Run button. Type in 'msconfig' without the quotes and hit the ok button. Go to the Startup Tab and you should find WMP there. Uncheck the box to the left and then ok out.
When you reboot you will get a popup window saying that you are in selective startup. Tick the box and click ok.
Done.
fmueller
visit www.fmueller.com
fmueller
210 Posts
19 Jul 2006, 2:43pm
Quoting Crunchie
Go to the Start button then the Run button. Type in 'msconfig' without the quotes and hit the ok button.
When I do this, I get an error message: "Cannot find the file 'msconfig' (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

So I went ahead and did a search for msconfig in Windows Explorer. It appears to be on the desktop. Surely that's not the place where a system file like this would usually be

Quoting Crunchie
Go to the Startup Tab and you should find WMP there.
Not really. Here is what the Startup Tab looks like:



This Trojan messed up my machine pretty good, and I am starting to worry that there are still parts of it on there
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
19 Jul 2006, 2:48pm
Forgot that W2K doesn't come with msconfig. Download the following and we will see if an auto startup appears on the list;

Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

I am off to bed now, but I will take a quick look before I leave for work in about 7 hours time .
fmueller
visit www.fmueller.com
fmueller
210 Posts
19 Jul 2006, 5:50pm
Hi Crunchie,

Many thanks for your continued assistance!

Here is the Silent Runners report:


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LiquidView" = "E:\Program Files\LiquidView\lviewj.exe -nogui" ["Portrait Displays, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" [file not found]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {HKLM...CLSID} = "NetFerret Find Menu Extension"
\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{49707377-6974-6368-2E4A-756E6F644A01}" = "WS_FTP Pro Explorer"
-> {HKLM...CLSID} = "WS_FTP Pro Explorer"
\InProcServer32\(Default) = "E:\Program Files\WS_FTP Pro\ftpproex.dll" ["Ipswitch, Inc. 81 Hartwell Ave, Lexington MA"]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {HKLM...CLSID} = "oshdlr.ShellHandler"
\InProcServer32\(Default) = "E:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "E:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Desktop\Frontosa.jpg"


Startup items in "Frank Mueller" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]
"World Time" -> shortcut to: "E:\Program Files\WorldTime\WorldTime.exe" ["pawprint.net"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\winnt\nsdb"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "E:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\winnt\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
EPSON V3 2KMonitor311\Driver = "E_SL2311.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 8 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 45 seconds)

Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
19 Jul 2006, 10:10pm
Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click the file to run it and when asked if you want to merge with your registry, answer yes.
Reboot when done and post another silent runners log. Let me know if wmp still starts at startup.

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.
Attached Files
File Type: zip fixme.zip (219 Bytes, 1 views)
fmueller
visit www.fmueller.com
fmueller
210 Posts
19 Jul 2006, 11:22pm
Quoting Crunchie
Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click the file to run it and when asked if you want to merge with your registry, answer yes.
Reboot when done and post another silent runners log. Let me know if wmp still starts at startup.
Done that and wmp still starts at startup.

Silent Runners report:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LiquidView" = "E:\Program Files\LiquidView\lviewj.exe -nogui" ["Portrait Displays, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" [file not found]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {HKLM...CLSID} = "NetFerret Find Menu Extension"
\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{49707377-6974-6368-2E4A-756E6F644A01}" = "WS_FTP Pro Explorer"
-> {HKLM...CLSID} = "WS_FTP Pro Explorer"
\InProcServer32\(Default) = "E:\Program Files\WS_FTP Pro\ftpproex.dll" ["Ipswitch, Inc. 81 Hartwell Ave, Lexington MA"]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {HKLM...CLSID} = "oshdlr.ShellHandler"
\InProcServer32\(Default) = "E:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "E:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Desktop\Frontosa.jpg"


Startup items in "Frank Mueller" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]
"World Time" -> shortcut to: "E:\Program Files\WorldTime\WorldTime.exe" ["pawprint.net"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\winnt\nsdb"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "E:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\winnt\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
EPSON V3 2KMonitor311\Driver = "E_SL2311.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 8 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 45 seconds)
Quoting Crunchie
Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.
When I click on 'Restore Microsoft's Original Host File' I get an error message: ERROR: Cannot create file C:\winnt\system32\DRIVERS\ETC\hosts

I've never had a custom host file - or at least not unless the spyware created it.
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
20 Jul 2006, 10:43am
Did you have each and every Internet Explorer window closed? If not, you must do so first. The reason I suspect that it is open is because both entries that were meant to be removed are still present in the log.
You can also try this in safe mode.
fmueller
visit www.fmueller.com
fmueller
210 Posts
20 Jul 2006, 4:37pm
Quoting Crunchie
Did you have each and every Internet Explorer window closed? If not, you must do so first. The reason I suspect that it is open is because both entries that were meant to be removed are still present in the log.
All browser windows were definetely closed when I performed the recommended actions. BTW - I am using Firefox and sometimes Opera, almost never Internet Explorer, in case that matters.

Quoting Crunchie
You can also try this in safe mode.
OK, I just 1. booted the computer in safe mode, 2. ran fixme.rag, 3. ran Hoster.exe (received no error message this time), 4. ran Silent Runners.vbs,

Silent Runners report:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LiquidView" = "E:\Program Files\LiquidView\lviewj.exe -nogui" ["Portrait Displays, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" [file not found]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {HKLM...CLSID} = "NetFerret Find Menu Extension"
\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{49707377-6974-6368-2E4A-756E6F644A01}" = "WS_FTP Pro Explorer"
-> {HKLM...CLSID} = "WS_FTP Pro Explorer"
\InProcServer32\(Default) = "E:\Program Files\WS_FTP Pro\ftpproex.dll" ["Ipswitch, Inc. 81 Hartwell Ave, Lexington MA"]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {HKLM...CLSID} = "oshdlr.ShellHandler"
\InProcServer32\(Default) = "E:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "E:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Desktop\Frontosa.jpg"


Startup items in "Frank Mueller" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]
"World Time" -> shortcut to: "E:\Program Files\WorldTime\WorldTime.exe" ["pawprint.net"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\winnt\nsdb"


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "E:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Logical Disk Manager Administrative Service, dmadmin, "C:\winnt\System32\dmadmin.exe /com" ["VERITAS Software Corp."]
Network DDE DSDM, NetDDEdsdm, "C:\winnt\system32\netdde.exe" [MS]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\winnt\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
EPSON V3 2KMonitor311\Driver = "E_SL2311.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 43 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 92 seconds)

5. rebooted the machine into standard mode, 6. ran Silent Runners.vbs again.

Silent Runners report:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LiquidView" = "E:\Program Files\LiquidView\lviewj.exe -nogui" ["Portrait Displays, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" [file not found]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {HKLM...CLSID} = "NetFerret Find Menu Extension"
\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{49707377-6974-6368-2E4A-756E6F644A01}" = "WS_FTP Pro Explorer"
-> {HKLM...CLSID} = "WS_FTP Pro Explorer"
\InProcServer32\(Default) = "E:\Program Files\WS_FTP Pro\ftpproex.dll" ["Ipswitch, Inc. 81 Hartwell Ave, Lexington MA"]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {HKLM...CLSID} = "oshdlr.ShellHandler"
\InProcServer32\(Default) = "E:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "E:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Desktop\Frontosa.jpg"


Startup items in "Frank Mueller" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]
"World Time" -> shortcut to: "E:\Program Files\WorldTime\WorldTime.exe" ["pawprint.net"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\winnt\nsdb"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "E:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\winnt\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
EPSON V3 2KMonitor311\Driver = "E_SL2311.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 35 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 75 seconds)
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
20 Jul 2006, 10:07pm
It is possible that Ewido is preventing the fix from happening. Uninstall Ewido and try the foxme.reg again please ans see if these entries still exist after rebooting;

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\ {++}

"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]

If they do and you are comfortable with fiddling in the registry, navigate to the ...\Run key and delete those two entries.

If you cannot delete them there is still something else we can do.
fmueller
visit www.fmueller.com
fmueller
210 Posts
21 Jul 2006, 5:08pm
Hi Crunchie,

I think we managed to solve that problem! Getting rid of Ewido didn't help, and I was initially unsure how exactly to delete the two entries from the registry. Eventually, while looking for something else, I discovered that I had a program called Registrar Lite on my machine, which made things pretty easy. I deleted both entries, and they have not come back after a reboot. A new Silent Runners log is at the end of this post. Many thanks!

Let me ask you two more questions:

1. Ewido does not seem to be starting up automatically after a reboot, or at least there is no corresponding icon in the system tray unless I manually start it up. What's the easiest way to ensure it autostarts?

2. Windows currently can't see my DVD-RW drive. It's a NEC ND-1300A. Sorry, I only noticed this now since I very rarely use the thing, but wanted to make a system backup before re-partitioning my drive. I suspect this might have come about as part of the virus cleanup or when I installed SP4.

NEC says about the thing (http://www.de.nec.de/print_faq.php?id=1341):

The NEC CD/ DVD Burners are ATAPI-devices, there is no need for
special drivers when using operating systems like Linux, MacOS or
Windows 9x/ME/NT/2000 and XP, because the drivers are already
embedded there.

If a DvD burningsoftware does not recognize the drive as a
CD/ DvD-Burner or demands a driver, all you need to do is
to update this software, pls. contact in this case manufacturer
of burningsoftware for updates.
The problem is, however, that not only a particular burningsoftware does not see the thing, but Windows explorer does not see the drive either, and I can't even play an audio CD in it.

I used the add/remove hardware wizard to uninstall the thing, and windows immediately found and reinstalled it upon reboot, but the problems persist.

Any suggestions what I could do?


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LiquidView" = "E:\Program Files\LiquidView\lviewj.exe -nogui" ["Portrait Displays, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" [file not found]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {HKLM...CLSID} = "NetFerret Find Menu Extension"
\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{49707377-6974-6368-2E4A-756E6F644A01}" = "WS_FTP Pro Explorer"
-> {HKLM...CLSID} = "WS_FTP Pro Explorer"
\InProcServer32\(Default) = "E:\Program Files\WS_FTP Pro\ftpproex.dll" ["Ipswitch, Inc. 81 Hartwell Ave, Lexington MA"]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
-> {HKLM...CLSID} = "oshdlr.ShellHandler"
\InProcServer32\(Default) = "E:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "E:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Desktop\Frontosa.jpg"


Startup items in "Frank Mueller" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]
"World Time" -> shortcut to: "E:\Program Files\WorldTime\WorldTime.exe" ["pawprint.net"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 3
%SystemRoot%\system32\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\winnt\nsdb"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "E:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\winnt\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
EPSON V3 2KMonitor311\Driver = "E_SL2311.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 51 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 99 seconds)
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
23 Jul 2006, 11:55am
Ewido is only a 14 day trial, after which, you lose the auto update and real-life protection. It will still manually update and remove malware.
Try the advice given here http://www.networkclue.com/os/Windows/commands/sfc.aspx to see if that repairs any corrupted files.
The SR log looks clear now. Dows WMP still auto start?
fmueller
visit www.fmueller.com
fmueller
210 Posts
23 Jul 2006, 4:17pm
Hi Crunchie,

I didn't know about the Ewido 14 day trial period. Thanks for pointing that out!

WMP does no longer autostart since I manually deleted those two entries in the registry. Sorry if my earlier post was a little unclear about that.

Following your advice regarding the SFC might prove difficult - ie if I need to insert the Windows CD I am stuck, because currently I don't have a CD drive

I have a feeling that I need to move quickly on backing up my system and attempting a re-partitioning of my drive, because after all the messing around I have only 50MB left on the C-drive, which is horribly fragmented. Processes are slowing down badly despite the absence of viruses and spyware, and I am pretty certain that's caused by this drive being too full and in a mess.

Greetings

Frank
Crunchie
Veteran Icrontian
Crunchie
2,542 Posts
23 Jul 2006, 10:14pm
I'm really not sure what else you can do, other than try another optical drive and see if that one gets recognised. Try also posting in the hardware forum here where there are ppl more cluey than I in these matters .
Similar Threads
Thread Thread Starter Forum Replies Last Post
Tech support nightmare roland_dmp General Banter 5 13 Feb 2006 10:48pm
scvhost is using 100% of CPU.... HELP edelbrock Resolved / Inactive 8 21 Dec 2005 3:25am
NEED HELP REMOVING HOME SEARCH ASSISTANT (piojis76) piojis76 Resolved / Inactive 28 27 Jul 2005 10:26am
Computer Mess - Need Help basspunk336 Resolved / Inactive 1 27 Sep 2004 8:25pm

Go Back   Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Reload this Page My computer is a mess - please HELP!
Jump to
This Thread Search this Thread
Search this Thread:

Advanced Search

Today's Posts - Mark All Read - Contact Us - Icrontic.com - Archive - Top

Current time: 5:33pm (GMT)
Powered by vBulletin®
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Get Vanilla instead. Trust me.