03-18-2005, 01:23 PM, post #9
vampyr2005
Registered User
 
Join Date: Mar 2005
Posts: 181
OS: XP professional


Hi Greyknight, thanks for the help. I did what you told me to do and the Spybot exploit program detected 1 error to do with Windows Media Player; details below:
Spybot log before fixing:

--- Search result list ---
Windows Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-725345543-436374069-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0


--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

2003-03-16 blindman.exe
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2003-03-16 Update.exe
2004-10-04 advcheck.dll (1.0.1.0)
2003-03-16 borlndmm.dll (7.0.4.453)
2003-03-16 delphimm.dll (7.0.4.453)
2003-03-16 SDHelper.dll
2003-03-16 Tools.dll
2003-03-16 UnzDll.dll (1.7.0.8)
2003-03-16 ZipDll.dll (1.7.0.8)
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB886906)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB891781


--- Startup entries list ---
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: WinLogon, crypt32chain
command: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll



--- Browser helper object list ---


--- ActiveX list ---
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:



--- Process list ---

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 256 ( 300) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 300 ( 240) C:\WINDOWS\Explorer.EXE
PID: 316 ( 912) C:\WINDOWS\system32\wuauclt.exe
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 564 ( 508) csrss.exe
PID: 588 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 632 ( 588) C:\WINDOWS\system32\services.exe
PID: 644 ( 588) C:\WINDOWS\system32\lsass.exe
PID: 756 ( 300) C:\WINDOWS\system32\ctfmon.exe
PID: 804 ( 632) C:\WINDOWS\system32\svchost.exe
PID: 848 ( 632) svchost.exe
PID: 912 ( 632) C:\WINDOWS\System32\svchost.exe
PID: 956 ( 632) svchost.exe
PID: 1004 ( 632) svchost.exe
PID: 1232 ( 632) C:\WINDOWS\system32\spoolsv.exe
PID: 1352 ( 632) C:\WINDOWS\system32\netdde.exe
PID: 1404 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 1420 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 1496 ( 632) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1600 ( 632) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1688 ( 632) wdfmgr.exe
PID: 1928 ( 632) alg.exe
PID: 2032 ( 300) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Spybot - Search && Destroy process list report, 19/03/2005 3:28:23 AM


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 19/03/2005 3:28:23 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll

Spybot log after fixing:


--- Search result list ---
Windows Media Player: Anonymous ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-725345543-436374069-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0


--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

2003-03-16 blindman.exe
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2003-03-16 Update.exe
2004-10-04 advcheck.dll (1.0.1.0)
2003-03-16 borlndmm.dll (7.0.4.453)
2003-03-16 delphimm.dll (7.0.4.453)
2003-03-16 SDHelper.dll
2003-03-16 Tools.dll
2003-03-16 UnzDll.dll (1.7.0.8)
2003-03-16 ZipDll.dll (1.7.0.8)
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB886906)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB891781


--- Startup entries list ---
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: WinLogon, crypt32chain
command: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll



--- Browser helper object list ---


--- ActiveX list ---
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:



--- Process list ---

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 256 ( 300) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 300 ( 240) C:\WINDOWS\Explorer.EXE
PID: 316 ( 912) C:\WINDOWS\system32\wuauclt.exe
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 564 ( 508) csrss.exe
PID: 588 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 632 ( 588) C:\WINDOWS\system32\services.exe
PID: 644 ( 588) C:\WINDOWS\system32\lsass.exe
PID: 756 ( 300) C:\WINDOWS\system32\ctfmon.exe
PID: 804 ( 632) C:\WINDOWS\system32\svchost.exe
PID: 848 ( 632) svchost.exe
PID: 912 ( 632) C:\WINDOWS\System32\svchost.exe
PID: 956 ( 632) svchost.exe
PID: 1004 ( 632) svchost.exe
PID: 1232 ( 632) C:\WINDOWS\system32\spoolsv.exe
PID: 1352 ( 632) C:\WINDOWS\system32\netdde.exe
PID: 1404 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 1420 ( 632) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 1496 ( 632) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1600 ( 632) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1688 ( 632) wdfmgr.exe
PID: 1928 ( 632) alg.exe
PID: 2032 ( 300) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Spybot - Search && Destroy process list report, 19/03/2005 3:28:58 AM


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 19/03/2005 3:28:58 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D3B13AAC-DB54-4583-80B6-0105D415077B}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61CD2BFB-E942-4BC5-9256-A9FCF43BC154}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{475A5BD5-0A81-4148-BF3F-3153C0421F12}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll

When I did the sfc /scannow check I got a message, a copy of which you will find attached below, telling me that .dll files were missing, and while scanning, the progress bar only moves very slowly and just a little bit before again showing the same error message.
Would you suggest that I try to fix the problem that way or just try to repair Windows using the XP CD, and do you have any idea how it might have happened? I use System Mechanic and Norton SystemWorks One Button Checkup for detecting registry errors; Norton fixes the problems, while System Mechanic gives me a list and asks me what to remove, and I check the list and try to make sure that I'm only removing entries that correspond to unused items. When using Spybot I only delete items in RED. One other question: I just noticed in my Spybot logs under system information that when it lists the Windows XP hotfixes it lists them as "/ Windows XP / SP3: Windows XP Hotfix". Is that meant to be like that? Because I thought that there was so far only an SP2 for Windows XP.
Thanks.
Attached image: snagit windows protection.jpg (105.5 KB)

Last edited by vampyr2005; 03-18-2005 at 01:29 PM.