
When I restart, it's back!

Hi, I'm really at my wits' end. All my computer seems to be doing is whirring, by that I mean full speed, sounds like a train, especially when performing a scan or something requiring more CPU usage.

It's been infected for 2-3 months now but unbearable over the past 2 weeks, as previously it was mostly only when connected to the net.

I have Kaspersky and thought I'd solved it after a scan, as it was perfect for a couple of days until I restarted it & it was back. Now no amount of scans will do any good, nor anything you guys suggest before submitting a HJT log. Nobody seems to know what it is or how to remove it & scans say nothing detected?

It's pretty bad just sitting at it but impossible to get any work done. I'm really desperate, and have tried countless hours recently with no success. Here's my HJT log. Any help greatly appreciated. Oh, and 1 of Kaspersky's reports of a ps.psyme.cz trojan, but that was only the other day!

Logfile of HijackThis v1.99.1
Scan saved at 00:34:23, on 17/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\SOUNDMAN.EXE
C:\WINDOWS.0\system32\igfxtray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\ALANJO~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Orange
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.0\system32\igfxtray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS.0\system32\regscan.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{E478468A-33D4-4A80-847F-B70CCE020228}: NameServer = 193.36.79.101 193.36.79.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS.0\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS.0\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Comments

  • DanGDanG I AM CANADIAN Icrontian
    edited March 2007
    Have you scanned in safe mode with system restore turned off?
  • edited March 2007
    No, just closed any programs that were running. Should I have done it in safe mode?
  • edited March 2007
    bump
  • edited March 2007
    Hello Adam,

    • Please go to Jotti's malware scan
    • Copy and paste the following file path C:\WINDOWS.0\system32\regscan.exe
      into the box on the top of the page:
    • Click on the submit button
    • Please post the results in your next reply.

    Also

    Download ComboScan to your Desktop.
    • Close all applications and windows.
    • Double-click on comboscan.exe to run it, and follow the prompts.
    • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
    Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)
    Post the Comboscan.txt from the Comboscan into your next reply.
  • edited March 2007
    Thanks for replying oldguy2, your time is appreciated. I carried out the combo scan, results attached, but the Jotti's page scan told me a firewall or malware was blocking the upload, but when I disable firewall the connection just times out as the malware opens loads of connections and swamps the system. :mad2:

    Kind regards, Adam

    P.S. My homepage has also changed to Wanadoo and I can't change it back as the option has been disabled!
  • edited March 2007
    Could you post for me please the primary log? It will be found in
    C:\ComboScan <-- folder. Please post it here for me please.
  • edited March 2007
    ComboScan v20070306.20 run by Alan Jones on 2007-03-21 at 02:05:19
    Computer is in Normal Mode.
    -- System Restore
    Successfully created ComboScan Restore Point.

    -- Last 5 Restore Point(s) --
    107: 2007-03-21 02:05:22 UTC - RP298 - ComboScan Restore Point
    106: 2007-03-19 00:49:28 UTC - RP297 - Software Distribution Service 2.0
    105: 2007-03-17 22:03:07 UTC - RP296 - System Checkpoint
    104: 2007-03-16 21:29:47 UTC - RP295 - Installed Ad-Aware SE Personal
    103: 2007-03-16 18:56:02 UTC - RP294 - System Checkpoint

    -- First Restore Point --
    1: 2006-12-28 13:47:49 UTC - RP190 - Restore Operation

    Performed disk cleanup.

    -- HijackThis (run as Alan Jones.exe)
    Logfile of HijackThis v1.99.1
    Scan saved at 02:05:32, on 21/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\SOUNDMAN.EXE
    C:\WINDOWS.0\system32\igfxtray.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Documents and Settings\Alan Jones\Desktop\comboscan.exe
    C:\DOCUME~1\ALANJO~1\Desktop\Alan Jones.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Orange
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.0\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS.0\system32\regscan.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E478468A-33D4-4A80-847F-B70CCE020228}: NameServer = 193.36.79.101 193.36.79.100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS.0\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS.0\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    -- HijackThis Fixed Entries (C:\DOCUME~1\ALANJO~1\Desktop\backups\)
    backup-20070319-014345-949 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    -- File Associations
    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS.0\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1"
    .scr - scrfile - "%1" /S
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    3R alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - C:\WINDOWS.0\system32\drivers\alcan5wn.sys
    3R alcaudsl (SpeedTouch ADSL Modem ATM Transport) - C:\WINDOWS.0\system32\drivers\alcaudsl.sys
    3R ALCXSENS (Service for WDM 3D Audio Driver) - C:\WINDOWS.0\system32\drivers\ALCXSENS.SYS
    3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS.0\system32\drivers\ALCXWDM.SYS
    1S AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (not found)
    1R Avg7Core (AVG7 Kernel) - C:\WINDOWS.0\system32\drivers\avg7core.sys
    1R Avg7RsW (AVG7 Wrap Driver) - C:\WINDOWS.0\system32\drivers\avg7rsw.sys
    1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINDOWS.0\system32\drivers\avg7rsxp.sys
    1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS.0\system32\drivers\AvgAsCln.sys
    1R AvgClean (AVG7 Clean Driver) - C:\WINDOWS.0\system32\drivers\avgclean.sys
    2R AvgTdi (AVG Network Redirector) - C:\WINDOWS.0\system32\drivers\avgtdi.sys
    3R bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - C:\WINDOWS.0\system32\drivers\bcm4sbxp.sys
    3R HidUsb (Microsoft HID Class Driver) - C:\WINDOWS.0\system32\drivers\hidusb.sys
    2R HPOPAR05 - C:\WINDOWS.0\system32\drivers\HPOPAR05.SYS
    3R ialm - C:\WINDOWS.0\system32\drivers\ialmnt5.sys
    1S InCDRm (InCD Reader) - C:\WINDOWS.0\system32\drivers\InCDRm.sys (not found)
    1R intelppm (Intel Processor Driver) - C:\WINDOWS.0\system32\drivers\intelppm.sys
    0R kl1 - C:\WINDOWS.0\system32\drivers\kl1.sys
    1R klif - C:\WINDOWS.0\system32\drivers\klif.sys
    3R mouhid (Mouse HID Driver) - C:\WINDOWS.0\system32\drivers\mouhid.sys
    3S SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - C:\WINDOWS.0\system32\drivers\SONYPVU1.SYS
    3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS.0\system32\drivers\usbehci.sys
    3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS.0\system32\drivers\USBSTOR.SYS
    1R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS.0\system32\drivers\ws2ifsl.sys
    3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS.0\system32\drivers\WudfPf.sys
    3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS.0\system32\drivers\WudfRd.sys
    3S ZDNDIS5 (ZDNDIS5 Protocol Driver) - C:\WINDOWS.0\system32\ZDNDIS5.sys
    3R {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver) - C:\WINDOWS.0\system32\drivers\ialmsbw.sys
    3R {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver) - C:\WINDOWS.0\system32\drivers\ialmkchw.sys

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
    3S aspnet_state (ASP.NET State Service) - C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    4S AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    2R AVGEMS (AVG E-mail Scanner) - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    2R AVP (Kaspersky Internet Security 6.0) - "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r
    3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
    3S usnsvc (Messenger Sharing USN Journal Reader service) - C:\WINDOWS.0\system32\svchost.exe -k usnsvc

    -- Files created between 2007-02-21 and 2007-03-21
    2007-03-20 02:47:41 4960 --a
    C:\WINDOWS.0\system32\drivers\avgtdi.sys
    2007-03-20 02:47:41 19392 --a
    C:\WINDOWS.0\system32\drivers\avgmfx86.sys
    2007-03-20 02:47:41 3968 --a
    C:\WINDOWS.0\system32\drivers\avgclean.sys
    2007-03-20 02:47:39 27776 --a
    C:\WINDOWS.0\system32\drivers\avg7rsxp.sys
    2007-03-20 02:47:39 4224 --a
    C:\WINDOWS.0\system32\drivers\avg7rsw.sys
    2007-03-20 02:47:37 775680 --a
    C:\WINDOWS.0\system32\drivers\avg7core.sys
    2007-03-20 02:47:35 0 d
    C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Grisoft
    2007-03-20 02:47:35 0 d
    C:\Documents and Settings\All Users.WINDOWS.0\Application Data\avg7
    2007-03-16 23:10:30 0 d
    C:\WINDOWS.0\BDOSCAN8
    2007-03-16 22:20:24 0 d
    C:\Program Files\SpywareBlaster<SPYWAR~1>
    2007-03-16 21:29:56 0 d
    C:\Documents and Settings\Alan Jones\Application Data\Lavasoft
    2007-03-11 13:11:18 0 d
    C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Google
    2007-03-08 08:49:32 0 d
    C:\Program Files\MegaSquirt<MEGASQ~1>
    2007-02-26 19:03:30 0 d
    C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy<SPYBOT~1>
    2007-02-23 21:05:35 0 d
    C:\Documents and Settings\Alan Jones\Temp
    2007-02-23 21:05:21 0 d
    C:\Documents and Settings\Administrator.ALAN-7903520305\Temp

    -- Find3M Report
    2007-02-26 17:42:42 1756 --a
    C:\WINDOWS.0\system32\tmp.reg
    2007-02-19 21:59:26 0 d
    C:\Program Files\MFInstall<MFINST~1>
    2007-02-12 23:29:18 18768 --a
    C:\Documents and Settings\Alan Jones\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
    2007-02-12 00:29:20 0 d
    C:\Documents and Settings\Alan Jones\Application Data\GetRightToGo<GETRIG~1>
    2007-02-09 08:40:32 0 d
    C:\Program Files\Kaspersky Lab<KASPER~1>
    2007-02-06 16:46:42 0 d
    C:\Program Files\Common Files\xing shared<XINGSH~1>
    2007-02-05 00:53:28 0 d
    C:\Documents and Settings\Alan Jones\Application Data\Player Orange<PLAYER~1>
    2007-02-05 00:53:24 0 d
    C:\Program Files\Orange
    2007-02-04 21:16:28 0 d
    C:\Program Files\Real
    2007-02-04 21:16:28 0 d
    C:\Program Files\Common Files\Real
    2007-02-04 21:14:40 0 d
    C:\Documents and Settings\Alan Jones\Application Data\Real
    2007-01-29 23:04:00 200768 --a
    C:\WINDOWS.0\system32\klogon.dll
    2007-01-29 08:58:06 60416
    n--- C:\WINDOWS.0\system32\tzchange.exe

    -- Registry Dump

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "STManager"="\"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe\" -b"
    "Regscan"="C:\\WINDOWS.0\\system32\\regscan.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "IgfxTray"="C:\\WINDOWS.0\\system32\\igfxtray.exe"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    Usnsvc REG_MULTI_SZ usnsvc\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    -- End of ComboScan: finished at 2007-03-21 at 02:05:55
  • edited March 2007
    Make sure you can view all Hidden Files/Folders.

    Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS.0\system32\regscan.exe
    O20 - Winlogon Notify: klogon - C:\WINDOWS.0\

    Next Reboot into SAFE MODE
    Search for and delete the File highlighted in BOLD

    C:\WINDOWS.0\system32\regscan.exe


    Restart your computer and post back a fresh HJT log please.
  • edited March 2007
    All hidden files and folders are showing & can't find regscan.exe in safe mode.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:24:15, on 24/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\Documents and Settings\Alan Jones\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Orange
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    F2 - REG:system.ini: Shell=
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.0\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS.0\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    Kind Regards- Adam
  • edited March 2007
    Looks like you ran the fresh scan with HJT in safe mode. Please be sure you're in normal mode, run HJT, save the log and post it back here for me please.
  • edited March 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 17:53:43, on 25/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS.0\SOUNDMAN.EXE
    C:\WINDOWS.0\system32\igfxtray.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Documents and Settings\Alan Jones\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Orange
    F2 - REG:system.ini: Shell=
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.0\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E478468A-33D4-4A80-847F-B70CCE020228}: NameServer = 193.36.79.101 193.36.79.100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS.0\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  • edited March 2007
    Looks clean now. How is it running?

    You appear to have 2 antivirus programs running, Kaspersky and AVG. This is not a good idea, as it will use up valuable resources and actually will cause conflicts between the 2.
    Please provide me with an uninstall list:


    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • You can click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into this topic please.


    P.S. My homepage has also changed to Wanadoo and I can't change it back as the option has been disabled!

    Have HJT fix the following line, reboot your computer and try to change your homepage now:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
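
The before/after comparison behind "Looks clean now", as an added example that is not part of the thread: a small Python parser for HijackThis result lines that diffs two logs and checks that every entry on the fix list is gone. The log text is excerpted from the 21/03 and 25/03 logs and the fix list posted above; the function names are this example's own.

```python
import re
from typing import NamedTuple

# HijackThis result lines have the shape "<code> - <body>", for example
# "O4 - HKCU\..\Run: [name] path". Header lines and the "Running processes"
# paths carry no such prefix and are skipped by the pattern.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


class Entry(NamedTuple):
    code: str  # section code: R0, R3, F2, O4, O20, O23, ...
    body: str  # everything after "<code> - "


def parse_hjt(log: str) -> list[Entry]:
    """Extract the result entries from a pasted HijackThis log."""
    return [Entry(m.group(1), m.group(2))
            for m in map(ENTRY_RE.match, log.splitlines()) if m]


def _key(entry: Entry) -> tuple[str, str]:
    # Registry paths and file names are case-insensitive on Windows and forum
    # pastes vary in spacing, so compare a folded, whitespace-collapsed form.
    return entry.code, " ".join(entry.body.split()).casefold()


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Return (entries only in `before`, entries only in `after`)."""
    b = {_key(e): e for e in parse_hjt(before)}
    a = {_key(e): e for e in parse_hjt(after)}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added


def still_present(fix_list: str, log: str) -> list[Entry]:
    """Entries from the helper's fix list that a later log still shows."""
    present = {_key(e) for e in parse_hjt(log)}
    return [e for e in parse_hjt(fix_list) if _key(e) in present]


def truncated_targets(entries: list[Entry]) -> list[Entry]:
    """Entries whose target ends in a backslash, i.e. names a folder and no file."""
    return [e for e in entries if e.body.endswith("\\")]


# Excerpt of the 21/03/2007 log from the thread (normal mode, before the fix).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS.0\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS.0\system32\regscan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: igfxcui - C:\WINDOWS.0\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS.0\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
"""

# Excerpt of the 25/03/2007 log from the thread (normal mode, after the fix).
AFTER = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS.0\system32\svchost.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: igfxcui - C:\WINDOWS.0\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
"""

# The lines the helper asked to have fixed, as posted in the thread.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS.0\system32\regscan.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS.0\
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for e in removed:
        print("removed:", e.code, "-", e.body)
    for e in added:
        print("added:  ", e.code, "-", e.body)
    print("fix-list entries still present:", still_present(FIX_LIST, AFTER))
    print("folder-only targets before fix:", truncated_targets(parse_hjt(BEFORE)))
```

An entry disappearing from the log shows that the autostart reference is gone, not that the file it pointed to was deleted or that the machine is otherwise healthy.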
  • edited March 2007
    It's still running poorly. The only reason two antiviruses were running is because I was having to disable most of Kaspersky, i.e. hacker and proactive defence, to get on Internet Explorer, as it either wouldn't run or would run really slow.

    If I go into the hacker options in Kaspersky and view the open connections I am told there are sometimes up to 500 active connections. Is this normal?

    Uninstall list:

    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0.8
    AVG 7.5
    CliffNet Wizard Pro
    Dr SpeedTouch
    eMule
    HijackThis 1.99.1
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Intel(R) Extreme Graphics 2 Driver
    Kaspersky Internet Security 6.0
    Kaspersky Internet Security 6.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Media Content
    Microsoft Office XP Pro Step by Step Interactive
    Microsoft Office XP Professional
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Nero 7 Demo
    PowerDVD
    RealPlayer
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    SpeedTouch USB Software
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    uninstall
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    Viewpoint Media Player
    WinAce Archiver
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
  • edited March 2007
    Let's go with an online scan so we can see if anything is hiding on us.

    Please do an online scan with Kaspersky WebScanner.

    Click on Kaspersky Online Scanner.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available, otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK.
    • Now under "select a target to scan", select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

      • edited March 2007
        KASPERSKY ONLINE SCANNER REPORT Monday, March 26, 2007 6:05:32 AM
        Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
        Kaspersky Online Scanner version: 5.0.83.0
        Kaspersky Anti-Virus database last update: 26/03/2007
        Kaspersky Anti-Virus database records: 285792
        Scan Settings
        Scan using the following antivirus database: extended
        Scan Archives: true
        Scan Mail Bases: true
        Scan Target: My Computer
        A:\
        C:\
        D:\
        Scan Statistics
        Total number of scanned objects: 81877
        Number of viruses found: 0
        Number of infected objects: 0 / 0
        Number of suspicious objects: 0
        Duration of the scan process: 01:00:00
        Scan process completed.
      • edited March 2007
        That is showing you're clean.
        I see you have eMule on the system. If you have it open and running, it could explain the activity.
      • edited March 2007
        OK, I don't know whether this is significant, but looking at the HijackThis log it only shows 1 svchost process, but when I open the Task Manager there are 5 or 6 showing.

        Also, my internet connects automatically but doesn't register any connection. What I mean is, when I go into my network connections it shows all 3 are disconnected. When I open IE, in the left-hand corner it says "detecting proxy settings".

        I haven't been able to use eMule for a while now. When I press connect I get the message 'a fatal error has occurred, your internet may not be connected', although the function of IE seems to be normal when I'm using it.

        Kind Regards
        Adam
      • edited March 2007
        OK, I don't know whether this is significant, but looking at the HijackThis log it only shows 1 svchost process, but when I open the Task Manager there are 5 or 6 showing.
        That's not uncommon.

        Let me ask around a bit on this. I'm not seeing malware in your log.
      • edited March 2007
        I have someone looking into your issue with me, as I don't see any malware running. It's possibly a hardware problem.



        Have HJT fix the following line, reboot, and post back a fresh HJT log:

        F2 - REG:system.ini: Shell=


