Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Another Aurora / Nail / Revenue Direct Victim
MaccDuff
Warrior


Joined: 17 Jun 2005
Last Visit: 23 Sep 2013
Posts: 66
Location: USA

PostPosted: Fri Jun 17, 2005 5:08 pm    Post subject: Another Aurora / Nail / Revenue Direct Victim

My daughter brought home her laptop from college full of all kinds of crap. She had let her McAfee protections lapse. This was bad enough, then little brother apparently visited some poker site(s) and unleashed Aurora / Nail. I've been hitting it with everything possible: Norton AV, Ad-Aware, AdwareAlert (bye bye $29.90), Spy Sweeper, & SpyBot. I've been in the registry to the extent I dare. I even followed some advice on a spyware blog and edited the dreaded nail.exe, filling much of it with trash and corrupting it so that it can't run on Windows XP boot-up. I was reluctant to visit the @$$h0|e$ at www.revenue-direct.com responsible for this and use their uninstall utility because it itself downloads more cr@p. The pop-ups seem to have diminished, but her system is still running like a dog. This makes troubleshooting even more irritating.

Here is my HijackThis log file. I'm fairly computer savvy, which makes not being able to zap this all the more galling. Help would be greatly appreciated and would certainly result in a contribution to Spyware Warrior. (Maybe I can get my money back from AdwareAlert and forward it.)

Logfile of HijackThis v1.99.1
Scan saved at 8:46:40 PM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Amanda\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
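The log above is the whole case: the F2 line shows a second program chained onto the Winlogon Shell value (the reason Nail.exe came back on every boot), and two O4 autorun entries carry machine-generated names with bare executables and no directory. The following triage helper is an added example, not code from the forum or from the HijackThis tool; it parses lines in that format, flags those two patterns, and diffs two logs so you can confirm what a cleanup actually removed. The sample lines are constructed from the format shown here with paths shortened, and the "random name" heuristic is an assumption of this example, not a HijackThis rule.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Flags the Shell= hijack in the F2 section and odd-looking O4 autorun entries,
then diffs two logs to confirm what a cleanup actually removed."""
import re
from dataclasses import dataclass

# Constructed sample lines modeled on the log format above (paths shortened).
LOG_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe
O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
# Constructed follow-up log: same machine after the F2 entry was removed.
LOG_AFTER = LOG_BEFORE.replace(
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe" + "\n", "")


@dataclass(frozen=True)
class Entry:
    section: str   # "F2", "O4", "O2", ...
    name: str      # autorun value name ("Shell" for F2), "" where none applies
    command: str   # the path or command the entry launches
    raw: str       # the original line, used for diffing


O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<cmd>.*)$")
# Assumed heuristic: at least one digit, one lowercase and one uppercase letter,
# nothing but alphanumerics, six or more characters. "Apoint" and "AGRSMMSG"
# do not match; "7s5Q34W" and "MBu4RQaFe" do.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")


def parse_log(text):
    """Turn the report lines into Entry objects; unknown sections are kept raw."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        m = O4_RE.match(line)
        if m:
            entries.append(Entry(section, m["name"], m["cmd"], line))
            continue
        m = F2_RE.match(line)
        if m:
            entries.append(Entry(section, "Shell", m["cmd"], line))
            continue
        entries.append(Entry(section, "", line.split(" - ", 1)[-1], line))
    return entries


def shell_hijack(entries):
    """Return every program chained onto the Shell value besides Explorer.exe.

    A clean XP install has Shell=Explorer.exe and nothing else; anything extra
    there is started at every logon. Paths containing spaces would be split
    here, which is acceptable for a first-pass triage list."""
    extras = []
    for e in entries:
        if e.section == "F2" and e.name == "Shell":
            extras.extend(p for p in e.command.split() if p.lower() != "explorer.exe")
    return extras


def suspicious_autoruns(entries):
    """Return O4 value names that look machine-generated AND launch a bare
    executable with no directory. Requiring both keeps OEM entries such as
    [AGRSMMSG] AGRSMMSG.exe off the list."""
    flagged = []
    for e in entries:
        if e.section != "O4":
            continue
        bare = "\\" not in e.command.strip('"')
        if bare and RANDOM_NAME.match(e.name):
            flagged.append(e.name)
    return flagged


def diff_logs(before_text, after_text):
    """(removed, added) lines between two scans: the check that a cleanup
    removed what you believe it removed, and added nothing new."""
    before = {e.raw for e in parse_log(before_text)}
    after = {e.raw for e in parse_log(after_text)}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    entries = parse_log(LOG_BEFORE)
    print("Shell hijack extras:", shell_hijack(entries))
    print("Suspicious autoruns:", suspicious_autoruns(entries))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed since last scan:", removed)
    print("Added since last scan:", added)
```

Run it on the two real logs in this thread by reading them from files instead of the constructed strings; the diff is what tells you that the F2 line disappeared between the first and second post while both random-named O4 entries were still there.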
MaccDuff
Warrior


Joined: 17 Jun 2005
Last Visit: 23 Sep 2013
Posts: 66
Location: USA

PostPosted: Sat Jun 18, 2005 7:46 am    Post subject:

I've been hammering and hammering at this. Things have improved. Maybe corrupting the Nail.exe file as I did was the ticket. It seems to have kept it from running while I cleaned up. No more windows\nail.exe. I'm still working a PowerCinema boot warning problem and some Windows update ones. (When I go to windowsupdate.microsoft.com the page is blank and nothing happens.)

Here is the latest HijackThis log. Expert input would be greatly appreciated to see if I have indeed eliminated all the cr@p. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:19:47 AM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Documents and Settings\Amanda\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Thu Jun 23, 2005 4:59 pm    Post subject:

Hi and welcome

Sorry for the delay... hopefully you are still around?

AdwareAlert: you might want to get your money back on that one...
See this page:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Looks like you got rid of most of the crap. Still a few things to do tho...

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

You may need to manually update the definitions which you can get here:

http://www.ewido.net/en/download/updates/

Boot computer to safe mode

Then please run Ewido, and run a full scan. Save the logfile from the scan. Please allow it to fix what it finds.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
MaccDuff
Warrior


Joined: 17 Jun 2005
Last Visit: 23 Sep 2013
Posts: 66
Location: USA

PostPosted: Tue Jun 28, 2005 7:25 pm    Post subject: Nailing Nail & Friends

Blender,

Thanks for checking in. I thought I was okay, but came back just to check. I downloaded ewido and started the scan in safe mode. Dang! That is one long scan. Particularly the time it kept going after it reached 100%. Then I got a Security Suite error and it ended. Apparently no log file was created. I'll try again.

Yeah, the AdwareAlert may have been a waste. They were helpful though when I pointed out that they didn't zap nail.exe. Money back? Hah!

Look for something tomorrow. Thanks for your help.

MaccDuff
MaccDuff
Warrior


Joined: 17 Jun 2005
Last Visit: 23 Sep 2013
Posts: 66
Location: USA

PostPosted: Wed Jun 29, 2005 3:48 pm    Post subject: ewido and Current HijackThis Logs

Blender,

Here they are. ewido still took a long time but found some stuff. Computer seems to be running slower, particularly on start-up. I may have too many anti-whatever programs running, looking for updates. Here's the ewido log, followed by the HijackThis log. Please advise if I'm out of the woods yet. (Although I uninstalled WeatherBug, some components linger.) Thanks!

MaccDuff

P.S. I may have suffered some collateral damage in the spyware battle, including incomplete XP updates, a PowerCinema problem (reported on each boot), no access to Dell ServiceCenter, and an inoperative Search function in Windows Explorer.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:14:34 AM, 6/29/2005
+ Report-Checksum: F2AAD0CB

+ Date of database: 6/28/2005
+ Version of scan engine: v3.0

+ Duration: 468 min
+ Scanned Files: 114905
+ Speed: 4.09 Files/Second
+ Infected files: 23
+ Removed files: 23
+ Files put in quarantine: 23
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0016940.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0016941.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0016950.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0016952.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP216\A0016953.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017044.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017053.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017054.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017055.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017064.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017067.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0017068.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017160.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017169.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017170.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017171.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017180.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017182.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0017183.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP219\A0017201.exe -> Spyware.DelphinMediaViewer -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP219\A0017228.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0017259.exe -> Spyware.DelphinMediaViewer -> Cleaned with backup
C:\WINDOWS\SYSTEM32\dist001.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup


::Report End

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:23:30 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Security Stuff\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
MaccDuff
Warrior


Joined: 17 Jun 2005
Last Visit: 23 Sep 2013
Posts: 66
Location: USA

Posted: Tue Jul 05, 2005 2:55 pm    Post subject: Is there anyone out there?

Hello, Spyware Warriors! Blender, are you there? I realize that Aurora probably has you swamped, but I'd like to know if I'm done. The computer in question has apparently suffered some collateral damage (boot errors, missing Explorer features, updates that won't take, etc.) and I'm considering reinstalling XP - which I really don't want to. System Restore may have been a casualty.

Let me know if I'm okay. Thanks.
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

Posted: Wed Jul 06, 2005 6:47 am

Hi

Sorry for missing you... Apparently I lost or accidentally deleted some email! Embarassed

Your last log still shows some nasties...since they change names I will need to see a new log please.

I would also like to see a startup list:

Start HijackThis
"open misc tools section"
Beside "generate startup list log" check both:

List also minor sections
List empty sections

Hit "generate startup list log" and OK.

Post results.

Thanks! Smile

I'll try not to lose ya this time Smile
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you, please consider a donation. Thank you.
MaccDuff
Warrior


Joined: 17 Jun 2005
Last Visit: 23 Sep 2013
Posts: 66
Location: USA

Posted: Wed Jul 06, 2005 4:03 pm

Blender,

Thanks for checking back. Smile I suspected I might still have some problems, although I attributed them to collateral damage from my attempts to fix this problem. Below are a current HijackThis log and a StartupList log (a long one). Hope I haven't done anything permanent. Think I've been this close to reinstalling/repairing XP and starting over. I did install SP2 and a few things cleared up. Among the other curious behaviors are the following:

I get a PowerCinema from Dell bootup error every time. Four chat sessions with Dell haven't solved it. They referred me to their phone help.

After installing SP2, System Restore now works. However, I can only restore points saved after the SP2 install. In hindsight, maybe I should have tried a restore when all this began.

The Search function of Windows Explorer tells me it's missing a file. At least after I installed SP2 I now get the little dog.

Two pending XP updates won't take: GDI+ Detection Tool and Windows Malicious SW Removal Tool. Perhaps a nasty is preventing download of something that would kill it? Eh?

I also reloaded various Dell installation CDs, mainly to target the PowerCinema error. No effect that I can see.

Maybe these will help characterize the problem, maybe not. A computer guru friend said they were evidence the registry had been messed with. Mad Sure seems like it.

Let me know what you see and find. I'll be here. I WILL NOT GIVE UP!

MaccDuff


Logfile of HijackThis v1.99.1
Scan saved at 7:42:04 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Security Stuff\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120089459453
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

StartupList report, 7/6/2005, 7:43:44 PM
StartupList version: 1.52.2
Started from : C:\Security Stuff\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Security Stuff\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Amanda\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SiS Windows KeyHook = C:\WINDOWS\System32\keyhook.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
PSof1 = C:\WINDOWS\System32\PSof1.exe
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
iPod USB Service = iPODService.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
DVDSentry = C:\WINDOWS\System32\DSentry.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Apoint = C:\Program Files\Apoint\Apoint.exe
AGRSMMSG = AGRSMMSG.exe
7s5Q34W = dmdman.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

iPod USB Service = iPODService.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
Sonic RecordNow! =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MBu4RQaFe = debio800.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[fe7b1e46-5d94-479c-99f2-b74bacb234b8] *
StubPath = C:\WINDOWS\System32\ocdrnqn.exe

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Amanda.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1118890163197

[LSSupCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll
CODEBASE = https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

[LocalExec Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LOCALE~1.OCX
CODEBASE = http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

[Microsoft Data Collection Control]
InProcServer32 = C:\WINDOWS\System32\odc.dll
CODEBASE = https://support.microsoft.com/OAS/ActiveX/odc.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120089459453

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[TLIEFlashObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TLIEFlashCtrlU.dll
CODEBASE = https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/asa/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

IPv6 Helper Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Intel AGP Bus Filter: \SystemRoot\System32\DRIVERS\agp440.sys (disabled)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Alps Touch Pad Filter Driver for Windows 2000/XP: System32\DRIVERS\Apfiltr.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Dell Wireless WLAN Card Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.7: System32\DRIVERS\mdc8021x.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050629.008\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050629.008\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)
SAVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (manual start)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20050610.011\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: System32\DRIVERS\tcpip6.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WLTRYSVC: %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

ndbc.exe = C:\WINDOWS\system\ndbc.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 41,196 bytes
Report generated in 0.250 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Thu Jul 07, 2005 11:29 am

    Hi

    Glad you are not giving up! Might take a bit of investigation...but we can fix all this! Smile

    Question.....(s)

    What exactly is the error you are getting with PowerCinema?

    Are you told what file is missing when you attempt to use "search"?


    First I'd like to kill off the bad files.

    Copy the following text to a new Notepad file.
    Save as file name remove.reg
    As file types all files
    Save it to the desktop but don't run it yet.

    Code:
    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]


    Update your Ewido
    Many suggest to uninstall the background guard.
    You can do that from main ewido window.
    Likely requires a reboot.
    After the 14 day trial is up...background guard is not gonna work anyway.
    Manual updates/scan/clean still work tho...


    Download Pocket Killbox from here:

    http://www.downloads.subratam.org/KillBox.zip
    Unzip it to a convenient location

    Open killbox.exe
    Checkmark the "delete on reboot" option

    Copy the following list to your clipboard:

    C:\WINDOWS\system\ndbc.exe
    C:\Windows\system32\debio800.exe
    C:\Windows\system32\dmdman.exe
    C:\WINDOWS\System32\PSof1.exe
    C:\Windows\System32\ksgvet.exe


    In the killbox window click the 'file' menu and choose "paste from clipboard"

    Hit the red button with white X
    Yes to delete files
    NO to pending operations prompt.

    Reboot computer to Safe mode.

    Run remove.reg
    Yes to the merge prompt.

    Start hijackthis and check:

    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
    O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)


    Close all windows cept hijack> click "fix checked"

    Exit hijack

    Find and delete if found:

    C:\Program files\AWS <--folder

    Empty out your Temp files, Temporary internet files including offline content.
    Empty out recycle bin.

    Run new scan with Ewido and save log if you can.

    Reboot to normal windows and post new hijackthis log please along with Ewido.

    Thanks! Smile
    _________________
    Never give up!
    Former Microsoft MVP Windows-Security 2005-2009

    If we have helped you please consider a donation Thank You
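The entries blender picks out above can be spotted mechanically. This is an added example (my own code, not from the thread, HijackThis or StartupList): it parses HijackThis O4 lines and the StartupList "Autorun entries from Registry" sections, and flags value names that look generated, Run commands that are a bare executable with no path, and anything sitting under a policies\Explorer\Run key. The regexes, heuristics and function names are assumptions of mine; the sample lines are copied from the logs in this thread plus one constructed benign entry.

```python
"""Triage HijackThis O4 lines and StartupList autorun sections.

Added example, not part of HijackThis, StartupList or this thread.  It flags
what the helper picked out of the log: generated-looking O4 value names
(7s5Q34W, MBu4RQaFe), Run commands that are a bare .exe with no path, and
any value under a policies\\Explorer\\Run key.  Entries that need outside
knowledge (PSof1, WeatherBug) are not caught; treat output as a starting point."""
import re

# HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
AUTORUN_HDR = "Autorun entries from Registry:"   # StartupList section header
SECTION_SEP = "-----"                           # StartupList section divider
POLICY_RUN = re.compile(r"\\policies\\Explorer\\Run$", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """A single token that contains a digit and switches between digit, upper
    and lower case at least four times (7s5Q34W does, PSof1 does not)."""
    if " " in name or not any(c.isdigit() for c in name):
        return False
    classes = ["d" if c.isdigit() else "U" if c.isupper() else "l" if c.islower() else "o"
               for c in name]
    return sum(a != b for a, b in zip(classes, classes[1:])) >= 4


def is_bare_exe(cmd: str) -> bool:
    """A Run value naming an .exe with no directory is resolved through the
    search path, which hides where the file actually lives."""
    cmd = cmd.strip().strip('"')
    return "\\" not in cmd and cmd.lower().endswith(".exe")


def triage_o4(lines):
    """Return (line, reasons) for every suspicious O4 line; others are ignored."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if looks_random(m["name"]):
            reasons.append("random-looking value name")
        if is_bare_exe(m["cmd"]):
            reasons.append("bare executable, no path")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def triage_startuplist_autoruns(lines):
    """Walk each 'Autorun entries from Registry' section of a StartupList report
    and return (entry, reasons) for every value under a policies\\Explorer\\Run key."""
    findings = []
    it = iter(l.strip() for l in lines)
    for line in it:
        if line != AUTORUN_HDR:
            continue
        key = next(it, "")                  # the registry key follows the header
        if not POLICY_RUN.search(key):
            continue
        for entry in it:                    # values run until the next divider
            if entry.startswith(SECTION_SEP):
                break
            if entry and not entry.startswith("*"):   # "*Registry key not found*"
                findings.append((entry, [f"value under {key}"]))
    return findings


# O4 lines copied from the HijackThis log in this thread, plus one constructed
# benign entry (NvCplDaemon) for contrast.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe",
    r"O4 - HKLM\..\Run: [7s5Q34W] dmdman.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1",
    r"O4 - HKCU\..\Run: [MBu4RQaFe] debio800.exe",
]
# The two autorun sections from the StartupList report in this thread.
SAMPLE_STARTUPLIST = r"""
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

ndbc.exe = C:\WINDOWS\system\ndbc.exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*
--------------------------------------------------
""".splitlines()


def run_sample():
    """Findings for the embedded sample: (O4 findings, autorun findings)."""
    return triage_o4(SAMPLE_O4), triage_startuplist_autoruns(SAMPLE_STARTUPLIST)


if __name__ == "__main__":
    o4, autoruns = run_sample()
    for entry, reasons in o4 + autoruns:
        print(f"{entry}\n    -> {'; '.join(reasons)}")
```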
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Thu Jul 07, 2005 11:32 am

    And you thought that was it?...lol

    I just saw what looks like troj. qoologic in your startup log...

    Yep...more logs!

    Both these scanners take a while...count on at least 15 min each!

    Download FindQoologic-Narrator.zip save it to your Desktop.
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981

    Extract (unzip) the files inside into their own folder called FindQoologic.
    Open the FindQoologic folder. Preferably on your desktop.


    Download RKFiles.zip

    http://skads.org/special/rkfiles.zip

    Create a new folder c:\Antispyware\RKFiles
    Extract the contents of RKFiles.zip into the new folder you just created.



    Restart to safe mode.

    Open the C:\Antispyware\RKFiles folder
    Double click on RKFILES.BAT

    Give it time to run. This may take a while.
    Save the text file it creates.
    It should save by default to C:\Log.txt

    Locate and double-click the Find-Qoologic.bat in the folder you created for it.

    When it has finished it will open a text file.




    Restart into regular Windows mode and post the contents of C:\log.txt and the find-qoologic results.

    Thanks! Smile
    _________________
    Never give up!
    Former Microsoft MVP Windows-Security 2005-2009

    If we have helped you please consider a donation Thank You
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Thu Jul 07, 2005 2:54 pm    Post subject: Blender - Latest Post

    Blender,

    You posted two responses back to back. It doesn't look like the 2nd applies to me. Does it? Anyway, I'm going to get to work on the details of the preceding one, which does appear directed to me. In the meantime, let me answer the two questions.

    1. On bootup, a dialog box pops up saying "PowerCinema Resident Program for Dell ... has encountered problems. Please tell Microsoft about this error." There is an option to send Microsoft an error report, as well as to see what it contains. Selecting either opens another dialog box either to send the message or give more info on the error. It lists the location of the text file with the error. I have the box itself captured in a screen shot as well as the text file itself.

    2. No file is specified. The dialog box is titled "Error" and simply has a line saying "A file that is required to run Search Companion cannot be found. You may need to run setup." Windows Explorer seems to take longer than it should to open.

    Hope this helps. I'm on the other stuff. Stand by. Cool
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Thu Jul 07, 2005 5:53 pm    Post subject: Killbox Copy Problem

    Blender,

    I followed your instructions. I did not have access to www.downloads.subratam.org, so I downloaded KillBox from www.bleepingcomputer.com. I copied the names of the files of interest from your message into the clipboard (copy buffer). But when I used the "Paste from Clipboard" option in KillBox nothing happened. Nothing appeared in the Full Path of File to Delete box, so pressing the red "kill" button gives an error that I haven't specified a file. I can Paste in the now-yellow File box, but only the first file name (ndbc.exe) appears.

    Let me know what to do, O shredder of spyware. Thanks. Sad
    MaccDuff
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Thu Jul 07, 2005 6:15 pm

    Hi

    Yes...the second post is also for you as well.
    I see indication of trojan qoologic in your startup list.
    I didn't see that till I had already posted.

    Those file names I listed...
    Go ahead and paste them one at a time into killbox.
    Hit red button for each one
    Yes to "backup & delete file at reboot"
    NO to the reboot prompt

    Once done pasting all the files in, reboot manually to Safe mode.
    Carry on with rest of instructions.

    **If any of those files are not present...killbox will tell you. Just ok prompt and carry on with next file.

    Thanks! Smile
    _________________
    Never give up!
    Former Microsoft MVP Windows-Security 2005-2009

    If we have helped you please consider a donation Thank You
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Thu Jul 07, 2005 7:02 pm    Post subject: I'll Get On It!

    I get it, paste one at a time. Seems weird to have a feature like "Paste from Clipboard" when you can right-click then Paste. I figured "Paste from Clipboard" was just a way to add multiple files in one operation.

    Look for an update tomorrow. Again, many thanks. You're saving me here. Applause
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Fri Jul 08, 2005 8:55 am

    Hi

    Normally the "paste from clipboard" works fine...exactly what that "paste from clipboard" is for. Works nice when there are a ton of files.

    Couple possible reasons it is not.

    Either some of the files in the list don't exist, or malware is preventing copying the entire list.
    Some of the malwares target killbox and try to intercept the "pending operations" which is why I have you saying NO at the pending operations prompt and then reboot manually. Kinda tricking it...Smile

    I'm leaning towards files not present...I just tried it with a short list of bogus files and got the same error with the yellow box.
    By doing one at a time...kb will tell you if file present or not.

    I work long shifts this weekend so it may take a bit for me to get back to you...Will get back asap. Smile

    Blender
    MaccDuff
    Warrior

    PostPosted: Fri Jul 08, 2005 10:05 am    Post subject: On the Road to Recovery (I Hope)

    Here's what happened. I'm including minor details that may or may not be significant.

    I pasted the five files of interest individually into the KillBox window. The option presented was not "Backup and Delete file at Reboot" but rather "All listed files will be deleted." I don't think I got a "Pending Operations prompt". After each file load into KillBox, it prompted me to reboot. After the last file, I clicked "Yes" to reboot. I got a warning/error dialog box from KillBox saying "PendingFileRename Operations Registry Data has been removed by External Process!" Hope that's KillBox doing its thing and not something else thwarting it. Brick wall

    I then rebooted in Safe Mode and ran "remove.reg" (double-clicked) and responded affirmatively to its prompt. I then ran HijackThis, selected the files of interest, then "Fix Checked".

    Interestingly, I see file of interest related to the Dell PowerCinema boot error listed in the Hijack log. It is pcmservice.exe. This file is identified upon selecting the Show More Info option on the error dialog box.

    Deleted the AWS folder, cleared recycle bin and temporary internet files including offline content. Is there something else to "emptying temp files"? There seem to be a lot of things in randomly named subfolders under a Documents and Settings\...\temp folder.

    Running Ewido . . . Taking a long time now that there are restore points to check. It found nothing. (Oops, where's that log file? Thought I saved it, but can't find it.) Anyway, it found nothing. Below is the HijackThis log. Looks like those nasties you ID'ed are gone.

    I'll continue with the actions you recommended in your other message. I'll probably be out of touch for a week or so, but no one will be using the computer in question. When I get back, I'll let you know what happened. Please post any other info that may help.

    Again (and again), many many thanks. Smile


    Logfile of HijackThis v1.99.1
    Scan saved at 1:47:09 PM, on 7/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\SYSTEM32\sistray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Security Stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120089459453
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    MaccDuff
    Warrior

    PostPosted: Fri Jul 08, 2005 10:11 am    Post subject: Targeting KillBox

    Blender,

    I didn't see your latest until I had posted myself. Yes, it appears that malware may have targeted KillBox itself and interfered with the "pending operations". Hence the error message. I rebooted from KillBox and not manually; didn't know I should have done differently. Embarassed

    Understand about working late shifts. Whatever you can do, when you do it, is appreciated.

    Is there an easier way to find my posts than by scrolling through the pages? If I'm gone for a week and you post a reply sometime in the interim, that might be a lot of searching. Thanks.

    MaccDuff
    MaccDuff
    Warrior

    PostPosted: Fri Jul 08, 2005 10:18 am    Post subject: Qoologic Missing

    And one more . . .

    When I went to your Qoologic link I got the following:

    findqoologic is no longer available, use an alternative such as scanning with a current updated version of Ewido While in safe mode please.

    I just did that, so I should be okay. Should I proceed with the other, rkfiles.zip actions?
    MaccDuff
    Warrior

    PostPosted: Fri Jul 08, 2005 11:03 am    Post subject: And Yet Another

    Here're the results from the RKFiles activity (log.txt). I didn't run in Safe mode or have Qoologic available (as noted), but I figured it couldn't hurt especially since I won't be around for a week.

    Yes, I had noted that System Defrag didn't work when I tried it a few days ago.

    MaccDuff prayer

    C:\Antispyware

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    ------------------------
    C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

    Files Found in all users startup Folder............
    ------------------------
    Files Found in all users windows Folder............
    ------------------------
    Finished
    bye
    blender
    Site Admin

    PostPosted: Fri Jul 08, 2005 4:34 pm    Post subject:

    Hi

    Your turn to post back 2 back... Razz

    Your Hijack log looks ok. The only thing I would uninstall is viewpoint in add/remove.
    Many regard it as spyware
    It also installs without your knowledge when installing AOL/AIM.

    Reboot to complete uninstall.

    ************

    Ewido has been doing well on detecting/cleaning qoologic. That entry I saw in your startup looks like a leftover registry entry.

    They must have just taken down that find-qoologic app.

    Your RKfiles log is fine.

    *************

    Finding your posts...

    Upper right corner of this page is "search"
    In "author" type your forum name
    Hit enter.

    Your posts list will come up.
    Choose the newest one. (usually listed first)

    You can also go into your profile and checkmark to "send email notification of replies"
    You will get email when someone replies to you. Link in email takes you right to the reply.

    ***********

    This error with killbox:

    "PendingFileRename Operations Registry Data has been removed by External Process!"

    Fair number of malwares do that in attempt to stop bad files from being removed.
    Most cases just rebooting manually like you did works.

    ************

    Temp files....

    Since you unhid all your files including protected ones...you will see a lot of odd looking stuff.
    When we know all is well for sure...we'll hide em again.

    You can check under all the user names in the documents and settings folder and empty out all the temps & temporary internet files folders.
    There will be folders called:

    Administrator
    Your name
    Default User
    Network Service
    All Users
    Local Service.

    Shouldn't be much under any of them except yours.

    *********

    PowerCinema...

    Other than that error at bootup...app seems to run ok?

    I've been looking for more info on that file...seems that nobody knows whether it is needed or not.
    Lets disable it with hijack and see what happens. We can always put it back if we bust something.

    Have hijack fix the following and reboot:

    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

    If this is still in your log after uninstall viewpoint you can check it to fix too:

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    Reboot when done and see if that nagging error is gone.

    *****

    Search companion, system restore, etc...

    Try this:

    Click start> run> type regsvr32 jscript.dll and hit enter.
    You should get some kind of success message.
    Click start> run> type regsvr32 vbscript.dll and hit enter.
    Should get success message.

    Reboot computer and try search, system restore, Help & support, windows update.

    LMK if they all work.

    If those commands gave error...please tell me what they were.

    Thanks! Smile

    Have a good week! Smile
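How the "delete at reboot" that KillBox queues actually works, and what the "removed by External Process" warning above is detecting, as an added example that is not KillBox's code and not part of the original thread. Delay-until-reboot deletions (the MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism) are stored in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as (source, destination) string pairs; an empty destination means delete. The session manager processes that list early in the next boot, so malware that clears the value before the reboot cancels every queued deletion. The functions below encode and decode that format and check whether a requested deletion is still queued; all sample paths are constructed and nothing here touches the live registry.

```python
"""Encode and decode PendingFileRenameOperations, the value that "delete at
reboot" tools such as KillBox queue their work in.

Added example, not KillBox's code and not from the thread. The value sits
at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager and is a
REG_MULTI_SZ of (source, destination) pairs: sources carry the NT \\??\\
prefix, an empty destination means delete, and a destination starting
with "!" replaces an existing file. Anything that clears the value before
the reboot cancels every queued deletion. All paths below are constructed.
"""
NT_PREFIX = "\\??\\"


def _strip_nt(path):
    """Drop the "!" flag and the NT \\??\\ prefix, giving a plain Win32 path."""
    if path.startswith("!"):
        path = path[1:]
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending(ops):
    """Build the raw REG_MULTI_SZ bytes for (source, dest) operations.

    dest of None or "" queues a delete; any other dest queues a rename.
    Each string is NUL-terminated and the list ends with one more NUL.
    """
    strings = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        strings.append("" if not dst else NT_PREFIX + dst)
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_pending(blob):
    """Turn the raw value back into a list of {source, action, dest} dicts."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]            # list terminator
    parts = text.split("\0")[:-1]   # every string ends in NUL, so drop the tail
    if len(parts) % 2:
        raise ValueError("odd number of strings: truncated or corrupt value")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        ops.append({
            "source": _strip_nt(src),
            "action": "delete" if dst == "" else "rename",
            "dest": None if dst == "" else _strip_nt(dst),
        })
    return ops


def still_queued(blob, paths):
    """Which of the requested deletions are still scheduled in this value."""
    queued = {op["source"].lower() for op in decode_pending(blob)
              if op["action"] == "delete"}
    return [p for p in paths if p.lower() in queued]
```

Reading the value with decode_pending immediately before the reboot, and again from the offline SYSTEM hive afterwards, tells you whether the queued deletions were wiped (an empty or two-NUL value decodes to no operations) and is the check KillBox performs when it raises that warning.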
    MaccDuff
    Warrior

    PostPosted: Sat Jul 16, 2005 5:25 pm    Post subject: Many Returns

    Blender,

    I'm back and followed up on a few of the things you noted. I uninstalled Viewpoint. Interesting, as I was about to, it gave me a popup-type window. I had never seen ViewPoint before, but it's gone now.

    I used Disk Cleanup to clear out the temp files. However, Disk Defrag still doesn't work. It complains about C:\Windows\System32\DFRG.MSC, although this file exists.

    I'm not sure what PowerCinema is supposed to do. It's probably part of the PowerDVD player. When I run pcmservice.exe, I get the same error as on bootup. There's another file in the same folder pcm2.exe that gives a similar error. Guess I need to call Dell.

    Ran the two regsvr dlls you recommended. Both were successful, but Search companion still doesn't work. Same generic complaint about a file missing.

    Many thanks for your help. Applause I think the spyware itself is dead, although these other glitches may be collateral damage. Think
    blender
    Site Admin

    PostPosted: Tue Jul 19, 2005 1:09 pm    Post subject:

    Hi

    Try this for search companion:

    Click start> run> type C:\Windows\inf and hit enter.

    Locate srchasst.inf

    Right click it & choose install

    You will likely be prompted for your xp cd...
    Instead of using that...direct it to:

    C:\Windows\ServicePackFiles\i386

    It will likely require reboot. Go ahead and restart.

    See if its fixed.

    *****Defrag

    Try this:

    Open a cmd prompt and type the following commands:

    cd \windows\system32
    regsvr32 dfrgsnap.dll
    regsvr32 dfrgui.dll


    Should get success for both.
    Reboot & try defrag...if still no go...

    Try this:

    Start> run> C:\Windows\inf
    Locate the file called dfrg.inf
    Right click it> choose install

    If prompted for xp cd...direct it to:

    C:\Windows\ServicePackFiles\i386

    Likely need reboot. Go ahead and restart.
    Try defrag.
    MaccDuff
    Warrior

    PostPosted: Tue Jul 19, 2005 5:45 pm    Post subject: Still Working on It

    Blender,

    I followed your advice on Search companion. After wanting msgr3en.dll (which I vectored it to), the operation also wanted nls302en.lex. Since I can't Search I couldn't look for it, but I had my XP CD and I managed to locate it there. Despite all that, the fix didn't work.

    Nor did either of the Defrag recommendations. I got success on both of first two regsvr's, but there was no change. When I tried to install dfrg.inf, nothing happened; I wasn't even prompted for any files. The error I get points to C:\Windows\System32\DFRG.MSC. It says either the file isn't there (it is), it's not an MMC console, it was created by a later version of MMC, or I don't have privilege. Running defrag.exe in the same folder gives the same error.

    Any other ideas, O spyware seer? Think

    On a brighter note, the PowerCinema boot error seems to have stopped. I finally called Dell Support about this (as directed by their chat folks). Since they considered this a SW error and I only have HW maintenance, they said it would cost $59 for a one-time support charge to troubleshoot it. Mad I just wanted them to tell me what the thing was and what it did so I could gauge what would happen if I zapped it. He directed me to Google around and see what I could find. Big help, Dell. Shame on you Not sure how or why it disappeared, but it seems gone.

    I've been considering whether it would be worth it to do a reinstall/repair of XP. What might I lose if I did so? Hopefully it would fix Search, Defrag, and any other system type functions. What do you think? Confused

    As always, 1000 thanks.

    MaccDuff
    blender
    Site Admin

    PostPosted: Wed Jul 20, 2005 5:58 pm    Post subject:

    Hi

    I believe the power cinema bootup error is gone cus we disabled it with hijackthis....basically told it to not start at bootup.
    Unless you were playing around disabling/re-enabling it and still getting errors?

    I'm pretty sure the error would return if you were to restore this item in Hijackthis: (Hijackthis> misc tools> backups)

    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

    ************

    If you do a repair install of xp...you will lose all your updates. Some programs may not work correctly till you re-install the updates including sp2.

    I recommend you back up your IE Favorites folder & your "my documents" folder, as well as your contact list from OE if you use it.
    I believe repair replaces those folders with fresh empty ones.
    Your other data *should remain untouched. As a precaution....back up your important stuff (burn to cd preferably)

    I wonder....Before we do repair...

    Are you able to access mmc at all?

    Can you run any of these from the run box?

    services.msc
    eventvwr.msc
    gpedit.msc


    Any of those give errors?

    Can you open anything in admin tools from control panel?

    How about start> "help & support"....open to blank page or error?

    control panel> user accounts. Blank page?

    windows update is ok and System restore is ok altho you no longer can access any updates prior to sp2 install....correct?

    Windows media player work ok? Error when starting it?

    I'd like to see some reg info please...

    copy the following text to a new notepad file
    Save as file name export.bat
    As file types all files
    Save it to the desktop.

    Code:
    rem Export the three JScript engine CLSID keys for posting.
    rem Each echo seeds the output file with a marker line; regedit /e then
    rem overwrites that file only if the key exists, so a marker that survives
    rem into look.txt means the key is missing. /a writes the REGEDIT4 (ANSI)
    rem format, which pastes cleanly into a forum post.
    echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58} > ok1.txt
    regedit /e /a ok1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

    echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58} > ok2.txt
    regedit /e /a ok2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"

    echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58} > ok3.txt
    regedit /e /a ok3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"

    rem Join the three exports into one file, remove the parts, show the result.
    copy ok1.txt + ok2.txt + ok3.txt look.txt
    del ok1.txt ok2.txt ok3.txt

    start notepad look.txt


    Once saved...double click it and post results of the log that pops up.

    thanks Smile
    MaccDuff
    Warrior

    PostPosted: Fri Jul 22, 2005 4:43 pm    Post subject: Never Giving Up!

    Blender,

    Glad your motto is "Never give up!" Were I you, I think I might have given up a while back.

    Here are the answers:

    None of the three .msc files run from the run box. The first two give the same sort of error I see for DFRG.MSC; the third is a more generic "Can't find the file." error.

    Help and Support is weird. I get the right screen, but it is really whited out. I have to look at the laptop monitor at an extreme angle to see anything. But I think the things there "work".

    User Accounts seems to work.

    Windows Update really isn't okay. Although I've downloaded several updates recently, automatic updates always shows two updates pending that always try to autoload on bootup: GDI+ Detection Tool and Malicious SW Removal Tool - June 2005. Interesting failures given the ongoing battle eh? Going to the Windows update page results in nothing; I don't get vectored to the XP page. When I set the browser there manually, I get an error that Microsoft wants to know about. I've exchanged a couple e-mails with them about how to fix it, but all they've done is given me a few things to try (and mark the case closed). No real follow-up (not like good ol' Blender to be sure).

    System Restore seems to be as you stated.

    Media Player appears to work, although it asked me for some setup info when I opened it. (Not sure how often it's been used.)

    Here's the log file.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}]
    @="JScript Language"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
    @="C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\scrauth.dll"
    "ThreadingModel"="Both"
    "ScrAuthInProcServer32"="c:\\windows\\system32\\jscript.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID]
    @="JScript"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}]
    @="JScript Language Authoring"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
    @="C:\\WINDOWS\\system32\\jscript.dll"
    "ThreadingModel"="Both"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID]
    @="JScript Author"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}]
    @="JScript Language Encoding"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
    @="C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\scrauth.dll"
    "ThreadingModel"="Both"
    "ScrAuthInProcServer32"="c:\\windows\\system32\\jscript.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript]

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID]
    @="JScript.Encode"


    When all is said and done here, I'd like to buy you a beer. Partyman

    Lacking that, some kind of remuneration is in order for your dedicated and brain-saving help.

    The Duffer Clap Man
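A reader for the export posted above, as an added example that is not code from the thread or from any tool named in it. It parses the REGEDIT4 text that export.bat writes, honours the "doesn't exist" marker lines the batch seeds each file with, and reports how each script-engine CLSID resolves: directly to jscript.dll, through a hook DLL that forwards to it, to nothing (the case regsvr32 jscript.dll repairs), or to something else. In the posted export the JScript Language key's InprocServer32 is Symantec's Script Blocking scrauth.dll (the same component as the ScriptBlocking Service in the O23 lines) with the real engine kept in ScrAuthInProcServer32, which the checker reports as "wrapped" rather than "redirected"; the practical check is that a wrapper path matches a product actually installed on the box. SAMPLE_EXPORT is abridged from the posted log to two of the three keys plus one constructed marker line for the VBScript CLSID, and EXPECTED_ENGINE is an assumption for a default XP install.

```python
"""Check which DLL serves the JScript engine CLSIDs in a REGEDIT4 export.

Added example, not code from the thread. export.bat seeds each file with
a "doesn't exist <key>" line that regedit overwrites only when the key
exists, so a surviving marker is parsed as a missing key. SAMPLE_EXPORT
is abridged from the posted log (two of the three keys) plus one
constructed marker line; EXPECTED_ENGINE is an assumption for XP.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<value>.*)$')
MISSING_PREFIX = "doesn't exist "

CLSID_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\CLSID\\"
JSCRIPT_CLSIDS = (
    "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}",  # JScript Language
    "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}",  # JScript Language Authoring
)
VBSCRIPT_CLSID = "{b54f3741-5b07-11cf-a4b0-00aa004a55e8}"  # constructed marker only
EXPECTED_ENGINE = r"c:\windows\system32\jscript.dll"        # assumption

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}]
@="JScript Language"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
@="C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\scrauth.dll"
"ThreadingModel"="Both"
"ScrAuthInProcServer32"="c:\\windows\\system32\\jscript.dll"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}]
@="JScript Language Authoring"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
@="C:\\WINDOWS\\system32\\jscript.dll"
"ThreadingModel"="Both"

doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{b54f3741-5b07-11cf-a4b0-00aa004a55e8}
'''


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_regedit4(text):
    """Return ({key_path: {value_name: value}}, {key_paths flagged missing}).

    The default value of a key is stored under the name "".
    """
    keys, missing, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith(MISSING_PREFIX):
            missing.add(line[len(MISSING_PREFIX):])
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            raw_name, value = m.group("name"), m.group("value")
            name = "" if raw_name == "@" else _unescape(raw_name[1:-1])
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = _unescape(value[1:-1])  # dword:/hex: data is kept raw
            keys[current][name] = value
    return keys, missing


def engine_status(keys, missing, clsid):
    """Classify how a script-engine CLSID resolves to its in-process server."""
    base = CLSID_ROOT + clsid
    if base in missing or base not in keys:
        return {"clsid": clsid, "status": "missing", "server": None, "wrapped": None}
    inproc = keys.get(base + "\\InprocServer32", {})
    server = inproc.get("", "")
    wrapped = inproc.get("ScrAuthInProcServer32")  # where a hook DLL forwards to
    if server.lower() == EXPECTED_ENGINE:
        status = "direct"
    elif wrapped and wrapped.lower() == EXPECTED_ENGINE:
        status = "wrapped"       # hook DLL in front of the real engine
    elif not server:
        status = "unregistered"  # what regsvr32 jscript.dll would repair
    else:
        status = "redirected"    # points at something that is not the engine
    return {"clsid": clsid, "status": status, "server": server, "wrapped": wrapped}


def report(text, clsids=JSCRIPT_CLSIDS + (VBSCRIPT_CLSID,)):
    """Run engine_status over every CLSID of interest in one export."""
    keys, missing = parse_regedit4(text)
    return [engine_status(keys, missing, c) for c in clsids]
```

Running report(SAMPLE_EXPORT) gives "wrapped" for the JScript Language key, "direct" for the Authoring key and "missing" for the constructed VBScript marker; a "redirected" result is the one that warrants pulling the named DLL for a look.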
    TonyKlein
    SWW Distinguished Expert


    Joined: 31 Jul 2004
    Last Visit: 12 Aug 2013
    Posts: 157
    Location: the Netherlands

    PostPosted: Sat Jul 23, 2005 1:48 am    Post subject:

    Just passing by, but I couldn't help noticing these (probably orphaned) Run entries:

    O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
    O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe

    The legitimate iPODService.exe is implemented as a system service, and these are therefore almost certainly (remnants of?) a RBot or SDBot infection.

    They need removing as well.
    _________________
    Tony CLSID List - A Collection of Autostart Locations
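The reasoning in Tony's post, written out as a small triage pass over HijackThis O4 lines, as an added example that is not code from the thread or from HijackThis. It flags a Run or RunServices value when the command is a bare image name with no path (so it is resolved through the search path at logon), when it lives under RunServices (a Windows 9x/ME key that nothing on XP legitimately uses), and when the image name belongs to a product whose real copy is installed as a Windows service. SAMPLE_LOG is a handful of O4 lines copied from the log posted earlier in the thread; SERVICE_ONLY_IMAGES is an assumption for the example. Note that AGRSMMSG.exe also gets one hit for the bare name, and the running-processes list in the same log shows it at C:\WINDOWS\AGRSMMSG.exe, so a single reason is a prompt to look, not a verdict; the iPod entries collect two and three reasons.

```python
"""Triage HijackThis O4 (autostart) lines the way the post above reasons.

Added example, not code from the original thread or from HijackThis.
SAMPLE_LOG is copied from the log posted in this thread;
SERVICE_ONLY_IMAGES is an assumption for illustration.
"""
import re

# O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\...\ViewMgr.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run(?:Services|Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# First token of the command: a quoted path, or an unquoted path that may
# contain spaces (HijackThis prints "C:\Program Files\..." unquoted too).
IMAGE_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif))"?(?=\s|$)', re.IGNORECASE
)

# Images whose legitimate copy runs as a service (an O23 line), so a Run
# value with the same name is suspect. Assumption for the example.
SERVICE_ONLY_IMAGES = {"ipodservice.exe"}

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
"""


def image_path(cmd):
    """Return the executable part of a Run command, without quotes or args."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ", 1)[0]


def assess(entry):
    """List the reasons an O4 registry entry deserves a second look."""
    path = image_path(entry["cmd"])
    base = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "\\" not in path:
        reasons.append("bare image name, no path: resolved via the search path at logon")
    if entry["key"] == "RunServices":
        reasons.append("RunServices is a Windows 9x/ME key; unused by anything legitimate on XP")
    if base in SERVICE_ONLY_IMAGES:
        reasons.append(f"{base} normally runs as a service (O23 line), not as a Run value")
    return reasons


def scan(log_text):
    """Parse every registry O4 line and attach its reasons (may be empty)."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup lines and non-O4 lines are skipped
        entry = m.groupdict()
        entry["reasons"] = assess(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        if e["reasons"]:
            print(f"{e['hive']}\\..\\{e['key']}: [{e['name']}] {e['cmd']}")
            for r in e["reasons"]:
                print("   -", r)
```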
    blender
    Site Admin

    PostPosted: Mon Jul 25, 2005 1:52 am    Post subject:

    Hi Tony Smile

    Thanks for dropping in & pointing that out.

    Hey duffer Smile

    Lets take up on Tony's points and see what happens.

    Start up hijackthis, run system scan & check:

    O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
    O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe


    Close all open windows and hit "fix checked".

    Reboot computer to "Safe mode with networking"

    Lets try another scan please at this site:

    http://www.kaspersky.com/beta?product=161744315

    You will need to enter a name and email address to continue
    You will need to allow active x install.

    Scanner takes a while
    Best to disable your current AV & Ewido while scan is in progress to prevent conflicts.
    Just don't be surfin' around cus you will have no resident protection.

    Once done...Please post its results.
    Exclamation Don't forget to turn your AV back on.

    Thank you. Smile
    _________________
    Never give up!
    Former Microsoft MVP Windows-Security 2005-2009

    If we have helped you please consider a donation Thank You
    TonyKlein
    SWW Distinguished Expert


    Joined: 31 Jul 2004
    Last Visit: 12 Aug 2013
    Posts: 157
    Location: the Netherlands

    PostPosted: Mon Jul 25, 2005 2:04 am

    You're very welcome, Blender. Smile
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Mon Jul 25, 2005 2:16 am

    Hi Tony Smile

    Your advice/help is always appreciated. Smile

    If doing above does not help him with updates, etc....feel free to drop your advice. Wink
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Mon Jul 25, 2005 5:52 pm    Post subject: Ahh, the Wizardry That You Bring

    Tony and Blender,

    Thanks for your inputs. I'll try them at first opportunity, but my daughter took her laptop with her for a day or so.

    CyberLink wanted a screenshot of the PowerCinema error. Even though disabling it has solved the error without any obvious downside, I may send it to them. They still won't tell me though exactly what PowerCinema does. Eh?

    I finally heard back from Microsoft on my XP Update failures. They said, "You might have a virus." Gee, really? The only other advice was to repair XP from CD. I've been resisting that, but - with Blender's advice and a detailed MS page on how - I may try it. I've reloaded OSs once or twice before; it was irritating.

    Ewido has expired. Good to know it's there again if I need it.

    Speaking of no protection: a guru friend of mine said he read where an XP OS operating on an open network will be polled within 15 minutes by someone trying to get in. D@mn the hackers! Nasty

    I'll check back in later. 1M thanks.

    The Duffer
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Fri Jul 29, 2005 12:42 pm    Post subject: Frustration

    Okay, I took care of the iPod entries with HijackThis. Not sure what they are/were doing, but they should be gone.

    Now then, Kaspersky was extremely frustrating. Brick wall

    First, the link takes you to a page for Kaspersky to sell you an anti-virus book. So I roamed around their site until I found the download. A whopper: 12MB. I downloaded this and installed it. It then downloaded its AV definitions: another 3 MB. However, when I tried to run K-AV it kept complaining that its database was corrupted. It would download some more files, but still kept saying it was corrupted. I did this in various combinations of Safe Mode and Normal mode. I noticed when installing K-AV that it finds NAV and says to uninstall it, not merely disable it. Well, I ain't gonna do that. I uninstalled K-AV and reinstalled it; same problems. I have to think K-AV's conflicting with NAV.

    Other than that, things seem as they were. I'm still considering repairing XP, but all the generic warnings about possibly losing files have me concerned. The other thing that concerns me is that I'll then have to reinstall all the XP updates. I have SP2 on CD, but since Windows Update is one of the things that's not 100% functional right now, I'd hate to have to rely on it. (Ironic, eh? The thing that needs fixing is itself part of the solution to fixing it.) I have the detailed instructions on how to do the repair both from the XP site and in a Microsoft e-mail. So why am I still worried? Anxious

    Advice, O wizards? prayer
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Fri Jul 29, 2005 1:33 pm

    Hi

    Shocked

    Ok...that Kaspersky link: I didn't realise they discontinued the online system scanner a short time ago.

    Sorry about that. Embarassed

    Yes...having both Norton & KAV will conflict.

    Rescan of HJT no longer shows those iPod entries? If they are not there...Most likely ok. Likely leftovers.

    Try this scanner:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are results please save scan report and post it here.

    *************

    Ok...That reg export you did earlier looks fine. I think even tho you tried to re-register those 2 files...possibly they are corrupt.

    You have a copy of jscript.dll & vbscript.dll here:

    C:\windows\ServicePackFiles\i386

    Copy both of those to C:\Windows\system32\dllcache.

    We are going to use Windows File Protection to get the job done (hope it works)---meaning hope its those 2 files causing the problem.

    Once those 2 files are copied to dllcache...
    Open system32 folder and rename:

    jscript.dll to jscript.old
    vbscript.dll to vbscript.old.

    Wait a few seconds....
    New copies should appear in system32

    Reboot

    If still no go...try registering those files again, reboot

    Let me know. Smile
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Sat Jul 30, 2005 9:31 am    Post subject: Missing Folder

    Blender,

    Working on the regs first.

    The two files are where you noted, but I do not have a C:\Windows\system32\dllcache folder. Should I create one? Or is its absence perhaps part of the problem? I have "Show Hidden Folders" set.

    The Duffer
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Sat Jul 30, 2005 11:07 am    Post subject: Panda Scan

    Below are the results of the Panda scan. You may note, as I did, that Panda does not remove these. I figure you have to buy it to do so. Recommendations? Thought we'd taken care of PSof 1. Confused


    Incident Status Location
    Adware:adware/consumeralertsystem No disinfected HKEY_CURRENT_USER\SOFTWARE\CAS

    Adware:adware/pacimedia No disinfected HKEY_CURRENT_USER\SOFTWARE\PSOF1

    Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS

    Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\VIDCTRL

    Adware:adware/novo No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\CDM
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Sun Jul 31, 2005 11:46 am

    Hi

    Panda Online scanner does not remove spyware or fix registry items.

    We can do that. Smile

    That Psof1 entry from Panda...it is in a different location in registry than the one we fixed in HJT.

    The one we fixed in HJT was here:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    ***********

    dllcache folder is a protected folder....M$ "super hides" it.
    Don't try creating one cus if you are successful...you will effectively delete the folder where Windows stores its protected file copies.
    That would be bad... Shocked
    Windows likely won't let you anyway but I have seen stranger things happen.

    Open folder options in control panel
    Under hidden files and folders UNcheck these 2 items:

    "hide file extensions for known file types"
    "hide protected operating system files (recommended)"

    Ok prompt.
    Apply and OK changes.

    Dllcache should show up now.
    If you are running NTFS file system...it will be blue.

    Go ahead and try the above fix regarding those 2 dll files.

    Reg fix to remove those items flagged by Panda:

    Copy the following text to notepad
    Save as file name: out.reg
    As file types: All files
    Save it to your desktop.

    Code:
    REGEDIT4

    [-HKEY_CURRENT_USER\SOFTWARE\CAS]
    [-HKEY_CURRENT_USER\SOFTWARE\PSOF1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\VIDCTRL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\CDM]


    Once saved...double click it and allow the merge/add prompt.
    Should get success message.
    You can delete out.reg

    Reboot recommended.

    Let me know if you can run any .msc files. Still a few tricks yet.

    Thanks Smile
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Mon Aug 01, 2005 2:56 pm    Post subject: Bangin' Away

    Took care of what Panda found as you recommended. No problems during the operation, so I assume the baddies are gone.

    Looks like still no luck with the DLLs though. Crying or Very sad I un-super-protected the DLLCACHE folder, renamed the files to .OLD, and watched new copies of .DLL appear. But after rebooting, nothing new: WinEx's Search feature gives the same error and so does Defragmenter. One point: You said "If still no go...try registering those files again, reboot". Remind me again how to register those files.

    One good point: My guru buddy pointed out there's a manual Defrag that you can run from the Command Prompt. Running it now . . . Then again, he didn't want to join me for an XP Repair session. A fellow guru said he'd tried this a couple times and ended up just reinstalling it. And I got the usual generic warnings about backing things up . . .

    You said you still had a few tricks. Guy with axe Let 'em fly!

    The Duffer Big Thumb Up
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Wed Aug 03, 2005 6:32 am

    Hi

    Here's the files to try registering again.

    Click start> run> type regsvr32 jscript.dll and hit enter.
    You should get some kind of success message.
    Click start> run> type regsvr32 vbscript.dll and hit enter.
    Should get success message.

    Reboot computer and try search, system restore, Help & support, windows update, etc...

    LMK if they all work.

    After experiencing a similar problem on my computer...

    Something else I want to check...

    Let's get a reg export of a couple keys.

    Copy the following text inside code box to a new notepad file
    Save as file name getzones0.bat
    As file types All files
    Save it to the desktop.

    Code:
    rem Write a placeholder first: if regedit exports nothing (key absent), this line is what stays in the file
    echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 > hklm.txt

    rem /e exports the key to the named file; /a writes it in the older REGEDIT4 text format
    regedit /e /a hklm.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"

    echo doesn't exist HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 > hkcu.txt

    regedit /e /a hkcu.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"

    rem Join the two exports into one file, then remove the pieces
    copy hklm.txt + hkcu.txt zones.txt
    del hklm.txt
    del hkcu.txt

    start notepad zones.txt


    Once saved...double click it.
    In a second or 2 a log will pop up.
    Please post its contents.

    Thanks! Smile
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Thu Aug 04, 2005 3:27 pm    Post subject: Still Crankin'

    Blender,

    On the re-regs: No apparent change. Bummer. d'oh!

    Here are the results of the log: Let me know.

    Your humble servant

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1206"=dword:00000000
    "1806"=dword:00000000
    @=""
    "DisplayName"="My Computer"
    "Description"="Your computer"
    "Icon"="explorer.exe#0100"
    "CurrentLevel"=dword:00000000
    "Flags"=dword:00000021
    "1001"=dword:00000000
    "1004"=dword:00000000
    "1200"=dword:00000000
    "1201"=dword:00000001
    "1400"=dword:00000000
    "1402"=dword:00000000
    "1405"=dword:00000000
    "1406"=dword:00000000
    "1407"=dword:00000000
    "1601"=dword:00000000
    "1604"=dword:00000000
    "1605"=dword:00000000
    "1606"=dword:00000000
    "1607"=dword:00000000
    "1608"=dword:00000000
    "1609"=dword:00000001
    "1800"=dword:00000000
    "1802"=dword:00000000
    "1803"=dword:00000000
    "1804"=dword:00000000
    "1805"=dword:00000000
    "1A00"=dword:00000000
    "1A02"=dword:00000000
    "1A03"=dword:00000000
    "1A04"=dword:00000000
    "1A05"=dword:00000000
    "1A06"=dword:00000000
    "1A10"=dword:00000000
    "1C00"=dword:00020000
    "1E05"=dword:00030000
    "1807"=dword:00000000
    "1808"=dword:00000000
    "2000"=dword:00000000
    "2100"=dword:00000000
    "2101"=dword:00000003
    "2102"=dword:00000000
    "2200"=dword:00000000
    "2201"=dword:00000000
    "2300"=dword:00000001
    "1809"=dword:00000003

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    @=""
    "DisplayName"="My Computer"
    "Description"="Your computer"
    "Icon"="explorer.exe#0100"
    "CurrentLevel"=dword:00000000
    "Flags"=dword:00000021
    "1001"=dword:00000000
    "1004"=dword:00000000
    "1200"=dword:00000000
    "1201"=dword:00000001
    "1400"=dword:00000000
    "1402"=dword:00000000
    "1405"=dword:00000000
    "1406"=dword:00000000
    "1407"=dword:00000000
    "1601"=dword:00000000
    "1604"=dword:00000000
    "1605"=dword:00000000
    "1606"=dword:00000000
    "1607"=dword:00000000
    "1608"=dword:00000000
    "1609"=dword:00000001
    "1800"=dword:00000000
    "1802"=dword:00000000
    "1803"=dword:00000000
    "1804"=dword:00000000
    "1805"=dword:00000000
    "1A00"=dword:00000000
    "1A02"=dword:00000000
    "1A03"=dword:00000000
    "1A04"=dword:00000000
    "1A05"=dword:00000000
    "1A06"=dword:00000000
    "1A10"=dword:00000000
    "1C00"=dword:00020000
    "1E05"=dword:00030000
    "1206"=dword:00000000
    "1806"=dword:00000000
    "1807"=dword:00000000
    "1808"=dword:00000000
    "1809"=dword:00000003
    "2100"=dword:00000000
    "2101"=dword:00000003
    "2102"=dword:00000000
    "2200"=dword:00000000
    "2201"=dword:00000000
    "2300"=dword:00000001
    "2000"=dword:00000000

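As an added example (not part of the thread, and not one of the tools used in it), here is a small Python script that reads a zones.txt in the REGEDIT4 form produced by getzones0.bat and compares the HKLM and HKCU copies of Zones\0 value by value, which is the kind of check Blender asked for. The embedded sample is constructed: a subset of the values posted above, with "1201" in the HKCU copy altered on purpose so a mismatch shows up.

```python
import re

# Constructed sample in the shape zones.txt has: the HKLM export followed by
# the HKCU export. Values are a subset of those posted above; "1201" in the
# HKCU copy was changed from 1 to 0 on purpose so a mismatch shows up.
ZONES_TXT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
@=""
"Flags"=dword:00000021
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
@=""
"1201"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"Flags"=dword:00000021
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
MISSING = "doesn't exist "   # prefix of the placeholder lines the batch file writes


def parse_regedit4(text):
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4 export.
    Placeholder "doesn't exist <key>" lines go under the pseudo-key None."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith(MISSING):          # regedit exported nothing for this key
            keys.setdefault(None, {})[line[len(MISSING):]] = None
            continue
        m = KEY_RE.match(line)
        if m:                                 # [HKEY_...] header starts a new key
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:         # "name"=data or @=data (default value)
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def compare_zone0(text):
    """Compare the HKLM and HKCU copies of Zones\\0 value by value.
    Returns (mismatches, only_in_hklm, only_in_hkcu, missing_keys)."""
    keys = parse_regedit4(text)
    by_hive = {k.split("\\", 1)[0]: v for k, v in keys.items() if k}
    hklm = by_hive.get("HKEY_LOCAL_MACHINE", {})
    hkcu = by_hive.get("HKEY_CURRENT_USER", {})
    shared = hklm.keys() & hkcu.keys()
    mismatches = sorted((n, hklm[n], hkcu[n]) for n in shared if hklm[n] != hkcu[n])
    return (mismatches, sorted(hklm.keys() - hkcu.keys()),
            sorted(hkcu.keys() - hklm.keys()), sorted(keys.get(None, {})))
```

Running compare_zone0 on a real zones.txt reports each value whose data differs between the two hives, values present in only one of them, and any key that regedit could not export at all.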
    MaccDuff
    Warrior


    Joined: 17 Jun 2005
    Last Visit: 23 Sep 2013
    Posts: 66
    Location: USA

    PostPosted: Thu Aug 04, 2005 4:02 pm    Post subject: Worse!!!

    In thinking about repairing XP, I thought I'd check out the CD-DVD burner in case I want to back things up to a CD. The application is Sonic's RecordNow. When I clicked it, I got a small dialog box with a red X circled and an OK box. In other words, it did about the least possible. So I got the CD to reinstall the two. Trying this gave another dialog box with the header "16 bit Windows Subsystem" and the message:

    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
    The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate this application.


    There are Close and Ignore options that do the same thing - nothing. Sad The Sonic site doesn't offer much help, particularly since this preload doesn't have a serial number, which is needed to log on for assistance. So I don't have a CD burner to back anything up. Sure, I can just copy the files elsewhere on the hard drive but not having an install disk work is very worrisome.


    Any advice? Could this be related to the PowerCinema disablement? Should I just cross my fingers, repair XP, and hope?
    blender
    Site Admin


    Joined: 19 Jan 2004
    Last Visit: 09 Apr 2014
    Posts: 10886
    Location: Ontario

    PostPosted: Fri Aug 05, 2005 4:50 am

    Hi

    This error:

    Quote:
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
    The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate this application.


    Check here:

    C:\Windows\repair for that file. If present; copy it to your system32 folder and try burner again.
    Quite possible this has been the ongoing error with your PowerCinema too.

    Lots of malware infections delete that file. (not sure why)

    Also not sure if sonic's RecordNow adds anything to that autoexec.nt file. You may have to re-install it once again after you replace the default file from repair folder.

    Don't forget; once you repair XP...you will lose all your updates.
    Quite possible some of your apps won't work right till you update your XP again to sp2.

    Let's try something else too before repair.

    Click start> run> type cmd and hit enter.

    copy this line:

    cd c:\ & dir /s /a *.msc > files.txt & start notepad files.txt

    Right click in cmd window and choose paste.
    Give it a few minutes to run search & results should come up in notepad. Please post results.

    Thanks Smile