mssync.sys PAGE_FAULT_IN_NONPAGED_AREA

pt49 · 08-05-2006, 10:05 AM

Yesterday I got my first Bluescreen in a computer running XP.

THe main thing about the blue screen with this message:

"The problem seems to be associated with the file mssync.sys

PAGE_FAULT_IN_NONPAGED_AREA and etc... " and the computer reboots after a few minutes.

I understand that I need to rename the offending files but can't find them. I can see them in the reports when I run Gmer and Blacklight Root Eliminator, but can't find them when I run search, because they are hidden files apparently.

Logfile of HijackThis v1.99.1
Scan saved at 2:32:50 AM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\DowntimeWitness\DowntimeWitness.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\Program Files\TechSmith\Camtasia Studio 3\TSCHelp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PHP Designer Toolbar Helper - {588869E0-6C28-400a-8A1A-2A099E41CE9B} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: downtimewitness.com.lnk = C:\Program Files\DowntimeWitness\DowntimeWitness.exe
O4 - Global Startup: FlintFX Live Forex Signals.lnk = C:\Program Files\FlintFX Live Forex Signals\FlintFXSignals.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: SCV - https://www.omnovia.com/pages/sc2/image/SCV.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatte...nload/ccdl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133297998656
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://www.traderobot.com/setup-ts/setup.exe
O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.44.141.108/wp/wpax.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Vikesrock8411 · 08-06-2006, 01:22 AM

Download combofix.exe-Save it to your Desktop, we will need this later.

Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post a log from Blacklight and GMER in your next post along with the log from Combofix.

pt49 · 08-06-2006, 03:50 AM

Thanks for your help Vikesrock.

I continue to get Bluescreens. About ½ show the mssync20.sys error. Many show just numbers on the bottom of the reporting message, but now the last few are showing this:
mnmdd.sys
WMILB.SYS
avgtdi.sys

And on rebooting ZoneAlarm is slow initializing.

Combo Report:

Start Time= Sun 08/06/2006 20:29:39.85
Running from: C:\Documents and Settings\Russell\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-08-05 14:36:38 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-07-26 13:51:24 ( .D... ) "C:\Program Files\Sales Letter Creator"
2006-07-23 13:20:22 0 ( A..H. ) "C:\Documents and Settings\Russell\Application Data\L84577898.5v1"
2006-07-23 13:18:08 ( .D... ) "C:\Program Files\FileMaker"
2006-07-23 10:37:02 ( .D... ) "C:\Program Files\!Cool Programs"
2006-07-22 15:38:22 ( .D... ) "C:\Program Files\myownarticles rewriter"
2006-07-20 19:35:04 ( .D... ) "C:\Program Files\UseNeXT"
2006-07-20 15:11:10 ( .D... ) "C:\Program Files\TechSmith"
2006-07-12 03:12:18 ( .D... ) "C:\Program Files\Domain Suggestion Tool"
2006-06-15 21:03:52 86496 ( A.... ) "C:\Documents and Settings\Russell\Application Data\GDIPFONTCACHEV1.DAT"
2006-06-15 17:18:40 ( .D... ) "C:\Program Files\Cody Moya's .doc to .txt converter"
2006-06-15 03:12:00 45056 ( A.... ) "C:\WINDOWS\system32\CSvidcap.dll"
2006-06-14 22:26:06 ( .D... ) "C:\Program Files\The Keyword Bible Pro"
2006-06-14 21:13:42 102400 ( A.... ) "C:\WINDOWS\system32\tsccvid.dll"
2006-06-12 01:17:26 ( .D... ) "C:\Program Files\KA Sitebuilder"
2006-06-10 22:28:16 442 ( A.... ) "C:\Program Files\Shortcut to IVS.lnk"
2006-06-10 21:51:30 ( .D... ) "C:\Program Files\IVS"
2006-06-10 01:45:54 ( .D... ) "C:\Program Files\Web Audio Plus"
2006-06-09 16:15:46 5161 ( A.... ) "C:\Documents and Settings\Russell\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log"
2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe"
2006-01-19 15:18:06 1135579 ( A.... ) "C:\Program Files\DocToTxtSetup.exe"
2005-11-19 22:12:46 1309840 ( A.... ) "C:\Program Files\a2freesetup.exe"
2005-11-19 21:30:44 777142 ( A.... ) "C:\Program Files\aaupd2012.exe"
2005-11-18 21:35:10 2693614 ( A.... ) "C:\Program Files\orwell.exe"
2005-11-15 00:39:48 13244 ( A.... ) "C:\Program Files\rssg2.zip"
2005-11-13 21:19:16 1014477 ( A.... ) "C:\Program Files\wrar351.exe"
2004-01-15 01:34:18 259539966 ( A.... ) "C:\Program Files\Microsoft Office XP Publisher 2003.zip"
2001-04-04 17:11:30 1499904 ( A...R ) "C:\Program Files\INSTMSIW.EXE"
2001-04-04 17:11:28 1489152 ( A...R ) "C:\Program Files\INSTMSI.EXE"
2001-04-04 17:11:28 184 ( A..HR ) "C:\Program Files\AUTORUN.INF"
2001-04-02 19:50:14 29 ( A...R ) "C:\Program Files\cd-key.txt"
2001-03-01 23:38:12 3485184 ( A...R ) "C:\Program Files\PROPLUS.MSI"
2001-03-01 23:35:58 306688 ( A...R ) "C:\Program Files\OWC10.MSI"
2001-03-01 14:35:26 224771818 ( A..HR ) "C:\Program Files\OFFICE1.CAB"
2001-02-28 12:14:46 476576 ( A...R ) "C:\Program Files\SETUP.EXE"
2001-02-21 12:18:24 7929 ( A...R ) "C:\Program Files\README.HTM"

(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-08-05 14:36 745,531 C:\WINDOWS\gmer.exe
2006-08-05 14:36 528,446 C:\WINDOWS\gmer.dll
2006-07-20 15:11 45,056 C:\WINDOWS\system32\CSvidcap.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SMSERIAL"="sm56hlpr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"Prolific_PLUtil"="C:\\Program Files\\Prolific\\USB Flash Disk Utility\\PLBkMon.exe"
"PLFFAP"="C:\\WINDOWS\\system32\\HotfixQ0306270.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"StatusClient 2.6"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"PCPitstop Optimize Registration Reminder"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMan"="SOUNDMAN.EXE"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Update Service"="\"C:\\Program Files\\Common Files\\Teknum Systems\\update.exe\" /startup"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Uniblue Registry Booster"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,de,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,de,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

Contents of the 'Scheduled Tasks' folder

Completion time: Sun 08/06/2006 20:30:02.07
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-05.211253.txt
ComboFix.2006-08-06.200215.txt
ComboFix.2006-08-06.201622.txt
ComboFix.2006-08-06.202939.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

08/06/06 20:31:57 [Info]: BlackLight Engine 1.0.42 initialized
08/06/06 20:31:57 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/06 20:31:58 [Note]: 7019 4
08/06/06 20:31:58 [Note]: 7005 0
08/06/06 20:32:00 [Note]: 7006 0
08/06/06 20:32:01 [Note]: 7011 2016
08/06/06 20:32:01 [Note]: 7026 0
08/06/06 20:32:01 [Note]: 7026 0
08/06/06 20:32:10 [Note]: FSRAW library version 1.7.1019
08/06/06 20:32:15 [Info]: Hidden file: c:\Documents and Settings\Russell\Desktop\Files named mssync20.fnd
08/06/06 20:32:15 [Note]: 7002 0
08/06/06 20:32:15 [Note]: 7003 1
08/06/06 20:32:15 [Note]: 10002 2
08/06/06 20:37:44 [Info]: Hidden file: c:\WINDOWS\system32\mssync20.exe
08/06/06 20:37:44 [Note]: 7002 0
08/06/06 20:37:44 [Note]: 7003 1
08/06/06 20:37:44 [Note]: 10002 2
08/06/06 20:37:44 [Info]: Hidden file: c:\WINDOWS\system32\mssync20.sys
08/06/06 20:37:44 [Note]: 7002 0
08/06/06 20:37:44 [Note]: 7003 1
08/06/06 20:37:44 [Note]: 10002 2
08/06/06 20:37:44 [Info]: Hidden file: c:\WINDOWS\system32\mssync20.tlb
08/06/06 20:37:44 [Note]: 7002 0
08/06/06 20:37:44 [Note]: 7003 1
08/06/06 20:37:44 [Note]: 10002 2
08/06/06 20:39:38 [Note]: 7007 0

~~~~~~~~~~~~~~~~~~~~~~~~

System crashed before finishing a Gmer report... I got a WMILB.SYS error on the blue screen.

I'll post a Gmer report when I get that computer back up.

pt49 · 08-06-2006, 04:48 AM

Here's the short log from Gmer... I have not been able to get a full report log so far. The computer keeps crashing before it completes.

I saved the short log report... I'm currently running Gmer full scan in SaAFE mode to see if I can get the full log... I'll post it next if I get it.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-06 21:22:53
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwQuerySystemInformation <-- ROOTKIT !!!

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys

---- Processes - GMER 1.0.10 ----

Process hidden process (*** hidden *** ) 2972 <-- ROOTKIT !!!

---- Services - GMER 1.0.10 ----

Service C:\WINDOWS\system32\mssync20.sys (*** hidden *** ) [AUTO] mssync2020 <-- ROOTKIT !!!

---- EOF - GMER 1.0.10 ----

pt49 · 08-06-2006, 06:55 AM

This is all I got after a scan with Gmer in safe mode... it took over an hour.
I cannot access "system volume information" (access is denied)

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-06 23:45:13
Windows 5.1.2600 Service Pack 2

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\catalog.wci
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{3A3E7379-0825-48B5-8A67-5510F535A923}

---- EOF - GMER 1.0.10 ----

pt49 · 08-06-2006, 07:14 AM

My computer now crashes about 6 - 10 minutes after rebooting in normal mode.

Vikesrock8411 · 08-06-2006, 10:59 AM

Click to watch a movie on how to remove this rootkit. You are looking for the part about 30 seconds from the end where GMER is used. Ignore the other tools. In the movie GMER is used with the pe386 service yours should be called mssync2020.

Reboot and post a new Blacklight log after deleting the service.

pt49 · 08-06-2006, 10:20 PM

I ran Gmer, rightclicked on the file mssync2020 highlighted in red and deleted it. Then rebooted and ran Blacklight... the resulting log is below.

When I rebooted AVG told me "Virus detected" ... Trojan Horse PSW.Agent.CCI It could not be moved to the Virus Vault, nor healed or removed.

Blacklight Log:

08/07/06 14:52:05 [Info]: BlackLight Engine 1.0.42 initialized
08/07/06 14:52:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/07/06 14:52:10 [Note]: 7019 4
08/07/06 14:52:10 [Note]: 7005 0
08/07/06 14:52:16 [Note]: 7006 0
08/07/06 14:52:16 [Note]: 7011 2040
08/07/06 14:52:16 [Note]: 7026 0
08/07/06 14:52:17 [Note]: 7026 0
08/07/06 14:52:27 [Note]: FSRAW library version 1.7.1019
08/07/06 15:05:18 [Note]: 7007 0

~~~~~~~~~~~~~~~~~~~~~~~

After running Blacklight, I rebooted again and ran Gmer again. Still got the AVG virus detected alert.

Gmer Log:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-07 15:13:51
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys

---- EOF - GMER 1.0.10 ----

pt49 · 08-06-2006, 10:36 PM

My system appears to be stable for now. However I just rebooted and I got this AVG alert again:

While opening file C:\WINDOWS\system32\mmsync20.exe
Trojan Horse PSW.Agent.CCI

Vikesrock8411 · 08-07-2006, 01:22 AM

Now that the service is gone let's take out the files.

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

c:\Documents and Settings\Russell\Desktop\Files named mssync20.fnd
c:\WINDOWS\system32\mssync20.exe
c:\WINDOWS\system32\mssync20.sys
c:\WINDOWS\system32\mssync20.tlb

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

Panda Activescan Log
A new Hijackthis! Log

pt49 · 08-07-2006, 03:08 AM

Gotta problem here...

When I click on the "Scan Now" button, the download screen comes up, then there's a "boing" sound and nothing more. The page says that

ActiveScan has started...
click the above bar to start the download.

... however the "Bar" does not appear.

Must be something to do with settings. I tried Forefox, but it won't run there either.

pt49 · 08-07-2006, 03:14 AM

I altered my custom security levels for "Download signed active X controls" from prompt to enable and it's now completing the download.

pt49 · 08-07-2006, 04:33 AM

After running the Pandasoftware active scan, it immediately dissapears off the screen before I can save the report. I tried it twice.

The second time I got this error message:

iedw.exe - Bad Image
The application or DLL C:\Program Files\Internet Explorer\xpsp2res.dll is not a valid Windows Image. Please check this against your installation diskette

Here's the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:51 PM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe
C:\Program Files\DowntimeWitness\DowntimeWitness.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PHP Designer Toolbar Helper - {588869E0-6C28-400a-8A1A-2A099E41CE9B} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKLM\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: downtimewitness.com.lnk = C:\Program Files\DowntimeWitness\DowntimeWitness.exe
O4 - Global Startup: FlintFX Live Forex Signals.lnk = C:\Program Files\FlintFX Live Forex Signals\FlintFXSignals.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: SCV - https://www.omnovia.com/pages/sc2/image/SCV.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatte...nload/ccdl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133297998656
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://www.traderobot.com/setup-ts/setup.exe
O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.44.141.108/wp/wpax.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pt49 · 08-07-2006, 04:39 AM

I do have problems with IE, as I can't download files (zips etc) off the internet. When I try downloading a file it pops on the screen and then dissapears. I've had this problem for months.

I use Firefox to download on that computer.

Vikesrock8411 · 08-07-2006, 07:09 PM

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKLM\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe
O4 - HKCU\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe

Please remember to close all other windows, including browsers then click Fix checked.

Do you have an XP CD available to you?

pt49 · 08-07-2006, 07:46 PM

I do have an XP CD.

I have XP Home Edition 2002 incl Service pack 2 for the computer in question.

I also have XP Professional 2002 incl. SP2.

Here's another HiJackThis log after a reboot:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:39 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe
C:\Program Files\DowntimeWitness\DowntimeWitness.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PHP Designer Toolbar Helper - {588869E0-6C28-400a-8A1A-2A099E41CE9B} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: downtimewitness.com.lnk = C:\Program Files\DowntimeWitness\DowntimeWitness.exe
O4 - Global Startup: FlintFX Live Forex Signals.lnk = C:\Program Files\FlintFX Live Forex Signals\FlintFXSignals.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: SCV - https://www.omnovia.com/pages/sc2/image/SCV.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatte...nload/ccdl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133297998656
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://www.traderobot.com/setup-ts/setup.exe
O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.44.141.108/wp/wpax.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Vikesrock8411 · 08-07-2006, 08:18 PM

Click Start>Run and type in sfc /scannow
This will check to make sure all protected Windows files are intact. If it finds any problems it may prompt you to insert your XP CD.

Copy the following text below in BOLD into Notepad

rem Script used to manually reregister Internet Explorer and Shell related *.dlls
rem Also included the Digital Signing and Cryptographic Provider *. dlls if needed
rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\System32\dacui.dll
rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\Catroot\icatalog.mdb
rem regsvr32 setupwbv.dll /s
rem regsvr32 wininet.dll /s
regsvr32 comcat.dll /s
regsvr32 CSSEQCHK.DLL /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browsewm.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
rem regsvr32 mshtml.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
rem regsvr32 comctl32.dll /i /s
rem regsvr32 inetcpl.cpl /i /s
rem regsvr32 mshtml.dll /i /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
rem regsvr32 proctexe.ocx mshta.exe /register /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
rem regsvr32 triedit.dll /s
rem regsvr32 dhtmled.ocx /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
rem regsvr32 hmmapi.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
rem regsvr32 wininet.dll /i /s
regsvr32 urlmon.dll /i /s
rem regsvr32 digest.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
rem regsvr32 trialoc.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
rem regsvr32 wab32.dll /s
rem regsvr32 wabimp.dll /s
rem regsvr32 wabfind.dll /s
rem regsvr32 oemiglib.dll /s
rem regsvr32 directdb.dll /s
regsvr32 inetcomm.dll /s
rem regsvr32 msoe.dll /s
rem regsvr32 oeimport.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
rem regsvr32 laprxy.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
rem regsvr32 vgx.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
rem regsvr32 FLUPL.OCX /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll mstinit.exe /setup /s
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
regsvr32 licdll.dll /s
regsvr32 regwizc.dll /s
regsvr32 softpub.dll /s
regsvr32 IEDKCS32.DLL /s
regsvr32 MSTIME.DLL /s
regsvr32 WINTRUST.DLL /s
regsvr32 INITPKI.DLL /s
regsvr32 DSSENH.DLL /s
regsvr32 RSAENH.DLL /s
regsvr32 CRYPTDLG.DLL /s
regsvr32 Gpkcsp.dll /s
regsvr32 Sccbase.dll /s
regsvr32 Slbcsp.dll /s
exit

Now save the file as 'All File Types' and name it fixie.bat.

Close down everything including IE and double click to run the batch file.

Then reboot the PC.

pt49 · 08-07-2006, 10:47 PM

OK all done as directed

Vikesrock8411 · 08-07-2006, 10:53 PM

Can you download files with IE now?

pt49 · 08-07-2006, 11:13 PM

When I click "Tools" in IE there are 2 items missing from the dropdown menu when compared to this computer which runs XP Pro.

They are:
Popup Blocker
Manage addons...

I've managed to run Panda now tho:

Incident Status Location

Adware:adware/powerscan Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\MySearchToolBar.ToolbarPlugin
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Russell\Cookies\russell@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Russell\Cookies\russell@ad.sensismediasmart.com[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Russell\Cookies\russell@ads.addynamix[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Russell\Cookies\russell@apmebf[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Russell\Cookies\russell@clickbank[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Russell\Cookies\russell@overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Russell\Cookies\russell@qksrv[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Russell\Cookies\russell@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Russell\Cookies\russell@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Russell\Cookies\russell@tribalfusion[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Russell\Cookies\russell@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Russell\Cookies\russell@zedo[1].txt
Adware:Adware/Aureate-Radiate Not disinfected C:\Documents and Settings\Russell\Desktop\New Folder (2)\FlasDrive\Group Mail\BACKUP\GMAGlue.exe

08-05-2006, 10:05 AM	#1 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	mssync.sys PAGE_FAULT_IN_NONPAGED_AREA Yesterday I got my first Bluescreen in a computer running XP. THe main thing about the blue screen with this message: "The problem seems to be associated with the file mssync.sys PAGE_FAULT_IN_NONPAGED_AREA and etc... " and the computer reboots after a few minutes. I understand that I need to rename the offending files but can't find them. I can see them in the reports when I run Gmer and Blacklight Root Eliminator, but can't find them when I run search, because they are hidden files apparently. Logfile of HijackThis v1.99.1 Scan saved at 2:32:50 AM, on 8/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\sm56hlpr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe C:\WINDOWS\system32\HotfixQ0306270.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\UltraMon\UltraMon.exe C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\Program Files\UltraMon\UltraMonTaskbar.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\DowntimeWitness\DowntimeWitness.exe C:\Program Files\iPod\bin\iPodService.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe C:\Program Files\TechSmith\Camtasia Studio 3\TSCHelp.exe C:\WINDOWS\system32\cidaemon.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local> R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PHP Designer Toolbar Helper - {588869E0-6C28-400a-8A1A-2A099E41CE9B} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: downtimewitness.com.lnk = C:\Program Files\DowntimeWitness\DowntimeWitness.exe O4 - Global Startup: FlintFX Live Forex Signals.lnk = C:\Program Files\FlintFX Live Forex Signals\FlintFXSignals.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: palstart.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: .xara.com O15 - Trusted Zone: .xaraonline.com O16 - DPF: SCV - https://www.omnovia.com/pages/sc2/image/SCV.CAB O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatte...nload/ccdl.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133297998656 O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://www.traderobot.com/setup-ts/setup.exe O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.44.141.108/wp/wpax.cab O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

08-06-2006, 01:22 AM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Download combofix.exe-Save it to your Desktop, we will need this later. Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Please post a log from Blacklight and GMER in your next post along with the log from Combofix. __________________

08-06-2006, 04:48 AM	#4 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	Gmer short report log Here's the short log from Gmer... I have not been able to get a full report log so far. The computer keeps crashing before it completes. I saved the short log report... I'm currently running Gmer full scan in SaAFE mode to see if I can get the full log... I'll post it next if I get it. GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-08-06 21:22:53 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.10 ---- SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwEnumerateKey <-- ROOTKIT !!! SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwEnumerateValueKey <-- ROOTKIT !!! SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwQueryDirectoryFile <-- ROOTKIT !!! SSDT \??\C:\WINDOWS\system32\mssync20.sys ZwQuerySystemInformation <-- ROOTKIT !!! ---- Devices - GMER 1.0.10 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7D7685A] avgtdi.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys ---- Processes - GMER 1.0.10 ---- Process hidden process (* hidden * ) 2972 <-- ROOTKIT !!! ---- Services - GMER 1.0.10 ---- Service C:\WINDOWS\system32\mssync20.sys (* hidden * ) [AUTO] mssync2020 <-- ROOTKIT !!! ---- EOF - GMER 1.0.10 ----

08-06-2006, 06:55 AM	#5 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	Gmer in safe mode This is all I got after a scan with Gmer in safe mode... it took over an hour. I cannot access "system volume information" (access is denied) GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-08-06 23:45:13 Windows 5.1.2600 Service Pack 2 ---- Files - GMER 1.0.10 ---- File C:\System Volume Information\catalog.wci File C:\System Volume Information\MountPointManagerRemoteDatabase File C:\System Volume Information\tracking.log File C:\System Volume Information\_restore{3A3E7379-0825-48B5-8A67-5510F535A923} ---- EOF - GMER 1.0.10 ---- Last edited by pt49; 08-06-2006 at 06:59 AM. Reason: Adding to comment

08-06-2006, 10:59 AM	#7 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Click to watch a movie on how to remove this rootkit. You are looking for the part about 30 seconds from the end where GMER is used. Ignore the other tools. In the movie GMER is used with the pe386 service yours should be called mssync2020. Reboot and post a new Blacklight log after deleting the service. __________________

08-06-2006, 03:50 AM	#3 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	Thanks for your help Vikesrock. I continue to get Bluescreens. About ½ show the mssync20.sys error. Many show just numbers on the bottom of the reporting message, but now the last few are showing this: mnmdd.sys WMILB.SYS avgtdi.sys And on rebooting ZoneAlarm is slow initializing. Combo Report: Start Time= Sun 08/06/2006 20:29:39.85 Running from: C:\Documents and Settings\Russell\Desktop QuickScan did not find any signs of infected files (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-08-05 14:36:38 528446 ( A.... ) "C:\WINDOWS\gmer.dll" 2006-07-26 13:51:24 ( .D... ) "C:\Program Files\Sales Letter Creator" 2006-07-23 13:20:22 0 ( A..H. ) "C:\Documents and Settings\Russell\Application Data\L84577898.5v1" 2006-07-23 13:18:08 ( .D... ) "C:\Program Files\FileMaker" 2006-07-23 10:37:02 ( .D... ) "C:\Program Files\!Cool Programs" 2006-07-22 15:38:22 ( .D... ) "C:\Program Files\myownarticles rewriter" 2006-07-20 19:35:04 ( .D... ) "C:\Program Files\UseNeXT" 2006-07-20 15:11:10 ( .D... ) "C:\Program Files\TechSmith" 2006-07-12 03:12:18 ( .D... ) "C:\Program Files\Domain Suggestion Tool" 2006-06-15 21:03:52 86496 ( A.... ) "C:\Documents and Settings\Russell\Application Data\GDIPFONTCACHEV1.DAT" 2006-06-15 17:18:40 ( .D... ) "C:\Program Files\Cody Moya's .doc to .txt converter" 2006-06-15 03:12:00 45056 ( A.... ) "C:\WINDOWS\system32\CSvidcap.dll" 2006-06-14 22:26:06 ( .D... ) "C:\Program Files\The Keyword Bible Pro" 2006-06-14 21:13:42 102400 ( A.... ) "C:\WINDOWS\system32\tsccvid.dll" 2006-06-12 01:17:26 ( .D... ) "C:\Program Files\KA Sitebuilder" 2006-06-10 22:28:16 442 ( A.... ) "C:\Program Files\Shortcut to IVS.lnk" 2006-06-10 21:51:30 ( .D... ) "C:\Program Files\IVS" 2006-06-10 01:45:54 ( .D... ) "C:\Program Files\Web Audio Plus" 2006-06-09 16:15:46 5161 ( A.... ) "C:\Documents and Settings\Russell\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log" 2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe" 2006-01-19 15:18:06 1135579 ( A.... ) "C:\Program Files\DocToTxtSetup.exe" 2005-11-19 22:12:46 1309840 ( A.... ) "C:\Program Files\a2freesetup.exe" 2005-11-19 21:30:44 777142 ( A.... ) "C:\Program Files\aaupd2012.exe" 2005-11-18 21:35:10 2693614 ( A.... ) "C:\Program Files\orwell.exe" 2005-11-15 00:39:48 13244 ( A.... ) "C:\Program Files\rssg2.zip" 2005-11-13 21:19:16 1014477 ( A.... ) "C:\Program Files\wrar351.exe" 2004-01-15 01:34:18 259539966 ( A.... ) "C:\Program Files\Microsoft Office XP Publisher 2003.zip" 2001-04-04 17:11:30 1499904 ( A...R ) "C:\Program Files\INSTMSIW.EXE" 2001-04-04 17:11:28 1489152 ( A...R ) "C:\Program Files\INSTMSI.EXE" 2001-04-04 17:11:28 184 ( A..HR ) "C:\Program Files\AUTORUN.INF" 2001-04-02 19:50:14 29 ( A...R ) "C:\Program Files\cd-key.txt" 2001-03-01 23:38:12 3485184 ( A...R ) "C:\Program Files\PROPLUS.MSI" 2001-03-01 23:35:58 306688 ( A...R ) "C:\Program Files\OWC10.MSI" 2001-03-01 14:35:26 224771818 ( A..HR ) "C:\Program Files\OFFICE1.CAB" 2001-02-28 12:14:46 476576 ( A...R ) "C:\Program Files\SETUP.EXE" 2001-02-21 12:18:24 7929 ( A...R ) "C:\Program Files\README.HTM" (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days ))))))))))))))))))))))))))))))))))))))))))) 2006-08-05 14:36 745,531 C:\WINDOWS\gmer.exe 2006-08-05 14:36 528,446 C:\WINDOWS\gmer.dll 2006-07-20 15:11 45,056 C:\WINDOWS\system32\CSvidcap.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "SMSERIAL"="sm56hlpr.exe" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe" "Prolific_PLUtil"="C:\\Program Files\\Prolific\\USB Flash Disk Utility\\PLBkMon.exe" "PLFFAP"="C:\\WINDOWS\\system32\\HotfixQ0306270.exe" "Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe" "Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe" "OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\"" "LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE" "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe " "LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "StatusClient 2.6"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\StatusClient\\StatusClient.exe /auto" "TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe" "HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe" "UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto" "PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup" "PCPitstop Optimize Registration Reminder"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe" "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32" "MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC" "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC" "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName" "SoundMan"="SOUNDMAN.EXE" "SoundMan"="SOUNDMAN.EXE" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\"" "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet" "Update Service"="\"C:\\Program Files\\Common Files\\Teknum Systems\\update.exe\" /startup" "LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe" "LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot" "Uniblue Registry Booster"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S" "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog" "Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized" "googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart" "googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] @=hex(7b0): [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices] @=hex(7b0): [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,de,03,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,de,03,\ 00,00,04,00,00,40 "RestoredStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,de,03,\ 00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\ 33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce] "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\ 33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" Contents of the 'Scheduled Tasks' folder Completion time: Sun 08/06/2006 20:30:02.07 ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt ComboFix.2006-08-05.211253.txt ComboFix.2006-08-06.200215.txt ComboFix.2006-08-06.201622.txt ComboFix.2006-08-06.202939.txt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 08/06/06 20:31:57 [Info]: BlackLight Engine 1.0.42 initialized 08/06/06 20:31:57 [Info]: OS: 5.1 build 2600 (Service Pack 2) 08/06/06 20:31:58 [Note]: 7019 4 08/06/06 20:31:58 [Note]: 7005 0 08/06/06 20:32:00 [Note]: 7006 0 08/06/06 20:32:01 [Note]: 7011 2016 08/06/06 20:32:01 [Note]: 7026 0 08/06/06 20:32:01 [Note]: 7026 0 08/06/06 20:32:10 [Note]: FSRAW library version 1.7.1019 08/06/06 20:32:15 [Info]: Hidden file: c:\Documents and Settings\Russell\Desktop\Files named mssync20.fnd 08/06/06 20:32:15 [Note]: 7002 0 08/06/06 20:32:15 [Note]: 7003 1 08/06/06 20:32:15 [Note]: 10002 2 08/06/06 20:37:44 [Info]: Hidden file: c:\WINDOWS\system32\mssync20.exe 08/06/06 20:37:44 [Note]: 7002 0 08/06/06 20:37:44 [Note]: 7003 1 08/06/06 20:37:44 [Note]: 10002 2 08/06/06 20:37:44 [Info]: Hidden file: c:\WINDOWS\system32\mssync20.sys 08/06/06 20:37:44 [Note]: 7002 0 08/06/06 20:37:44 [Note]: 7003 1 08/06/06 20:37:44 [Note]: 10002 2 08/06/06 20:37:44 [Info]: Hidden file: c:\WINDOWS\system32\mssync20.tlb 08/06/06 20:37:44 [Note]: 7002 0 08/06/06 20:37:44 [Note]: 7003 1 08/06/06 20:37:44 [Note]: 10002 2 08/06/06 20:39:38 [Note]: 7007 0 ~~~~~~~~~~~~~~~~~~~~~~~~ System crashed before finishing a Gmer report... I got a WMILB.SYS error on the blue screen. I'll post a Gmer report when I get that computer back up.

08-06-2006, 07:14 AM	#6 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	My computer now crashes about 6 - 10 minutes after rebooting in normal mode.

08-06-2006, 10:20 PM	#8 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	BL log I ran Gmer, rightclicked on the file mssync2020 highlighted in red and deleted it. Then rebooted and ran Blacklight... the resulting log is below. When I rebooted AVG told me "Virus detected" ... Trojan Horse PSW.Agent.CCI It could not be moved to the Virus Vault, nor healed or removed. Blacklight Log: 08/07/06 14:52:05 [Info]: BlackLight Engine 1.0.42 initialized 08/07/06 14:52:05 [Info]: OS: 5.1 build 2600 (Service Pack 2) 08/07/06 14:52:10 [Note]: 7019 4 08/07/06 14:52:10 [Note]: 7005 0 08/07/06 14:52:16 [Note]: 7006 0 08/07/06 14:52:16 [Note]: 7011 2040 08/07/06 14:52:16 [Note]: 7026 0 08/07/06 14:52:17 [Note]: 7026 0 08/07/06 14:52:27 [Note]: FSRAW library version 1.7.1019 08/07/06 15:05:18 [Note]: 7007 0 ~~~~~~~~~~~~~~~~~~~~~~~ After running Blacklight, I rebooted again and ran Gmer again. Still got the AVG virus detected alert. Gmer Log: GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-08-07 15:13:51 Windows 5.1.2600 Service Pack 2 ---- Devices - GMER 1.0.10 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys ---- EOF - GMER 1.0.10 ----

08-06-2006, 10:36 PM	#9 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	Still have virus My system appears to be stable for now. However I just rebooted and I got this AVG alert again: While opening file C:\WINDOWS\system32\mmsync20.exe Trojan Horse PSW.Agent.CCI

08-07-2006, 01:22 AM	#10 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Now that the service is gone let's take out the files. Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) Launch KillBox.exe & select the following options: delete on Reboot Select all the filenames below & then right-click & select Copy c:\Documents and Settings\Russell\Desktop\Files named mssync20.fnd c:\WINDOWS\system32\mssync20.exe c:\WINDOWS\system32\mssync20.sys c:\WINDOWS\system32\mssync20.tlb * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click Yes at the 'Pending Operations prompt'. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: Panda Activescan Log A new Hijackthis! Log __________________

08-07-2006, 03:08 AM	#11 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	Gotta problem here... When I click on the "Scan Now" button, the download screen comes up, then there's a "boing" sound and nothing more. The page says that ActiveScan has started... click the above bar to start the download. ... however the "Bar" does not appear. Must be something to do with settings. I tried Forefox, but it won't run there either.

08-07-2006, 03:14 AM	#12 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	Fixed that I altered my custom security levels for "Download signed active X controls" from prompt to enable and it's now completing the download.

08-07-2006, 04:33 AM	#13 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	After running Panda After running the Pandasoftware active scan, it immediately dissapears off the screen before I can save the report. I tried it twice. The second time I got this error message: iedw.exe - Bad Image The application or DLL C:\Program Files\Internet Explorer\xpsp2res.dll is not a valid Windows Image. Please check this against your installation diskette Here's the new Hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 9:28:51 PM, on 8/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\sm56hlpr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe C:\WINDOWS\system32\HotfixQ0306270.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\UltraMon\UltraMon.exe C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\Program Files\UltraMon\UltraMonTaskbar.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\Program Files\DowntimeWitness\DowntimeWitness.exe C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local> R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PHP Designer Toolbar Helper - {588869E0-6C28-400a-8A1A-2A099E41CE9B} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - HKLM\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - HKCU\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: downtimewitness.com.lnk = C:\Program Files\DowntimeWitness\DowntimeWitness.exe O4 - Global Startup: FlintFX Live Forex Signals.lnk = C:\Program Files\FlintFX Live Forex Signals\FlintFXSignals.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: palstart.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: .xara.com O15 - Trusted Zone: .xaraonline.com O16 - DPF: SCV - https://www.omnovia.com/pages/sc2/image/SCV.CAB O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatte...nload/ccdl.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133297998656 O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://www.traderobot.com/setup-ts/setup.exe O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.44.141.108/wp/wpax.cab O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

08-07-2006, 04:39 AM	#14 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	IE problems I do have problems with IE, as I can't download files (zips etc) off the internet. When I try downloading a file it pops on the screen and then dissapears. I've had this problem for months. I use Firefox to download on that computer.

08-07-2006, 07:09 PM	#15 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O4 - HKLM\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - HKLM\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - HKCU\..\Run: [mssync20] C:\WINDOWS\system32\mssync20.exe O4 - HKCU\..\RunServices: [mssync20] C:\WINDOWS\system32\mssync20.exe Please remember to close all other windows, including browsers then click Fix checked. Do you have an XP CD available to you? __________________

08-07-2006, 07:46 PM	#16 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	XP cd and HiJackThis log I do have an XP CD. I have XP Home Edition 2002 incl Service pack 2 for the computer in question. I also have XP Professional 2002 incl. SP2. Here's another HiJackThis log after a reboot: Logfile of HijackThis v1.99.1 Scan saved at 12:35:39 PM, on 8/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\sm56hlpr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe C:\WINDOWS\system32\HotfixQ0306270.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\UltraMon\UltraMon.exe C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\UltraMon\UltraMonTaskbar.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\Program Files\Bluetooth\Bluetooth Software\BTTray.exe C:\Program Files\DowntimeWitness\DowntimeWitness.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local> R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PHP Designer Toolbar Helper - {588869E0-6C28-400a-8A1A-2A099E41CE9B} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: downtimewitness.com.lnk = C:\Program Files\DowntimeWitness\DowntimeWitness.exe O4 - Global Startup: FlintFX Live Forex Signals.lnk = C:\Program Files\FlintFX Live Forex Signals\FlintFXSignals.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: palstart.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth\Bluetooth Software\btsendto_ie.htm O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: .xara.com O15 - Trusted Zone: .xaraonline.com O16 - DPF: SCV - https://www.omnovia.com/pages/sc2/image/SCV.CAB O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {10C9072D-2FF3-4AF8-882E-7974B1BF2729} (ChatCLientDownloadCtrl Class) - http://download.howudodat.com/chatte...nload/ccdl.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133297998656 O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://www.traderobot.com/setup-ts/setup.exe O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.44.141.108/wp/wpax.cab O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth\Bluetooth Software\bin\btwdins.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

08-07-2006, 08:18 PM	#17 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Click Start>Run and type in sfc /scannow This will check to make sure all protected Windows files are intact. If it finds any problems it may prompt you to insert your XP CD. Copy the following text below in BOLD into Notepad rem Script used to manually reregister Internet Explorer and Shell related .dlls rem Also included the Digital Signing and Cryptographic Provider . dlls if needed rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\System32\dacui.dll rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\Catroot\icatalog.mdb rem regsvr32 setupwbv.dll /s rem regsvr32 wininet.dll /s regsvr32 comcat.dll /s regsvr32 CSSEQCHK.DLL /s regsvr32 shdoc401.dll /s regsvr32 shdoc401.dll /i /s regsvr32 asctrls.ocx /s regsvr32 oleaut32.dll /s regsvr32 shdocvw.dll /I /s regsvr32 shdocvw.dll /s regsvr32 browseui.dll /s regsvr32 browsewm.dll /s regsvr32 browseui.dll /I /s regsvr32 msrating.dll /s regsvr32 mlang.dll /s regsvr32 hlink.dll /s rem regsvr32 mshtml.dll /s regsvr32 mshtmled.dll /s regsvr32 urlmon.dll /s regsvr32 plugin.ocx /s regsvr32 sendmail.dll /s rem regsvr32 comctl32.dll /i /s rem regsvr32 inetcpl.cpl /i /s rem regsvr32 mshtml.dll /i /s regsvr32 scrobj.dll /s regsvr32 mmefxe.ocx /s rem regsvr32 proctexe.ocx mshta.exe /register /s regsvr32 corpol.dll /s regsvr32 jscript.dll /s regsvr32 msxml.dll /s regsvr32 imgutil.dll /s regsvr32 thumbvw.dll /s regsvr32 cryptext.dll /s regsvr32 rsabase.dll /s rem regsvr32 triedit.dll /s rem regsvr32 dhtmled.ocx /s regsvr32 inseng.dll /s regsvr32 iesetup.dll /i /s rem regsvr32 hmmapi.dll /s regsvr32 cryptdlg.dll /s regsvr32 actxprxy.dll /s regsvr32 dispex.dll /s regsvr32 occache.dll /s regsvr32 occache.dll /i /s regsvr32 iepeers.dll /s rem regsvr32 wininet.dll /i /s regsvr32 urlmon.dll /i /s rem regsvr32 digest.dll /i /s regsvr32 cdfview.dll /s regsvr32 webcheck.dll /s regsvr32 mobsync.dll /s regsvr32 pngfilt.dll /s regsvr32 licmgr10.dll /s regsvr32 icmfilter.dll /s regsvr32 hhctrl.ocx /s regsvr32 inetcfg.dll /s rem regsvr32 trialoc.dll /s regsvr32 tdc.ocx /s regsvr32 MSR2C.DLL /s regsvr32 msident.dll /s regsvr32 msieftp.dll /s regsvr32 xmsconf.ocx /s regsvr32 ils.dll /s regsvr32 msoeacct.dll /s rem regsvr32 wab32.dll /s rem regsvr32 wabimp.dll /s rem regsvr32 wabfind.dll /s rem regsvr32 oemiglib.dll /s rem regsvr32 directdb.dll /s regsvr32 inetcomm.dll /s rem regsvr32 msoe.dll /s rem regsvr32 oeimport.dll /s regsvr32 msdxm.ocx /s regsvr32 dxmasf.dll /s rem regsvr32 laprxy.dll /s regsvr32 l3codecx.ax /s regsvr32 acelpdec.ax /s regsvr32 mpg4ds32.ax /s regsvr32 voxmsdec.ax /s regsvr32 danim.dll /s regsvr32 Daxctle.ocx /s regsvr32 lmrt.dll /s regsvr32 datime.dll /s regsvr32 dxtrans.dll /s regsvr32 dxtmsft.dll /s rem regsvr32 vgx.dll /s regsvr32 WEBPOST.DLL /s regsvr32 WPWIZDLL.DLL /s regsvr32 POSTWPP.DLL /s regsvr32 CRSWPP.DLL /s regsvr32 FTPWPP.DLL /s regsvr32 FPWPP.DLL /s rem regsvr32 FLUPL.OCX /s regsvr32 wshom.ocx /s regsvr32 wshext.dll /s regsvr32 vbscript.dll /s regsvr32 scrrun.dll mstinit.exe /setup /s regsvr32 msnsspc.dll /SspcCreateSspiReg /s regsvr32 msapsspc.dll /SspcCreateSspiReg /s regsvr32 licdll.dll /s regsvr32 regwizc.dll /s regsvr32 softpub.dll /s regsvr32 IEDKCS32.DLL /s regsvr32 MSTIME.DLL /s regsvr32 WINTRUST.DLL /s regsvr32 INITPKI.DLL /s regsvr32 DSSENH.DLL /s regsvr32 RSAENH.DLL /s regsvr32 CRYPTDLG.DLL /s regsvr32 Gpkcsp.dll /s regsvr32 Sccbase.dll /s regsvr32 Slbcsp.dll /s exit Now save the file as 'All File Types' and name it fixie.bat. Close down everything including IE and double click to run the batch file. Then reboot the PC. __________________

08-07-2006, 10:47 PM	#18 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	OK all done as directed

08-07-2006, 10:53 PM	#19 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Can you download files with IE now? __________________

08-07-2006, 11:13 PM	#20 (permalink)
pt49 Registered User Join Date: Aug 2006 Location: Australia Posts: 22 OS: XP My System	When I click "Tools" in IE there are 2 items missing from the dropdown menu when compared to this computer which runs XP Pro. They are: Popup Blocker Manage addons... I've managed to run Panda now tho: Incident Status Location Adware:adware/powerscan Not disinfected Windows Registry Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\MySearchToolBar.ToolbarPlugin Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.statcounter.com/] Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.bravenet.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.qksrv.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.apmebf.com/] Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.clickbank.net/] Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.toplist.cz/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.2o7.net/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.overture.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.perf.overture.com/] Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.revenue.net/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\jwv94gal.default\cookies.txt[landing.domainsponsor.com/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Russell\Cookies\russell@2o7[1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Russell\Cookies\russell@ad.sensismediasmart.com[1].txt Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Russell\Cookies\russell@ads.addynamix[2].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Russell\Cookies\russell@apmebf[1].txt Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Russell\Cookies\russell@clickbank[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Russell\Cookies\russell@overture[1].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Russell\Cookies\russell@qksrv[1].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Russell\Cookies\russell@serving-sys[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Russell\Cookies\russell@statcounter[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Russell\Cookies\russell@tribalfusion[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Russell\Cookies\russell@www.myaffiliateprogram[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Russell\Cookies\russell@zedo[1].txt Adware:Adware/Aureate-Radiate Not disinfected C:\Documents and Settings\Russell\Desktop\New Folder (2)\FlasDrive\Group Mail\BACKUP\GMAGlue.exe